Crack protected ZIP archives with fcrackzip

Hello guys,

In this small post I will explain a basic and simple way to crack a password-protected ZIP file with fcrackzip, a tool available under Linux. You can run it with a dictionary or by brute force. Dictionary mode is the faster of the two, but its run time depends on the size of your wordlist, and its success depends only on whether the password is present in that wordlist or not.

The brute-force method is the only one with a 100% success rate, but you often have to be very, very patient. Because brute forcing tries every combination that the chosen charset allows, one day it will find the right one, but the time that takes depends on the size of the charset, the length of the password and the number of passwords per second your computer can test.

In this example I use Ubuntu 17.10, on which I already have fcrackzip installed. If you do not, you can install it with the following command on Ubuntu:

fl0at0xff@bl00b:~/Desktop$ sudo apt install fcrackzip

Open a terminal and run the following command; it shows the syntax of the tool:

fl0at0xff@bl00b:~$ fcrackzip --help

USAGE: fcrackzip
          [-b|--brute-force]            use brute force algorithm
          [-D|--dictionary]             use a dictionary
          [-B|--benchmark]              execute a small benchmark
          [-c|--charset characterset]   use characters from charset
          [-h|--help]                   show this message
          [--version]                   show the version of this program
          [-V|--validate]               sanity-check the algortihm
          [-v|--verbose]                be more verbose
          [-p|--init-password string]   use string as initial password/file
          [-l|--length min-max]         check password with length min to max
          [-u|--use-unzip]              use unzip to weed out wrong passwords
          [-m|--method num]             use method number "num" (see below)
          [-2|--modulo r/m]             only calculcate 1/m of the password
          file...                    the zipfiles to crack

methods compiled in (* = default):

 0: cpmask
 1: zip1
*2: zip2, USE_MULT_TAB

As you can see, fcrackzip has only a handful of options and it is really easy to use. Note that the only ZIP encryption it implements is the traditional PKZIP stream cipher (often called ZipCrypto, the scheme the zip1/zip2 methods above attack); an archive protected with AES, as produced by WinZip, 7-Zip and similar tools, is out of its reach whatever charset you choose. For the demo, create a password-protected ZIP archive that contains a folder with 3 dummy files. You can do this with the following commands:

fl0at0xff@bl00b:~$ mkdir tocrack

fl0at0xff@bl00b:~$ touch tocrack/file1
fl0at0xff@bl00b:~$ touch tocrack/file2
fl0at0xff@bl00b:~$ touch tocrack/file3

fl0at0xff@bl00b:~$ zip --password test1234 tocrack.zip tocrack -r
  adding: tocrack/ (stored 0%)
  adding: tocrack/file3 (stored 0%)
  adding: tocrack/file1 (stored 0%)
  adding: tocrack/file2 (stored 0%)

As you can see, creating a protected ZIP archive on Linux is easy. Just provide the password you want (test1234), the output name of your archive (tocrack.zip) and the input folder (tocrack), with the “-r” flag to process the folder recursively. The zip tool applies the traditional ZipCrypto scheme here, which is exactly what fcrackzip attacks. Try to extract the archive with a GUI or from the CLI with the following command, and you should be prompted for a password.

fl0at0xff@bl00b:~$ unzip tocrack.zip 
Archive:  tocrack.zip
[tocrack.zip] tocrack/file3 password:

Ok, now we can try to brute-force this archive with fcrackzip.

fl0at0xff@bl00b:~$ fcrackzip --brute-force --length 4-8 --charset a1 tocrack.zip -v

The parameters are easy to understand:

  • --brute-force : use the brute-force method to crack the archive
  • --length 4-8 : test only passwords with a minimum length of 4 and a maximum length of 8 characters
  • --charset a1 : only combinations of lowercase letters [a-z] and digits [0-9] will be tried

Of course, these settings have a big impact on the maximum time needed to brute-force the password: in this example, if the password is longer than 8 characters it will never be found, and the same goes for any character outside the charset. In my personal experience, I never saw a hard and complex password used to protect an archive. In my opinion, it is always better to try a first run with basic parameters like these and, if nothing is found, extend the charset first, since a password often contains a special character and at least one uppercase letter.

Info: for the details of the --charset parameter, consult the man page: http://manpages.ubuntu.com/manpages/xenial/man1/fcrackzip.1.html
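The escalation described above (dictionary first, then brute force with a widening charset) as one runnable script. This is an added example, not code from the original post; it assumes fcrackzip, zip and unzip are installed and that a sorted wordlist path is given as the second argument. It always passes -u/--use-unzip so that fcrackzip confirms each candidate by extracting with unzip instead of reporting the first "possible" hit. The "possible pw found:" line is the format shown later in this post; the "PASSWORD FOUND!!!!: pw ==" form is what fcrackzip prints with -u as I remember it from the tool's source, so treat that pattern as an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): staged fcrackzip run on a
# ZipCrypto archive. Assumptions: fcrackzip, zip and unzip are installed;
# $2 is a sorted wordlist (fcrackzip -D wants one password per line, sorted).

# Reduce fcrackzip's verbose output to the bare password(s) it reports.
# Without -u the tool prints "possible pw found: <pw> ()" (see the post);
# with -u it prints "PASSWORD FOUND!!!!: pw == <pw>" once unzip accepts a
# candidate (format assumed from the tool's source). Both forms are handled.
parse_candidates() {
    sed -n \
        -e 's/^possible pw found: \(.*\) (.*)[[:space:]]*$/\1/p' \
        -e 's/^PASSWORD FOUND!*: pw == \(.*\)$/\1/p'
}

# Stage 1: dictionary mode. -D selects it, -p names the wordlist file.
crack_dict() {
    archive=$1; wordlist=$2
    fcrackzip -D -p "$wordlist" -u -v "$archive" 2>/dev/null | parse_candidates
}

# Stage 2: brute force, widening the charset only when the previous one fails:
# lowercase+digits, then uppercase as well, then the man page's "!" symbols.
crack_brute() {
    archive=$1; min=$2; max=$3
    for spec in a1 aA1 'aA1!'; do
        echo "trying -c $spec -l $min-$max" >&2
        found=$(fcrackzip -b -c "$spec" -l "$min-$max" -u -v "$archive" 2>/dev/null | parse_candidates)
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
            return 0
        fi
    done
    return 1
}

# Usage: ./crackzip.sh ARCHIVE WORDLIST [MIN] [MAX]
main() {
    archive=$1; wordlist=$2; min=${3:-4}; max=${4:-8}
    pw=$(crack_dict "$archive" "$wordlist")
    if [ -z "$pw" ]; then
        pw=$(crack_brute "$archive" "$min" "$max") || { echo "no password found" >&2; return 1; }
    fi
    echo "password: $pw"
    # Independent confirmation with unzip itself: -t tests the archive, -P supplies the password.
    unzip -qq -t -P "$pw" "$archive" >/dev/null && echo "verified with unzip"
}

# Only run the driver when invoked with arguments, so the functions can be
# sourced and tested on their own.
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as `./crackzip.sh tocrack.zip /path/to/wordlist.txt 4 8`; the 4-8 window and the a1, aA1, aA1! charset ladder are the post's own starting point, and the script only pays for the wider charsets when the cheaper ones come back empty.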

After some time, if fcrackzip finds the password, it displays it. Note the wording "possible pw found": without the -u/--use-unzip option the tool only compares one or two check bytes in each entry's encryption header, so over a large keyspace a few wrong passwords will also pass that test. Adding -u makes fcrackzip confirm every candidate by actually extracting with unzip (which must be installed), so only the real password is reported.

fl0at0xff@bl00b:~$ fcrackzip --brute-force --length 4-8 --charset a1 tocrack.zip -v
'tocrack/' is not encrypted, skipping
found file 'tocrack/file3', (size cp/uc     12/     0, flags 9, chk 51b1)
found file 'tocrack/file1', (size cp/uc     12/     0, flags 9, chk 51b0)
found file 'tocrack/file2', (size cp/uc     12/     0, flags 9, chk 51b0)
possible pw found: test1234 ()          

More detailed information

It is possible to estimate the maximum time needed to crack the password from the parameters you used. It depends on four elements:

  • The charset length. In our case: [a-z] = 26 and [0-9] = 10 –> 36
  • The minimum length of the password = 4
  • The maximum length of the password = 8
  • The computation performance (how many passwords you can test per second)

With the first three, we can calculate the total number of possible combinations for each length:

  • When password length = 4 –> 36^4 = 1’679’616
  • When password length = 5 –> 36^5 = 60’466’176
  • When password length = 6 –> 36^6 = 2’176’782’336
  • When password length = 7 –> 36^7 = 78’364’164’096
  • When password length = 8 –> 36^8 = 2’821’109’907’456

These simple calculations show that each additional character of length multiplies the number of combinations by the charset size (36 here), so the largest length in the range dominates the total. The charset size is the base of that power, so widening it compounds in the same way over every position of the password.

To get an approximate computation speed for fcrackzip, run the built-in benchmark:

fl0at0xff@bl00b:~$ fcrackzip --benchmark
cpmask: (skipped)
zip1: cracks/s = 11136799
*zip2, USE_MULT_TAB: cracks/s = 11483825

The correct value is the last one (11483825), because my version of fcrackzip uses zip2, as indicated by the asterisk (*). This is the raw rate of the internal check; with -u, unzip is only launched for the few candidates that pass it, so the figure still applies. By dividing the total number of combinations by the number of cracks per second, we get the time needed to test all combinations of each length:

  • password length = 4: 1’679’616 combinations = 0.15 seconds
  • password length = 5: 60’466’176 combinations = 5.27 seconds
  • password length = 6: 2’176’782’336 combinations = 189.55 seconds
  • password length = 7: 78’364’164’096 combinations = 6823.87 seconds = 1.89 hours
  • password length = 8: 2’821’109’907’456 combinations = 245659.43 seconds = 68.23 hours = 2.84 days

As you can see, the maximum time needed increases very quickly. These are per-length worst cases: exhausting the whole 4-8 range takes their sum (about 2.9 days), and on average the password turns up about halfway through the search. Now imagine the impact of adding an uppercase letter and a special character to our demo password, for example going from “test1234” to “Test$234”. The charset grows from 36 to 62 (+26) to include all uppercase letters, plus maybe another 10 special characters on top. I did the calculation for a charset of 62 characters and a password length of 8, and the result is 220 days. I let you imagine what happens with a 10-character password that also uses special characters. In that case the brute-force technique becomes useless, and only a good wordlist (or, for the legacy ZipCrypto scheme, a known-plaintext attack on the cipher itself, which is outside the scope of this post) remains realistic.

You can download a very basic .ods spreadsheet by clicking on the link below. It contains all the calculations performed here.

Calculation Sheet for bruteforcing