.TH FCRACKZIP 1 "Free/Fast Zip Password Cracker"
.SH NAME
.I fcrackzip
\- a Free/Fast Zip Password Cracker
.SH SYNOPSIS
.B fcrackzip
[-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
[--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
[--use-unzip] [--method name] [--modulo r/m] file...
.SH DESCRIPTION
.I fcrackzip
searches each zipfile given for encrypted files and tries to guess the
password. All files must be encrypted with the same password; the more
files you provide, the better.
.SS OPTIONS
.TP
.B \-h, \--help
Prints the version number and (hopefully) some helpful insights.
.TP
.B \-v, \--verbose
Each -v makes the program more verbose.
.TP
.B \-b, \--brute-force
Select brute force mode. This tries all possible combinations
of the letters you specify.
.TP
.B \-D, \--dictionary
Select dictionary mode. In this mode, fcrackzip will read passwords
from a file, which must contain one password per line and should be
alphabetically sorted (e.g. using \fBsort(1)\fR).
.TP
.B \-c, \--charset characterset-specification
Select the characters to use in brute-force cracking. Must be one
of

.nf
a  include all lowercase characters [a-z]
A  include all uppercase characters [A-Z]
1  include the digits [0-9]
!  include [!:$%&/()=?{[]}+*~#]
:  the following characters up to the end of the
   specification string are included in the character set.
   This way you can include any character except binary
   null (at least under unix).
.fi

For example, a1:$% selects lowercase characters, digits and the dollar and
percent signs.
.TP
.B \-p, \--init-password string
Set initial (starting) password for brute-force searching to \fIstring\fR,
or use the file with the name \fIstring\fR to supply passwords for dictionary
searching.
.TP
.B \-l, \--length min[-max]
Use an initial password of length min, and check all passwords
up to passwords of length max (inclusive). You can omit the max
parameter.
.TP
.B \-u, \--use-unzip
Try to decompress the first file by calling unzip with the guessed
password. This weeds out false positives when not enough files have
been given.
.TP
.B \-m, \--method name
Use the method called "name" instead of the default cracking method. The
switch \fB--help\fR will print a list of available methods. Use
\fB--benchmark\fR to see which method performs best on your
machine. The \fBname\fR can also be the number of the method to use.
.TP
.B \-2, \--modulo r/m
Check only slice r of m of the password space. Not yet supported.
.TP
.B \-B, \--benchmark
Make a small benchmark; the output is nearly meaningless.
.TP
.B \-V, \--validate
Make some basic checks whether the cracker works.
.SH ZIP PASSWORD BASICS
Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
\'incorrect password\', \fIwithout\fR decrypting the whole file. While the
encryption algorithm used by zip is relatively secure, PK made cracking easy
by providing hooks for very fast password-checking, directly in the zip
file. Understanding these is crucial to zip password cracking:

For each password that is tried, the first twelve bytes of the file are
decrypted. Depending on the version of zip used to encrypt the file (more on
that later), the first ten or eleven bytes are random, followed by one or
two bytes whose values are stored elsewhere in the zip file, i.e. are known
beforehand. If these last bytes don't have the correct (known) value, the
password is definitely wrong. If the bytes are correct, the password
\fImight\fR be correct, but the only method to find out is to unzip the file
and compare the uncompressed length and CRCs.

Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
other operating systems!) stored two known bytes. Thus the error rate was
roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what industry calls
improved) the security of their format by only including one byte, so the
probability of a false password is now raised to 0.4%. Unfortunately, there
is no real way to distinguish one byte from two byte formats, so we have to
be conservative.
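The header check described above, as an added Python example that is not fcrackzip's own code: the traditional PKWARE ("ZipCrypto") key schedule, the 12-byte header as zip writes it, and the quick test that rejects a password from the last one or two decrypted bytes alone. The CRC, password, header filler and candidate list are constructed values; on a list of wrong candidates roughly 1 in 256 survive the one-byte check and 1 in 65536 the two-byte check, which is the false-positive rate the text gives.

```python
# Added example (not fcrackzip's code): the traditional PKWARE "ZipCrypto" header check
CRC_TABLE = [0] * 256                 # CRC-32, polynomial 0xEDB88320
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE[n] = c

def crc32_byte(crc, b):
    return CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

def update_keys(keys, b):
    # feed one plaintext byte into the three 32-bit cipher keys
    keys[0] = crc32_byte(keys[0], b)
    keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
    keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = crc32_byte(keys[2], keys[1] >> 24)

def stream_byte(keys):
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF

def crypt_header(password, data, decrypt):
    # keys are seeded with the password and then always fed the plaintext
    keys = [0x12345678, 0x23456789, 0x34567890]
    for b in password:
        update_keys(keys, b)
    out = bytearray()
    for b in data:
        out.append(b ^ stream_byte(keys))
        update_keys(keys, out[-1] if decrypt else b)
    return bytes(out)

def make_header(password, crc, two_bytes):
    # 10 or 11 "random" bytes (fixed here, constructed), then the high byte(s) of the CRC
    plain = bytearray(range(1, 13))
    plain[11] = (crc >> 24) & 0xFF
    if two_bytes:
        plain[10] = (crc >> 16) & 0xFF
    return crypt_header(password, plain, False)

def quick_check(password, header, crc, two_bytes):
    # decrypt only the header: mismatch = definitely wrong, match = maybe
    plain = crypt_header(password, header, True)
    return plain[11] == (crc >> 24) & 0xFF and (
        not two_bytes or plain[10] == (crc >> 16) & 0xFF)

def false_positives(header, crc, two_bytes, candidates):
    # wrong candidates that survive: about 1/256 with one byte, 1/65536 with two
    return sum(quick_check(p, header, crc, two_bytes) for p in candidates)
```

A candidate that survives quick_check still has to be confirmed by decompressing and comparing length and CRC, which is what the --use-unzip option does.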
.SH BRUTE FORCE MODE
By default, brute force starts at the given starting password, and
successively tries all combinations until they are exhausted, printing all
passwords that it detects, together with a rough correctness indicator.

The starting password given by the \fI-p\fR switch determines the length.
fcrackzip will not currently increase the password length automatically, unless
the \fI-l\fR switch is used.
.SH DICTIONARY MODE
This mode is similar to brute force mode, but instead of generating passwords
using a given set of characters and a length, the passwords will be read from
a file that you have to specify using the \fI-p\fR switch.
.SH CP MASK
A CP mask is a method to obscure images or parts of images using a
password. These obscured images can be restored even when saved as JPEG
files. In most of these files the password is actually hidden and can
be decoded easily (using one of the many available viewer and masking
programs, e.g. xv). If you convert the image, however, the password is
lost. The \fBcpmask\fR crack method can be used to brute-force these
images. Instead of a zip file you supply the obscured part (and nothing
else) of the image in the \fBPPM\fR image format (\fBxv\fR and other
viewers can easily do this).

The \fBcpmask\fR method can only cope with passwords composed of uppercase
letters, so be sure to supply the \fB--charset A\fR or equivalent option,
together with a suitable initialization password.
.SH EXAMPLES
.TP
.B fcrackzip -c a -p aaaaaa sample.zip
checks the encrypted files in sample.zip for all lowercase 6 character
passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
.TP
.B fcrackzip --method cpmask --charset A --init AAAA test.ppm
checks the obscured image \fBtest.ppm\fR for all four character passwords.
.TP
.B fcrackzip -D -p passwords.txt sample.zip
checks for every password listed in the file \fBpasswords.txt\fR.
.SH PERFORMANCE
\fIfzc\fR, which seems to be widely used as a fast password cracker,
claims to make 204570 checks per second on my machine (measured under plain
DOS without a memory manager).

\fIfcrackzip\fR, being written in C and not in assembler, naturally
is slower. Measured on a slightly loaded unix (same machine), it's 12
percent slower (the compiler used was \fIpgcc\fR, from
\fBhttp://www.gcc.ml.org/\fR).

To remedy this a bit, I converted small parts of the encryption core to x86
assembler (it will still compile on non-x86 machines), and now it's about
4-12 percent faster than \fIfzc\fR (again, the \fIfcrackzip\fR performance
was measured under a multitasking OS, so there are inevitably some
measurement errors), so there shouldn't be a tempting reason to switch to
other programs.

Further improvements are definitely possible: \fIfzc\fR took 4 years to get
into shape, while fcrackzip was hacked together in under 10 hours. And not to
forget, you have the source, while other programs (like \fIfzc\fR) even come
as an \fIencrypted .exe\fR file (maybe because their programmers are afraid
of other people having a look at their lack of programming skills?
Nobody knows...)
.SH RATIONALE
The reason I wrote \fIfcrackzip\fR was \fBNOT\fR to have the fastest zip
cracker available, but to provide a \fIportable\fR, \fIfree\fR (thus
\fIextensible\fR), but still \fIfast\fR zip password cracker. I was really
pissed off with those dumb, non-extendable zipcrackers that were either slow,
were too limited, or wouldn't run in the background (say, under unix). (And
you can't run them on your superfast 600MHz Alpha.)
.SH BUGS
No automatic unzip checking.
.PP
Stop/resume facility is missing.
.PP
Should be able to distinguish between files with 16 bit stored CRCs and 8
bit stored CRCs.
.PP
The benchmark does not work on all systems.
.PP
It's still early alpha.
.PP
Method "cpmask" only accepts PPMs.
.PP
Could be faster.
.SH AUTHOR
\fIfcrackzip\fR was written by Marc Lehmann <pcg@goof.com>. The main
\fIfcrackzip\fR page is at \fBhttp://www.goof.com/pcg/marc/fcrackzip.html\fR.