Advanced Excel 2000 Password Recovery - AE2000PR



This program has been designed for recovering lost passwords for documents/files created in all versions of Microsoft Excel: password to open, password to modify, document protection password. Multilingual passwords can be recovered, too. Most of the passwords for Excel documents and files are not secure and can be recovered (or removed, or changed) instantly: all passwords for Excel 95 (and older: 4.0, 5.0, 6.0) files, and all passwords except the password to open for Excel 97/2000 files.

The program is compatible with all international (non-English) versions of MS Office. Write protection and workbook/worksheet protection passwords are recovered (or removed) instantly. However, “password to open” in Office 97/2000 is encrypted with a very strong algorithm and requires time-consuming brute-force or dictionary attacks; the success/recovery rate is about 80-85%, but if the password is long (8+ characters) and complex, it cannot be recovered at all (in a reasonable time). MS Office XP files are also supported, but “password to open” can be recovered only if “compatible” (with Office 95 or Office 97/2000) encryption has been used; for files protected using CSP (Cryptographic Service Provider) all passwords but “password to open” are supported.

Simply select the file you want to recover the password(s) for. Press the Load Excel document into the project button and select an appropriate file (or press the small arrow at the right to load a file you have been working with recently). The file format will be recognized automatically, with a corresponding message in the Status window; if the specified file format is not supported by AE2000PR, or the file is corrupted or in use by another application, an appropriate error message will be displayed. In most cases, the password will be decrypted instantly.

Requirements:

• Windows 95 (any version), Windows 98, Windows ME, Windows NT 4.0, Windows 2000 or Windows XP running on Pentium CPU
• 8 megabytes of RAM
• about 1,5 megabytes of hard disk space

When you assign the “open” password to your Excel 97/2000 document (so the user will have to enter it to open the file), Microsoft Office encrypts the document using a relatively complicated algorithm (without storing the password itself inside the file), so it is impossible to retrieve it at all. However, in most cases AE2000PR can recover the lost password using the brute-force and dictionary attacks. For the "brute-force" attack, you have to set up the password length (it is limited to 15 characters) and password range (which, by the way, can include national symbols).
Don’t expect to recover long (8+ characters) and complex passwords in a reasonable time, though. If the Excel 97/2000 document you've opened has been created on a machine with French regional settings, the password will be recovered instantly, i.e. without the brute-force – exactly as for documents created in older versions of Excel. The program simply displays the passwords in a message box, and also writes them to the log window.

If you need to recover the “open” password for an Excel 97/2000 document, you have to create a project first. The project file contains all information about the source file, selected options and character set. It is based on the Excel document file. When the program starts, it creates a new project automatically. You can also create a project by pressing the Create a new project button or selecting the Project > New menu item.

When the file is loaded, you can save your project -- all the changes you've made will be reflected in the project file; the name for the project is selected automatically based on the name of the file; if you want to give an alternative name – use Project | Save as... menu item. If you don't want to change the name, just use the Save project button or Project | Save menu item.

Brute-force or dictionary attack. Brute-force, Mask and Dictionary attacks are available. A brute-force attack will try all possible passwords in the specified range; if you remember a part of the password, you can use a brute-force with mask attack. A dictionary attack verifies the words stored in the specified dictionary file. The dictionary is just a text (ASCII) file with one word per line; the lines are separated with line breaks. A dictionary attack is faster, so we recommend running it first; only if it fails, perform a brute-force attack.

In Excel 97/2000 documents, passwords may contain the following characters: Latin letters (both small and capital), digits, special symbols (like @, #, $ etc.) and national language symbols. You can select these ranges separately, or define your own password range. To define your own range, check the box Custom charset, press the Custom charset… button, and enter all characters you think the password may consist of. You can load, save and insert your defined character sets, using the appropriate buttons in the User defined charset dialog.

The special characters are:
!@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

This option may help, for example, if you know the first character(s) of the password. For example, if you're sure that small letters have been used (from 'a' to 'z'), the length is 5, and the password definitely starts with 'k', then type 'kaaaa' here. Please also note that if you press the Stop button when AE2000PR is working, the program writes the current password to this window (Start from password). It can be used later to restart the program from the same point.

Please note that the program verifies the passwords according to the following character order:

• CAPITAL letters: 'A'..'Z'
• the space
• small letters: 'a'..'z'
• digits: '0'..'9'
• special characters: !@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

If you already know some characters in the password, you can specify the mask to decrease the total number of passwords to be verified. At the moment, you can set the mask only for fixed-length passwords, but doing this can still help.

For example, you know that the password contains 8 characters, starts with ‘x’, and ends with ‘99’; the other symbols are small or capital letters. So, the mask to be set is “x?????99”, and the charset has to be set to All caps and All small. With such options, the total number of the passwords that AE2000PR will try will be the same as if you’re working with 5-character passwords which don’t contain digits; it is much less than if the length were set to 8 and the All Printable option were selected. In the above example, the ‘?’ chars indicate the unknown symbols.

If you know that the password contains an occurrence of the mask character ‘?’, you can choose a different mask character to avoid having one character, ‘?’, represent both an unknown pattern position and a known character. In this case, you could change the mask symbol from ‘?’ to, for example, ‘#’ or ‘*’, and use a mask pattern of "x######?" (for mask symbol '#') or "x******?" (for mask symbol '*').

This is one of the most important options affecting checking time. You can check all 4-character (and shorter) passwords in a few minutes; but for longer passwords, you have to have patience and/or some knowledge about the password (including the character set which has been used, or even better – the mask).

The minimum length cannot be set to a value greater than maximum length, of course.

If the minimum and maximum lengths are not the same, the program tries the shorter passwords first. For example, if you set minimum=3 and maximum=7, the program will start from 3-character passwords, then try 4-character ones and so on -- up to 7. While AE2000PR is running, it shows the current password length, as well as the current password, average speed, elapsed and remaining time, and total and processed number of passwords (Program status). All of this information except average speed and elapsed time, which are global, is related only to the current length.

Simply select the desired dictionary file here. In that attack, the program will try all words from it as passwords for the selected document. It really helps when the password has some meaning, i.e. is a whole word. You can select the option Smart mutations or Try all possible upper/lower case combinations – it may really help if you're not sure about the case the password was typed in. For example, let's assume that the next word in the dictionary is «PASSword» (the case, actually, doesn't matter here). With the second option enabled, the program will just try all possible combinations, like:

password
passworD
passwoRd
passwoRD
passwOrd

PASSWORd
PASSWORD

However, checking all such combinations takes a lot of time: in the example above, the program will check 2^8 words (i.e. 256) instead of one. With smart mutations, you can eliminate a number of “virtually impossible” combinations, and here are all the words which will be checked:


PASSword (as is)
passWORD (reversed)
password (all lower case)
PASSWORD (all upper case)
Password (first uppercase, rest lowercase)
pASSWORD (first lower case, rest uppercase)
PaSSWoRD (elite: vowels in lc, others in uc)
pAsswOrd (noelite)
PaSsWoRd (alt/1)
pAsSwOrD (alt/2)
So, it makes only 10 combinations for each word.
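
The ten smart mutations above, written out as an added example (not AE2000PR's own code) and used as a password-audit check: it reports whether a chosen password is one of the ten variants of a dictionary word, only reachable through the all-case option, or neither. The vowel set, the function names and the three-word dictionary are assumptions made for the illustration.

```python
VOWELS = set("aeiou")  # assumption: the page does not say which letters count as vowels

def smart_mutations(word):
    """Return the ten case variants in the order the page lists them."""
    lower, upper = word.lower(), word.upper()
    elite = "".join(c.lower() if c.lower() in VOWELS else c.upper() for c in word)
    alt1 = "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(word))
    return [
        word,                            # as is
        word.swapcase(),                 # reversed
        lower,                           # all lower case
        upper,                           # all upper case
        lower[:1].upper() + lower[1:],   # first uppercase, rest lowercase
        upper[:1].lower() + upper[1:],   # first lower case, rest uppercase
        elite,                           # elite: vowels in lc, others in uc
        elite.swapcase(),                # noelite
        alt1,                            # alt/1
        alt1.swapcase(),                 # alt/2
    ]

def all_case_count(word):
    """Candidates tried per word by 'Try all possible upper/lower case combinations'."""
    return 2 ** sum(c.isalpha() for c in word)

def dictionary_exposure(password, words):
    """Classify how a dictionary attack would reach `password`.

    Returns ("smart", word) if it is one of the ten mutations,
    ("all-case", word) if only the exhaustive case option finds it,
    or (None, None) if no dictionary word matches.
    """
    for word in words:
        if password in smart_mutations(word):
            return ("smart", word)
    for word in words:
        if password.lower() == word.lower():
            return ("all-case", word)
    return (None, None)

WORDS = ["password", "excel", "budget"]  # constructed sample dictionary

if __name__ == "__main__":
    for candidate in ("PaSsWoRd", "paSSword", "xK7!pq"):
        print(candidate, dictionary_exposure(candidate, WORDS))
```
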

The Start line # option allows you to start an attack from a given line in the dictionary; if you interrupt the attack, the “current” line number will be written there (and saved to the project file, of course).

If you'd like AE2000PR to save its state periodically, please check the appropriate option, and select the time (in minutes) between saves. If you do that, AE2000PR will periodically update the project file – exactly as if you pressed the Save project button yourself. Even if your computer stops responding (or if power fails), you'll be able to resume breaking the password from the last saved state. Enabling this option is strongly recommended.

If you select the Minimize to tray option, the program will hide itself from the screen when minimized (so you will not see its button on the Windows toolbar), but a small icon will be created in the tray (near the system tray). Double-click it to restore.

By disabling the Prompt if project was changed option, you instruct AE2000PR not to display messages like "The project has been changed. Save?" when you've changed some options and then open another project or create a new one.

The Progress bar update interval option allows you to set how often the program will update the progress bar and display the password which is currently being verified. A higher value will give you slightly better speed; the recommended one is 500 (milliseconds). If the interval is set to 0, the progress bar will not be updated at all (but you will still be able to stop the process, of course, and resume from that point later).

The Log file option instructs the program to write all messages (the same as in the Status window) to the ae2000pr.log file – for future analysis.

Just press the Calculate button to get the speed of your computer on Excel 97/2000 “open” password recovery. Having that figure, you can estimate the time you’ll need to recover the password (by dividing the total number of passwords by that speed). The total number of passwords is just the number of characters in the selected character set raised to the power of the password length.
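
The estimate described above, together with the mask and "Start from password" cases from earlier sections, worked through as an added example (not part of AE2000PR). The speed of 100,000 passwords per second is an assumed figure, the function names are illustrative, and "All Printable" is assumed to mean all five ranges listed in the character order.

```python
import string

# Character ranges in the order the page says passwords are verified.
RANGES = {
    "caps": string.ascii_uppercase,
    "space": " ",
    "small": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()_+-=<>,./?[]{}~:;`'|\"\\",
}

def charset(*names):
    """Concatenate the named ranges, keeping the verification order."""
    return "".join(RANGES[name] for name in RANGES if name in names)

def keyspace(chars, min_len, max_len):
    """Candidates for every length from min_len to max_len inclusive."""
    return sum(len(chars) ** n for n in range(min_len, max_len + 1))

def mask_keyspace(mask, chars, mask_symbol="?"):
    """Only the unknown positions of a fixed-length mask multiply the count."""
    return len(chars) ** mask.count(mask_symbol)

def remaining_from(start, chars):
    """Candidates of len(start) still untested when resuming at `start`."""
    index = 0
    for ch in start:
        index = index * len(chars) + chars.index(ch)
    return len(chars) ** len(start) - index

def estimate(total, speed):
    """Human-readable time to test `total` candidates at `speed` per second."""
    seconds = total / speed
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    SPEED = 100_000  # assumed passwords/second; use the Calculate button's figure
    letters = charset("caps", "small")
    printable = charset("caps", "space", "small", "digits", "special")
    print("mask x?????99 :", estimate(mask_keyspace("x?????99", letters), SPEED))
    print("8 printable   :", estimate(keyspace(printable, 8, 8), SPEED))
    print("resume kaaaa  :", remaining_from("kaaaa", charset("small")))
```

At the assumed speed the masked search finishes in about an hour, while the unmasked 8-character search over all 95 characters takes on the order of two thousand years, which is why the page says long, complex passwords cannot be recovered in a reasonable time.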

The latest version of AE2000PR is always available from our web page at http://www.elcomsoft.com. Other password recovery products (for ZIP, ARJ, RAR and ACE archives; all Microsoft Office components and some other Microsoft software; Lotus Organizer, Lotus 1-2-3, Lotus ExcelPro, Lotus Approach; Symantec Act!, Borland/Corel Paradox, Intuit Quicken and QuickBooks, Mirabilis/AOL ICQ; Adobe Acrobat PDF, Adobe Acrobat eBooks) are available from our site at http://www.elcomsoft.com.

One really effective dictionary is included in the AE2000PR distribution: english.dic (about 250,000 words). Some other very good ones are available at:

here
and
here
and
here

