<HTML><HEAD><TITLE>Manpage of FCRACKZIP</TITLE>
</HEAD><BODY>
<H1>FCRACKZIP</H1>
Section: User Commands (1)<BR>Updated: Free/Fast Zip Password Cracker<BR><A HREF="#index">Index</A>
<HR>

<A NAME="lbAB"> </A>
<H2>NAME</H2>

<I>fcrackzip</I>

- a Free/Fast Zip Password Cracker
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>

<B>fcrackzip</B>

[-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
[--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
[--use-unzip] [--method name] [--modulo r/m] file...
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>

<I>fcrackzip</I>

searches each zipfile given for encrypted files and tries to guess the
password. All files must be encrypted with the same password; the more
files you provide, the better, because every encrypted file contributes its
own check byte(s), so fewer wrong passwords survive the fast check.
<A NAME="lbAE"> </A>
<H3>OPTIONS</H3>

<DL COMPACT>
<DT><B>-h, --help</B>

<DD>
Prints the version number and (hopefully) some helpful insights.
<DT><B>-v, --verbose</B>

<DD>
Each -v makes the program more verbose.
<DT><B>-b, --brute-force</B>

<DD>
Select brute force mode. This tries all possible combinations
of the characters you specify with <B>--charset</B>, starting from the
password given with <B>--init-password</B>.
<DT><B>-D, --dictionary</B>

<DD>
Select dictionary mode. In this mode, fcrackzip will read passwords
from a file, which must contain one password per line and should be
alphabetically sorted (e.g. using <B>sort</B>(1)).
<DT><B>-c, --charset characterset-specification</B>

<DD>
Select the characters to use in brute-force cracking. The specification
is a string built from the following selectors, which may be combined:
<P>
<PRE>
a     include all lowercase characters [a-z]
A     include all uppercase characters [A-Z]
1     include the digits [0-9]
!     include [!:$%&/()=?{[]}+*~#]
:     the following characters up to the end of the
      specification string are included in the character set.
      This way you can include any character except binary
      null (at least under unix).
</PRE>

<P>
For example, <B>a1:$%</B> selects lowercase characters, digits and the dollar and
percent signs.
<DT><B>-p, --init-password string</B>

<DD>
Set the initial (starting) password for brute-force searching to <I>string</I>,
or use the file with the name <I>string</I> to supply passwords for dictionary
searching.
<DT><B>-l, --length min[-max]</B>

<DD>
Use an initial password of length min, and check all passwords
up to passwords of length max (inclusive). You can omit the max
parameter.
<DT><B>-u, --use-unzip</B>

<DD>
Try to decompress the first file by calling unzip with the guessed
password. This weeds out false positives when not enough files have
been given.
<DT><B>-m, --method name</B>

<DD>
Use the method called <I>name</I> instead of the default cracking method. The
switch <B>--help</B> will print a list of available methods. Use
<B>--benchmark</B> to see which method performs best on your
machine. The <I>name</I> can also be the number of the method to use.
<DT><B>-2, --modulo r/m</B>

<DD>
Intended for splitting a search between several machines by checking only
part r of m of the candidate passwords. Not yet supported.
<DT><B>-B, --benchmark</B>

<DD>
Make a small benchmark; the output is nearly meaningless.
<DT><B>-V, --validate</B>

<DD>
Make some basic checks whether the cracker works.
</DL>
<A NAME="lbAF"> </A>
<H2>ZIP PASSWORD BASICS</H2>

Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
'incorrect password', <I>without</I> decrypting the whole file. While the
encryption algorithm used by zip holds up reasonably well against plain
password guessing (its other weaknesses, notably known-plaintext attacks, are
not the subject here), PK made cracking easy
by providing hooks for very fast password-checking, directly in the zip
file. Understanding these is crucial to zip password cracking:
<P>
For each password that is tried, the first twelve bytes of the encrypted
file data (the encryption header) are
decrypted. Depending on the version of zip used to encrypt the file (more on
that later), the first ten or eleven bytes are random, followed by one or
two bytes whose values are stored elsewhere in the zip file, i.e. are known
beforehand: they are the high-order byte(s) of the entry's CRC-32 (or of its
modification time, for entries written with a data descriptor). If these
last bytes don't have the correct (known) value, the
password is definitely wrong. If the bytes are correct, the password
<I>might</I> be correct, but the only method to find out is to unzip the file
and compare the uncompressed length and CRC.
<P>
Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
other operating systems!) stored two known bytes. Thus a wrong password
survived the check with probability roughly 1/2^16, about 0.0015%. PKWARE
'improved' (interesting what industry calls
improved) the security of their format by only including one byte, so the
probability of a false positive is now raised to 1/256, about 0.4%. Unfortunately, there
is no real way to distinguish one-byte from two-byte formats, so we have to
be conservative and rely on the single byte.
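<P>
The check described in this section, worked through in code. This is an added example written for this page, not fcrackzip's code: a minimal implementation of the traditional PKWARE stream cipher, a constructed encrypted entry whose 12-byte header carries the high word of the CRC-32 in the PKZIP 1.x layout, the one- and two-byte fast check, and the full-decryption CRC comparison that unzip performs. The password b"secret", the plaintext and the ten 'random' header bytes are constructed for illustration.

```python
"""Traditional PKWARE encryption ("ZipCrypto"): key schedule, the 12-byte
encryption header, the fast check on its last byte(s), and CRC confirmation.
Added example for this page, not fcrackzip's code; all inputs are constructed.
"""
import zlib

MASK32 = 0xFFFFFFFF

# Reflected CRC-32 table (polynomial 0xEDB88320); the key schedule uses it byte by byte.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """The three 32-bit keys and their update rule from the PKWARE APPNOTE."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & MASK32
        self.k1 = (self.k1 * 134775813 + 1) & MASK32
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)                # the keys are fed the plaintext byte
            out.append(p)
        return bytes(out)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)


def make_encrypted_entry(password: bytes, plaintext: bytes, random10: bytes):
    """Encrypted bytes of a STORED entry (12-byte header, then the file) and its CRC-32.
    PKZIP 1.x layout: ten random bytes, then the high-order word of the CRC-32."""
    crc = zlib.crc32(plaintext) & MASK32
    header = random10 + bytes([(crc >> 16) & 0xFF, (crc >> 24) & 0xFF])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def header_check(password: bytes, blob: bytes, crc: int, two_bytes: bool) -> bool:
    """The fast test: decrypt only the header and compare the known byte(s)."""
    hdr = ZipCrypto(password).decrypt(blob[:12])
    if hdr[11] != (crc >> 24) & 0xFF:
        return False
    return not two_bytes or hdr[10] == (crc >> 16) & 0xFF


def full_check(password: bytes, blob: bytes, crc: int) -> bool:
    """What unzip (or fcrackzip -u) does to confirm: decrypt all, compare the CRC."""
    plain = ZipCrypto(password).decrypt(blob)[12:]
    return zlib.crc32(plain) & MASK32 == crc


def crack(candidates, blob: bytes, crc: int, two_bytes: bool = True):
    """Return (confirmed password or None, number of header-check survivors)."""
    survivors, found = 0, None
    for pw in candidates:
        if header_check(pw, blob, crc, two_bytes):
            survivors += 1
            if found is None and full_check(pw, blob, crc):
                found = pw
    return found, survivors


if __name__ == "__main__":
    blob, crc = make_encrypted_entry(b"secret", b"attack at dawn\n", bytes(range(1, 11)))
    wrong = [b"%04d" % i for i in range(10000)]        # constructed wrong guesses
    _, fp1 = crack(wrong, blob, crc, two_bytes=False)
    _, fp2 = crack(wrong, blob, crc, two_bytes=True)
    print(f"one byte checked: {fp1} of {len(wrong)} wrong passwords survive (about 1/256)")
    print(f"two bytes checked: {fp2} survive (about 1/65536)")
    print("recovered:", crack(wrong + [b"secret"], blob, crc)[0])
```

Running the script tries 10000 constructed wrong passwords: with a single check byte roughly one in 256 of them survives and has to be confirmed by decrypting the whole entry, with two bytes almost none does. That is the arithmetic behind the 0.4% and 0.0015% figures, and the reason several encrypted files or <B>-u</B> are needed to weed out false positives.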
<A NAME="lbAG"> </A>
<H2>BRUTE FORCE MODE</H2>

By default, brute force starts at the given starting password and
successively tries all combinations until they are exhausted, printing all
passwords that pass the check, together with a rough correctness indicator.
<P>
The starting password given by the <I>-p</I> switch determines the length.
fcrackzip will not currently increase the password length automatically, unless
the <I>-l</I> switch is used.
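<P>
As an added illustration (not fcrackzip's code), the following Python models the <B>--charset</B> specification and the <B>-p</B>/<B>-l</B> driven enumeration: it expands a specification such as a1:$% into a character set, then walks the candidates from a start password onwards and moves on to longer lengths up to a maximum. The odometer order, with the last character changing fastest, is this example's own choice; the manual does not state fcrackzip's internal order, and the keyspace_size helper is an addition for estimating a run.

```python
"""Charset-specification parsing and odometer-style brute-force enumeration.
Added example modelled on the fcrackzip manual page, not the tool's own code;
the enumeration order is this example's choice.
"""
import string
from typing import Iterator, List

SELECTORS = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
    "!": "!:$%&/()=?{[]}+*~#",
}


def parse_charset(spec: str) -> str:
    """Expand a --charset spec such as 'a1:$%' into an ordered, duplicate-free string."""
    chars: List[str] = []
    i = 0
    while i < len(spec):
        sel = spec[i]
        if sel == ":":
            chars.extend(spec[i + 1:])     # everything after ':' is taken literally
            break
        if sel not in SELECTORS:
            raise ValueError(f"unknown charset selector {sel!r}")
        chars.extend(SELECTORS[sel])
        i += 1
    return "".join(dict.fromkeys(chars))   # keep first-seen order, drop repeats


def brute_force(charset: str, start: str, max_len: int) -> Iterator[str]:
    """Yield candidates from `start` onwards, like --init-password with --length.

    All words of len(start) are produced first, then every longer length up to
    max_len, each longer length beginning at the all-first-character word.
    """
    index = {c: n for n, c in enumerate(charset)}
    if any(c not in index for c in start):
        raise ValueError("start password uses characters outside the charset")
    digits = [index[c] for c in start]      # position of each char in the charset
    length = len(start)
    while length <= max_len:
        while True:
            yield "".join(charset[d] for d in digits)
            # Odometer increment with carry; the last position changes fastest.
            pos = len(digits) - 1
            while pos >= 0 and digits[pos] == len(charset) - 1:
                digits[pos] = 0
                pos -= 1
            if pos < 0:
                break                        # this length is exhausted
            digits[pos] += 1
        length += 1
        digits = [0] * length


def keyspace_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates a complete run over the given lengths would try."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    cs = parse_charset("a1:$%")
    print(len(cs), "characters:", cs)
    print("all lowercase 6-character passwords:", keyspace_size(parse_charset("a"), 6, 6))
    print(list(brute_force("ab", "ab", 3)))
```

With a two-character charset and start password "ab", the generator yields ab, ba, bb and then the eight three-character words; the same walk over the 26 lowercase letters from "aaaaaa" is the 26^6 candidates of the first example in EXAMPLES below.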
<A NAME="lbAH"> </A>
<H2>DICTIONARY MODE</H2>

This mode is similar to brute force mode, but instead of generating passwords
using a given set of characters and a length, the passwords will be read from
a file (one password per line) that you have to specify using the <I>-p</I> switch.
<A NAME="lbAI"> </A>
<H2>CP MASK</H2>

A CP mask is a method to obscure images or parts of images using a
password. These obscured images can be restored even when saved as JPEG
files. In most of these files the password is actually hidden and can
be decoded easily (using one of the many available viewer and masking
programs, e.g. xv). If you convert the image, however, the password is
lost. The <B>cpmask</B> crack method can be used to brute-force these
images. Instead of a zip file you supply the obscured part (and nothing
else) of the image in the <B>PPM</B> image format (<B>xv</B> and other
viewers can easily do this).
<P>
The <B>cpmask</B> method can only cope with passwords composed of uppercase
letters, so be sure to supply the <B>--charset A</B> or equivalent option,
together with a suitable initialization password.
<A NAME="lbAJ"> </A>
<H2>EXAMPLES</H2>

<DL COMPACT>
<DT><B>fcrackzip -c a -p aaaaaa sample.zip</B>

<DD>
checks the encrypted files in sample.zip for all lowercase 6 character
passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
<DT><B>fcrackzip --method cpmask --charset A --init AAAA test.ppm</B>

<DD>
checks the obscured image <B>test.ppm</B> for all four character passwords
made of uppercase letters.
<DT><B>fcrackzip -D -p passwords.txt sample.zip</B>

<DD>
checks for every password listed in the file <B>passwords.txt</B>; add
<B>-u</B> to have each candidate that passes the fast check confirmed by unzip.
</DL>
<A NAME="lbAK"> </A>
<H2>PERFORMANCE</H2>

<I>fzc</I>, which seems to be widely used as a fast password cracker,
claims to make 204570 checks per second on my machine (measured under plain
DOS without a memory manager).
<P>
<I>fcrackzip</I>, being written in C and not in assembler, naturally
is slower. Measured on a slightly loaded unix (same machine), it's 12
percent slower (the compiler used was <I>pgcc</I>, from
<B><A HREF="http://www.gcc.ml.org/">http://www.gcc.ml.org/</A></B>).
<P>
To remedy this a bit, I converted small parts of the encryption core to x86
assembler (it will still compile on non-x86 machines), and now it's about
4-12 percent faster than <I>fzc</I> (again, the <I>fcrackzip</I> performance
was measured under a multitasking OS, so there are inevitably some
measurement errors), so there shouldn't be a tempting reason to switch to
other programs.
<P>
Further improvements are definitely possible: <I>fzc</I> took 4 years to get
into shape, while fcrackzip was hacked together in under 10 hours. And not to
forget, you have the source, while other programs (like <I>fzc</I>) even come
as an <I>encrypted .exe</I> file (maybe because their programmers are afraid
of other people having a look at their lack of programming skills?
Nobody knows...)
<A NAME="lbAL"> </A>
<H2>RATIONALE</H2>

The reason I wrote <I>fcrackzip</I> was <B>NOT</B> to have the fastest zip
cracker available, but to provide a <I>portable</I>, <I>free</I> (thus
<I>extensible</I>), but still <I>fast</I> zip password cracker. I was really
pissed off with those dumb, non-extendable zip crackers that were either slow,
were too limited, or wouldn't run in the background (say, under unix). (And
you can't run them on your superfast 600 MHz Alpha.)
<A NAME="lbAM"> </A>
<H2>BUGS</H2>

No automatic unzip checking (it has to be requested with <B>-u</B>).
<P>

Stop/resume facility is missing.
<P>

Should be able to distinguish between files with 16-bit stored check values and
8-bit stored check values (see ZIP PASSWORD BASICS).
<P>

The benchmark does not work on all systems.
<P>

It's still early alpha.
<P>

Method "cpmask" only accepts PPMs.
<P>

Could be faster.
<A NAME="lbAN"> </A>
<H2>AUTHOR</H2>

<I>fcrackzip</I> was written by Marc Lehmann <<A HREF="mailto:pcg@goof.com">pcg@goof.com</A>>. The main
<I>fcrackzip</I> page is at <B><A HREF="http://www.goof.com/pcg/marc/fcrackzip.html">http://www.goof.com/pcg/marc/fcrackzip.html</A></B>.
<P>
<P>

<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
</DL>
<DT><A HREF="#lbAF">ZIP PASSWORD BASICS</A><DD>
<DT><A HREF="#lbAG">BRUTE FORCE MODE</A><DD>
<DT><A HREF="#lbAH">DICTIONARY MODE</A><DD>
<DT><A HREF="#lbAI">CP MASK</A><DD>
<DT><A HREF="#lbAJ">EXAMPLES</A><DD>
<DT><A HREF="#lbAK">PERFORMANCE</A><DD>
<DT><A HREF="#lbAL">RATIONALE</A><DD>
<DT><A HREF="#lbAM">BUGS</A><DD>
<DT><A HREF="#lbAN">AUTHOR</A><DD>
</DL>
<HR>
This document was created using the manual pages.<BR>
Time: 09:44:43 GMT, February 09, 2003
</BODY>
</HTML>