Crack-zip-password-protected

From aldeid
Jump to navigation Jump to search

Description

This tutorial teaches some methods to crack zip password protected archives.

Brute force

Let's use zip2john to extract the password hashes first:

$ /data/src/john-1.9.0-jumbo-1/run/zip2john Evelyn\ Davis.zip > evelyn.hashes
ver 2.0 efh 5455 efh 7875 Evelyn Davis.zip/Evelyn Davis.vcf PKZIP Encr: 2b chk, TS_chk, cmplen=137, decmplen=155, crc=133F127D
ver 2.0 efh 5455 efh 7875 Evelyn Davis.zip/signature.png PKZIP Encr: 2b chk, TS_chk, cmplen=23743, decmplen=27018, crc=87E609B9
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

It results in the below file:

$ cat evelyn.hashes 
Evelyn Davis.zip:$pkzip2$2*2*1*0*8*24*87e6*92fc*fc2c41155ff6b3c6d3cc89249bcd9b6b113c3574456807b8c3f0f5938a8e3c097e039f49*2*0*89*9b*133f127d*0*4a*8*89*133f*926d*f299079bdc49a88f5ec5927d1919241863552513893ab3c058c7a1edc7b482a86ada9ee13b99de8bd0ed5c0c660ed08d1c76944275c86a05b04fb4423293f2efb1816b4d65f64626bd69eb610aa4ea97bacc6494f11fa6615d6598716b11135cbdcb0212298ef47d708f7ffb0715c2b342f897d691c3da89bffe18733758ba16fcbe59a03040669c93*$/pkzip2$::Evelyn Davis.zip:Evelyn Davis.vcf, signature.png:Evelyn Davis.zip

Now, let's use John the Ripper to brute force a password

$ /data/src/john-1.9.0-jumbo-1/run/john evelyn.hashes 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/data/src/john-1.9.0-jumbo-1/run/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
basher           (Evelyn Davis.zip)
1g 0:00:00:01 DONE 3/3 (2020-03-22 14:03) 0.6329g/s 455093p/s 455093c/s 455093C/s 096935..ch3187
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Plaintext attack using template

Suppose that we have the 2 below zip archives:

$ zipinfo Evelyn\ Davis.zip 
Archive:  Evelyn Davis.zip
Zip file size: 24248 bytes, number of entries: 2
-rw-r--r--  3.0 unx      155 TX defN 16-Jul-24 12:19 Evelyn Davis.vcf
-rw-r--r--  3.0 unx    27018 BX defN 16-Jul-24 12:23 signature.png
2 files, 27173 bytes uncompressed, 23856 bytes compressed:  12.2%
$ zipinfo Ryan\ King.zip 
Archive:  Ryan King.zip
Zip file size: 98482 bytes, number of entries: 2
-rw-r--r--  3.0 unx      146 TX defN 16-Jul-24 12:19 Ryan King.vcf
-rw-r--r--  3.0 unx   100990 BX defN 16-Jul-27 15:27 signature.png
2 files, 101136 bytes uncompressed, 98096 bytes compressed:  3.0%

We have already been able to crack the password of the first zip archive (Evelyn Davis.zip). And considering both zip archives have a similar content, we can easily guess what the content of the Ryan King.vcf looks like, based on Evelyn Davis.vcf:

Evelyn\ Davis.vcf (we know it) Ryan King.vcf (assumption)
BEGIN:VCARD
VERSION:3.0
N:Davis;Evelyn;;;
FN:Evelyn Davis
ORG:Defund Corp;
EMAIL;type=INTERNET;type=WORK;type=pref:[email protected]
END:VCARD
BEGIN:VCARD
VERSION:3.0
N:King;Ryan;;;
FN:Ryan King
ORG:Defund Corp;
EMAIL;type=INTERNET;type=WORK;type=pref:[email protected]
END:VCARD

Now, we can use pkcrack to perform a plaintext attack:

$ pkcrack-1.2.2/src/pkcrack -C Ryan\ King.zip -c 'Ryan King.vcf' -P archive.zip -p 'Ryan King.vcf' -d decrypted.zip -a
Files read. Starting stage 1 on Sat Aug 27 10:23:09 2016
Generating 1st generation of possible key2_133 values...done.
Found 4194304 possible key2-values.
Now we're trying to reduce these...
Done. Left with 64012 possible Values. bestOffset is 24.
Stage 1 completed. Starting stage 2 on Sat Aug 27 10:23:13 2016
Strange... had a false hit.
Ta-daaaaa! key0=86cdf919, key1=bd44c60c, key2=60dbe8f7
Probabilistic test succeeded for 114 bytes.
Strange... had a false hit.
Strange... had a false hit.
Strange... had a false hit.
Strange... had a false hit.
Strange... had a false hit.
Stage 2 completed. Starting zipdecrypt on Sat Aug 27 10:47:01 2016
Decrypting Ryan King.vcf (be2570e236508bf4c50b6b92)... OK!
Decrypting signature.png (0d296646595805d826ba79ab)... OK!
Finished on Sat Aug 27 10:47:01 2016

Comments

blog comments powered by Disqus

Keywords: crack zip password archive john ripper bruteforce pkcrack plaintext