55

I have some files I was given by my teacher at University, I could chase him up, but I may as well try getting blood from a stone, his response rate isn't great and I completed my degree a year ago!

They're pdf files stored inside password protected zip files. The passwords are networking related, have upper and lowercase and numbers, but no special characters as far as I remember, and some are permutations of each other "passwordL1", "l2Password" etc.

What are the different encryption algorithms employed by .zip files?

How can I determine the protection in use on my zip files?

Where can I find good papers and tools, which will ultimately give me back the pdfs which are annoyingly hidden by the password?

bluekeys

5 Answers

38

If you haven't already looked at it there's a couple of sources I'd recommend for this.

  • John the ripper with the community jumbo patch supports zip cracking. If you look at the supported modes there's some options (including the basic brute-force) for cracking zip passwords.

  • Elcomsoft have good zip crackers including guaranteed recovery under some circumstances

  • There are also some companies like this one who appear to have GPU accelerated zip cracking, which could speed things up depending on your hardware.

In terms of the approach it sounds like a dictionary based attack with mutation rules (so changing the dictionary with things like leet speak rules) would be the best bet, particularly if you've got the idea that the words would come from a specific domain. Straight brute-force would likely not be a good idea as it tends to top out around 8 characters (unless you're throwing a lot of CPU/GPU power at it).

Rory McCune
  • Because I kind of have an idea of what the passwords are, I'm thinking John the ripper, plus a custom dictionary could be just right. Thanks for taking the time to answer. – bluekeys Jan 28 '13 at 13:23
  • I just tried to download John the ripper, but Chrome blocked it saying that it was malicious. Anyone have any experience with this? – bornfromanegg Nov 18 '15 at 09:24
  • @bornfromanegg I've had malware checkers say that offensive security software (e.g. password crackers) is malware on some occasions. That said, a quick check on a couple of downloads of john didn't seem to show an issue in chrome for me... If you're worried about it, you could check the PGP signature on the file to make sure it's not been tampered with when you get it... – Rory McCune Nov 18 '15 at 09:53
18

You can also use this shell script.

Source: http://synacl.wordpress.com/2012/08/18/decrypting-a-zip-using-john-the-ripper/

#!/bin/bash
# Feed John the Ripper's rule-mangled wordlist candidates to unzip until one opens the archive.
echo "ZIP-JTR Decrypt Script"
if [ $# -ne 2 ]; then
    echo "Usage: $0 <zipfile> <wordlist>"
    exit 1
fi
unzip -l "$1"
# Read one candidate per line (not word-split) so passwords containing spaces stay intact;
# all arguments are quoted so file names with spaces work too.
john --wordlist="$2" --rules --stdout | while IFS= read -r i; do
    echo -ne "\rtrying \"$i\" "
    # unzip exits non-zero on a wrong password; -o overwrites any partial extraction
    if unzip -o -P "$i" "$1" >/dev/null 2>&1; then
        echo -e "\nArchive password is: \"$i\""
        break
    fi
done
sybind
9

There are different recovery suites available. Most of them implement these solutions:

  • Brute-force attack
  • Dictionary attack
  • Biham-Kocher attack (this attack is possible when you have part of the text)
  • Stay attack (also plaintext based)

Also this link (from which I got most of my information) suggests that if you used a recent winzip (which is suspected since you encrypted this last year), the encryption is AES with a 128 or 256 bit key. This means you can do nothing more but try a brute-force attack.

D.W.
Lucas Kauffman
  • I'm not sure what you're searching in Google. All I'm seeing is freeware / adware crap. Second link is to ubuntu fwcrackzip page. – bluekeys Jul 28 '12 at 19:00
  • I'll add it to my answer ;) – Lucas Kauffman Jul 28 '12 at 19:13
  • OK, but can you remove the whole "second link" and "I used tylerl's suggestion", I'm familiar with the whole Google concept and it makes me look lazy, I resent that :) It isn't the second link for me, in fact it's not even on the 2nd page! In fact, I asked the question here because of all the crap Google was pulling up! /rant – bluekeys Jul 28 '12 at 19:22
  • Yes I can, just for you :) – Lucas Kauffman Jul 28 '12 at 19:48
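The question also asks how to tell which protection a given zip actually uses. As an added example (not code from any of the answers above), this Python script reads the zip's central directory with only the standard library and reports, per entry, whether it is unencrypted, legacy ZipCrypto, or WinZip AES and at which key size; sample_zip() builds a constructed three-entry directory so the demo runs offline.

```python
import struct
# Signatures and ids from PKWARE APPNOTE / WinZip AE-x: compression method 99 marks an
# AES entry, and extra-field record 0x9901 carries its key size (1/2/3 = 128/192/256).
CD_SIG, EOCD_SIG, AES_METHOD, AES_EXTRA_ID = 0x02014b50, 0x06054b50, 99, 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def aes_strength(extra: bytes) -> str:
    """Walk the extra field and report the key size from the 0x9901 AES record."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and size >= 7:   # body: version(2) "AE"(2) strength(1) method(2)
            return AES_STRENGTH.get(extra[pos + 8], "AES (unknown strength)")
        pos += 4 + size
    return "AES (missing 0x9901 record)"

def zip_protection(data: bytes) -> dict:
    """Map each central-directory entry name to its protection scheme."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))   # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    result = {}
    for _ in range(count):
        if struct.unpack_from("<I", data, pos)[0] != CD_SIG:
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if not flags & 0x0001:                     # general-purpose bit 0: entry encrypted
            result[name] = "none"
        elif method == AES_METHOD:
            result[name] = aes_strength(extra)
        else:
            result[name] = "ZipCrypto"             # legacy PKZIP stream cipher
        pos += 46 + name_len + extra_len + comment_len
    return result

def cd_entry(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    # Constructed 46-byte central-directory header; sizes and CRC are zeroed.
    return struct.pack("<IHHHHHHIIIHHHHHII", CD_SIG, 20, 20, flags, method, 0, 0,
                       0, 0, 0, len(name), len(extra), 0, 0, 0, 0, 0) + name + extra

def sample_zip() -> bytes:
    # Constructed central directory + EOCD: one plain, one ZipCrypto, one AES-256 entry.
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    cd = (cd_entry(b"plain.pdf", 0, 8) + cd_entry(b"legacy.pdf", 1, 8)
          + cd_entry(b"modern.pdf", 1, AES_METHOD, aes_extra))
    return cd + struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 3, 3, len(cd), 0, 0)
```

On a real archive call zip_protection(open("file.zip", "rb").read()); a "ZipCrypto" result is the legacy scheme the plaintext attacks above apply to, while AES entries leave only password guessing.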
8

Just wanted to add another method using the fcrackzip CLI tool. It's in most Linux distro repos, such as Ubuntu and Fedora/CentOS. Using it is pretty straightforward:

$ fcrackzip -b -c a1:$% -l 1-6 -u myencrypted.zip

Options

  • -b - brute force
  • -c a1:$% - specifies the character sets to use
  • -l 1-6 - specifies the length of passwords to try
  • -u - unzip to weed out wrong passwords

Usage

$ fcrackzip --help

fcrackzip version 1.0, a fast/free zip password cracker
written by Marc Lehmann <pcg@goof.com> You can find more info on
http://www.goof.com/pcg/marc/

USAGE: fcrackzip
          [-b|--brute-force]            use brute force algorithm
          [-D|--dictionary]             use a dictionary
          [-B|--benchmark]              execute a small benchmark
          [-c|--charset characterset]   use characters from charset
          [-h|--help]                   show this message
          [--version]                   show the version of this program
          [-V|--validate]               sanity-check the algortihm
          [-v|--verbose]                be more verbose
          [-p|--init-password string]   use string as initial password/file
          [-l|--length min-max]         check password with length min to max
          [-u|--use-unzip]              use unzip to weed out wrong passwords
          [-m|--method num]             use method number "num" (see below)
          [-2|--modulo r/m]             only calculcate 1/m of the password
          file...                    the zipfiles to crack

methods compiled in (* = default):

 0: cpmask
 1: zip1
*2: zip2, USE_MULT_TAB
slm
  • By googling “fcrackzip multithread” you will get a template gist – SLCH000 May 04 '21 at 12:04
  • @SLCH000 is referring to this link: https://gist.github.com/shikendon/50879d10594bb8537d85e4b8e72fcf8c. It's also referenced on AU - https://askubuntu.com/questions/1112108/how-to-use-fcrackzip-on-multiple-cores. – slm May 05 '21 at 03:49
4

Password Breaker is a Windows software that simulates keyboard typing, theoretically allowing you to break into any password protected application. It also has native support for Zip files which doesn't rely on typing simulation. Both of these methods support Dictionary & Brute Force Attacks.

Also, we have released a web application that supports recovery of passwords from file formats such as Zip, PDF, Excel & Word.

You can utilize the block & charset functionality of the brute force engine to drastically reduce the no. of combinations by selecting only the characters you need. The blocks can be used to make the parts of the password fixed or permute differently from the rest.

Disclaimer: I work for Maxotek who built these.

Partho