.TH FCRACKZIP 1 "Free/Fast Zip Password Cracker"
.SH NAME
.I fcrackzip
\- a Free/Fast Zip Password Cracker
.SH SYNOPSIS
.B fcrackzip
[-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
[--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
[--use-unzip] [--method name] [--modulo r/m] file...
.SH DESCRIPTION
.I fcrackzip
searches each zipfile given for encrypted files and tries to guess the
password. All files must be encrypted with the same password; the more
files you provide, the better.
.SS OPTIONS
.TP
.B \-h, \--help
Prints the version number and (hopefully) some helpful insights.
.TP
.B \-v, \--verbose
Each -v makes the program more verbose.
.TP
.B \-b, \--brute-force
Select brute force mode. This tries all possible combinations
of the letters you specify.
.TP
.B \-D, \--dictionary
Select dictionary mode. In this mode, fcrackzip will read passwords
from a file, which must contain one password per line and should be
alphabetically sorted (e.g. using \fBsort(1)\fR).
.TP
.B \-c, \--charset characterset-specification
Select the characters to use in brute-force cracking. Must be built
from one or more of

.nf
   a   include all lowercase characters [a-z]
   A   include all uppercase characters [A-Z]
   1   include the digits [0-9]
   !   include [!:$%&/()=?{[]}+*~#]
   :   the following characters up to the end of the
       specification string are included in the character set.
       This way you can include any character except binary
       null (at least under unix).
.fi

For example, a1:$% selects lowercase characters, digits and the dollar and
percent signs.
.TP
.B \-p, \--init-password string
Set initial (starting) password for brute-force searching to \fIstring\fR,
or use the file with the name \fIstring\fR to supply passwords for dictionary
searching.
.TP
.B \-l, \--length min[-max]
Use an initial password of length min, and check all passwords
up to passwords of length max (inclusive). You can omit the max
parameter.
.TP
.B \-u, \--use-unzip
Try to decompress the first file by calling unzip with the guessed
password. This weeds out false positives when not enough files have
been given.
.TP
.B \-m, \--method name
Use method number "name" instead of the default cracking method. The
switch \fB--help\fR will print a list of available methods. Use
\fB--benchmark\fR to see which method performs best on your
machine. The \fBname\fR can also be the number of the method to use.
.TP
.B \-2, \--modulo r/m
Calculate only r/m of the password. Not yet supported.
.TP
.B \-B, \--benchmark
Make a small benchmark; the output is nearly meaningless.
.TP
.B \-V, \--validate
Make some basic checks whether the cracker works.
.SH ZIP PASSWORD BASICS
Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
\'incorrect password\', \fIwithout\fR decrypting the whole file. While the
encryption algorithm used by zip is relatively secure, PK made cracking easy
by providing hooks for very fast password-checking, directly in the zip
file. Understanding these is crucial to zip password cracking:

For each password that is tried, the first twelve bytes of the file are
decrypted. Depending on the version of zip used to encrypt the file (more on
that later), the first ten or eleven bytes are random, followed by one or
two bytes whose values are stored elsewhere in the zip file, i.e. are known
beforehand. If these last bytes don't have the correct (known) value, the
password is definitely wrong. If the bytes are correct, the password
\fImight\fR be correct, but the only method to find out is to unzip the file
and compare the uncompressed length and crc\'s.

Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
other operating systems!) stored two known bytes. Thus the error rate was
roughly 1/2^16 = 0.01%. PKWARE \'improved\' (interesting what industry calls
improved) the security of their format by only including one byte, so the
probability of a false password passing the check is now raised to 0.4%.
Unfortunately, there is no real way to distinguish one byte from two byte
formats, so we have to be conservative.
.SH BRUTE FORCE MODE
By default, brute force starts at the given starting password, and
successively tries all combinations until they are exhausted, printing all
passwords that it detects, together with a rough correctness indicator.

The starting password given by the \fI-p\fR switch determines the length.
fcrackzip will not currently increase the password length automatically, unless
the \fI-l\fR switch is used.
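.PP
The following Python script is an added example and is not part of fcrackzip
or its documentation. It parses a \fB--charset\fR specification the way the
option table above describes it (class letters, then a literal tail after
\fB:\fR), sizes the \fB--length min[-max]\fR keyspace the brute force mode
will walk, and applies the one-byte / two-byte header check from ZIP PASSWORD
BASICS to estimate how many wrong candidates will slip past the fast check,
which is the number \fB--use-unzip\fR has to weed out. The function names
and the default rate of 204570 checks per second (the fzc figure quoted under
PERFORMANCE) are assumptions of this example; substitute the number from
\fB--benchmark\fR on your own machine.

```python
import string
from typing import Dict, Optional

# Character classes as documented for fcrackzip's --charset option.
CLASSES: Dict[str, str] = {
    "a": string.ascii_lowercase,   # [a-z]
    "A": string.ascii_uppercase,   # [A-Z]
    "1": string.digits,            # [0-9]
    "!": "!:$%&/()=?{[]}+*~#",     # punctuation set from the man page
}


def parse_charset(spec: str) -> str:
    """Expand a --charset specification into its character set.

    Class letters are expanded from CLASSES; everything after the first
    ':' in the specification is taken literally up to its end.  Duplicates
    are dropped while keeping first-seen order, so the length of the result
    is the size of the alphabet the brute force will iterate over.
    """
    chars = []
    for i, c in enumerate(spec):
        if c == ":":
            chars.extend(spec[i + 1:])
            break
        if c not in CLASSES:
            raise ValueError(f"unknown charset class {c!r} in {spec!r}")
        chars.extend(CLASSES[c])
    seen = set()
    unique = []
    for ch in chars:
        if ch not in seen:
            seen.add(ch)
            unique.append(ch)
    return "".join(unique)


def keyspace(alphabet: str, min_len: int, max_len: Optional[int] = None) -> int:
    """Number of candidates for --length min[-max] over the given alphabet."""
    if max_len is None:          # --length with the max part omitted
        max_len = min_len
    n = len(alphabet)
    return sum(n ** length for length in range(min_len, max_len + 1))


def expected_false_positives(candidates: int, known_bytes: int) -> float:
    """Wrong passwords that still pass the 12-byte header check by chance.

    With two known check bytes (pkzip 1.x) a wrong password survives with
    probability 1/2^16; with one byte (later pkzip) it is 1/2^8 = 0.4%.
    """
    if known_bytes not in (1, 2):
        raise ValueError("zip stores one or two check bytes")
    return candidates / float(256 ** known_bytes)


def estimate(spec: str, min_len: int, max_len: Optional[int] = None,
             checks_per_second: float = 204570.0) -> dict:
    """Summarise a planned run: alphabet size, candidates, time, false hits.

    checks_per_second is an assumed default (the fzc rate quoted in the
    man page); pass the rate measured by `fcrackzip --benchmark` instead.
    """
    alphabet = parse_charset(spec)
    n = keyspace(alphabet, min_len, max_len)
    return {
        "alphabet_size": len(alphabet),
        "candidates": n,
        "hours": n / checks_per_second / 3600.0,
        "false_positives_two_bytes": expected_false_positives(n, 2),
        "false_positives_one_byte": expected_false_positives(n, 1),
    }


if __name__ == "__main__":
    # Same search as the first EXAMPLES entry: -c a -p aaaaaa (six lowercase).
    for key, value in estimate("a", 6).items():
        print(f"{key:>26}: {value}")
```

Run as-is it sizes the six-lowercase-character search from the EXAMPLES
section: 26^6 candidates, and with a one-byte check over a million of them
would pass the header test by accident, which is why a run without
\fB--use-unzip\fR or several files in the archive reports so many
"possible" passwords.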
.SH DICTIONARY MODE
This mode is similar to brute force mode, but instead of generating passwords
using a given set of characters and a length, the passwords will be read from
a file that you have to specify using the \fI-p\fR switch.
.SH CP MASK
A CP mask is a method to obscure images or parts of images using a
password. These obscured images can be restored even when saved as JPEG
files. In most of these files the password is actually hidden and can
be decoded easily (using one of the many available viewer and masking
programs, e.g. xv). If you convert the image, however, the password is
lost. The \fBcpmask\fR crack method can be used to brute-force these
images. Instead of a zip file you supply the obscured part (and nothing
else) of the image in the \fBPPM\fR-Image Format (\fBxv\fR and other
viewers can easily do this).

The \fBcpmask\fR method can only cope with passwords composed of uppercase
letters, so be sure to supply the \fB--charset A\fR or equivalent option,
together with a suitable initialization password.
.SH EXAMPLES
.TP
.B fcrackzip -c a -p aaaaaa sample.zip
checks the encrypted files in sample.zip for all lowercase 6 character
passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
.TP
.B fcrackzip --method cpmask --charset A --init AAAA test.ppm
checks the obscured image \fBtest.ppm\fR for all four character passwords.
.TP
.B fcrackzip -D -p passwords.txt sample.zip
checks every password listed in the file \fBpasswords.txt\fR.
.SH PERFORMANCE
\fIfzc\fR, which seems to be widely used as a fast password cracker,
claims to make 204570 checks per second on my machine (measured under plain
dos w/o memory manager).

\fIfcrackzip\fR, being written in C and not in assembler, naturally
is slower. Measured on a slightly loaded unix (same machine), it\'s 12
percent slower (the compiler used was \fIpgcc\fR, from
\fBhttp://www.gcc.ml.org/\fR).

To remedy this a bit, I converted small parts of the encryption core to x86
assembler (it will still compile on non x86 machines), and now it\'s about
4-12 percent faster than \fIfzc\fR (again, the \fIfcrackzip\fR performance
was measured under a multitasking os, so there are inevitably some
measurement errors), so there shouldn't be a tempting reason to switch to
other programs.

Further improvements are definitely possible: \fIfzc\fR took 4 years to get
into shape, while fcrackzip was hacked together in under 10 hours. And not to
forget, you have the source, while other programs (like \fIfzc\fR) even come
as an \fIencrypted .exe\fR file (maybe because their programmers are afraid
of other people having a look at their lack of programming skills?
nobody knows...)
.SH RATIONALE
The reason I wrote \fIfcrackzip\fR was \fBNOT\fR to have the fastest zip
cracker available, but to provide a \fIportable\fR, \fIfree\fR (thus
\fIextensible\fR), but still \fIfast\fR zip password cracker. I was really
pissed off with those dumb, nonextendable zipcrackers that were either slow,
were too limited, or wouldn't run in the background (say, under unix). (And
you can't run them on your superfast 600MHz Alpha).
.SH BUGS
No automatic unzip checking.
.PP
Stop/resume facility is missing.
.PP
Should be able to distinguish between files with 16 bit stored CRC\'s and 8
bit stored CRC\'s.
.PP
The benchmark does not work on all systems.
.PP
It's still early alpha.
.PP
Method "cpmask" only accepts ppms.
.PP
Could be faster.
.SH AUTHOR
\fIfcrackzip\fR was written by Marc Lehmann <pcg@goof.com>. The main
\fIfcrackzip\fR page is at \fBhttp://www.goof.com/pcg/marc/fcrackzip.html\fR.