For this exercise I have created password-protected RAR and ZIP files that each contain two files.
test.rar: RAR archive data, v1d, os: Unix
test.zip: Zip archive data, at least v1.0 to extract
The password for the rar file is 'test1234' and the password for the zip file is 'test4321'.
In the 'run' folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called 'zip2john' and 'rar2john'. Run them against their respective file types to extract the password hashes:
./zip2john ../test.zip > ../zip.hashes
./rar2john ../test.rar > ../rar.hashes
This will give you files that contain the password hashes to be cracked, something like this:
../test.zip:$pkzip$2*2*1*0*0*1b*a80c*95e4e9547dcfcde4b8b2f05a80aaeb9d15dd76e7526b81803c8bf7*2*0*1b*f*72051312*0*44*0*1b*a808*cbafdd390bf49ea54064ab3ff9f486e6260b9854e37d1ee3a41c54*$/pkzip$
After that, you can run John the Ripper directly on the password hash files:
./john ../zip.hashes
You should get a message like:
Loaded 1 password hash (PKZIP [32/64])
When John is run with no options, it uses its default order of cracking modes. See the examples page for more information on modes.
Notice that in this case we are not using explicit dictionaries. You could potentially speed the cracking process up if you have an idea what the password may be. If you look at your processor usage and only one core is maxed out, then OpenMP was not enabled when John was built. On a multi-processor system, OpenMP will greatly speed up the cracking process.
Now sit back and wait for the cracking to finish. On a 64-bit quad-core i7 system, without using GPU, and while doing some other CPU-intensive tasks, the password was cracked in 6.5 hours.
Loaded 1 password hash (PKZIP [32/64])
guesses: 0 time: 0:00:40:29 0.00% (3) c/s: 2278K trying: eDTvw - ekTsl
guesses: 0 time: 0:01:25:10 0.00% (3) c/s: 1248K trying: ctshm#ni - ctshfon9
guesses: 0 time: 0:02:56:40 0.00% (3) c/s: 1499K trying: BR489a - BR48jf
guesses: 0 time: 0:03:56:04 0.00% (3) c/s: 1703K trying: fjmis5od - fjmidia0
guesses: 0 time: 0:04:46:09 0.00% (3) c/s: 1748K trying: Difg1ek - DifgbpS
guesses: 0 time: 0:05:21:22 0.00% (3) c/s: 1855K trying: btkululp - btkulene
guesses: 0 time: 0:06:02:43 0.00% (3) c/s: 1857K trying: ghmnymik - ghmnyasd
test4321 (../test.zip)
guesses: 1 time: 0:06:32:34 DONE (Mon Jul 28 17:50:22 2014) c/s: 1895K trying: telkuwhy - test43ac
Now if you want to see the cracked passwords, give john the following arguments:
./john ../zip.hashes --show
It should output something like:
../test.zip:test4321
1 password hash cracked, 0 left
Note: the hash file should have the same type of hashes. For example, we cannot put the rar AND zip hashes in the same file. But this means you could try to crack more than one zip/rar file at a time.
For the rar file, it did not take nearly as long since the password was relatively common. If you take a look at john.conf in the run directory, it has a list of the patterns it checks (in order). The pattern 12345 is much more likely than 54321, so it is checked first, resulting in a quick crack.
Loaded 1 password hash (RAR3 SHA-1 AES [32/64])
guesses: 0 time: 0:00:00:10 1.38% (1) (ETA: Mon Jul 28 18:23:58 2014) c/s: 24.86 trying: rar.tsett - ttests
guesses: 0 time: 0:00:02:12 13.40% (1) (ETA: Mon Jul 28 18:28:19 2014) c/s: 25.98 trying: Test29 - Test2rar9
test1234 (test.rar)
guesses: 1 time: 0:00:17:03 DONE (Mon Jul 28 18:28:56 2014) c/s: 24.01 trying: test1234 - testrar1234
Use the "--show" option to display all of the cracked passwords reliably
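As an added example (not part of the original post), the script below parses the final status lines of the two runs above and estimates the worst-case time to exhaust a password policy at each format's observed c/s rate. The two policies and all function names are assumptions chosen for illustration.

```python
import re

# Final status lines copied from the two runs shown above (c/s "K" = x1000).
ZIP_DONE = "guesses: 1 time: 0:06:32:34 DONE (Mon Jul 28 17:50:22 2014) c/s: 1895K trying: telkuwhy - test43ac"
RAR_DONE = "guesses: 1 time: 0:00:17:03 DONE (Mon Jul 28 18:28:56 2014) c/s: 24.01 trying: test1234 - testrar1234"

_STATUS = re.compile(
    r"guesses: (?P<g>\d+)\s+time: (?P<d>\d+):(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)"
    r".*?c/s: (?P<rate>[\d.]+)(?P<unit>[KM]?)"
)
_UNIT = {"": 1, "K": 1_000, "M": 1_000_000}


def parse_status(line):
    """Parse one John status line into guesses, elapsed seconds and c/s."""
    m = _STATUS.search(line)
    if m is None:
        return None  # not a status line (e.g. the "Loaded 1 password hash" banner)
    hours = int(m["d"]) * 24 + int(m["h"])  # time field is D:HH:MM:SS
    elapsed = (hours * 60 + int(m["m"])) * 60 + int(m["s"])
    return {"guesses": int(m["g"]), "elapsed_s": elapsed,
            "cps": float(m["rate"]) * _UNIT[m["unit"]]}


def keyspace(alphabet_size, max_len):
    """Number of candidates of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def days_to_exhaust(alphabet_size, max_len, cps):
    """Worst-case days to try every candidate at the given rate."""
    return keyspace(alphabet_size, max_len) / cps / 86400


def compare(policies, runs):
    """Worst-case days for every (policy, archive format) pair."""
    return {(p, f): days_to_exhaust(a, n, parse_status(line)["cps"])
            for p, (a, n) in policies.items() for f, line in runs.items()}


# Hypothetical policies: (alphabet size, max length). The first matches the
# shape of 'test4321' (lowercase + digits, 8 chars); the second is 95
# printable ASCII characters, 12 chars.
POLICIES = {"lower+digit/8": (36, 8), "printable/12": (95, 12)}
RUNS = {"PKZIP": ZIP_DONE, "RAR3": RAR_DONE}

if __name__ == "__main__":
    for (policy, fmt), days in sorted(compare(POLICIES, RUNS).items()):
        print(f"{policy:14} {fmt:6} {days:12.3g} days")
```

Both test passwords fell in hours or minutes, far below these worst-case figures, because they were guessable. The rate difference between the two formats only matters for passwords that wordlists and pattern rules do not reach.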


Nicely written. Helped me crack a zip file very quickly.
Thanks :)
I'm getting
john-1.7.9-jumbo-5-Linux-x86-64/run$ ./john ../../rar.hashes
Floating point exception
Any ideas?
I've never had fpe with John. I'm guessing it has to do with the compiler or arch you are running on. The instructions above were done with GNU Make 3.81 and gcc 4.8.2: x86_64-pc-linux-gnu
Hello
I am having trouble with a ZIP video file encrypted with a password. Can you give any recommendations or suggestions? Or say what I am doing wrong, please? I am adding my terminal outcomes and my tries:
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./zip2john ../secret.zip > ../zip.hashes
! ../secret.zip : No such file or directory
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./zip2john ../secret.zip > ../zip.hashes
../secret.zip->Pelicula Completa.mp4 PKZIP Encr: cmplen=997085875, decmplen=997527439, crc=F122CED0
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./john ../zip.hashes
pkzip validation failed [We could NOT find the internal zip data in this ZIP file] Hash is $pkzip$1*1*3*0*3b6e52b3*3b750f8f*f122ced0*0*33*8*d*f122*../secret.zip*$/pkzip$
No password hashes loaded (see FAQ)
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./zip2john ../secret.zip > ../zip.hashes
../secret.zip->Pelicula Completa.mp4 PKZIP Encr: cmplen=997085875, decmplen=997527439, crc=F122CED0
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./john ../zip.hashes --show
pkzip validation failed [We could NOT find the internal zip data in this ZIP file] Hash is $pkzip$1*1*3*0*3b6e52b3*3b750f8f*f122ced0*0*33*8*d*f122*../secret.zip*$/pkzip$
0 password hashes cracked, 0 left
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./zip2john ../secret.zip > ../zip.hashes
../secret.zip->Pelicula Completa.mp4 PKZIP Encr: cmplen=997085875, decmplen=997527439, crc=F122CED0
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ sudo su
[sudo] password for casa:
root@casa-ThinkPad-T400:/home/casa/john-1.7.9-jumbo-7/run# ./zip2john ../secret.zip > ../zip.hashes
../secret.zip->Pelicula Completa.mp4 PKZIP Encr: cmplen=997085875, decmplen=997527439, crc=F122CED0
root@casa-ThinkPad-T400:/home/casa/john-1.7.9-jumbo-7/run# ./zip2john ../secret.zip > ../zip.hashes
../secret.zip->Pelicula Completa.mp4 PKZIP Encr: cmplen=997085875, decmplen=997527439, crc=F122CED0
root@casa-ThinkPad-T400:/home/casa/john-1.7.9-jumbo-7/run# zip.hashes --show
zip.hashes: no se encontró la orden
root@casa-ThinkPad-T400:/home/casa/john-1.7.9-jumbo-7/run# zip.hashes --show
zip.hashes: no se encontró la orden
root@casa-ThinkPad-T400:/home/casa/john-1.7.9-jumbo-7/run# exit
exit
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./john ../zip.hashes --show
pkzip validation failed [We could NOT find the internal zip data in this ZIP file] Hash is $pkzip$1*1*3*0*3b6e52b3*3b750f8f*f122ced0*0*33*8*d*f122*../secret.zip*$/pkzip$
0 password hashes cracked, 0 left
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./john ../zip.hashes
pkzip validation failed [We could NOT find the internal zip data in this ZIP file] Hash is $pkzip$1*1*3*0*3b6e52b3*3b750f8f*f122ced0*0*33*8*d*f122*../secret.zip*$/pkzip$
No password hashes loaded (see FAQ)
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$ ./zip2john ../secret.zip > ../zip.hashes
../secret.zip->Pelicula Completa.mp4 PKZIP Encr: cmplen=997085875, decmplen=997527439, crc=F122CED0
casa@casa-ThinkPad-T400:~/john-1.7.9-jumbo-7/run$
Thanks
I'm on Windows and all I get is "RAR -p mode support not complete yet!"
Any ideas?
I am getting this error on CMD when I try to open the test.hashes file:
MS-DOS style path detected: ..\rarhash.hashes
Preferred POSIX equivalent is: ../rarhash.hashes
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
stat: ..\rarhash.hashes: No such file or directory
How much time does it take to crack a zip file password? My John version doesn't show the ETA in status while cracking
It completely depends on what the password is, and how you are generating the passwords. Very basically, the longer the password, the longer it will take to guess. John the Ripper attempts to do some intelligent guessing to generate more likely passwords, but that does not mean it will necessarily be faster.
Hi, I'm kind of a noob with this. Is this for Windows? Because when I type
john rar.hashes
all I can see is
RAR -p mode support is not complete yet!
Can someone help me? And sorry, I know my English is bad. Thanks for the help.
This is really written well and comprehensible and therefore I can't believe I cannot get it to work.
I tried this in a Kali Linux distribution and (after it did not work for existing files) created a ZIP file from a text file with password 'bb' and ran zip2john to get the hashes. However, when I try to run john I only get 'No password hashes loaded (see FAQ)' as a result. I read the FAQ but none of the entries seem to address my problem.
Can anyone tell me what I could be doing wrong here?
Best regards,
poerney