5

I recently recovered a zip archive with some files I need access to, but I can't remember the password. All I can remember is that the password was short (around 3-4 characters) and contained only lowercase characters and possibly numbers. However, there is no Incremental mode for this particular situation in John the Ripper. The closest there is is lanman, which also increases the set of possible passwords dramatically by including uppercase chars, which I'm positive the password includes none of.

Although I can edit the john.conf file so that a specific mode goes only to 4 characters, for instance, I don't know how to customize the set of characters to try. How could I do this?

andrepd
  • 1
    I think with 3-4 characters you could probably run the attack with Uppercase enabled and still be reasonably confident in getting a result. It's not quite as dramatic as you think and I'm fairly confident you'll get a result back in reasonable time. – RoraΖ Aug 25 '14 at 19:45
  • It's $ratio_of_#characters^length_of_password$. Something like 16x decrease on a 4 char password and 256x on a 8 char password, so not completely negligible. – andrepd Aug 25 '14 at 19:49
  • have you tried running it? – RoraΖ Aug 25 '14 at 19:52
  • I remember doing this yeeeeeaaaars ago with a very simple Turbo Pascal program I wrote that called unzip with each possible password. Maybe that's an option, just add some logging and the next morning you have your hit. –  Aug 25 '14 at 20:50

3 Answers

5

lowercase + numbers

Incremental actually has a predefined mode for lowercase + numbers:

```
[Incremental:LowerNum]
File = $JOHN/lowernum.chr
MinLen = 1
MaxLen = 13
CharCount = 36
```

From the documentation:

"LowerNum" (lowercase letters plus digits, for 36 total)

Just adjust MinLen and MaxLen.

Create new incremental mode with certain characters

If you want to create your own chr file with a customized set of characters, you would do it like this:

```
john --pot=YOUR.pot --make-charset=YOUR_NEW_FILE.chr --external=filter_lowernum
```

filter_lowernum is the filter which determines what characters will be in your chr file. It is defined in your john.conf (under [List.External:Filter_LowerNum]), and you can create your own filters there as well. The code for LowerNum looks like this:

```
[List.External:Filter_LowerNum]
void filter()
{
    int i, c;

    i = 0;
    while (c = word[i++])
        if (((c < 'a' || c > 'z') && (c < '0' || c > '9')) || i > 13) {
            word = 0; return;
        }
}
```

Then just add the incremental filter to your config.

tim
  • Lowernum exists only on 1.8.0, that does not crack zip passwords. On 1.7.9-jumbo, which cracks zip passwords, there is no predefined Lowernum mode, nor a lowernum.chr. Using the 1.8.0 lowernum.chr, available on their website, throws an error. Running your code to generate my own chr file (after copying filter_lowernum from the 1.8.0 to the 1.7.9-jumbo john.conf) throws "Loaded 0 plaintexts, exiting..." I have no idea what to do now... – andrepd Aug 25 '14 at 22:49
  • 1
    @andrepd do you have a `.pot` file (which contains all the characters that you want)? if not, this will not work. In that case, either create a `.pot` file from a wordlist or similar, or use `john --make-charset=YOUR_NEW_FILE.chr --external=filter_lowernum YOUR_WORDLIST` (the wordlist should at least contain all the characters you want once) – tim Aug 25 '14 at 22:58
  • I followed your instructions and still get the "Loaded 0 plaintexts, exiting..." message. The only `.pot` file I have is `john.pot`, which contains some passwords that it guessed after 5mins running the `lanman` incremental, and the respective hashes. I then tried editing `john.pot` so that instead of the passwords it found, it is filled with `[a..z] [0..9]`. It now loads 9 plaintexts, and finishes with `Successfully written charset file: lowernum.chr (33 characters)`. It apparently worked, but why 33 chars? 26+10=36 at least, and I threw in `.` and `_` as well. – andrepd Aug 26 '14 at 00:24
  • @andrepd well, `.` and `_` will be filtered out. And you probably are missing three characters in your `.pot` file? how does it look? – tim Aug 26 '14 at 08:50
  • Apparently I had made a typo, it all works well now. I ran incremental with this mode and it finished in 20 minutes. Thanks for the helpful answers. – andrepd Aug 26 '14 at 13:59
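
The point from the comments above (a generated charset only contains characters from seed plaintexts that survive the filter), as an added example that is not part of the original answer or of John the Ripper: a Python model of the `Filter_LowerNum` logic that reports which of the 36 characters a seed list fails to cover. The function names and seed words are constructed for illustration.

```python
import string

# Character set accepted by Filter_LowerNum: lowercase letters plus digits (36 total)
LOWERNUM = set(string.ascii_lowercase + string.digits)
MAX_LEN = 13  # the filter rejects anything longer than 13 characters


def filter_lowernum(word):
    """Model of the filter: True if the WHOLE word is kept, False if it is rejected."""
    return len(word) <= MAX_LEN and all(c in LOWERNUM for c in word)


def charset_coverage(seed_words):
    """Return (kept_words, seen_chars, missing_chars) for a list of seed plaintexts."""
    kept = [w for w in seed_words if w and filter_lowernum(w)]
    seen = set("".join(kept))
    missing = sorted(LOWERNUM - seen)
    return kept, seen, missing


# Constructed seed plaintexts (not from the original thread). The fourth line
# mixes valid characters with '.' and '_', so the filter drops the whole line
# and its 'x', 'y', 'z' never reach the charset.
SAMPLE_SEEDS = [
    "abcdefghijklm",
    "nopqrstuvw",
    "0123456789",
    "xyz._",
]

if __name__ == "__main__":
    kept, seen, missing = charset_coverage(SAMPLE_SEEDS)
    print("seed words kept by the filter:", len(kept))
    print("characters that would reach the charset:", len(seen))
    print("missing from the 36-character set:", "".join(missing))
```

Running it over the real seed list before `--make-charset` shows whether any of the 36 characters is absent, which would leave the resulting `.chr` file short.
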
4

You can run the following Python code to do this:

```python
import itertools
import string
import sys
import zipfile


def extractFile(zFile, password):
    """Try one candidate password; return True if extraction succeeds."""
    try:
        # zipfile expects the password as bytes in Python 3
        zFile.extractall(pwd=password.encode())
        print('\nFound password:', password)
        return True
    except Exception:
        # Wrong password (RuntimeError) or a failed decrypt (bad CRC / zlib error)
        return False


def main(ifile):
    zFile = zipfile.ZipFile(ifile)
    # Lowercase letters and digits only: 36 characters
    pass_str = string.ascii_lowercase + string.digits
    for pass_len in range(1, 5):
        # product() allows repeated characters (e.g. "aaaa"); permutations() would skip them
        for candidate in itertools.product(pass_str, repeat=pass_len):
            password = ''.join(candidate)
            sys.stdout.write("\r checking .. %s" % password)
            sys.stdout.flush()
            if extractFile(zFile, password):
                sys.exit()


if __name__ == '__main__':
    try:
        ifile = sys.argv[1]
    except IndexError:
        print("please run like 'python python-file-name.py zip-file-name.zip'")
        sys.exit()
    main(ifile)
```

This program doesn't need any external library. It's pure Python. Just run it like:

```
python python-file-name.py zip-file-name.zip
```

open source guy
  • Yeah but I'm trying to save time by testing only lowercase and digits. If I run a python script instead of the highly optimized jtr I will end up not saving any time at all. – andrepd Aug 26 '14 at 14:00
  • @andrepd this is a customised script for you. It uses only lower case and digits. You can brute force within 10 min using this. It will check from a,b,c....9,...aaaa,...aaa9,...zzzz,......zz99....9999 – open source guy Aug 26 '14 at 15:51
0

Using John the Ripper (JtR), you could find your Zipped file's password with these commands:

```
zip2john.exe example.zip > hash.txt
john.exe --incremental=LowerNum hash.txt
```