Author Archive

Breaking Passwords in the Cloud: Using Amazon P2 Instances

Tuesday, August 1st, 2017

Cloud services such as Amazon EC2 can quickly deliver additional computing power on demand. Amazon’s recent introduction of the a type of EC2 Compute Units made this proposition much more attractive than ever before. With Elcomsoft Distributed Password Recovery now supporting Amazon’s new P2 instances, each with up to 16 GPU units, users can get as much speed as they need the moment they need. In this article, we’ll discuss the benefits of using cloud compute units for password recovery, and provide a step-by-step guide on how to add virtual instances to Elcomsoft Distributed Password Recovery. (more…)

ElcomSoft Breaks Into MS Office 2013

Wednesday, September 26th, 2012

ElcomSoft has recently updated two products recovering Microsoft Office passwords with Office 2013 support. Elcomsoft Advanced Office Password Recovery and Elcomsoft Distributed Password Recovery received the ability to recover plain-text passwords used to encrypt documents in Microsoft Office 2013 format. Initially, we are releasing a CPU-only implementation, with support for additional hardware accelerators such as ATI and NVIDIA video cards scheduled for a later date.

Stronger Protection

In version 2013, Microsoft used an even tighter encryption compared to the already strong Office 2010. To further strengthen the protection, Microsoft replaced SHA1 algorithm used for calculating hash values with a stronger and slower SHA512. In addition, the encryption key is now 256 bits long, while the previous versions of Microsoft Office were using ‘only’ 128 bits. While the length of the encryption key has no direct effect on the speed of password recovery, the slower and stronger hash calculation algorithm does. It’s obvious that Microsoft is dedicated to making subsequent Office releases more and more secure.

No Brute Force

While we continue supporting brute force attacks, brute force becomes less and less efficient with every new release of Microsoft Office even with full-blown hardware acceleration in place. Office 2013 sets a new standard in document encryption, pretty much taking brute force out of the question. This is why we continue relying on a variety of smart attacks that include a combination of dictionary attacks, masks and advanced permutations. Brute-forcing SHA512 hashes with 256-bit encryption key is a dead end. Smart password attacks are pretty much the only way to go with Office 2013.

Breaking Apple iWork Passwords

Thursday, February 9th, 2012

Apple iWork, an inexpensive office productivity suite for the Mac and iOS platforms, has been around since 2005 and 2011 respectively. The iWork suite consists of three apps: Numbers, Pages, and Keynotes, and gained quite some popularity among Apple followers. Yet, for all this time, no one came out with a feasible password recovery solution for the iWork document format.

The reason for the lack of a password recovery solution for the iWork format is extremely slow recovery speed. This owes to Apple’s implementation of encryption: the company used an industry-standard AES algorithm with strong, 128-bit keys. Brute-forcing a 128-bit number on today’s hardware remains impossible. The original, plain-text password has to be recovered in order to decrypt protected iWork documents.

However, recovering that plain-text password is also very slow. Apple used the PBKDF2 algorithm to derive an encryption key from plain-text passwords, with some 4000 iterations of a hash function (SHA1). While it takes only a hundredth of a second to verify a single password, an attack would be speed-limited to about 500 passwords per second on today’s top hardware. This is extremely slow considering the number of possible password combinations.

Distributed Attacks

When starting considering the addition of Apple iWork to the list of supported products, we quickly recognized the speed bottleneck. With as slow a recovery, a distributed attack on the password would be the only feasible one. Indeed, using multiple computers connected to a large cluster gives us more speed, breaking the barrier of unreasonable and promising realistic recovery timeframe. Brute-forcing is still not a good option, but ElcomSoft’s advanced dictionary attack with customizable masks and configurable permutations is very feasible if we consider one thing: the human factor.

The Human Factor

Let’s look at the product one more time. Apple iWork is sold to mobile users for $9.99. Mac customers can purchase the suite for $79. These price points clearly suggest that Apple is targeting the consumer market, not government agencies and not corporations with established security policies enforcing the use of long, complex, strong passwords.

Multiple researches confirm it’s a given fact that most people, if not enforced by a security policy, will choose simple, easy to remember passwords such as ‘abc’, ‘password1’ or their dog’s name. In addition, it’s in the human nature to reduce the number of things to remember. Humans are likely to re-use their passwords, with little or no variation, in various places: their instant messenger accounts, Web and email accounts, social networks and other places from which a password can be easily retrieved.

Considering all this, 500 passwords per second doesn’t sound that bad anymore. Which brings us to the announcement: Elcomsoft Distributed Password Recovery now supports Apple iWork, becoming an industry-first tool and the only product so far to recover passwords for Numbers, Pages and Keynotes apps. It’s the human factor and advanced dictionary attacks that help it recover a significant share of iWork passwords in reasonable time.

Read the official press-release on Elcomsoft Distributed Password Recovery recovering Apple iWork passwords.

Need to protect your VBA macro ? Simply damage the file !

Thursday, October 8th, 2009

One of our customers sent me two Excel XLA add-ins. When I tried to open that file in the VBA Editor — the "Project is locked" message appeared. Add-in has been already unlocked by our VBA password recovery tool. According to Microsoft article this message may appear in two cases: when the macro is protected by password or when it is digitally signed. I analysed the macro password record and found that the password is empty. MS Excel also showed me that macro have no any digital signatures. Then I looked into protection record with more attention and for example found that:

"[Host Extender Info]" string is replaced to "[Host Extender 1nfo]".

There were some additional similar changes and finally I found that the macro has damaged digital signature record. It’s ignored when macro is running but when we try to open the macro to view — Excel shows the error.

Microsoft has very weak VBA macro protection. That’s why developers are searching for non-standard protection methods. It’s not simple to reconstruct a damaged macro and it may require a lot of time.

If your macro cannot be opened by our password recovery programs — the most probable reason is custom protection that damages some technical records. I cannot say that it’s a good protection. New versions of MS Office may not work correctly with damaged files.

Advanced Office Password Recovery: customizing the preliminary attack

Tuesday, August 4th, 2009

 Every time when you open a document in Advanced Office Password Recovery it performs the preliminary attack in case when the "file open" password is set. This attack tries all passwords that you recovered in past (which are stored in password cache), dictionary attack and finally the brute-force attack is running.

The brute-force attack consists of two parts:

1. Trying digits and latin letters
2. Trying national characters depending on code page set in Windows.

Before this time these parts were hardcoded in the program. The new version of Advanced Office Password Recovery has an option to customize the preliminary brute-force attack. 

Look to the directory where AOPR is installed. There is "attacks.xml" file inside. The first section of this file is the language map:

The codes are Windows language identifiers. You can link any LID to your custom name.

The next section contains predefined charsets:

All charsets are in unicode so you can define any national characters here.

And the final section is "documents". All parts of this section has comments about document types. You can define the "common" charsets and charsets that are related to system language. Each "attack" record defines password length and charset.

In this XML file you can simply change the standard preliminary attack and define the custom charsets for your language. I hope this will help to recover your Office passwords faster.

Office 2010: two times more secure

Tuesday, July 28th, 2009

We are waiting for release of new Microsoft office suite – Office 2010. Right now Microsoft has only technical preview of new Office; this preview has been leaked from Microsoft and everyone can download it with the help of torrent trackers. We’ve got a copy of Office 2010 and analysed its (new) password protection.

Starting from Office 2007, Microsoft used password protection system called ECMA-376, developed by ECMA International. This standard is open and everyone can write ECMA-376 based protection which will be accepted by Microsoft Office. The standard allows to select hash and encryption algorithms as well as the number of hash rounds (up to 10 millions is allowed).

In Office 2007, ECMA-376 with SHA-1 hash and AES-128 encryption is implemented. The number of hash rounds is 50000 that makes password recovery really difficult and slow. Office 2010 also uses SHA-1 and AES-128, but the number of hash rounds is now 100000. Therefore password recovery for new Office files will be two times slower.

Here is a diagram of password recovery speed for Office 2007:

To get a speed for Office 2010, simply divide these values to 2. We’ll get about 175 pps on Core2 6600 and about 8750 pps on Tesla S1070.

Why don’t increase the number of hash rounds to 10 millions ? Security is really important but it always affects usability. The hash is calculating to verify a password and when each document block is decrypted. If we add hash rounds – the document decryption time is increased. If a document is opening in MS Office during one hour – its unacceptable despite of high security.

Anyway – Office 2010 documents will be more secure than Office 2007 ones. And the new encryption has backward compatibility – all Office 2010 documents can be opened in Office 2007.