ZIP file Password cracking. Guide with real life examples!

- Category: CTI
- Source article: https://medium.com/@1200km/zip-file-password-cracking-guide-with-real-life-examples-4e8705d51897
- Published: 2024-10-28
Ecosystem Fit
This page mirrors the original Medium article into the 1200km.com Docusaurus ecosystem. The original article flow, images, screenshots, infographics, and technical blocks are preserved from the export.
Unlock the secrets of ZIP file password cracking with our in-depth guide. Learn the tools, techniques, and strategies used to breach ZIP file encryption, illustrated with vivid real-life examples. Whether you’re a cybersecurity enthusiast or a professional, this article will provide you with actionable insights into the world of digital security and password recovery.
About author
Hello and welcome to my article. My name is Andrey, and I am a penetration tester and cybersecurity researcher.
Disclaimer: Educational Purpose Only
The information provided in this article is intended for educational purposes only. The techniques and methods described herein are discussed as a means to understand and improve security measures and should not be used for illegal purposes. The author and publisher disclaim any liability from the misuse of this information. Readers are urged to use this knowledge to enhance their cybersecurity defenses and are reminded that unauthorized hacking into any system is illegal and unethical.
Zip file password cracking
I have a password-protected ZIP file: secretfile.zip

Brute force / dictionary brute force
1. Extraction of Encrypted Data
When you have a zip file that is password-protected, the actual password isn’t stored anywhere in plaintext or any easily readable format. Instead, what is stored is a cryptographic hash of the password. This hash is generated by applying a hashing algorithm to the password when the zip file is created. By creating a hash file from the zip file, you essentially extract this encrypted representation of the password, which is what you will attempt to crack.
For this purpose you can use zip2john.
zip2john: This tool is part of the John the Ripper password cracking suite. It extracts the encrypted hash from a zip file. The output is the encrypted data needed to attempt cracking the password.
Command:

```bash
zip2john target_file.zip > hash.txt && sed -n 's/.*\(\$zip2\$.*\$\/zip2\$\).*/\1/p' hash.txt > temp.txt && mv temp.txt hash.txt
```

- `>`: This operator redirects the output of zip2john to a file named hash.txt.
- `sed`: This command is used here for stream editing. It filters and formats the hash output from zip2john to isolate only the part of the line needed for further processing. The specific sed command used here extracts the portion between `$zip2$` and `$/zip2$`, which contains the relevant hash information.
- `mv`: This command moves temp.txt back to hash.txt, effectively replacing it with the processed hash data.
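To see what the sed command actually keeps, here is an added example (not part of the article) that applies the same `$zip2$...$/zip2$` extraction in Python and then splits the result into its fields. The field layout (type, AES mode, magic, salt, 2-byte password verifier, data length, data, 10-byte authentication code) follows John the Ripper's zip2 format; the sample zip2john line and all hex values in it are constructed.

```python
import re

# Same pattern as the page's sed command: keep only the $zip2$...$/zip2$ part
ZIP2_RE = re.compile(r"(\$zip2\$.*\$/zip2\$)")

# AES mode -> (key bits, salt length in bytes) for the WinZip AE scheme
MODE_INFO = {"1": (128, 8), "2": (192, 12), "3": (256, 16)}

# Constructed sample of a zip2john output line (every hex value is made up)
SAMPLE_LINE = (
    "secretfile.zip:$zip2$*0*3*0*a1b2c3d4e5f60718293a4b5c6d7e8f90"
    "*5a5a*5*0123456789*00112233445566778899*$/zip2$"
    ":flag.txt:secretfile.zip::secretfile.zip"
)


def extract_zip2_hash(line: str) -> str:
    """Return only the $zip2$...$/zip2$ portion, as the sed command does."""
    m = ZIP2_RE.search(line)
    if not m:
        raise ValueError("no $zip2$ hash found in line")
    return m.group(1)


def parse_zip2_hash(h: str) -> dict:
    """Split a $zip2$ hash into its fields and check that the lengths agree."""
    if not (h.startswith("$zip2$*") and h.endswith("*$/zip2$")):
        raise ValueError("not a $zip2$ hash")
    fields = h[len("$zip2$*"):-len("*$/zip2$")].split("*")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    _type, mode, _magic, salt, verifier, length, data, authcode = fields
    if mode not in MODE_INFO:
        raise ValueError(f"unknown AES mode {mode}")
    key_bits, salt_len = MODE_INFO[mode]
    if len(salt) != salt_len * 2:
        raise ValueError("salt length does not match AES mode")
    if len(verifier) != 4:          # 2-byte password verification value
        raise ValueError("verifier must be 2 bytes")
    if len(authcode) != 20:         # 10-byte HMAC-SHA1 authentication code
        raise ValueError("authentication code must be 10 bytes")
    if len(data) != int(length, 16) * 2:   # data may be a file pointer if large
        raise ValueError("data is not inline or its length field is wrong")
    return {"aes_bits": key_bits, "salt": bytes.fromhex(salt),
            "verifier": bytes.fromhex(verifier), "data_len": int(length, 16),
            "authcode": bytes.fromhex(authcode)}
```

The "hash" is therefore not a digest of the password but the salt, verifier, ciphertext and authentication code the tool needs to test each candidate against.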
2. Compatibility with Cracking Tools
Tools like [hashcat](https://hashcat.net/hashcat/) and John the Ripper are designed to work with hashes rather than directly with files or passwords. They use various algorithms to attempt to match provided hashes with hashes generated from potential passwords. In essence, these tools need the specific hash data to function correctly. By converting the zip file into a hash format using tools like zip2john, you transform the password protection into a form that these cracking tools can process.
3. Efficiency and Focus
When you extract the hash from a zip file, you’re focusing the password cracking effort directly on what needs to be decoded — the password’s hash — rather than dealing with the entire file encryption scheme. This makes the cracking process more direct and efficient because the tool can concentrate all its computational power on breaking the hash, rather than navigating through file encryption methods, which might include additional complexities.
4. Enables Automated and Targeted Attacks
Creating a hash file allows the use of automated tools that can apply complex, targeted attacks like brute force, dictionary attacks, and others. These tools can handle large volumes of data and apply sophisticated patterns and methods to efficiently crack the password. Without converting the zip file’s protection into a hash, leveraging these powerful tools wouldn’t be possible.
For example, in this file the password is just digits and the maximum length is 8 characters:
Command:

```bash
hashcat -a 3 -m 13600 --increment --increment-min 1 --increment-max 7 hash.txt ?d?d?d?d?d?d?d
```

Detailed breakdown of the command
- `hashcat`: This is the command to invoke the hashcat tool, which is one of the most powerful password recovery tools available, supporting numerous algorithms and attack modes.
  - List with all options here.
- `-a 3`: Sets the attack mode to 3, which is brute force. This mode attempts to crack passwords by trying every possible combination within the defined character set and mask.
  - List with all attack modes here.
- `-m 13600`: Sets the hash mode to 13600, indicating that the hash type is specific to WinZip archives. This mode is necessary because different types of hashes require different handling and algorithms for effective cracking.
  - Table with hash modes here.
- `--increment`: This option enables incremental mode. Incremental mode is particularly useful when you do not know the exact length of the password but you have a range in mind. It starts at the shortest length and increases until it reaches either the password length or the specified maximum.
- `--increment-min 1`: Sets the minimum starting length for the incremental attack at 1, meaning hashcat will start by trying all single-digit possibilities.
- `--increment-max 7`: Sets the maximum length for the incremental attack at 7, meaning hashcat will increment the password length up to 7 digits, trying all combinations at each length.
- `hash.txt`: This is the file containing the hash you aim to crack. This file should be prepared beforehand, containing the hash data extracted from the target zip file.
- `?d?d?d?d?d?d?d`: This mask pattern tells hashcat to use digits (0-9) for the password attempts. In the context of this command, hashcat will start with the first `?d` and incrementally add more up to a total of seven digits as specified.
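How many candidates the increment run above actually has to walk through is worth seeing in numbers, because it is the whole reason a digit-only password falls in seconds. The following is an added example (not from the article): a small Python calculator for hashcat mask keyspaces, useful when judging whether a password policy would survive a mask attack. Charset sizes are hashcat's documented built-in charsets; the guess rate passed to `seconds_to_exhaust` is an assumption the caller supplies, since real rates depend on hardware.

```python
from math import prod

# Sizes of hashcat's built-in mask charsets (from the hashcat documentation)
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?h": 16, "?H": 16,
                 "?s": 33, "?a": 95, "?b": 256}


def mask_tokens(mask: str) -> list:
    """Split a mask like ?u?l?l?d into tokens; a literal character is one token.

    '??' is hashcat's escape for a literal question mark; it is not in
    CHARSET_SIZES, so it is counted as a single fixed character below.
    """
    tokens, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tokens.append(mask[i:i + 2])
            i += 2
        else:
            tokens.append(mask[i])
            i += 1
    return tokens


def keyspace(mask: str, increment_min: int = None, increment_max: int = None) -> int:
    """Number of candidates hashcat -a 3 generates for this mask.

    Without --increment the full mask length is used. With it, hashcat runs the
    mask prefixes of length increment_min .. increment_max (capped at the mask
    length), so the total is the sum of each prefix's keyspace.
    """
    sizes = [CHARSET_SIZES.get(t, 1) for t in mask_tokens(mask)]
    if increment_min is None:
        return prod(sizes)
    hi = len(sizes) if increment_max is None else min(increment_max, len(sizes))
    return sum(prod(sizes[:n]) for n in range(increment_min, hi + 1))


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second
```

For the article's command the sum 10 + 100 + ... + 10,000,000 is only 11,111,110 candidates, whereas a seven-character mask mixing cases and digits is already in the billions.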

Done! Password was found — “123456”
Command flow for password-protected ZIP file simple brute force:

```bash
zip2john target_file.zip > hash.txt && sed -n 's/.*\(\$zip2\$.*\$\/zip2\$\).*/\1/p' hash.txt > temp.txt && mv temp.txt hash.txt
hashcat -a 3 -m 13600 --increment --increment-min 1 --increment-max 7 hash.txt ?d?d?d?d?d?d?d
```
For more complex passwords I need to use a dictionary attack:
Download or create a file with passwords (a dictionary).

Use this list with hashcat for a dictionary attack.
Command:

```bash
hashcat -a 0 -m 13600 ./hash.txt ./best1050.txt
```
Detailed breakdown of the command
- `hashcat`: This is the command to invoke the hashcat tool, which is one of the most powerful password recovery tools available, supporting numerous algorithms and attack modes.
  - List with all options here.
- `-a 0`: Sets the attack mode to 0, which is a dictionary attack. In this mode, hashcat uses a list of predefined words or phrases from a specified wordlist file as potential passwords.
  - List with all attack modes here.
- `-m 13600`: Sets the hash mode to 13600, indicating that the hash type is specific to WinZip archives. This mode is necessary because different types of hashes require different handling and algorithms for effective cracking.
  - Table with hash modes here.
- `hash.txt`: This is the file containing the hash you aim to crack. This file should be prepared beforehand, containing the hash data extracted from the target zip file.
- `best1050.txt`: This is the wordlist or dictionary file that hashcat will use as the source of potential passwords. The file "best1050.txt" should contain a list of passwords that hashcat will try against the hash, one password per line.


Done! Password was found — “Password1234”
Command flow for password-protected ZIP file dictionary attack:

```bash
zip2john target_file.zip > hash.txt && sed -n 's/.*\(\$zip2\$.*\$\/zip2\$\).*/\1/p' hash.txt > temp.txt && mv temp.txt hash.txt
hashcat -a 0 -m 13600 ./hash.txt ./best1050.txt
```