Posted to users@openoffice.apache.org by Klaus Muth <mu...@hagos.de> on 2014/03/08 07:46:06 UTC

Re: Need Help - Solved, got help

Quick update.

Since I was really interested in the password security of OpenOffice, Vanessa
did not have much trouble talking me into giving it a try. So I compiled an MPI
version of john and started it on my i7-2600 4-core 3.4GHz on 7 CPUs. John
chose to use the AVX extension (no fancy graphics card - so no NUMA or CUDA).

I had some info (language + max pw length) from Vanessa.

It took a total of 77h of CPU time in incremental mode (no hit in single shot
and dictionary mode) to get a 7 character all lower case password with this
setup.

I was able to send back an unencrypted 433-page book.

No, I'm not that interested - I won't do that a second time. I provided all
information needed to do it yourself.

On 06.03.2014 15:02, Klaus Muth wrote:
> Ok. Tried out. You need:
> 1. Encrypted OpenDocumentFormat File (i.e. your book)
> 2. John The Ripper from http://www.openwall.com/john/, I used
>    http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.bz2
> 3. A Linux System (There is a Windows binary too)
> 
> - Now Download john, then untar it:
>     tar xvfj john-1.7.9-jumbo-7.tar.bz2
> - compile it
>     cd john-1.7.9-jumbo-7/src
>     make clean linux-x86-64-native
> - test it
>     cd ../run
>     ./john --test
> - get password hash:
>     ./odf2john.py MyImportantCrypted.odt > passwd
> - crack password hash
>     ./john passwd
> 
> In my example it took john 17 seconds to realize that my password was
> actually 123456 - which is of course the most commonly used password ever and
> so one of the first tested options:
> 
>  ./john passwd
> Loaded 1 password hash (ODF SHA-1 Blowfish [32/64])
> 123456           (MyImportantCrypted.odt)
> guesses: 1  time: 0:00:00:17 DONE (Thu Mar  6 14:43:10 2014)  c/s: 1132
> trying: 123456
> 
> You might need some kind of Computer Nerd and some fast hardware to crack
> your ODF Password, but that might be easy to get compared to writing your
> book again.
> 
> Using passwords on the only original of a file is generally a bad idea - you
> use them to secure a copy you want to send by mail or on a stick.
> 
> 
> On 06.03.2014 13:11, Vanessa Silva wrote:
>> Hello,
>>
>> I’ve written a book, took me over 200 hours, saved it with OpenOffice Writer and made a password for it. Then I didn’t use the document in a while and now I forgot the password. Please help me, I need my book back! Can I send you the document per e-mail? Can you erase the password? Please, I beg you. I need it!
>>
>> I’ll wait for your answer.
>>
>> Vanessa Silva
>>
>> Sent from Windows Mail
>>
>
> Kind regards
>


Kind regards
-- 
Klaus Muth
HAGOS eG                   Industriestr. 62     fon:   (+49) 711 78805-7086
IT programming             70565  Stuttgart     fax: (+49) 711 78805-957035
http://www.hagos.de            Germany                 mailto:muth@hagos.de

HAGOS Verbund deutscher Kachelofen- und Luftheizungsbauerbetriebe eG
Registered office:         Stuttgart
Legal form:                Cooperative
Register court:            Stuttgart GnR 77
Executive board:           Guido Eichel, Ralf Tigges
Supervisory board chair:   Thomas Müller
VAT ID no.:                DE 147799748

-------------------------------------------
List Conduct Guidelines: http://openoffice.apache.org/list-conduct.html
To unsubscribe, e-mail: users-unsubscribe@openoffice.apache.org
For additional commands, e-mail: users-help@openoffice.apache.org


Re: Need Help - Solved, got help

Posted by Julian Thomas <jt...@jt-mj.net>.
On 8 Mar 2014, at 01:46, Klaus Muth <mu...@hagos.de> wrote:

>> 2. John The Ripper from http://www.openwall.com/john/, I used
>>   http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.bz2
>> 3. A Linux System (There is a Windows binary too)

Also an OSX version - jt (using a Mac)



Re: Need Help - Solved, got help

Posted by Klaus Muth <mu...@hagos.de>.
On 11.03.2014 22:02, Rob Weir wrote:

> Do you have a sense for what your average rate was, passwords/second,
> with your configuration?
Node 4 reported 921c/s

klaus



Re: Need Help - Solved, got help

Posted by Rob Weir <ro...@apache.org>.
On Sat, Mar 8, 2014 at 1:46 AM, Klaus Muth <mu...@hagos.de> wrote:
> Quick update.
>
> Since I was really interested in the password security of OpenOffice, Vanessa
> did not have much trouble talking me into giving it a try. So I compiled an MPI
> version of john and started it on my i7-2600 4-core 3.4GHz on 7 CPUs. John
> chose to use the AVX extension (no fancy graphics card - so no NUMA or CUDA).
>
> I had some info (language + max pw length) from Vanessa.
>
> It took a total of 77h of CPU time in incremental mode (no hit in single shot
> and dictionary mode) to get a 7 character all lower case password with this
> setup.
>

Thanks for the reminder of the importance of picking high-quality
passwords of sufficient length.   There is a reason why online
services like banks, Amazon, etc., require complex passwords.  Short,
simple ones easily fall to brute-force attacks.

Do you have a sense for what your average rate was, passwords/second,
with your configuration?

This page gives a rough estimate of how long it takes to crack a
password, depending on its complexity and length:

http://www.lockdown.co.uk/?pg=combi

As you can see, moving from a short alphabetic password to an
8-character-long one of mixed upper/lower/number/symbol is the difference
between a password that can be cracked in minutes versus millennia.  Of
course, quantum computers could someday change that all...

Regards,

-Rob


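The figures from this thread set against the search-space sizes discussed above, as an added example (not code from any poster or from John the Ripper). It assumes every MPI process ran at the 921 c/s reported for node 4 and that the 77h of CPU time is the sum over all processes; the function names are this example's own.

```python
import string

# Figures quoted in the thread.
RATE_PER_PROCESS = 921   # c/s reported for one MPI node
PROCESSES = 7            # "on 7 CPUs"
CPU_HOURS_SPENT = 77     # total CPU time until the password was found

# Alphabet sizes for common password policies.
CHARSETS = {
    "lower": len(string.ascii_lowercase),
    "lower+upper": len(string.ascii_letters),
    "lower+upper+digits": len(string.ascii_letters + string.digits),
    "printable ASCII": len(string.ascii_letters + string.digits
                           + string.punctuation),
}


def keyspace(alphabet_size, max_len, min_len=1):
    """Number of candidates of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(alphabet_size, max_len, rate):
    """Worst case: every candidate up to max_len is tried at `rate` c/s."""
    return keyspace(alphabet_size, max_len) / rate


def candidates_tested(cpu_hours, rate_per_process):
    """Guesses made in the given CPU time (assumes a uniform per-process rate)."""
    return cpu_hours * 3600 * rate_per_process


def fraction_searched(alphabet_size, max_len, cpu_hours, rate_per_process):
    """Share of the keyspace covered before the hit."""
    return (candidates_tested(cpu_hours, rate_per_process)
            / keyspace(alphabet_size, max_len))


def humanize(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


def report(max_len_values=(7, 8, 10, 12)):
    """Worst-case exhaustion time per policy at the thread's combined rate."""
    total_rate = RATE_PER_PROCESS * PROCESSES
    return [(name, n, humanize(seconds_to_exhaust(size, n, total_rate)))
            for name, size in CHARSETS.items()
            for n in max_len_values]


if __name__ == "__main__":
    share = fraction_searched(26, 7, CPU_HOURS_SPENT, RATE_PER_PROCESS)
    print(f"share of lowercase <=7 space searched before the hit: {share:.1%}")
    for name, n, eta in report():
        print(f"{name:20s} max length {n:2d}: {eta}")
```

Under these assumptions the hit came after roughly 3% of the lowercase space up to length 7, which fits incremental mode trying likelier candidates first. Worst-case exhaustion times therefore overstate how long a human-chosen password holds.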


Re: Need Help - Solved, got help

Posted by Klaus Muth <mu...@hagos.de>.
The cleartext password is revealed. The cracking process does not depend on
the ODF file size; the first step of cracking is extracting a password hash
from the ODF file.

On 08.03.2014 09:31, Rory O'Farrell wrote:
> On Sat, 08 Mar 2014 07:46:06 +0100
> Klaus Muth <mu...@hagos.de> wrote:
> 
>> Quick update.
>>
>> Since I was really interested in the password security of OpenOffice, Vanessa
>> did not have much trouble talking me into giving it a try. So I compiled an MPI
>> version of john and started it on my i7-2600 4-core 3.4GHz on 7 CPUs. John
>> chose to use the AVX extension (no fancy graphics card - so no NUMA or CUDA).
>>
>> I had some info (language + max pw length) from Vanessa.
>>
>> It took a total of 77h of CPU time in incremental mode (no hit in single shot
>> and dictionary mode) to get a 7 character all lower case password with this
>> setup.
>>
>> I was able to send back an unencrypted 433-page book.
>>
>> No, I'm not that interested - I won't do that a second time. I provided all
>> information needed to do it yourself.
> 
> Thank you for posting this information, Klaus. It gives an idea of the complexity of the task. Can you please supply some more information: does the decryption process merely decrypt the target file, or does it as well announce the password?
>
> I'm thinking of a theoretical situation, where a User has many encrypted files and has forgotten the only password. Would he need to decrypt them all individually, or could he choose to decrypt one (small, therefore hopefully fast) file and recover the password? This is purely a hypothetical question - I've long since learned never to encrypt a file!
> 


Re: Need Help - Solved, got help

Posted by Toki <to...@gmail.com>.
On 3/8/2014 12:31 AM, Rory O'Farrell wrote:

> or could he choose to decrypt one (small, therefore hopefully fast)
> file and recover the password?

File size is virtually irrelevant, when it comes to how fast the 
password can be determined.

I'm surprised it only took 77 hours of CPU time. OTOH, it was a very 
weak password.

There are a couple of firms that specialize in ODF password recovery,
using Beowulf clusters.

jonathon

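Why file size is irrelevant, as noted in the two replies above, shown as an added example (not code from the thread or from John the Ripper): the settings that fix the cost of checking one password guess sit in META-INF/manifest.xml, not in the document body. The manifest is constructed in the ODF 1.0/1.1 layout with dummy base64 values; the function names and the iteration floor are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
M = "{%s}" % MANIFEST_NS

# Constructed sample manifest; checksum, IV and salt are dummy values.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="{MANIFEST_NS}">
 <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:full-path="/"/>
 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml" manifest:size="4096">
  <manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="AAAAAAAAAAAAAAAAAAAAAAAAAAA=">
   <manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="AAAAAAAAAAA="/>
   <manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:iteration-count="1024" manifest:salt="AAAAAAAAAAAAAAAAAAAAAA=="/>
  </manifest:encryption-data>
 </manifest:file-entry>
</manifest:manifest>
"""


def build_package(payload_size):
    """Constructed .odt-like ZIP; content.xml is payload_size placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("META-INF/manifest.xml", SAMPLE_MANIFEST)
        z.writestr("content.xml", b"\x00" * payload_size)  # stands in for ciphertext
    return buf.getvalue()


def encryption_params(package_bytes):
    """Return {entry path: cipher/KDF settings} for every encrypted entry."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        # For untrusted files, parse with a hardened XML parser instead.
        root = ET.fromstring(z.read("META-INF/manifest.xml"))
    result = {}
    for entry in root.iter(M + "file-entry"):
        enc = entry.find(M + "encryption-data")
        if enc is None:
            continue  # entry is stored unencrypted
        alg = enc.find(M + "algorithm")
        kdf = enc.find(M + "key-derivation")
        if alg is None or kdf is None:
            raise ValueError("incomplete encryption-data element")
        result[entry.get(M + "full-path")] = {
            "cipher": alg.get(M + "algorithm-name"),
            "kdf": kdf.get(M + "key-derivation-name"),
            "iterations": int(kdf.get(M + "iteration-count")),
            "checksum_type": enc.get(M + "checksum-type"),
        }
    return result


def weak_kdf_entries(params, min_iterations=100_000):
    """Entries whose KDF iteration count is below the chosen floor."""
    return sorted(p for p, v in params.items() if v["iterations"] < min_iterations)


if __name__ == "__main__":
    for size in (1_000, 2_000_000):
        print(size, encryption_params(build_package(size)))
```

A package with a 1 kB body and one with a 2 MB body report identical parameters, so the work per guess is set by the key derivation and checksum settings alone.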


Re: Need Help - Solved, got help

Posted by Rory O'Farrell <of...@iol.ie>.
On Sat, 08 Mar 2014 07:46:06 +0100
Klaus Muth <mu...@hagos.de> wrote:

> Quick update.
> 
> Since I was really interested in the password security of OpenOffice, Vanessa
> did not have much trouble talking me into giving it a try. So I compiled an MPI
> version of john and started it on my i7-2600 4-core 3.4GHz on 7 CPUs. John
> chose to use the AVX extension (no fancy graphics card - so no NUMA or CUDA).
>
> I had some info (language + max pw length) from Vanessa.
>
> It took a total of 77h of CPU time in incremental mode (no hit in single shot
> and dictionary mode) to get a 7 character all lower case password with this
> setup.
>
> I was able to send back an unencrypted 433-page book.
> 
> No, I'm not that interested - I won't do that a second time. I provided all
> information needed to do it yourself.

Thank you for posting this information, Klaus. It gives an idea of the complexity of the task. Can you please supply some more information: does the decryption process merely decrypt the target file, or does it as well announce the password?

I'm thinking of a theoretical situation, where a User has many encrypted files and has forgotten the only password. Would he need to decrypt them all individually, or could he choose to decrypt one (small, therefore hopefully fast) file and recover the password? This is purely a hypothetical question - I've long since learned never to encrypt a file!



-- 
Rory O'Farrell <of...@iol.ie>
