Wednesday, October 3, 2012

Cracking Password Protected Zip Files on Linux with FCRACKZIP

I recently was given the keys to the castle and once inside I did the usual snooping around and well in the end I found myself with a collection of password protected Zip files that I knew had all kinds of juicy info inside. Now I have cracked protected Zip files in the past on Windows using a few tools some friends of mine made, but I had never done it since I had moved to my new Linux setup. I decided to make a little tutorial out of the whole incident for anyone interested or in a similar situation. In my search and review I ended up using a tool called FCRACKZIP, and this will be the focus for today's writeup. They actually support a Windows binary version which syntax should be identical to what your about to read. You can download the appropriate package for you from the makers homepage here: FCRACKZIP.

If you are on a Linux machine you can install it using apt-get, like so:

COMMAND:  sudo apt-get install fcrackzip

Now if you have some protected Zip files laying around then that's great, but if you don't you can perform a quick command to make one.  Here is the syntax and quick example:

COMMAND: zip --encrypt -r <ArchiveName> </target/U/want/2/zip>
EXAMPLE: zip --encrypt -r sup3rs3cr3t /home/hood3drob1n/Desktop/fcrackzip-TuT.txt



You will get a prompt after you hit enter which will ask you to type in the password, and then again to confirm it. You should then have a password protected Zip file to use for further testing.

First, as with any tool, we start by quickly reviewing the documentation and then the help menu. Here is quick shot of the main features as outlined in the help menu:

COMMAND: fcrackzip --help



I will note since it may not be clear at first that the '-c' charset option has a few options which will aid you if you are going to perform a straight bruteforce attack on the password:
    a => lower aplha charset [a-z]
    A => UPPER aplha charset [A-Z]
    1 => numerical charset [0-9]
    ! => Special charset [!:$%&/()=?[]+*~#]
    : => Used to mark additional characters to add into the charset

You should typically start with a wordlist and then move to bruteforcing after. In order to perform Dictionary based attack just point it at the wordlist and zip file you want to crack open:

COMMAND: fcrackzip -D -p 500-worst-passwords.txt -u -v --method 2 sup3rs3cr3t.zip
        => try to cracking using 500-worst-passwords.txt as our pass list


NOTE: I experienced app crashes if I didn’t place the password list in same location i was running fcrackzip from so just do some copying or moving if you experience similar issues to work around the issue...

Once you have exhausted your wordlist options you can move to bruteforce attacks. Now you can use the '-l <min>-<max>' option to set the min and max password lengths for bruteforce attacks, or you can use the '-p' init option to set the default value and starting string for cracking, for example:

COMMAND: fcrackzip -b -c a -l 1-8 -u -v sup3rs3cr3t.zip
        => bruteforce attack using the lower aplha charset, testing for lengths 1-8


NOTE: use of the '-u' option cuts down on the false positives as it actually tries to unzip the file using the password. It may increase load and time a little but will greatly cut down on false detections. I highly recommend using this option for pretty much all attacks...

Another example using a bruteforce attack against a fixed length via the -p/init option. It works like so:

COMMAND: fcrackzip -u -c a1 -p saaaaa sup3rs3cr3t.zip
        => test a-z0-9 but only for those of 6 char in length, starting at string 'saaaaa'


This sums up the general usage of fcrackzip and you should now be on your way to opening up all those pesky zip files you don't seem to have passwords for. I'm sure there are other tools out there, but this one worked well for me so thought I would share....

Until next time, Enjoy!

10 comments:

  1. Hey bro. i'm robinhoodsun .i'm trying to find the password for a zipped pdf but i have no idea the password length or char set. using the -u (along with -b -v -l etc.)command gives me a syntax unexpected end of file error repeatedly.
    i'm not sure what that means. if i don't include the -u it goes through millions of "possible pw found:
    but never seems to end. the unencrypted readme within the zip file says, i can get the pw from here.:http://www.linkbax.com
    if you looked it's just a page of code. please give me some tips here my friend.
    thanks

    ReplyDelete
  2. if it helps. the book i'm trying to open within the zip is "True Path of the Ninja The Definitive Translation of the Shonin.zip"
    any help given i will owe you big time:)

    ReplyDelete
  3. I cracked the password, it is: thankyou

    but don't mind even unzip it... it is just a scam, all zips you download from that page (freebooks1.com #1 Free Books Site or similiar link) is just a scam, it will contain a pdf to a stupid guide to CPA marketing.

    ReplyDelete
  4. @Luis Pulido: u r right bro same password worked for me and its fucking sit CPA marketing kind of book .........

    ReplyDelete
  5. Replies
    1. I don't but you can find me on jabber occasionally: TronDoe@jabber.at

      Delete
  6. hi dear i am trying this frcrackzip in backtrack 5r3 but after loading some passwords it just do nothing it tells me nothing
    and i am redirected to root@bt:-#
    what is the issue ?

    ReplyDelete
    Replies
    1. I get the same thing... only when running off a password file tho. any ideas?

      Delete
  7. http://www.bash-scripts.com/how-to-find-zip-password-brute-force/

    I'm using this.

    ReplyDelete