Most of my posts in this blog are based on "scratch your own itch" projects: you have a problem, you work on a solution, and later you realize that you are not the only one with that problem.
For years I have archived old source code, documents and more as compressed archives, to fit more of them on CDs. Nowadays most of my devices do not even have a CD drive, but an even greater problem is this: at the time I somehow thought that the data would be safer if I put passwords on my archives. This was before password managers.
So every now and then I fight against my past self, trying to guess my old passwords, often without success. And this usually ends with the same process:
- Download a ZIP cracker
- Find a suitable dictionary for the attack
- Add a few of my own passwords
- Read the documentation of the tool, try to make it run
- Delete the tool again
So after 5-6 years of repeating this process, I finally created a Dockerfile that offers a ready-made cracker.
Here is the Dockerfile, which is based on Kali Linux:

```dockerfile
FROM kalilinux/kali-rolling
RUN apt-get update && apt-get install -yqq wordlists john \
    && gunzip /usr/share/wordlists/rockyou.txt.gz
ADD crack-zip.sh /crack-zip.sh
WORKDIR /work
CMD ["bash", "-c", "/crack-zip.sh"]
```
Here is the crack-zip.sh script that the Dockerfile copies into the image:

```sh
#!/usr/bin/env sh
# Extract the password hashes of every ZIP file in the mounted directory...
zip2john /work/*.zip > /work/zip.hashes
# ...and run a wordlist attack against them with the rockyou list.
john --wordlist=/usr/share/wordlists/rockyou.txt /work/zip.hashes
```
John the Ripper is an open source password recovery tool. It can recover the passwords of ZIP or RAR archives, and the script above shows how it works: zip2john (or rar2john for RAR archives) extracts the hashes of the password-protected files for john to crack. Extracting the hashes is fast; cracking them is not.
Hashes are one-way transformations of passwords: converting a password into its hash is easy, but there is no way to convert the hash back into the original password.
John the Ripper supports three password cracking modes: single crack mode, wordlist mode, and incremental mode. The script above uses a wordlist, so if the password is not in the dictionary, you won't find it. Single crack mode is meant for regular password files and is not relevant here. Incremental mode is the classical "brute force" attack, which will definitely find the password if you have a million years of time. This mode is only helpful if you know that the password has an upper length limit (e.g., max. 8 characters).
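To make the "one-way hash" point and the cost of wordlist mode concrete, here is an added Python model (example code, not from this post and not John the Ripper's own code) of the check john runs for a WinZip AES entry: it re-derives the PBKDF2-SHA1 key material for every candidate and compares the stored password verification value. The salt, file contents and candidate list are constructed, and the simplification around the authentication code is marked in the code.

```python
import hashlib
import hmac

# WinZip AES-256 parameters (fixed by the format): PBKDF2-HMAC-SHA1, 1000
# iterations, 16-byte salt, 2*32+2 bytes of output whose last two bytes are the
# "password verification value" stored next to the encrypted data.
ITERATIONS, KEY_LEN, PV_LEN = 1000, 32, 2

def derive(password: str, salt: bytes) -> tuple:
    """The one-way step: (aes_key, hmac_key, verifier) from password + salt."""
    m = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                            ITERATIONS, dklen=2 * KEY_LEN + PV_LEN)
    return m[:KEY_LEN], m[KEY_LEN:2 * KEY_LEN], m[2 * KEY_LEN:]

def make_entry(password: str, salt: bytes, data: bytes) -> dict:
    """Constructed stand-in for what zip2john extracts from one archive entry.

    Simplification (an assumption, not the real format): the 10-byte HMAC-SHA1
    authentication code is taken over `data` itself rather than over the
    AES-CTR ciphertext, which keeps the example free of third-party packages.
    """
    _aes_key, hmac_key, verifier = derive(password, salt)
    auth = hmac.new(hmac_key, data, hashlib.sha1).digest()[:10]
    return {"salt": salt, "verifier": verifier, "auth": auth, "data": data}

def crack_wordlist(entry: dict, wordlist) -> tuple:
    """Wordlist mode: re-derive per candidate; return (password, candidates tried).

    A match on the 2-byte verifier alone is not proof (a wrong password passes
    it with probability 1/65536), so the authentication code is checked too.
    """
    tried = 0
    for candidate in wordlist:
        tried += 1
        _aes_key, hmac_key, verifier = derive(candidate, entry["salt"])
        if verifier != entry["verifier"]:
            continue  # cheap reject; the 1000 PBKDF2 rounds were the real cost
        auth = hmac.new(hmac_key, entry["data"], hashlib.sha1).digest()[:10]
        if hmac.compare_digest(auth, entry["auth"]):
            return candidate, tried
    return None, tried

# Constructed sample: the salt and file contents are made up; the password and
# candidate words mirror the john session shown further down in this post.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ENTRY = make_entry("zoeegal", SALT, b"my very important secret\n")
WORDLIST = ["desodorante", "01diva", "blah19", "zoeegal", "zwartje01"]
```

Every candidate costs a full 1000-round PBKDF2 derivation, which is why john reports tens of thousands of candidates per second rather than millions, and why a password that is not in the wordlist is never found by this mode.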
Building and using the Docker image
Save the above Dockerfile and build the Docker image:
```sh
docker build -t kali-john -f Dockerfile .
```
Now you can put any password-protected ZIP files in the current directory and start a container like this:
```sh
docker run -it -v "$(pwd)":/work --rm kali-john
```
This mounts your current directory into the container. You can also start an interactive bash session and run the steps manually:

```sh
docker run -it -v "$(pwd)":/work --rm kali-john bash
```
This is an example output for a zip containing a secret.txt:

```
─# john --wordlist=/usr/share/wordlists/rockyou.txt zoeegal.zip.hashes
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 1.95% (ETA: 12:44:48) 0g/s 95197p/s 95197c/s 95197C/s desodorante..01diva
0g 0:00:00:07 4.28% (ETA: 12:44:58) 0g/s 97056p/s 97056c/s 97056C/s blah19..SCORPIO8
0g 0:00:00:20 9.30% (ETA: 12:45:50) 0g/s 73179p/s 73179c/s 73179C/s mosnarak..minkochitthe
zoeegal          (zoeegal.zip/secret.txt)
1g 0:00:00:38 DONE (2021-07-12 12:42) 0.02584g/s 64367p/s 64367c/s 64367C/s zwartje01..zoeegal
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
The password is shown in the line: