In this small post I will just explain a basic and simple way to crack a protected ZIP file with the help of fcrackzip available under linux. You can choose to use it with a dictionary or by bruteforce. Of course, dictionary is the faster method to crack it but the crack’s time depends of the size of your dictionary and the success rate depends only whether the password is present on the dictionary or not.
The bruteforce method is the only one that have a success rate of 100% but often, you must be very very patient. Because bruteforcing tests all possibles combinations of possible passwords using the defined charset, one day, it will find the good one… But the crack’s time depends of the charset used, the password’s size and of the numbers of computations per second of your computer.
In this example, I use Ubuntu 17.10 which has fcrackzip already installed. (you can install it using the following command on Ubuntu)
fl0at0xff@bl00b:~/Desktop$ sudo apt install fcrackzip
Just open a terminal try this command this show the syntax of the tool
fl0at0xff@bl00b:~$ fcrackzip --help USAGE: fcrackzip [-b|--brute-force] use brute force algorithm [-D|--dictionary] use a dictionary [-B|--benchmark] execute a small benchmark [-c|--charset characterset] use characters from charset [-h|--help] show this message [--version] show the version of this program [-V|--validate] sanity-check the algortihm [-v|--verbose] be more verbose [-p|--init-password string] use string as initial password/file [-l|--length min-max] check password with length min to max [-u|--use-unzip] use unzip to weed out wrong passwords [-m|--method num] use method number "num" (see below) [-2|--modulo r/m] only calculcate 1/m of the password file... the zipfiles to crack methods compiled in (* = default): 0: cpmask 1: zip1 *2: zip2, USE_MULT_TAB
As you can see, fcrackzip has not a lot of options and it is really easy to use. For the demo, just create a password protected ZIP archive that contains a folder that contains 3 dummy files. You can do this with the following commands:
fl0at0xff@bl00b:~$ mkdir tocrack fl0at0xff@bl00b:~$ touch tocrack/file1 fl0at0xff@bl00b:~$ touch tocrack/file2 fl0at0xff@bl00b:~$ touch tocrack/file3 fl0at0xff@bl00b:~$ zip --password test1234 tocrack.zip tocrack -r adding: tocrack/ (stored 0%) adding: tocrack/file3 (stored 0%) adding: tocrack/file1 (stored 0%) adding: tocrack/file2 (stored 0%)
As you can see, creating a protected ZIP archive with linux is easy. Just provide the password that you want (test1234), the output name of your archive (tocrack.zip) and the input folder (tocrack) with the “-r” parameters to process the folder recursively. Try to unzip your folder with GUI or by CLI using the following command and you should be prompted for a password.
fl0at0xff@bl00b:~$ unzip tocrack.zip Archive: tocrack.zip [tocrack.zip] tocrack/file3 password:
Ok, now we can try to bruteforce this archive with fcrackzip.
fl0at0xff@bl00b:~$ fcrackzip --brute-force --length 4-8 --charset a1 tocrack.zip -v
The parameters are easy to understand
- –brute-force : we will use brute-force method to crack the archive
- –length 4-8 : we will test only passwords with a minimal length of 4 and maximal length of 8 characters
- –charset a1 : only combination of lowercase [a-z] and digit [0-9] will be used
Of course, these settings are a big impact on the maximum time to brute-force the password and in this example, if the password is bigger than 8 characters, it will be never found. The problem is the same with the charset. In my personal experience, I never saw a hard and complex password used to protect an archive. In my opinion, it is always better to try a first crack with basic parameters like these one and if no result found, extends the charset first. Often, a password contains a special character and at least an uppercase.
info: to have details about how to use –charset parameter, consult the MAN page : http://manpages.ubuntu.com/manpages/xenial/man1/fcrackzip.1.html
After some time, if fcrackzip find the password, it will display it:
fl0at0xff@bl00b:~$ fcrackzip --brute-force --length 4-8 --charset a1 tocrack.zip -v 'tocrack/' is not encrypted, skipping found file 'tocrack/file3', (size cp/uc 12/ 0, flags 9, chk 51b1) found file 'tocrack/file1', (size cp/uc 12/ 0, flags 9, chk 51b0) found file 'tocrack/file2', (size cp/uc 12/ 0, flags 9, chk 51b0) possible pw found: test1234 ()
More detailed information
It is possible to estimate the maximum time needed to crack the password regarding the parameters that you used. It depends of 3 elements
- The charset length. In our case : [a-z] = 26 and [0-9] = 10 –> 36
- The minimum length of the password = 4
- The maximum length of the password = 8
- The computation performance (how many passwords you can test by seconds)
With the 3 first information, we can calculate the total number of possible combinations.
- When password length = 4 –> 36^4 = 1’679’616
- When password length = 5 –> 36^5 = 60’466’176
- When password length = 6 –> 36^6 = 2’176’782’336
- When password length = 7 –> 36^7 = 78’364’164’096
- When password length = 8 –> 36^8 = 2’821’109’907’456
With these simple calculation, we see that the charset length has a bigger influence of the maximum combination than the password length.
To know approximately the computation speed with fcrackzip, you can run the built-in benchmark.
fl0at0xff@bl00b:~$ fcrackzip --benchmark cpmask: (skipped) zip1: cracks/s = 11136799 *zip2, USE_MULT_TAB: cracks/s = 11483825
The correct value is the last one (11483825) because my version of fcrackzip uses zip2. It is mentioned by the asterisk (*). By dividing the total number of combinations by the number of “crack per seconds”, we can find the time to test all combinations for each cases:
- password length = 4, 1’679’616 combinations= 0.15 seconds
- password length = 5, 60’466’176 combinations= 5.27 seconds
- password length = 6, 2’176’782’336 combinations= 189.55 seconds
- password length = 7, 78’364’164’096 combinations= 6823.87 seconds = 1.89 hours
- Password length = 8, 2’821’109’907’456 combinations= 245659.43 seconds = 68.23 hours = 2.84 days
As you can see, the maximum time needed increase very quickly. Imagine the impact of adding a uppercase and a special characters on our demo password ? For example from “test1234” to “Test$234”. The charset will be extended from 36 to 62 (+26) because of including all uppercase and in addition, maybe +10 specials characters… I performed the calculations for charset of 62 characters with a password length of 8 characters, and the result is : 220 days. I let you imagine if you use 10 characters for your password and special char in addition. In this case, the bruteforce technique become useless.
You can download a very basic .ods (excel) file by clicking on the link bellow. It contains all the calculations performed here.