Professional Documents
Culture Documents
Brute Force Password Search by Interop - Automation - CodeProject
Brute Force Password Search by Interop - Automation - CodeProject
How to use the Microsoft Interop/Automation to implement parallel research of a Microsoft Office file password.
Introduction
Is possibile to recover a forgotten password about a Microsoft Office file using automation? The answer is yes, by the brute force
via automation/Interop, the multithreading and a lot of quantifiable cpu time.
The main goal of this software is verify the capability of Interop to open the password protected file and also to check when a
password is strenght enought to resist to attacks. But this software can be anso used in a real world, to find a forgotten password
about your owned files. Infact it was written to open a file that the owner forgive the exact password.
it's not a time performant on the open file password protected operations.
Software requirements
To use the software developed by Visual Studio 2017. It is required to have installed the Microsoft Office (or Excel or Word,
according the file kind to work on) on the target computer .
error CS0234
If you have the error CS0234 , it means you need to reference the Office library. Open the menu Project, Add reference... and
select the tab "COM" and scroll the list to "Microsoft Word 16.0 Object Library" or other version you have.
https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 1/8
19/06/2018 Brute force password search by Interop/Automation - CodeProject
The total combinations (matemathic more correctly term: dispositions) to be tested are:
Now last step for computing the time, is adding the time factor.
The old hardware used for testing obtanined c.a. 1.500 test/minute. Then:
The situation of 148 days is the worst case is represented by 'ZZZZZZ'. The best one is the password filled by just 'A' that is
immediatly tested and found.
It is possible to skip too short password, starting, for example, from a 4 char lenght passwords (i.e. 'AAAA')
Of course, if we know the password lenght, it's a great improvment about the time we can save.
Reduced combinations avoiding the absolute unlikely password as 'RKWLPG' or 'TMQNTZ' (just because those are meaningless
then hard to remember or located in a nonsense order of the keybords -to the opposite to 'QWERTY' that is it-) is not possibile by
algorithm and is a concrete risk to jump over the right one.
It sum up to 26+26+10+10 over 70 chars. then, if the password have a size of 5 chars, we obtain 70^1 +70^2 +70 ^3 +70^4 +70^5
=1.680.700.000 possibile passwords to test (against 308.915.776 if used a single alphabet set as seen before).
I have to undeline this software can useful if it will be used on your files, because you can reduce the complexity of all the
possibilities. In fact you know:
witch char set is or is not appliable (for example, if you never used some special char or the uppercase set, you can exclude
them from testing).
the minumum lenght of the password (for example, if you use password of 8 or more chars, if means you start the
elaboration from that length saving a lot ot time)
the kind of characters that can be tryed to guess the password: uppercase, lowercase, numbers. Actually, special characters
are not inserted as avaiable char set.
the password length range: the minumum and the maximum length to check: it is very useful to avoid to trash time to verify
the too short passwords.
the number of core to be used: this feature is intended to limit the payload on the cpu, to maintain an every day responsible
computer. More, the jobs are executed in a low priority mode, then they don't affect the regular usage.
lowercase letters
uppercase letters
numbers
https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 3/8
19/06/2018 Brute force password search by Interop/Automation - CodeProject
Here follows the code that creates and starts the all the threads: they will be inserted in a List<Thread> to reference them
further. The instruction T.Priority is used to set the thread to the lowest priority.
Here the form when it is running. In bottom, with a more gray background, is visible the the TableLayoutPanel with four threads
numbered from '00' to '03', displaying the password they are curently testing: '6K', '6L', '6J', '6M'.
https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 4/8
19/06/2018 Brute force password search by Interop/Automation - CodeProject
Suggestions
If you will start a test, remember to disable the sleep/stand by function of your computer, otherwise the day after you could find the
computer stopped.
Creating Instance
The thread create an instance of the software to be used to try to open the file protected password:
If the tested password is can open the file, then the routine performs those steps:
https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 5/8
19/06/2018 Brute force password search by Interop/Automation - CodeProject
try
{
WDoc = WApp.Documents.Open(FileName, PasswordDocument: test , ReadOnly: true);
StopSearch(true);
Achivied(test);
WDoc.Close();
System.Runtime.InteropServices.Marshal.ReleaseComObject(WDoc);
}
Calling WApp.Documents.Open() on a password protected file using a wrong one, raise an exception. This is the reason to
wrap that instruction by try/catch.
Inside the catch is not necessary to perform any operation. Infact, WDoc is null. In case you want to do something with
exception, the ex.Message string comparization must be changed according the language used on the computer.
Last job of the rountine is to release the Interop instance using the instruction:
ReleaseComObject(WApp);
lock (SyncLockerobjNewPassword)
{
// --- password to verify
GiveBack = new char[PasswordToVerify.Length];
riporto = false ;
break;
}
https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 6/8
19/06/2018 Brute force password search by Interop/Automation - CodeProject
else
{
// zero
PasswordToVerify[i] = AllowedCC[0];
riporto = true;
}
}
// --- insert new starting char on left side
if ( riporto)
{
char [] tmp = new char[PasswordToVerify.Length ];
PasswordToVerify.CopyTo( tmp,0) ;
return GiveBack ;
}
I got it !
Here the form at the end of elaboration, when the password is found. It reports information about:
The start button remains disabled to avoid the user can launch inadvertently another run. To run another test, the software have to
be restarted.
To use the code against an Excel file, the line to modify is the WApp declatation, changing it to:
For who approach to the Threading, there is nice example about the creation and syncronization to stop them according a situation
that became true in a one of them.
Conclusions
The Microsoft password protection is strong enough if is respected the simple rule of any password: lenght (more than 8 chars), the
usage of a large set of chars: uppercase and lowercase, numbers and special chars. But if you are looking for your lost password,
you have a good change to recover it. If you are not in hurry, of course!
License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
I start to develope software in the '80, specialized in desktop application in the sales and marketing area and system integration.
Since 2005 I'm a c# DotNet ehntusiast.
Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile Article Copyright 2018 by paolo guccini
Web04-2016 | 2.8.180618.1 | Last Updated 14 Jun 2018 Everything else Copyright © CodeProject, 1999-2018
https://www.codeproject.com/Articles/1247450/Brute-force-password-search-by-Interop-Automation?display=Print 8/8