Ultra Excel 97 Password Cracker

Ultra Excel 97 Password Cracker v1.00 (c) 1999 Ivan Golubev =========================================================== Contents ======== Description Requirements Usage Template attack National languages support Performance Known bugs and limitations Future enhancements How to register Special thanks Technical support Where to get the latest version Description ----------- Ultra Excel 97 Password Cracker (or UE97PC) can be used to recover passwords for Microsoft Excel 97 files. Here is brief list of UE97PC advantages: - UE97PC is a 32-bit application for Windows 9x/NT4.0. - UE97PC has a user friendly GUI. - UE97PC supports three types of attack: "brute-force", dictionary based and a mix of "brute-force" and dictionary based, called a template attack. - UE97PC is a fast program. On a K6-2-300 system its performance is about 35 000 password tests per second. - UE97PC is customisable: you can set up the minimum and maximum password length, define the type of characters used in the password for a "brute-force" attack, and you can choose the method of modifying a test password from the dictionary file, for a "dictionary based" attack. - You can interrupt UE97PC at any time and save the current cracking status. - UE97PC shows you an estimate of the time remaining for a solution. - There is multi-lingual National language support, using simple text files. Requirements ------------ To run this program you need: - A computer with running Windows 95/98/NT. - About 100 kilobytes of free hard disk space. Usage ----- After starting UE97PC, select the Task menu, choose New, then select the Excel 97 file that you want to process. In the next dialog box select the attack type to be used. If you have selected the "brute-force" attack, in the next dialog box define the characters to use in the password search, and the minimum and maximum password length. Then press the "Go" button. If you have selected the "dictionary based" attack, in the next dialog box enter the dictionary name and choose how to modify passwords found in the dictionary file. Then press the "Go" button. The program automatically recognises the line delimiter used in the dictionary file. It may be DOS <CR/LF> or UNIX <LF> or just a <CR> delimiter. For the "template attack" see the description below. The program is now working. It shows the current status. You can see the current password being tested, the average passwords tested per second, and the estimated time to reach a solution. The status information is updating every 5 (by default) seconds. At any moment you can interrupt the cracking process by selecting the "Task\Stop" menu item. Also at any moment you can save the current cracking status by selecting the "Task\Save" menu item. By default, UE97PC will save the current cracking status in a file with an extension of .wpc, and with the same name as the Excel document file being processed. You can open this file later and continue the cracking process from the saved position. If you think that your system is not stable you can use the autosave function. Select "Options\Setup" and check "autosave every xx minutes". Note that if you start a new task with autosave "on" then you will be asked for the status filename when the autosave time comes (if you have not manually saved the status previously). Also you can change the time interval between status updates. However, we recommend that the update time interval be 5 or more seconds; if it is less than 5 seconds the speed of execution of the program will decrease by between 1% and 3%. If you think that UE97PC takes up too much space on the task bar you can select "Options\Setup\Minimize to tray". When (if) UE97PC find a password it stops working and displays the results. It shows the Excel document filename, the password for those files and the password length. Also UE97PC saves the password in a file with the extension .psw, into the same location as the Excel document. Template attack --------------- A "template attack" is a mix of "brute-force" and a dictionary-based attack. It can greatly assist in the finding of a password if you know something about the password. The main idea of a template attack is to subdivide the password using known information. Each part of a template may be either some character set with a minimum and maximum length, or some word from a dictionary file. To understand how to use a template attack let's take some examples: I. I remember that the password starts with two digits (but I don't remember them), then I used from 3 to 5 lower case letters and maybe I used a special character at the end. So I select template attack and describe the template as: +----------+--------------+------------------------------+ | Position | Repeat Count | Description | | | min | max | | +----------+-------+------+------------------------------+ | 1 | 2 | 2 | Digits (0123456789) | | 2 | 3 | 5 | Lower case letters (abc...)| | 3 | 0 | 1 | Special symbols (!#$...) | +----------+-------+------+------------------------------+ Using this template UE97PC starting to generate password from 00aaa, 00aab, 00aac, ..., 00baa, ..., 12adef$, ..., 21ivan$, ..., up to 99zzzzz~. This template will be processed much faster than a "brute-force" attack that uses character sets "digits" + "lower case letters" + "special symbols", and with a minimum length of 5 and a maximum length of 8. II. Ok, let's look at the standard keyboard layout: 1 2 3 4 5 6 7 8 9 0 - = \ q w e r t y u i o p [ ] a s d f g h j k l ; ' z x c v b n m , . / Consider the case where I remember that the password for a file is, for example, "golubev". Suppose I incorrectly typed the password, so that in fact "golubev" is incorrect. Then, given that word, I know which parts of the keyboard I originally pressed, (or I've watched how another person typed in a password :-)). Using that incorrect password I can create the following template: +----------+--------------+----------------------------+ | Position | Repeat Count | Description | | | min | max | | +----------+-------+------+----------------------------+ | 1 | 1 | 1 | rtyfghcvbn | | 2 | 1 | 1 | 890iopjkl; | | 3 | 1 | 1 | iopkl;m,./ | | 4 | 1 | 1 | 678yuighjk | | 5 | 1 | 1 | fghjvbn and space | | 6 | 1 | 1 | 234wersdf | | 7 | 1 | 1 | dfgcvb and space | +----------+-------+------+----------------------------+ Using this template UE97PC can find such passwords as "go;ubev" or "holubwv". III. Since I am smart enough not to password a file with only a simple word, I've used a more complex password, but I've forgotten that password! And, because I am so smart, the password cannot be recovered by a simple dictionary based attack (even using all available modifiers). However, I know that the password starts with from 2 to 3 digits, then I've used some simple word, and maybe I've used a special symbol at the end. So, first I create a dictionary file of the likely words that I may have used, (I don't know what word I've used but I try to anticipate it): ================================================================= ivan formula-1 f1 formula1 formula_1 password UE97PC computer ok ok computer radio head ================================================================= I have called this dictionary file mydict.txt. Secondly, I create the following template: +----------+--------------+-----------------