Cracking protected ZIP files on Linux

Says it in the title!

Introduction to ZIP


The zip binary packages and compresses files into an archive; the companion program unzip unpacks ZIP archives. As stated in the man page, zip "puts one or more compressed files into a single ZIP archive". It also stores metadata such as the "name, path, date" of each file in the archive.

Note: ZIP's traditional password protection uses the PKZIP encryption algorithm, which has known security weaknesses. Today, a stronger algorithm such as AES-256 offers far greater security.

We will first create a test ZIP archive in the /tmp/zip/ directory. You need zip installed on your distribution of choice; install it using your package manager.

sudo pacman -S zip  [arch base]
sudo apt install zip  [debian base]

Creating a ZIP archive

We can use the -P argument to supply a password on the zip command line.

zip -P test archive.zip test-archive/

We supply the password, the name of the ZIP file and the target folder. It must be noted that using the -P argument is extremely insecure: because the password is supplied like any other argument, it is saved in clear text in ~/.bash_history (and is visible to anyone who can list running processes while zip runs). Therefore, if an attacker compromised the system, the attempt to protect the archive would be in vain.

Using -e or --encrypt instead prompts for the password, so it is never recorded in the shell history. For example:

$ zip -e archive.zip test-archive/
Enter password:
Verify password: 

That's it! It is pretty simple. Now, let's get on to cracking.


Cracking a ZIP archive

In order to crack this ZIP file, we first need the hash to brute-force against. Then, tools such as hashcat and john will do the hard work for us. To obtain a hash, we use the zip2john program, which is installed automatically alongside john.

To install:

sudo pacman -S john  [arch base]
sudo apt install john  [debian base]

Procuring the hash is simple. Invoke zip2john with the target ZIP file as the argument and redirect the hash to another file. For example:

zip2john archive.zip > zip-hash

Now we have the hash of the ZIP file. It will look something similar to this:

arch /tmp/zip $ cat zip-hash
archive.zip:$pkzip2$3*2*1*0*8*24*7cf0*433a%d9eff28a97d95635b6Fa95d90112aead53fOc7Ff1ife3sde6308b 6848e86dF7a270F18770b4*1%0%8*24%C18C%x42b8*6F6927bd9 F5e8db18F3eaceb8d8a564c01b535d71e9475dcIbdaf 232487eda59557a2dbc33*2*0*13*7*xebd78eb7*1lbeeax6b*O*13%ebd7*433a%42420120b0cb36a12b6c31737d25a 0f56d777d*$/pkzip2$::archive.zip:site/libraries/vendor/phpmailer/phpmailer/VERSION, site/libraries/phpass/PasswordHash.php, db/joomladb.sql:archive.zip

Note: I used a ZIP file from a machine on TryHackMe to crack.

For john, we simply specify the format, the wordlist to use in the attack and the hash of the ZIP file. I'll be using rockyou.txt, a well-known wordlist.

Format: zip, or zip-opencl (for use with a dedicated graphics card). You don't need to specify the format, though, as john detects it automatically.

john --wordlist=/opt/wordlists/rockyou.txt zip-hash

And like magic:

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannah           (archive.zip)
1g 0:00:00:00 DONE (2022-08-24 17:21) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..christal
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We get the password.
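Why a PKZIP hash falls this fast is worth seeing. The traditional PKZIP ("ZipCrypto") scheme prefixes each entry with a 12-byte encryption header whose last byte must decrypt to the high byte of the entry's CRC-32, so a candidate password can be rejected after decrypting just those 12 bytes. The Python below is an added illustration of that scheme, not code from this post or from john; the entry contents, the salt bytes and the CRC are constructed sample values, and the password is the one recovered above.

```python
import zlib

# Added illustration of the traditional PKZIP ("ZipCrypto") scheme (APPNOTE.TXT 6.1); not the post's or john's code.

def _crc32_update(crc, byte):
    # One-byte CRC-32 step; zlib wants the usual pre/post-inverted form, so undo it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCryptoKeys:
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, b):
        self.k0 = _crc32_update(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

def _crypt(password: bytes, data: bytes, decrypting: bool) -> bytes:
    # The keys are always advanced with the plaintext byte, whichever direction we run.
    keys, out = ZipCryptoKeys(password), bytearray()
    for byte in data:
        result = byte ^ keys.stream_byte()
        out.append(result)
        keys.update(result if decrypting else byte)
    return bytes(out)

def encrypt(password: bytes, plain: bytes) -> bytes:
    return _crypt(password, plain, False)

def decrypt(password: bytes, cipher: bytes) -> bytes:
    return _crypt(password, cipher, True)

def make_header(password: bytes, crc: int, salt11: bytes) -> bytes:
    # 12-byte encryption header: 11 salt bytes plus the high byte of the entry's CRC-32.
    return encrypt(password, salt11 + bytes([(crc >> 24) & 0xFF]))

def header_check_passes(password: bytes, enc_header: bytes, crc: int) -> bool:
    # 12 bytes decrypted and one byte compared per candidate: about 255 of every 256 wrong guesses die here.
    return decrypt(password, enc_header)[-1] == (crc >> 24) & 0xFF

SAMPLE_CRC = zlib.crc32(b"example entry contents")  # constructed sample entry
SAMPLE_HEADER = make_header(b"hannah", SAMPLE_CRC, bytes(range(11)))  # constructed salt, password from the post
```

The same one-byte filter is what lets john report gigabytes of candidates per second against a PKZIP hash; only the few survivors need a full decrypt and CRC check.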


Conclusion

Cracking ZIP files is pretty simple: obtain a hash, create or use an existing wordlist, specify the format if necessary, and wait. Again, the PKZIP algorithm is weak compared to AES-256, so tools like 7-Zip, which can encrypt archives with AES-256, offer greater protection.
