
There was recently a question on SuperUser linking back to CybercrimeTech's article about cracking passwords, about zip files that use ZipCrypto and a password that is never found. I left an answer saying that my guess is that zip2john does not know how to accurately extract the hash from zip files using that particular algorithm.

In such a case, you can either 1) figure out the data structure and update zip2john (https://github.com/magnumripper/JohnTheRipper), or 2) use the same approach that we have used before with LUKS to attack the file directly from the command line.

Definitely, attempting to crack the hash is faster, but if you are stuck and don't have time to reverse engineer a new file type, this would *eventually* work for you.
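Before choosing between the two options, it helps to see which encryption scheme the archive's headers actually declare. The following is an added example, not code from the original article or from John the Ripper: it reads the general-purpose flag bits, the compression method, and the WinZip AES extra field (ID 0x9901) of each entry. The function names and the sample archives are hypothetical; the samples are constructed by patching header fields and their payload is not really encrypted.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901                     # WinZip AES extra-field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}       # strength byte -> key size
# Constructed AES extra field: id, size 7, AE-2, vendor "AE", strength 3, real method 8
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

def extra_fields(extra):
    """Yield (header_id, data) for each record in a zip extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        yield hid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size

def encryption_of(info):
    """Classify one zipfile.ZipInfo entry from its header fields only."""
    if not info.flag_bits & 0x1:          # bit 0: entry is encrypted
        return "none"
    if info.compress_type == 99:          # method 99: details are in the AES extra field
        for hid, data in extra_fields(info.extra):
            if hid == AES_EXTRA_ID and len(data) >= 7:
                return "WinZip AES-%d" % AES_BITS.get(data[4], 0)
    if info.flag_bits & 0x40:             # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "ZipCrypto"                    # traditional PKWARE encryption

def scan(zip_bytes):
    """Map each entry name to the encryption scheme its headers declare."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: encryption_of(i) for i in zf.infolist()}

def constructed_sample(flags, method=0, extra=b""):
    """Build a one-entry archive and patch its headers (constructed test data)."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("memo.txt")
    info.extra = extra
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed sample")
    raw = bytearray(buf.getvalue())
    cd = raw.index(b"PK\x01\x02")                         # central directory entry
    struct.pack_into("<HH", raw, 6, flags, method)        # local header: flags, method
    struct.pack_into("<HH", raw, cd + 8, flags, method)   # central header: flags, method
    return bytes(raw)

if __name__ == "__main__":
    for args in [(0x0,), (0x1,), (0x1, 99, AES_EXTRA)]:
        print(scan(constructed_sample(*args)))
```

For a real archive, pass its bytes to `scan()`, for example `scan(open("test.zip", "rb").read())`.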

See the code below as an example of having John generate the password then passing it to 7zip to try. This should work regardless of chosen encryption, unless you have to specify it when opening the archive. It is not clean, but it should be enough to illustrate.

    #!/bin/bash
    # Using john the ripper to brute-force a zip container
    startTime=$(date)
    if file "$1" | grep -q "Zip archive data"; then
        john -i --stdout | while read -r i; do   # this is john generating password to stdout
            echo -ne "\rtrying \"$i\" \r"
            # this is your zip command: extracted data goes to /dev/null, 7z messages stay visible
            7z -p"$i" -so e "$1" 2>&1 > /dev/null
            STATUS=$?                         # exit code of 7z: 0 means the password worked
            if [ $STATUS -eq 0 ]; then
                echo -e "\nPassword is: \"$i\""
                break                         # if successful, print the password and quit
            fi
        done
        echo "Start time $startTime"
        echo "End time $(date)"
    else
        echo "The file does not appear to be a zip file"
    fi

This approach should work when you are unable to extract the hash, but is much, much slower (not really practical for most applications). See the results below.

    trying "pmc"
    7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-1
    Processing archive: test.zip
    Extracting  Sample_memo.pdf     Data Error in encrypted file. Wrong password?
    **Sub items Errors: 1**
    trying "1234"
    7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
    Processing archive: test.zip
    Extracting  Sample_memo.pdf
    **Everything is Ok**
    Size:       60936
    Compressed: 51033
    Password is: "1234"
    Start time 2015. 01. 03. (토) 19:02:51 KST
    End time 2015. 01. 03. (토) 19:02:51 KST