John the Ripper: Crack ZipCrypto password

If the password is 1234, then John should find it relatively quickly.

I just tried your hash with JtR, and I am not finding anything. If you are using ZipCrypto, I am guessing zip2john does not understand how the password hash is being stored. You can either attempt to find the hash and update zip2john, or try to attack the zip file directly.

See the code below as an example of having John generate the password then passing it to 7zip to try. This should work regardless of chosen encryption, unless you have to specify it when opening the archive. It is not clean, but it should be enough to illustrate.

#!/bin/bash
# Using John the Ripper to brute-force a zip container
startTime=$(date)
# grep -q sets the exit status; the old [ $(... grep -c ...) ] test was always true
if file "$1" | grep -q "Zip archive data"; then
    # this is john generating passwords to stdout, one candidate per line
    john -i --stdout | while IFS= read -r i; do
        printf '\rtrying "%s" \r' "$i"
        # this is your zip command: -so writes the extracted data to stdout,
        # which is discarded; stderr is sent to the script's stdout
        7z -p"$i" -so e "$1" 2>&1 >/dev/null
        STATUS=$?
        if [ "$STATUS" -eq 0 ]; then
            printf '\nPassword is: "%s"\n' "$i"
            break                         # if successful, print the password and quit
        fi
    done
    echo "Start time $startTime"
    echo "End time $(date)"
else
    echo "The file does not appear to be a zip file"
fi

This approach should work when you are unable to extract the hash, but is much, much slower (not really practical for most applications). See the results below.

...
trying "pmc" 
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-1
Processing archive: test.zip
Extracting  Sample_memo.pdf     Data Error in encrypted file. Wrong password?
**Sub items Errors: 1**

trying "1234" 
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
Processing archive: test.zip
Extracting  Sample_memo.pdf
**Everything is Ok**
Size:       60936
Compressed: 51033

Password is: "1234"
Start time 2015. 01. 03. (토) 19:02:51 KST
End time 2015. 01. 03. (토) 19:02:51 KST
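
Added example, not part of the original answer: a Python implementation of the traditional PKWARE (ZipCrypto) password check, showing that the 12-byte encryption header confirms a password through a single check byte, so a candidate that passes it still has to be confirmed against the CRC-32 of the decrypted data. The entry is constructed in memory with stored (uncompressed) data and the password 1234 from the question; the function and class names are hypothetical.

```python
import zlib

# CRC-32 table (polynomial 0xEDB88320) used by the ZipCrypto key schedule.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)

class ZipCrypto:
    """Traditional PKWARE (ZipCrypto) stream cipher state for one password."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain):
        self.k0 = TABLE[(self.k0 ^ plain) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def crypt(self, data, encrypt):
        out = bytearray()
        for b in data:
            t = (self.k2 | 2) & 0xFFFF
            x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)   # XOR with keystream byte
            self._update(b if encrypt else x)        # keys always track plaintext
            out.append(x)
        return bytes(out)

def make_entry(password, payload):
    # Constructed sample entry: 12-byte encryption header + stored (uncompressed) data.
    crc = zlib.crc32(payload)
    header = bytes(range(1, 12)) + bytes([crc >> 24])  # 11 filler bytes + check byte
    return ZipCrypto(password).crypt(header + payload, True), crc

def header_ok(pw, blob, crc):
    # Cheap check: only the last decrypted header byte is compared.
    return ZipCrypto(pw).crypt(blob[:12], False)[11] == crc >> 24

def crc_ok(pw, blob, crc):
    # Full check: decrypt the data and compare the CRC-32 of the plaintext.
    return zlib.crc32(ZipCrypto(pw).crypt(blob, False)[12:]) == crc

def survivors():
    blob, crc = make_entry(b"1234", b"constructed sample memo " * 4)
    stage1 = [p for p in (b"%04d" % n for n in range(10000)) if header_ok(p, blob, crc)]
    return stage1, [p for p in stage1 if crc_ok(p, blob, crc)]
```

Of the 10,000 four-digit candidates, roughly 1 in 256 passes the header check byte by chance, while only the real password also matches the CRC-32.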
Author by

JakeRoberts

Updated on September 18, 2022

Comments

  • JakeRoberts
    JakeRoberts over 1 year

    I made a password-protected zip file with 7zip, using the ZipCrypto algorithm. I set the password to 1234.
    I am using john-1.7.9-jumbo-7. I followed this manual: http://www.cybercrimetech.com/2014/07/how-to-cracking-zip-and-rar-protected.html All seems good, but somehow it doesn't crack the password.

    Made my own password list, containing three lines:

    hello
    1234
    moohaa
    

    No luck.
    When I use AES-256 john cracks the password, no problem.

    If I just use unzip:

    $ unzip test.zip 
    Archive:  test.zip
        creating: test/
        creating: test/Perl64/
        creating: test/Perl64/bin/
    [test.zip] test/Perl64/bin/a2p.exe password:
    

    When I enter 1234, it works perfectly.

    Does anybody have an idea what I'm doing wrong?

    Here are my steps: Working dir: /install/john-1.7.9-jumbo-7/run (just after successful compilation)

    run $ ./zip2john test.zip > test.zip.hashes
    run $ cat test.zip.hashes 
    test.zip:$pkzip$3*1*1*5*0*83*61e5*9a86da2553753dc102b07f0386675aa8c3ed0f25ee9dc0c0dd385639ded7a43051da28bd09b3c2b80f0bdaab0738c50d458c0e00d2eb0997a54bc6128d54c12f1212d865a240b14dcf68e64f4c1765d20314f1ef7b10db3c901a58e3bebd2841cd39a4bbfd09c4d8febab6101cb93c631d39216083e3be16fcefa3c5cb760b39da6568*1*2*8*c0*10c1*f656f9947fdb2ba2339f4c6a2b12479b87338da5fdd9c1c8820d9b0551720a9ff842a0d45bab6a985a59447d975994b1d353c69e937c1a4aac0fa4095bcbc8c73b363bbfe5b7b66ee078ea0a5b713472202e9ef3958bd6198b5a8b3636e0ea38d541ac40441ad0cf429b0e531d6f7b53edd9f1ffed94332ad4cb10ea5a8c7e373ab8be7a8541024ef327211c698cf0548d1c14fe5ae45698413323153e57332e0f304a3dcf66b0181b6f4d5177ed3f6c189377f9d3a4c4f104c3e118c7551403*2*0*2f*23*33d86f80*23638a*37*0*2f*33d8*0f00cdb657782dbf8b10befb485b3d0ccdf366c10bc511c171889055d1bced5f38ce8b423198ea70a67a1a84466667*$/pkzip$
    run $ rm john.rec john.pot
    run $ ./john test.zip.hashes
    Loaded 1 password hash (PKZIP [32/64])
    guesses: 0  time: 0:00:00:10 0.00% (3)  c/s: 3415K  trying: cd4640 - cd46a1