pitonyak Administrator


Joined: 09 Mar 2004 Posts: 3618 Location: Columbus, Ohio, USA
|
Posted: Mon Aug 22, 2005 11:58 am Post subject: Writing a password cracker |
|
|
If I open a document with a password and I use the wrong password, an empty frame is opened. I seem to remember seeing this issue before, but I cannot remember the solution.
Assume that I have the 1000 years required to crack an eight-character password; each attempt will leave an open frame.
I suppose that I can create a blank document with a named frame and open the document every time into the named frame, but I am curious if there is another solution.
If you already have a "cracker", I would appreciate a copy, but I am really looking for a solution to the opening issue. _________________ --
Andrew Pitonyak
http://www.pitonyak.org/oo.php |
 |
avantman42 Super User

Joined: 28 Jul 2003 Posts: 751 Location: Staffordshire, UK
|
Posted: Mon Aug 22, 2005 2:11 pm Post subject: |
|
|
I have a cracker that uses dictionary files. I wrote it in OOo 1.1.4, and haven't tried it in 1.9.x
The relevant lines are:
| Code: |
'Try to open file
oDoc = StarDesktop.LoadComponentFromURL(ConvertToURL(SXC_FILE), "_default", 0, OpenProperties())
'Check for success
If Not IsNull(oDoc) Then
  MsgBox "Document opened. Password is:" & Chr(10) & sPass
End If
|
If the password is wrong, then oDoc is null, since it couldn't open the file. It doesn't leave a frame behind. This may be different in 1.9.x
Does that help?
If you want a copy of the cracker, just PM or e-mail me.
Russ |
 |
pitonyak Administrator


Joined: 09 Mar 2004 Posts: 3618 Location: Columbus, Ohio, USA
|
Posted: Mon Aug 22, 2005 7:19 pm Post subject: |
|
|
I would really like a copy of your dictionary version (andrew@pitonyak.org). Also, your simple example showed me what I needed to do to solve my problem. I used the frame name as "_blank" and you used "_default". If you use "_blank", then it opens into a NEW blank window even if the document can NOT be opened.
I started on a brute force method in Basic, but it is way too slow to be practical. I can shoot you a copy of what I have, or even post the existing code here. It is not too long. Well, here is the code that I have so far. Not really usable but it did pass one simple test...
| Code: |
Sub Main
  Dim sChars(0 To 25) As String
  Dim i%
  Dim sURL$
  For i=0 To 25
    sChars(i) = CHR$(97 + i)
    'sChars(i+26) = CHR$(65 + i)
  Next
  sURL = "file:///c:/password.sxw"
  sURL = "file:///andrew0/home/andy/Password2.odt"
  Print CrackIt(sChars(), 5, 5, sURL)
End Sub

Function CrackIt(chars() As String, nMinChars%, nMaxChars%, sURL$) As Variant
  Dim nCharIdx(1 To nMaxChars) As Integer
  Dim sChars(1 To nMaxChars) As String
  Dim s$
  Dim i%
  Dim nLB%, nUB%
  Dim nNumChars
  Dim bPassFound As Boolean
  Dim bNumWrapped As Boolean
  Dim n As Long
  Dim tStart
  Dim tEnd
  Dim oDoc
  Dim oArgs(1) As New com.sun.star.beans.PropertyValue

  oArgs(0).Name = "Password"
  oArgs(1).Name = "Hidden"
  oArgs(1).Value = True

  REM Read the array bounds before they are used below.
  nLB = LBound(chars())
  nUB = UBound(chars())
  For i=1 To nMaxChars
    nCharIdx(i) = nLB
    sChars(i) = ""
  Next

  tStart = GetSystemTicks()
  n = 0
  bPassFound = False
  For nNumChars = nMinChars To nMaxChars
    For i=1 To nNumChars
      nCharIdx(i) = nLB
      sChars(i) = chars(nLB)
    Next
    bNumWrapped = False
    Do Until bPassFound OR bNumWrapped
      n = n + 1
      's = ""
      bNumWrapped = True
      s = Join(sChars(), "")
      'Print "s = " & s
      oArgs(0).Value = s
      REM I must use "_default" rather than "_blank" or a new
      REM blank document is opened no matter what.
      oDoc = StarDesktop.loadComponentFromURL(sURL, "_default", 0, oArgs())
      If NOT IsNull(oDoc) Then
        CrackIt = "Found:" & s
        tEnd = GetSystemTicks() - tStart
        MsgBox "Total ticks = " & tEnd & CHR$(10) & _
               "Iterations = " & n & CHR$(10) & _
               "Iterations / tick = " & (n / tEnd)
        Exit Function
      End If
      REM Advance to the next candidate, carrying into the next position on wrap.
      For i = 1 To nNumChars
        's = s & chars(nCharIdx(i))
        If bNumWrapped Then
          nCharIdx(i) = nCharIdx(i) + 1
          If nCharIdx(i) <= nUB Then
            bNumWrapped = False
            sChars(i) = chars(nCharIdx(i))
            Exit For
          Else
            nCharIdx(i) = nLB
            sChars(i) = chars(nLB)
          End If
        End If
      Next
    Loop
  Next
  tEnd = GetSystemTicks() - tStart
  MsgBox "Total ticks = " & tEnd & CHR$(10) & _
         "Iterations = " & n & CHR$(10) & _
         "Iterations / tick = " & (n / tEnd)
  'Print "n = " & n
  CrackIt = "Not Found:" & s
End Function
|
_________________ --
Andrew Pitonyak
http://www.pitonyak.org/oo.php |
 |
avantman42 Super User

Joined: 28 Jul 2003 Posts: 751 Location: Staffordshire, UK
|
Posted: Tue Aug 23, 2005 12:40 am Post subject: |
|
|
| pitonyak wrote: | | I would really like a copy of your dictionary version (andrew@pitonyak.org) |
It's at home (I'm at work at the moment) but I'll send it on later.
| pitonyak wrote: | | I started on a brute force method in Basic, but it is way too slow to be practical. I can shoot you a copy of what I have, or even post the existing code here. It is not too long. |
My cracker has dictionary & brute force routines, but the brute force takes far too long to be useable. I'd be interested in seeing your code if you get it to a useable state. I doubt I'll ever need it, but it could be interesting to examine.
While we're talking about such things, I had thought about putting my cracker up on OOoMacros, but wasn't sure about the ethics of doing so. Any thoughts?
Russ |
 |
pitonyak Administrator


Joined: 09 Mar 2004 Posts: 3618 Location: Columbus, Ohio, USA
|
Posted: Tue Aug 23, 2005 5:24 am Post subject: |
|
|
I have no problems with a password cracker available on the internet. My feeling is that anyone who really wants one can (and will) write one. It is sort of like publishing a study against SHA1, which they can attack faster than before.
Assume that the password has exactly n characters chosen from a set of k characters. There are k^n possibilities. If k=64 and n=8 then there are 218,340,105,584,896 possibilities.
Assume that the password is from 1 to n characters chosen from a set of k characters. The number of possibilities would be: k^1 + k^2 + k^3 + ... + k^n. Again, for n=8 and k=64, there are 221,919,451,578,090 possibilities.
My Macro can generate roughly 126 passwords a second in Basic; it is much slower if I try to use the password, but it would take me around 800 years just to generate all of the passwords to check for n=8 and k=64.
Sure, Basic is slow, and I could use a faster language. I would be more careful with my code if I could quickly break an OOo document; and then I would be in a dialog with the developers to use better encryption.
I consider the code to be mostly educational with an occasional good use and an occasional bad use. I am willing to allow the occasional bad use. If there was no purpose other than bad then I would feel differently. _________________ --
Andrew Pitonyak
http://www.pitonyak.org/oo.php |
 |
pitonyak Administrator


Joined: 09 Mar 2004 Posts: 3618 Location: Columbus, Ohio, USA
|
Posted: Tue Aug 23, 2005 6:41 am Post subject: |
|
|
Here is my final "brute force" code
| Code: |
Sub Main
  Dim sChars(0 To 3) As String
  Dim i%
  Dim sURL$
  For i=0 To UBound(sChars())
    If (i < 26) Then
      sChars(i) = CHR$(97 + i)
    ElseIf (i < 52) Then
      sChars(i) = CHR$(65 + i - 26)
    End If
    'sChars(i+26) = CHR$(97 + i)
  Next
  sURL = "file:///c:/password.sxw"
  Print CrackIt(sChars(), 4, 5, sURL)
End Sub

Function CrackIt(chars() As String, nMinChars%, nMaxChars%, sURL$) As Variant
  Dim s$             ' Holds the password string.
  Dim sLB$           ' The first character.
  Dim i%             ' General index variable.
  Dim nTemp%         ' Temporary integer used to increment the password.
  Dim nLB%           ' Lower bound of the character array.
  Dim nUB%           ' Upper bound of the character array.
  Dim n As Long      ' Total number of passwords checked.
  Dim tStart         ' Starting ticks.
  Dim tEnd           ' Total elapsed ticks
  Dim oDoc As Object ' If I leave this as an Object then it defaults to NULL
  Dim oArgs(1) As New com.sun.star.beans.PropertyValue
  Dim nCharIdx(1 To nMaxChars) As Integer

  REM Set the actual password just before testing
  oArgs(0).Name = "Password"
  oArgs(1).Name = "Hidden"
  oArgs(1).Value = True

  REM Some initial values
  nLB = LBound(chars())
  nUB = UBound(chars())
  sLB = chars(nLB)

  REM Set the initial password in s.
  REM nCharIdx holds the index into chars() for the corresponding character.
  s = ""
  For i=1 To nMinChars
    nCharIdx(i) = nLB
    s = s & sLB
  Next

  REM Initialize to one before the first character.
  REM When the previous character rolls into this character,
  REM the value will be incremented to nLB, which is the first
  REM character.
  For i=nMinChars + 1 To nMaxChars
    nCharIdx(i) = nLB - 1
  Next

  REM Get ready to start!
  n = 0
  tStart = GetSystemTicks()
  Do While True
    n = n + 1
    'Print s
    'if ((n MOD 50) = 0) Then Print "n = " & n & " s = " & s
    oArgs(0).Value = s
    REM If I use "_blank", then a new frame opens even if the load fails.
    oDoc = StarDesktop.loadComponentFromURL(sURL, "_default", 0, oArgs())
    If IsNull(oDoc) Then
      REM The last password was NOT valid
      REM try a new one!
      For i = 1 To nMaxChars
        nTemp = nCharIdx(i) + 1
        If nTemp <= nUB Then
          nCharIdx(i) = nTemp
          Mid(s, i, 1, chars(nTemp))
          Exit For
        Else
          nCharIdx(i) = nLB
          Mid(s, i, 1, sLB)
          If i = nMaxChars Then Exit Do
        End If
      Next
    Else
      oDoc.close(True)
      CrackIt = s
      tEnd = GetSystemTicks() - tStart
      MsgBox "Total ticks = " & tEnd & CHR$(10) & _
             "Iterations = " & n & CHR$(10) & _
             "Iterations / tick = " & (n / tEnd) & CHR$(10) & _
             "ticks / Iteration = " & (tEnd / n) & CHR$(10) & _
             "Iterations / second = " & (n / tEnd * 1000)
      Exit Function
    End If
  Loop
  tEnd = GetSystemTicks() - tStart
  MsgBox "Total ticks = " & tEnd & CHR$(10) & _
         "Iterations = " & n & CHR$(10) & _
         "Iterations / tick = " & (n / tEnd) & CHR$(10) & _
         "ticks / Iteration = " & (tEnd / n) & CHR$(10) & _
         "Iterations / second = " & (n / tEnd * 1000)
  CrackIt = "Not Found:" & s
End Function
|
The revised code is much faster than the old while generating the passwords. I can now generate around 8300 passwords a second on a 3.19 GHz Pentium. Just comment out "LoadComponentFromURL" to see this speed.
The real speed killer, however, is attempting to load the document from the URL. I can only check approximately 16.8 passwords a second. If I really need to crack a document, I would need to use a different method for evaluating the password for a match. _________________ --
Andrew Pitonyak
http://www.pitonyak.org/oo.php |
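
The keyspace counts (k^n and k^1 + ... + k^n) and the passwords-per-second figures from the posts above, worked through as an added example that is not part of the thread. The function names, the 365.25-day year and the 1e9 guesses/s rate are assumptions made for this example.

```python
# Added example (not from the thread): keyspace size and exhaustion time
# for the alphabet sizes and guess rates quoted in the posts above.
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: 365.25-day year

# Passwords per second as reported in the thread.
THREAD_RATES = {
    "generate only (first macro)": 126,
    "generate only (revised macro)": 8300,
    "generate + loadComponentFromURL": 16.8,
}


def keyspace_exact(k, n):
    """Passwords of exactly n characters over k symbols: k^n."""
    return k ** n


def keyspace_up_to(k, n):
    """Passwords of 1..n characters: k^1 + ... + k^n, in closed form."""
    return n if k == 1 else (k ** (n + 1) - k) // (k - 1)


def years_to_exhaust(candidates, per_second):
    """Worst-case years to try every candidate at a fixed rate."""
    return candidates / per_second / SECONDS_PER_YEAR


def min_length(k, per_second, target_years, cap=64):
    """Shortest fixed length whose average search (half the keyspace)
    still takes at least target_years at the given guess rate."""
    for n in range(1, cap + 1):
        if years_to_exhaust(keyspace_exact(k, n), per_second) / 2 >= target_years:
            return n
    raise ValueError("no length up to cap meets the target")


def report(k, n):
    """(label, years) for each thread rate against the 1..n keyspace."""
    total = keyspace_up_to(k, n)
    return [(label, years_to_exhaust(total, r)) for label, r in THREAD_RATES.items()]


if __name__ == "__main__":
    for k in (62, 64):  # 62 = a-z, A-Z, 0-9; 64 as named in the thread
        print(f"k={k}: exact 8 = {keyspace_exact(k, 8):,}, 1..8 = {keyspace_up_to(k, 8):,}")
        for label, years in report(k, 8):
            print(f"  {label}: {years:,.0f} years")
    # 1e9 guesses/s is a hypothetical offline rate, not a figure from the thread.
    print("length for 100 years at 1e9/s, k=62:", min_length(62, 1e9, 100))
```
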
 |
avantman42 Super User

Joined: 28 Jul 2003 Posts: 751 Location: Staffordshire, UK
|
Posted: Tue Aug 23, 2005 7:38 am Post subject: |
|
|
| pitonyak wrote: | | I have no problems with a password cracker available on the internet. My feeling is that anyone who really wants one can (and will) write one. It is sort of like publishing a study against SHA1, which they can attack faster than before. |
I'm inclined to agree, although I'm happier now that I've got another opinion. Not publishing it smells of "security through obscurity". On the other hand, I was a bit worried about people claiming that OOoMacros was doing something bad & wrong by publishing something like that. On balance, I think I'll publish and be damned. I just need to clean the code up a bit first.
Russ |
 |
Dale Super User

Joined: 21 Feb 2005 Posts: 1440 Location: Australia
|
Posted: Tue Aug 23, 2005 3:27 pm Post subject: |
|
|
| avantman42 wrote: | | pitonyak wrote: | | I have no problems with a password cracker available on the internet. My feeling is that anyone who really wants one can (and will) write one. It is sort of like publishing a study against SHA1, which they can attack faster than before. |
I'm inclined to agree, although I'm happier now that I've got another opinion. Not publishing it smells of "security through obscurity". | FWIW you have a second concurrence with your opinion. Not making password crackers available is particularly ridiculous when others are selling them for reasonably big bucks (eg. http://www.atstake.com/products/lc/consultant.html ).
Also, if you figure out a crack someone else will in turn work out a better implementation and we all get more security. _________________ Dale
To err is human, but to destroy your slippers in the process takes a real son of a bitch: Me!
OOo documentation from the source
http://documentation.openoffice.org
Guides, FAQ, How Tos |