
Building a ZIP archive cracker

Most of the posts in this blog come from "scratch your own itch" projects: you have a problem, you work on a solution, and later you realize that you are not the only one with that problem.

For years I have archived old source code, documents and more as compressed archives to fit more of them on CDs. Nowadays most of my devices do not even have a CD drive, but the bigger problem is this: at the time I somehow thought the data would be safer if I put passwords on my archives. This was before password managers.

So every now and then I fight my past self, trying to guess my old passwords, often without success. And it usually runs through the same process:

  • Download a ZIP cracker
  • Find a suitable dictionary for the attack
  • Add a few of my own passwords
  • Read the documentation of the tool, try to make it run
  • Wait…forever…
  • Delete the tool again

The age-old dilemma: does it make sense to make a process more efficient when you do not need it that often?

So after 5-6 years of repeating this process, I finally managed to create a Dockerfile that offers a ready-made cracker.

The Dockerfile

Here is the Dockerfile, which is based on Kali Linux (Kali packages both John the Ripper and the rockyou wordlist):

# Kali ships John the Ripper and the rockyou wordlist as packages.
FROM kalilinux/kali-rolling

RUN apt-get update && apt-get install -yqq wordlists john \
        && gunzip /usr/share/wordlists/rockyou.txt.gz \
        && rm -rf /var/lib/apt/lists/*

COPY crack-zip.sh /crack-zip.sh
# The archives are mounted into /work at run time.
WORKDIR /work
# Run the script through sh so it does not need an executable bit on the host.
CMD ["sh", "/crack-zip.sh"]

Here is the crack-zip.sh file:

#!/usr/bin/env sh
set -eu  # abort on the first failing command or unset variable
# zip2john extracts the hashes; john then tests the wordlist against them
zip2john /work/*.zip > /work/zip.hashes
john --wordlist=/usr/share/wordlists/rockyou.txt /work/zip.hashes
john --show /work/zip.hashes  # print the cracked passwords in a reliable, parseable form

Explanation

John the Ripper is an open source password recovery tool. It can recover the passwords of ZIP or RAR archives, and the script above shows how: zip2john (or rar2john) extracts the password hashes from the protected archive, and john then tries to crack them. Extracting the hashes is fast; cracking them is not.

Hashes are one-way transformations of passwords. You can easily compute the hash of a password, but you cannot turn a hash back into the original password. A cracker therefore hashes one candidate after another and compares each result with the stored hash.
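To make that one-way property concrete, here is an added Python example; it is not code from the original post and not John the Ripper's own implementation. It reproduces the kind of derivation john labels "WinZip [PBKDF2-SHA1 ...]" in the output shown further down: PBKDF2 with HMAC-SHA1, using the 1000 iterations the WinZip AES format specifies. The salt is a constructed sample value, the candidate passwords are taken from this page's john output, the 14-million figure is the approximate size of rockyou.txt, and the 64367 p/s throughput is the rate that run reported.

```python
import hashlib
import hmac
import time

# Modelled on the scheme john reports as "ZIP, WinZip [PBKDF2-SHA1 ...]":
# PBKDF2 with HMAC-SHA1. 1000 is the iteration count of the WinZip AES format;
# the salt is a constructed sample value, not one taken from a real archive.
ITERATIONS = 1000
SAMPLE_SALT = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")


def derive_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way step: password + salt -> 32 derived bytes. There is no inverse."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def check_password(candidate: str, salt: bytes, verifier: bytes,
                   iterations: int = ITERATIONS) -> bool:
    """The only way to test a guess is to redo the derivation and compare."""
    return hmac.compare_digest(derive_verifier(candidate, salt, iterations), verifier)


def salt_changes_output(password: str) -> bool:
    """The same password under two salts gives unrelated outputs, so a precomputed
    table of hashes for common passwords does not help against salted formats."""
    return derive_verifier(password, b"\x00" * 16) != derive_verifier(password, b"\xff" * 16)


def seconds_per_guess(iterations: int, trials: int = 20) -> float:
    """Measure what a single derivation costs at a given iteration count."""
    start = time.perf_counter()
    for i in range(trials):
        derive_verifier(f"candidate{i}", SAMPLE_SALT, iterations)
    return (time.perf_counter() - start) / trials


def worst_case_seconds(wordlist_size: int, guesses_per_second: float) -> float:
    """Time to exhaust a wordlist at a given throughput (john prints it as p/s)."""
    return wordlist_size / guesses_per_second


if __name__ == "__main__":
    verifier = derive_verifier("zoeegal", SAMPLE_SALT)
    print("verifier:", verifier.hex())
    print("correct password accepted:", check_password("zoeegal", SAMPLE_SALT, verifier))
    print("wrong password rejected:  ", not check_password("zwartje01", SAMPLE_SALT, verifier))
    print("salt changes the output:  ", salt_changes_output("zoeegal"))
    for it in (1000, 100_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1e3:.2f} ms per guess")
    # 64367 p/s is the rate the john run on this page reported; 14 million is
    # roughly the number of entries in rockyou.txt.
    minutes = worst_case_seconds(14_000_000, 64367) / 60
    print(f"exhausting 14 million candidates at 64367 p/s: {minutes:.1f} minutes")
```

Two things follow from this that matter when you choose a password in the first place: the per-guess cost is fixed by the archive format (a higher iteration count slows every guess, legitimate or not, by the same factor), and the cracker's only lever is the number of candidates it has to try. A password that sits in a public wordlist falls in minutes at the throughput shown above; one that is not in any list can only be reached by incremental mode, whose candidate space grows exponentially with length.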

John the Ripper supports three password cracking modes: single crack mode, wordlist mode, and incremental mode. The above script uses a wordlist, so if the password is not in the dictionary, you won't find it. Single crack mode is meant for regular password files and is not relevant here. Incremental mode is the classical "brute force" attack, which will definitely find the password if you have a million years of time. This mode is only helpful if you know that the password has an upper length limit (e.g., at most 8 characters).

Building and using Docker image

Save the above Dockerfile and build the Docker image:

docker build -t kali-john -f Dockerfile .

Now you can put any password-protected ZIP files in the current directory and start a container like this:

docker run -it -v "$(pwd)":/work --rm kali-john

This mounts your current directory into the container. You can also have an interactive bash session and run it manually:

docker run -it -v "$(pwd)":/work --rm kali-john bash

Here is example output for a ZIP archive containing a file secret.txt:

# john --wordlist=/usr/share/wordlists/rockyou.txt zoeegal.zip.hashes

Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 1.95% (ETA: 12:44:48) 0g/s 95197p/s 95197c/s 95197C/s desodorante..01diva
0g 0:00:00:07 4.28% (ETA: 12:44:58) 0g/s 97056p/s 97056c/s 97056C/s blah19..SCORPIO8
0g 0:00:00:20 9.30% (ETA: 12:45:50) 0g/s 73179p/s 73179c/s 73179C/s mosnarak..minkochitthe
zoeegal          (zoeegal.zip/secret.txt)
1g 0:00:00:38 DONE (2021-07-12 12:42) 0.02584g/s 64367p/s 64367c/s 64367C/s zwartje01..zoeegal
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The password is shown in the line:

zoeegal          (zoeegal.zip/secret.txt)
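When the container runs unattended, it is handy to pick the result out of john's console output mechanically rather than by eye. The following Python parser is an added example, not part of the original post and not a component of John the Ripper. It uses the output shown above as its sample input and turns the "Loaded" line, the status lines and the cracked-password line into structured records; lines that match none of the patterns are ignored.

```python
import re
from dataclasses import dataclass, field

# Console output captured from the john run shown on this page (without the
# command line itself). Used here purely as sample input.
SAMPLE_OUTPUT = """\
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 1.95% (ETA: 12:44:48) 0g/s 95197p/s 95197c/s 95197C/s desodorante..01diva
0g 0:00:00:07 4.28% (ETA: 12:44:58) 0g/s 97056p/s 97056c/s 97056C/s blah19..SCORPIO8
0g 0:00:00:20 9.30% (ETA: 12:45:50) 0g/s 73179p/s 73179c/s 73179C/s mosnarak..minkochitthe
zoeegal          (zoeegal.zip/secret.txt)
1g 0:00:00:38 DONE (2021-07-12 12:42) 0.02584g/s 64367p/s 64367c/s 64367C/s zwartje01..zoeegal
Use the "--show" option to display all of the cracked passwords reliably
Session completed
"""

# "Loaded N password hash(es) (<format>)"
LOADED_RE = re.compile(r"^Loaded (?P<count>\d+) password hash(?:es)? \((?P<format>.*)\)$")
# Status line: guesses, elapsed time, either "<pct>% (ETA: ...)" or "DONE (...)",
# then g/s (cracked per second), p/s (candidates), c/s (crypts), C/s (combinations).
STATUS_RE = re.compile(
    r"^(?P<cracked>\d+)g (?P<elapsed>\d+:\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<pct>[\d.]+)% \(ETA: (?P<eta>[^)]*)\)|DONE \((?P<done_at>[^)]*)\)) "
    r"(?P<gps>[\d.]+)g/s (?P<pps>\d+)p/s (?P<cps>\d+)c/s (?P<Cps>\d+)C/s (?P<range>\S+)$"
)
# Cracked entry: "<password>   (<archive>/<member>)"
CRACKED_RE = re.compile(r"^(?P<password>\S+)\s+\((?P<label>[^)]+)\)$")


@dataclass
class JohnRun:
    loaded: int = 0
    hash_format: str = ""
    progress: list = field(default_factory=list)   # one dict per status line
    cracked: dict = field(default_factory=dict)    # label -> password
    done: bool = False


def parse_john_output(text: str) -> JohnRun:
    """Walk john's console output line by line and collect what it reports."""
    run = JohnRun()
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := LOADED_RE.match(line):
            run.loaded = int(m["count"])
            run.hash_format = m["format"]
        elif m := STATUS_RE.match(line):
            run.progress.append({
                "cracked": int(m["cracked"]),
                "elapsed": m["elapsed"],
                "pct": float(m["pct"]) if m["pct"] else None,
                "eta": m["eta"],
                "done_at": m["done_at"],
                "candidates_per_s": int(m["pps"]),
                "crypts_per_s": int(m["cps"]),
                "combos_per_s": int(m["Cps"]),
                "last_range": m["range"],
            })
            if m["done_at"]:
                run.done = True
        elif m := CRACKED_RE.match(line):
            run.cracked[m["label"]] = m["password"]
    return run


def average_candidates_per_s(run: JohnRun) -> float:
    """Mean candidate throughput over all status lines (0.0 if there were none)."""
    if not run.progress:
        return 0.0
    return sum(p["candidates_per_s"] for p in run.progress) / len(run.progress)


if __name__ == "__main__":
    result = parse_john_output(SAMPLE_OUTPUT)
    print(f"format: {result.hash_format}, hashes loaded: {result.loaded}")
    print(f"status lines: {len(result.progress)}, finished: {result.done}")
    print(f"average throughput: {average_candidates_per_s(result):.0f} p/s")
    for label, password in result.cracked.items():
        print(f"cracked {label}: {password}")
```

The cracked-line pattern takes the first whitespace-free token as the password, so a password that contains spaces would be cut off; that is exactly why john's closing message points to `--show`, which prints the cracked entries in colon-separated form meant for machines. The console format is also not a stable interface, so treat these regexes as a convenience for this version's output, not as a contract.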

Published in IT-Security, Tips and Tricks
