Crack-zip-password-protected

From aldeid

Description

This tutorial shows some methods to crack password-protected zip archives.

Brute force

Let's use zip2john to extract the password hashes first:

$ /data/src/john-1.9.0-jumbo-1/run/zip2john Evelyn\ Davis.zip > evelyn.hashes
ver 2.0 efh 5455 efh 7875 Evelyn Davis.zip/Evelyn Davis.vcf PKZIP Encr: 2b chk, TS_chk, cmplen=137, decmplen=155, crc=133F127D
ver 2.0 efh 5455 efh 7875 Evelyn Davis.zip/signature.png PKZIP Encr: 2b chk, TS_chk, cmplen=23743, decmplen=27018, crc=87E609B9
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

This produces the following file:

$ cat evelyn.hashes 
Evelyn Davis.zip:$pkzip2$2*2*1*0*8*24*87e6*92fc*fc2c41155ff6b3c6d3cc89249bcd9b6b113c3574456807b8c3f0f5938a8e3c097e039f49*2*0*89*9b*133f127d*0*4a*8*89*133f*926d*f299079bdc49a88f5ec5927d1919241863552513893ab3c058c7a1edc7b482a86ada9ee13b99de8bd0ed5c0c660ed08d1c76944275c86a05b04fb4423293f2efb1816b4d65f64626bd69eb610aa4ea97bacc6494f11fa6615d6598716b11135cbdcb0212298ef47d708f7ffb0715c2b342f897d691c3da89bffe18733758ba16fcbe59a03040669c93*$/pkzip2$::Evelyn Davis.zip:Evelyn Davis.vcf, signature.png:Evelyn Davis.zip

Now, let's use John the Ripper to brute force the password:

$ /data/src/john-1.9.0-jumbo-1/run/john evelyn.hashes 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/data/src/john-1.9.0-jumbo-1/run/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
basher           (Evelyn Davis.zip)
1g 0:00:00:01 DONE 3/3 (2020-03-22 14:03) 0.6329g/s 455093p/s 455093c/s 455093C/s 096935..ch3187
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Plaintext attack using template

Suppose that we have the following two zip archives:

$ zipinfo Evelyn\ Davis.zip 
Archive:  Evelyn Davis.zip
Zip file size: 24248 bytes, number of entries: 2
-rw-r--r--  3.0 unx      155 TX defN 16-Jul-24 12:19 Evelyn Davis.vcf
-rw-r--r--  3.0 unx    27018 BX defN 16-Jul-24 12:23 signature.png
2 files, 27173 bytes uncompressed, 23856 bytes compressed:  12.2%
$ zipinfo Ryan\ King.zip 
Archive:  Ryan King.zip
Zip file size: 98482 bytes, number of entries: 2
-rw-r--r--  3.0 unx      146 TX defN 16-Jul-24 12:19 Ryan King.vcf
-rw-r--r--  3.0 unx   100990 BX defN 16-Jul-27 15:27 signature.png
2 files, 101136 bytes uncompressed, 98096 bytes compressed:  3.0%

We have already cracked the password of the first zip archive (Evelyn Davis.zip). Since both zip archives have similar content, we can easily guess what Ryan King.vcf looks like, based on Evelyn Davis.vcf:

Evelyn Davis.vcf (we know it):

BEGIN:VCARD
VERSION:3.0
N:Davis;Evelyn;;;
FN:Evelyn Davis
ORG:Defund Corp;
EMAIL;type=INTERNET;type=WORK;type=pref:[email protected]
END:VCARD

Ryan King.vcf (assumption):

BEGIN:VCARD
VERSION:3.0
N:King;Ryan;;;
FN:Ryan King
ORG:Defund Corp;
EMAIL;type=INTERNET;type=WORK;type=pref:[email protected]
END:VCARD

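Now, we can use pkcrack to perform a plaintext attack. The guessed Ryan King.vcf is supplied as known plaintext inside a second archive (archive.zip, passed with -P and -p):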

$ pkcrack-1.2.2/src/pkcrack -C Ryan\ King.zip -c 'Ryan King.vcf' -P archive.zip -p 'Ryan King.vcf' -d decrypted.zip -a
Files read. Starting stage 1 on Sat Aug 27 10:23:09 2016
Generating 1st generation of possible key2_133 values...done.
Found 4194304 possible key2-values.
Now we're trying to reduce these...
Done. Left with 64012 possible Values. bestOffset is 24.
Stage 1 completed. Starting stage 2 on Sat Aug 27 10:23:13 2016
Strange... had a false hit.
Ta-daaaaa! key0=86cdf919, key1=bd44c60c, key2=60dbe8f7
Probabilistic test succeeded for 114 bytes.
Strange... had a false hit.
Strange... had a false hit.
Strange... had a false hit.
Strange... had a false hit.
Strange... had a false hit.
Stage 2 completed. Starting zipdecrypt on Sat Aug 27 10:47:01 2016
Decrypting Ryan King.vcf (be2570e236508bf4c50b6b92)... OK!
Decrypting signature.png (0d296646595805d826ba79ab)... OK!
Finished on Sat Aug 27 10:47:01 2016
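
The plaintext attack applies only to entries protected with the legacy PKZIP cipher (the "PKZIP Encr" lines in the zip2john output above), not to WinZip AES entries. The following Python check is an added example, not part of the original tutorial: it reads only the central directory of an archive and reports which entries use which scheme. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG_ENC = 0x0040  # general-purpose flag bit 6: PKWARE strong encryption
AES_METHOD = 99      # WinZip AES marker stored in the compression-method field

def classify(info):
    """Return the encryption scheme of one zipfile.ZipInfo entry."""
    if not info.flag_bits & ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & STRONG_ENC:
        return "strong"
    return "zipcrypto"  # legacy PKZIP cipher, what zip2john labels "PKZIP Encr"

def audit(fileobj):
    """Map entry name -> scheme. Reads the central directory only, no password."""
    with zipfile.ZipFile(fileobj) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def weak_entries(fileobj):
    """Names of entries that rely on the legacy PKZIP cipher."""
    return sorted(n for n, s in audit(fileobj).items() if s == "zipcrypto")

def constructed_sample():
    """Constructed archive: a plain ZIP whose central-directory flag and method
    fields are patched so entries look encrypted (the data itself is not)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("contact.vcf", "signature.png", "readme.txt"):
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    patches = {b"contact.vcf": (ENCRYPTED, zipfile.ZIP_DEFLATED),
               b"signature.png": (ENCRYPTED, AES_METHOD)}
    pos = raw.find(b"PK\x01\x02")  # first central-directory header
    while pos != -1:
        name_len = struct.unpack_from("<H", raw, pos + 28)[0]
        name = bytes(raw[pos + 46:pos + 46 + name_len])
        if name in patches:  # flags live at offset 8, method at offset 10
            struct.pack_into("<HH", raw, pos + 8, *patches[name])
        pos = raw.find(b"PK\x01\x02", pos + 46)
    return io.BytesIO(bytes(raw))

if __name__ == "__main__":
    for name, scheme in audit(constructed_sample()).items():
        print(f"{name:15} {scheme}")
```

audit() also accepts a file path. Entries it reports as "zipcrypto" are the ones to re-archive with AES and a strong passphrase.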

Keywords: crack zip password archive john ripper bruteforce pkcrack plaintext