ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/fcrackzip/fcrackzip.1
Revision: 1.1
Committed: Mon Aug 4 07:09:50 2008 UTC (16 years, 3 months ago) by root
Branch: MAIN
CVS Tags: HEAD
Log Message:
initial check-in, also 1.0 check-in

File Contents

# User Rev Content
1 root 1.1 .TH FCRACKZIP 1 "Free/Fast Zip Password Cracker"
2     .SH NAME
3     .I fcrackzip
4     \- a Free/Fast Zip Password Cracker
5     .SH SYNOPSIS
6     .B fcrackzip
7     [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
8     [--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
9     [--use-unzip] [--method name] [--modulo r/m] file...
10     .SH DESCRIPTION
11     .I fcrackzip
12     searches each zipfile given for encrypted files and tries to guess the
13     password. All files must be encrypted with the same password, the more
14     files you provide, the better.
15     .SS OPTIONS
16     .TP
17     .B \-h, \--help
18     Prints the version number and (hopefully) some helpful insights.
19     .TP
20     .B \-v, \--verbose
21     Each -v makes the program more verbose.
22     .TP
23     .B \-b, \--brute-force
24     Select brute force mode. This tries all possible combinations
25     of the letters you specify.
26     .TP
27     .B \-D, \--dictionary
28     Select dictionary mode. In this mode, fcrackzip will read passwords
29     from a file, which must contain one password per line and should be
30     alphabetically sorted (e.g. using \fBsort(1)\fR).
31     .TP
32     .B \-c, \--charset characterset-specification
33     Select the characters to use in brute-force cracking. Must be one
34     of
35    
36     .nf
37     a include all lowercase characters [a-z]
38     A include all uppercase characters [A-Z]
39     1 include the digits [0-9]
40     ! include [!:$%&/()=?{[]}+*~#]
41     : the following characters upto the end of the spe-
42     cification string are included in the character set.
43     This way you can include any character except binary
44     null (at least under unix).
45     .fi
46    
47     For example, a1:$% selects lowercase characters, digits and the dollar and
48     percent signs.
49     .TP
50     .B \-p, \--init-password string
51     Set initial (starting) password for brute-force searching to \fIstring\fR,
52     or use the file with the name \fIstring\fR to supply passwords for dictionary
53     searching.
54     .TP
55     .B \-l, \--length min[-max]
56     Use an initial password of length min, and check all passwords
57     upto passwords of length max (including). You can omit the max
58     parameter.
59     .TP
60     .B \-u, \--use-unzip
61     Try to decompress the first file by calling unzip with the guessed
62     password. This weeds out false positives when not enough files have
63     been given.
64     .TP
65     .B \-m, \--method name
66     Use method number "name" instead of the default cracking method. The
67     switch \fB--help\fR will print a list of available methods. Use
68     \fB--benchmark\fR to see which method does perform best on your
69     machine. The \fBname\fR can also be the number of the method to use.
70     .TP
71     .B \-2, \--modulo r/m
72     Calculate only r/m of the password. Not yet supported.
73     .TP
74     .B \-B, \--benchmark
75     Make a small benchmark, the output is nearly meaningless.
76     .TP
77     .B -V, \--validate
78     Make some basic checks wether the cracker works.
79     .SH ZIP PASSWORD BASICS
80     Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
81     \'incorrect password\', \fIwithout\fR decrypting the whole file. While the
82     encryption algorithm used by zip is relatively secure, PK made cracking easy
83     by providing hooks for very fast password-checking, directly in the zip
84     file. Understanding these is crucial to zip password cracking:
85    
86     For each password that is tried, the first twelve bytes of the file are
87     decrypted. Depending on the version of zip used to encrypt the file (more on
88     that later), the first ten or eleven bytes are random, followed by one or
89     two bytes whose values are stored elsewhere in the zip file, i.e. are known
90     beforehand. If these last bytes don't have the correct (known) value, the
91     password is definitely wrong. If the bytes are correct, the password
92     \fImight\fR be correct, but the only method to find out is to unzip the file
93     and compare the uncompressed length and crc\'s.
94    
95     Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
96     other operating systems!) stored two known bytes. Thus the error rate was
97     roughly 1/2^16 = 0.01%. PKWARE \'improved\' (interesting what industry calls
98     improved) the security of their format by only including one byte, so the
99     possibility of false passwords is now raised to 0.4%. Unfortunately, there
100     is no real way to distinguish one byte from two byte formats, so we have to
101     be conservative.
102     .SH BRUTE FORCE MODE
103     By default, brute force starts at the given starting password, and
104     successively tries all combinations until they are exhausted, printing all
105     passwords that it detects, together with a rough correctness indicator.
106    
107     The starting password given by the \fI-p\fR switch determines the length.
108     fcrackzip will not currently increase the password length automatically, unless
109     the \fI-l\fR switch is used.
110     .SH DICTIONARY MODE
111     This mode is similar to brute force mode, but instead of generating passwords
112     using a given set of characters and a length, the passwords will be read from
113     a file that you have to specify using the \fI-p\fR switch.
114     .SH CP MASK
115     A CP mask is a method to obscure images or parts of images using a
116     password. These obscured images can be restored even when saved as JPEG
117     files. In most of these files the password is actually hidden and can
118     be decoded easily (using one of the many available viewer and masking
119     programs, e.g. xv). If you convert the image the password, however, is
120     lost. The \fBcpmask\fR crack method can be used to brute-force these
121     images. Instead of a zip file you supply the obscured part (and nothing
122     else) of the image in the \fBPPM\fR-Image Format (\fBxv\fR and other
123     viewers can easily do this).
124    
125     The \fBcpmask\fR method can only cope with password composed of uppercase
126     letters, so be sure to supply the \fB--charset A\fR or equivalent option,
127     together with a suitable initialization password.
128     .SH EXAMPLES
129     .TP
130     .B fcrackzip -c a -p aaaaaa sample.zip
131     checks the encrypted files in sample.zip for all lowercase 6 character
132     passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
133     .TP
134     .B fcrackzip --method cpmask --charset A --init AAAA test.ppm
135     checks the obscured image \fBtest.ppm\fR for all four character passwords.
136     -TP
137     .B fcrackzip -D -p passwords.txt sample.zip
138     check for every password listed in the file \fBpasswords.txt\fR.
139     .SH PERFORMANCE
140     \fIfzc\fR, which seems to be widely used as a fast password cracker,
141     claims to make 204570 checks per second on my machine (measured under plain
142     dos w/o memory manager).
143    
144     \fIfcrackzip\fR, being written in C and not in assembler, naturally
145     is slower. Measured on a slightly loaded unix (same machine), it\'s 12
146     percent slower (the compiler used was \fIpgcc\fR, from
147     \fBhttp://www.gcc.ml.org/\fR).
148    
149     To remedy this a bit, I converted small parts of the encryption core to x86
150     assembler (it will still compile on non x86 machines), and now it\'s about
151     4-12 percent faster than \fIfzc\fR (again, the \fIfcrackzip\fR performance
152     was measured under a multitasking os, so there are inevitably some
153     meaurement errors), so there shouldn't be a tempting reason to switch to
154     other programs.
155    
156     Further improvements are definitely possible: \fIfzc\fR took 4 years to get
157     into shape, while fcrackzip was hacked together in under 10 hours. And not to
158     forget you have the source, while other programs (like \fIfzc\fR), even come
159     as an \fIencrypted .exe\fR file (maybe because their programmers are afraid
160     of other people could having a look at their lack of programming skills?
161     nobody knows...)
162     .SH RATIONALE
163     The reason I wrote \fIfcrackzip\fR was \fBNOT\fR to have the fastest zip
164     cracker available, but to provide a \fIportable\fR, \fIfree\fR (thus
165     \fIextensible\fR), but still \fIfast\fR zip password cracker. I was really
166     pissed of with that dumb, nonextendable zipcrackers that were either slow,
167     were too limited, or wouldn't run in the background (say, under unix). (And
168     you can't run them on your superfast 600Mhz Alpha).
169     .SH BUGS
170     No automatic unzip checking.
171     .PP
172     Stop/resume facility is missing.
173     .PP
174     Should be able to distinguish between files with 16 bit stored CRC\'s and 8
175     bit stored CRC\'s.
176     .PP
177     \The benchmark does not work on all systems.
178     .PP
179     It's still early alpha.
180     .PP
181     Method "cpmask" only accepts ppms.
182     .PP
183     Could be faster.
184     .SH AUTHOR
185     \fIfcrackzip\fR was written by Marc Lehmann <pcg@goof.com>. The main
186     \fIfcrackzip\fR page is at \fBhttp://www.goof.com/pcg/marc/fcrackzip.html\fR)
187