Most of my posts in this blog are based on "scratch your own itch" projects: you have a problem, you work on a solution, and later you realize that you are not the only one with that problem.
For years I have archived old source code, documents and more as compressed archives, to fit more of them on CDs. Nowadays most of my devices do not even have a CD drive, but the greater problem is that at the time I somehow thought the data would be safer if I put passwords on my archives. This was before password managers.
So every now and then I fight against my past self trying to guess my old passwords, often without success. And this often ends with the same process:
- Download a ZIP cracker
- Find a suitable dictionary for the attack
- Add a few of my own passwords
- Read the documentation of the tool, try to make it run
- Wait…forever…
- Delete the tool again
So after 5-6 years of repeating this process, I finally managed to create a Dockerfile that offers a ready-made cracker.
The Dockerfile
Here is the Dockerfile, which is based on Kali Linux:
FROM kalilinux/kali-rolling
# john ships zip2john/rar2john; wordlists ships rockyou.txt.gz, unpacked once at build time
RUN apt-get update && apt-get install -yqq wordlists john \
&& gunzip /usr/share/wordlists/rockyou.txt.gz \
&& rm -rf /var/lib/apt/lists/*
COPY crack-zip.sh /crack-zip.sh
# COPY keeps the file mode from the build context, so make sure the script is executable
RUN chmod +x /crack-zip.sh
WORKDIR /work
CMD ["/crack-zip.sh"]
Here is the crack-zip.sh file:
#!/usr/bin/env sh
set -e   # stop if zip2john fails, e.g. because there is no *.zip in /work
# zip2john prints one line of password-verification data ("hash") per archive
zip2john /work/*.zip > /work/zip.hashes
john --wordlist=/usr/share/wordlists/rockyou.txt /work/zip.hashes
john --show /work/zip.hashes   # list every cracked password, including ones from earlier runs
Explanation
John the Ripper is an open source password recovery tool. Among many other formats, it can crack the passwords of ZIP and RAR archives. You can see how it works in the script above: zip2john (rar2john for RAR archives) extracts the password-verification data, the "hashes", of the protected archives into a file, and john then tries to crack them. Extracting the hashes is fast; cracking them is not.
Hashes are one-way transformations of passwords: computing the hash of a candidate password is cheap, but there is no way back from the hash to the original password, so the only option is to guess candidates and hash each one. For a WinZip AES archive the "hash" john works on is the password verifier stored in the archive entry, derived from the password and a salt with PBKDF2-SHA1 (that is what "WinZip [PBKDF2-SHA1 ...]" in the output below refers to). Older archives encrypted with the legacy ZipCrypto scheme show up in john as "PKZIP"; that scheme is cryptographically weak and cracks much faster.
John the Ripper's three main cracking modes are single crack mode, wordlist mode and incremental mode. The script above uses wordlist mode, so if the password is not in the dictionary you won't find it; adding --rules makes john derive variations of every dictionary word (appended digits, capitalisation, leetspeak), which catches many "password1"-style choices. Single crack mode takes its guesses from the login names and GECOS fields of regular password files and is not relevant here. Incremental mode is the classical brute-force attack: it will definitely find the password, given a million years of time. It is only practical if you know that the password is short (e.g. at most 8 characters) and can restrict the character set.
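To make the "hash" and the two cracking modes concrete, here is an added example of my own, not code from this post or from the John the Ripper project. It reproduces in Python what zip2john and john do for a WinZip AES entry: the archive stores a salt and a two-byte password verifier, both derived from the password with PBKDF2-HMAC-SHA1 (1000 iterations, per the WinZip AES specification), and cracking means running that derivation for every candidate until the verifier matches. The archive entry it works on is constructed for the demo (a made-up salt, and a verifier computed from a known password); function names are mine.

```python
import hashlib
import itertools
import string

# WinZip AES (AE-1/AE-2) parameters: PBKDF2-HMAC-SHA1 with 1000 iterations.
# Mode 1/2/3 = AES-128/192/256, with an 8/12/16-byte salt stored in the archive entry.
ITERATIONS = 1000
KEY_BYTES = {1: 16, 2: 24, 3: 32}
SALT_BYTES = {1: 8, 2: 12, 3: 16}


def derive(password: str, salt: bytes, mode: int) -> tuple[bytes, bytes, bytes]:
    """Derive (AES key, HMAC key, 2-byte password verifier) the way WinZip AES does."""
    if len(salt) != SALT_BYTES[mode]:
        raise ValueError("salt length does not match AES mode")
    klen = KEY_BYTES[mode]
    material = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, 2 * klen + 2
    )
    return material[:klen], material[klen:2 * klen], material[2 * klen:]


def verifier(password: str, salt: bytes, mode: int) -> bytes:
    """The two bytes zip2john extracts next to the salt: cheap to compute, one-way.
    Only 16 bits, so about one random candidate in 65536 matches by accident;
    john therefore also checks the authentication code over the encrypted data
    before reporting a password. This toy does not."""
    return derive(password, salt, mode)[2]


def wordlist_attack(salt: bytes, mode: int, target: bytes, wordlist):
    """john's wordlist mode in miniature: one PBKDF2 run per dictionary entry."""
    for candidate in wordlist:
        if verifier(candidate, salt, mode) == target:
            return candidate
    return None  # password was not in the dictionary


def incremental_attack(salt: bytes, mode: int, target: bytes, charset: str, max_len: int):
    """john's incremental (brute-force) mode in miniature, bounded by max_len."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            if verifier(candidate, salt, mode) == target:
                return candidate
    return None  # search space exhausted without a match


# Constructed sample "archive entry": a made-up salt and the verifier of a known password.
# In real use both values come from the line zip2john prints for the archive.
SAMPLE_MODE = 3
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_VERIFIER = verifier("zoeegal", SAMPLE_SALT, SAMPLE_MODE)

if __name__ == "__main__":
    small_dict = ["123456", "password", "iloveyou", "zoeegal", "princess"]
    print("wordlist:", wordlist_attack(SAMPLE_SALT, SAMPLE_MODE, SAMPLE_VERIFIER, small_dict))
    # a 7-letter lowercase password would need up to 26**7 PBKDF2 runs; keep the demo short
    short_target = verifier("ab", SAMPLE_SALT, SAMPLE_MODE)
    print("incremental:", incremental_attack(SAMPLE_SALT, SAMPLE_MODE, short_target,
                                             string.ascii_lowercase, 3))
```

The 1000 PBKDF2 iterations are what make each guess expensive and explain the tens of thousands of candidates per second per core in the john output below; rockyou.txt has roughly 14 million entries, so even a full pass over it is a matter of minutes, whereas incremental mode over a realistic character set is hopeless beyond a handful of characters.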
Building and using the Docker image
Save the Dockerfile and crack-zip.sh above in the same directory and build the Docker image:
docker build -t kali-john -f Dockerfile .
Now you can put any password-protected ZIP files in the current directory and start a container like this:
docker run -it -v "$(pwd)":/work --rm kali-john
This mounts your current directory into the container. You can also open an interactive bash session and run the commands manually:
docker run -it -v "$(pwd)":/work --rm kali-john bash
This is example output for an archive containing a secret.txt:
# john --wordlist=/usr/share/wordlists/rockyou.txt zoeegal.zip.hashes
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 1.95% (ETA: 12:44:48) 0g/s 95197p/s 95197c/s 95197C/s desodorante..01diva
0g 0:00:00:07 4.28% (ETA: 12:44:58) 0g/s 97056p/s 97056c/s 97056C/s blah19..SCORPIO8
0g 0:00:00:20 9.30% (ETA: 12:45:50) 0g/s 73179p/s 73179c/s 73179C/s mosnarak..minkochitthe
zoeegal (zoeegal.zip/secret.txt)
1g 0:00:00:38 DONE (2021-07-12 12:42) 0.02584g/s 64367p/s 64367c/s 64367C/s zwartje01..zoeegal
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password is shown in the line:
zoeegal (zoeegal.zip/secret.txt)