how to crack a PW in LO?

rost52 · October 15, 2012, 1:48pm

LO files can be protected with PWs when doing "save as".
Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the
MS related PW remover be used for LO as well?
Thanks in advance for comments.

Villeroy · October 15, 2012, 2:15pm

Am 15.10.2012 15:49, rost52 wrote:

LO files can be protected with PWs when doing "save as".
Fighting currently with an xls file and its lost PW, I wonder how LO files can be cracked? Can the
MS related PW remover be used for LO as well?
Thanks in advance for comments.

xls does not encript your document. The only thing that gets encrypted
is the password. Any old version of OpenOffice.org opens a password
"protected" xls ignoring the password.

Dr_R_O_Stapf · October 15, 2012, 2:29pm

Thanks for the information. It seems that my version of LO 3.5.6.2 is too young to ignore the PW of an xls file.

However, my question was how to open an LO file if the PW get forgotten (not and MS file)?
Hints are welcome for the future.

Villeroy · October 15, 2012, 2:35pm

Am 15.10.2012 16:30, Dr. R. O Stapf wrote:

However, my question was how to open an LO file if the PW get forgotten
(not and MS file)?
Hints are welcome for the future.

There is no way to open encrypted ODF other than a brute force script
working through a list of possible passwords.

Jean-Baptiste_Faure · October 15, 2012, 2:46pm

Buy a super-computer, launch a brute force algorithm and pray that the
password is a short word from the standard English vocabulary.

Best regards.
JBF

krackedpress · October 15, 2012, 4:30pm

For future reference, if you have to create a password protected document [for viewing or editing] make sure you use one that will not be forgotten or WRITE IT DOWN somewhere and save it in your filing cabinet.

At one computer center I worked, they taped the needed passwords on the back of the keyboard. You needed a door key to get into the place, so the passwords were protected, but that way all the personnel will be able to access the needed systems and not forget the needed passwords.

I use a list of about a dozen passwords. So if I forget which one I used, I just go down the "mental" list till I get the one I used for that application or document.

Tom_Davies · October 15, 2012, 5:07pm

Hi
I apply an algorithm to the name of whatever it is that i am doing and then apply a series of standard characters at set locations. The set of characters and their locations depends on which of 3 categories the thing fits into
1. Something i really don't want to have cracked, such as my bank, in which case i try to use the longest relevant 'name'
2. Something that it would be good not to get cracked but not really too fussed about
3. Something that i wouldn't care about sharing the password with pretty much anyone

LO and most of my work passwords fall into the 3rd. One at work falls into the 1st. So, i don't need to write anything down anywhere but do tend to lose track of which sites and stuff i do have passwords for and which i might need to register at. Usually i just try out the password i would use and if i don't get in then i try to register (or give up)
Regards from
Tom

Jean-Baptiste_Faure · October 15, 2012, 5:33pm

I tried that with a software named "password recovery" or something like
that. It failed to find a 6 characters password in 8 hours on a standard PC.

Best regards.
JBF

Tom_Davies · October 15, 2012, 6:33pm

Hi :)
The trick is to try to remember what you might have been thinking about at the time. If that's even possible for anyone!

There is no password cracking functionality or Extension for LO it's just the inept way MS fails to implement security. Just double-click on an xls or open LO and drop the xls into it or open LO and choose
File - Open
to navigate to and open the xls. File opens.

My company's finance department asked me to add something to one of their spreadsheets but 'forgot' to tell me the password. One of them rushed down to give me the password but was somewhat mortified to find i had already made the change without having the slightest idea that there even was a password. There was a very cofusing conversation where neither of us had a clue what the other was talking about until i figured it out.

The company still uses Excel and still attempts to 'protect' those spreadsheets with passwords that don't work. Occasionally people give me other files they want cracked which gives me a morale dilemma each time. Usually i just give a really half-hearted non-effort and then fob them off.
Regards from
Tom

Dr_R_O_Stapf · October 16, 2012, 12:24am

Thanks to all of you providing me with lots of hints on not to forget passwords or prepare in advance for it.
The SW I am using to crack an xls-file runs already for more than 60 h in the background. It's a nothing to loose only to win job. 6 or 8 digits alphanumeric no special characters is the PW used.

Thereafter I will make a test cracking an LO file.

The only thing which makes me wonder is that there are PW removing SW commercially availabe which run demos and claim within 10 - 30 sec they could remove the PW but open the xls file only when I purchase a full license.

Does someone has experience with such a SW?

Jean-Louis_Oneto · October 16, 2012, 12:40am

I used the following:
http://www.crackpdf.com/
but not the Pro version which allows to make brute force attack, but then, they warn you that it will take _a_long_time_ !!!
To remove simple protections, it was really fast, but they unlock the file without retrieving the password (or at least they don't display it)
Reards,
Jean-Louis

Dr_R_O_Stapf · October 16, 2012, 5:57am

Jean-Louis, thanks for the hint and link!

Tom_Davies · October 16, 2012, 8:15am

Hi
This is pitiful. OpenSource sometimes has a reputation of being where reformed hackers go when they grow up or when they want more kudos. Maybe the devs list might have ideas? It's just 1 password! It can't be this tough! Maybe that reputation is just more FUD after all!

Maybe try with Caps Lock off and then again with Caps Lock
on. For some reason it recently seemed to make a difference if Num
Lock was on, even when it was on i would have to switch it off and then
on again. I thought it was just me but it's happened to me on a few
different machines now and on all 3 OSes i commonly use. Hmm, it could still be me.

Regards from
Tom

pitonyak · October 16, 2012, 1:22pm

I wrote my own password cracker for OOo files, but as you found, they run for a very long time.

I did it just to see how well it would, or would not work. Unless you have a lot of time to kill (days, weeks, months, etc), you are much better off not forgetting your password.

Dr_R_O_Stapf · October 16, 2012, 1:29pm

you are perfectly right about this!!!

Viral_Orpe · October 16, 2012, 2:34pm

Hi Jay

That is an interesting idea - not to know your own password(s).
You definitely can't forget what you don't know.
Worth following that concept ......

One of my friends would set his sharable password to "iwonttell" ("I won't tell").
He then would keep fighting back and forth for sometime when somebody would request
him his password and get offended by the dramatic answer.

He would explain just before something broke down that the string he uttered is to be
taken as password and not as a meaningful statement!

regards,
- Viral Orpe

Dennis_E_Hamilton · October 16, 2012, 2:34pm

It is important to separate the use of passwords to set
protections from use of a password to encrypt the document.

Only "Save with Password" provides cryptographic security
of the document.

The "Save with Password" encryption is difficult to attack.
The password is usually the weakest point and the password
may fall to a variety of attacks that use pre-computed
dictionaries of SHA1 digests and other brute-force
techniques. It is also possible that an attack may break
the encryption without discovering the password itself.
All of these attacks are believed to required great effort.
In general, one should expect that a password used in
"Save with Password" is not discoverable unless it is
carelessly chosen or heavily reused.

The harder the password is to attack, the harder it is
to recover, of course.

In contrast, all of the protection settings are insecure.

The protections are trivial to remove. It can be done
by any knowledgeable user with a Zip utility and an XML
editor. It is not necessary to know the password to
remove the protection. However, all passwords used in
making protection settings should be considered compromised.
That is because the document stores an SHA1 or other unsalted
hash in "plain view" in the document. These hashes are
cracked with ease using conventional systems. A password
used to set a protection should not be used for any
more-private purpose. In particular, if the same passwords
are used for protections on unencrypted documents and for
saving with password (encryption), the encryption can be
broken directly using the SHA1 digest from the protection
setting.

Protection settings are on spreadsheet fields and sheets.
There are protection settings on text as well. The
protection against altering change-tracking and the
protection for keeping a document read-only are all of
this kind. The protection is useful for avoiding mistaken
alterations.

It is easy for all of these protections to be removed, the
document altered, and the protections restored with the
very same unlocking password without ever having to
know the password.

A digital signature can prevent the document from undetected
alterations, but that doesn't work for turnaround documents
where some alterations are meant to be allowed.

There is more explanation of the use and risk of protections,
and their removal, here:
<https://tools.oasis-open.org/version-control/svn/oic/Advisories/00009-ProtectionKeySafety/trunk/description.html>

A proposal for more-reliable security of protection passwords
(but not the protections themselves) is before the
OASIS ODF TC:
<https://www.oasis-open.org/committees/document.php?document_id=46220>.

- Dennis

Tom_Davies · October 16, 2012, 3:21pm

Hi
Brilliant!! Ahhh, just thought of a problem. Was it xls or xlsX? If it has an X at the end then just rename the file to replace .xlsx with .zip and then double-click on it.

Can the xml files be pulled into a new file without pulling the password along at the same time?
Regards from
Tom

Dennis_E_Hamilton · October 16, 2012, 3:37pm

Some protections are preserved in conversions between Office binaries and OpenOffice. But the protections in OOXML have digital hashes that are computed differently than those in ODF. They are not inter-convertible.

Since the implementations tend to drop those protections in either direction, there is an easy round-trip technique to over-ride protections (but not encryption). Of course, there may be other incompatibilities that can have the result be undesirable.

- Dennis

PS: To preserve the protection, you'd either have to recover the password and rehash, or ask the user for the password as part of the conversion so it could be rehashed. There are conceivable extensions in the implementation of ODF that could facilitate protection preservation, but it might not be worth the effort considering that the protections don't really protect anything [;<).

Dennis_E_Hamilton · October 16, 2012, 3:50pm

I don't understand the XML question.

In ODT and ODS, the protection keys are in the content.xml and settings.xml files. You can just delete the settings.xml to get rid of those protections (read-only and change-tracking). For the protection locks in the content.xml, you need to edit the xml. The web page on Safe Use of Protection sketches one approach at the end.

For OOXML (.xlsx), the structure of the files is more complicated and I have not done the work to figure out how to hunt down and defeat the protections there.

The simple approach is to simply try a cross-product transfer. Open the .xslx in LO; open the .ods in Microsoft Office.