I recently was given the keys to the castle and once inside I did the usual snooping around and well in the end I found myself with a collection of password protected Zip files that I knew had all kinds of juicy info inside. Now I have cracked protected Zip files in the past on Windows using a few tools some friends of mine made, but I had never done it since I had moved to my new Linux setup. I decided to make a little tutorial out of the whole incident for anyone interested or in a similar situation. In my search and review I ended up using a tool called FCRACKZIP, and this will be the focus for today's writeup. They actually support a Windows binary version which syntax should be identical to what your about to read. You can download the appropriate package for you from the makers homepage here: FCRACKZIP.
If you are on a Linux machine you can install it using apt-get, like so:
COMMAND: sudo apt-get install fcrackzip
Now if you have some protected Zip files laying around then that's great, but if you don't you can perform a quick command to make one. Here is the syntax and quick example:
COMMAND: zip --encrypt -r <ArchiveName> </target/U/want/2/zip>
EXAMPLE: zip --encrypt -r sup3rs3cr3t /home/hood3drob1n/Desktop/fcrackzip-TuT.txt
You will get a prompt after you hit enter which will ask you to type in the password, and then again to confirm it. You should then have a password protected Zip file to use for further testing.
First, as with any tool, we start by quickly reviewing the documentation and then the help menu. Here is quick shot of the main features as outlined in the help menu:
COMMAND: fcrackzip --help
I will note since it may not be clear at first that the '-c' charset option has a few options which will aid you if you are going to perform a straight bruteforce attack on the password:
a => lower aplha charset [a-z]
A => UPPER aplha charset [A-Z]
1 => numerical charset [0-9]
! => Special charset [!:$%&/()=?+*~#]
: => Used to mark additional characters to add into the charset
You should typically start with a wordlist and then move to bruteforcing after. In order to perform Dictionary based attack just point it at the wordlist and zip file you want to crack open:
COMMAND: fcrackzip -D -p 500-worst-passwords.txt -u -v --method 2 sup3rs3cr3t.zip
=> try to cracking using 500-worst-passwords.txt as our pass list
NOTE: I experienced app crashes if I didn’t place the password list in same location i was running fcrackzip from so just do some copying or moving if you experience similar issues to work around the issue...
Once you have exhausted your wordlist options you can move to bruteforce attacks. Now you can use the '-l <min>-<max>' option to set the min and max password lengths for bruteforce attacks, or you can use the '-p' init option to set the default value and starting string for cracking, for example:
COMMAND: fcrackzip -b -c a -l 1-8 -u -v sup3rs3cr3t.zip
=> bruteforce attack using the lower aplha charset, testing for lengths 1-8
NOTE: use of the '-u' option cuts down on the false positives as it actually tries to unzip the file using the password. It may increase load and time a little but will greatly cut down on false detections. I highly recommend using this option for pretty much all attacks...
Another example using a bruteforce attack against a fixed length via the -p/init option. It works like so:
COMMAND: fcrackzip -u -c a1 -p saaaaa sup3rs3cr3t.zip
=> test a-z0-9 but only for those of 6 char in length, starting at string 'saaaaa'
This sums up the general usage of fcrackzip and you should now be on your way to opening up all those pesky zip files you don't seem to have passwords for. I'm sure there are other tools out there, but this one worked well for me so thought I would share....
Until next time, Enjoy!