| 1 |
<HTML><HEAD><TITLE>Manpage of FCRACKZIP</TITLE> |
| 2 |
</HEAD><BODY> |
| 3 |
<H1>FCRACKZIP</H1> |
| 4 |
Section: User Commands (1)<BR>Updated: Free/Fast Zip Password Cracker<BR><A HREF="#index">Index</A> |
| 5 |
<HR> |
| 6 |
|
| 7 |
<A NAME="lbAB"> </A> |
| 8 |
<H2>NAME</H2> |
| 9 |
|
| 10 |
<I>fcrackzip</I> |
| 11 |
|
| 12 |
- a Free/Fast Zip Password Cracker |
| 13 |
<A NAME="lbAC"> </A> |
| 14 |
<H2>SYNOPSIS</H2> |
| 15 |
|
| 16 |
<B>fcrackzip</B> |
| 17 |
|
| 18 |
[-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset] |
| 19 |
[--help] [--validate] [--verbose] [--init-password string/path] [--length min-max] |
| 20 |
[--use-unzip] [--method name] [--modulo r/m] file... |
| 21 |
<A NAME="lbAD"> </A> |
| 22 |
<H2>DESCRIPTION</H2> |
| 23 |
|
| 24 |
<I>fcrackzip</I> |
| 25 |
|
| 26 |
searches each zipfile given for encrypted files and tries to guess the |
| 27 |
password. All files must be encrypted with the same password, the more |
| 28 |
files you provide, the better. |
| 29 |
<A NAME="lbAE"> </A> |
| 30 |
<H3>OPTIONS</H3> |
| 31 |
|
| 32 |
<DL COMPACT> |
| 33 |
<DT><B>-h, --help</B> |
| 34 |
|
| 35 |
<DD> |
| 36 |
Prints the version number and (hopefully) some helpful insights. |
| 37 |
<DT><B>-v, --verbose</B> |
| 38 |
|
| 39 |
<DD> |
| 40 |
Each -v makes the program more verbose. |
| 41 |
<DT><B>-b, --brute-force</B> |
| 42 |
|
| 43 |
<DD> |
| 44 |
Select brute force mode. This tries all possible combinations |
| 45 |
of the letters you specify. |
| 46 |
<DT><B>-D, --dictionary</B> |
| 47 |
|
| 48 |
<DD> |
| 49 |
Select dictionary mode. In this mode, fcrackzip will read passwords |
| 50 |
from a file, which must contain one password per line and should be |
| 51 |
alphabetically sorted (e.g. using <B>(1)</B>). |
| 52 |
<DT><B>-c, --charset characterset-specification</B> |
| 53 |
|
| 54 |
<DD> |
| 55 |
Select the characters to use in brute-force cracking. Must be one |
| 56 |
of |
| 57 |
<P> |
| 58 |
<PRE> |
| 59 |
a include all lowercase characters [a-z] |
| 60 |
A include all uppercase characters [A-Z] |
| 61 |
1 include the digits [0-9] |
| 62 |
! include [!:$%&/()=?{[]}+*~#] |
| 63 |
: the following characters upto the end of the spe- |
| 64 |
cification string are included in the character set. |
| 65 |
This way you can include any character except binary |
| 66 |
null (at least under unix). |
| 67 |
</PRE> |
| 68 |
|
| 69 |
<P> |
| 70 |
For example, a1:$% selects lowercase characters, digits and the dollar and |
| 71 |
percent signs. |
| 72 |
<DT><B>-p, --init-password string</B> |
| 73 |
|
| 74 |
<DD> |
| 75 |
Set initial (starting) password for brute-force searching to <I>string</I>, |
| 76 |
or use the file with the name <I>string</I> to supply passwords for dictionary |
| 77 |
searching. |
| 78 |
<DT><B>-l, --length min[-max]</B> |
| 79 |
|
| 80 |
<DD> |
| 81 |
Use an initial password of length min, and check all passwords |
| 82 |
upto passwords of length max (including). You can omit the max |
| 83 |
parameter. |
| 84 |
<DT><B>-u, --use-unzip</B> |
| 85 |
|
| 86 |
<DD> |
| 87 |
Try to decompress the first file by calling unzip with the guessed |
| 88 |
password. This weeds out false positives when not enough files have |
| 89 |
been given. |
| 90 |
<DT><B>-m, --method name</B> |
| 91 |
|
| 92 |
<DD> |
| 93 |
Use method number "name" instead of the default cracking method. The |
| 94 |
switch <B>--help</B> will print a list of available methods. Use |
| 95 |
<B>--benchmark</B> to see which method does perform best on your |
| 96 |
machine. The <B>name</B> can also be the number of the method to use. |
| 97 |
<DT><B>-2, --modulo r/m</B> |
| 98 |
|
| 99 |
<DD> |
| 100 |
Calculate only r/m of the password. Not yet supported. |
| 101 |
<DT><B>-B, --benchmark</B> |
| 102 |
|
| 103 |
<DD> |
| 104 |
Make a small benchmark, the output is nearly meaningless. |
| 105 |
<DT><B>-V, --validate</B> |
| 106 |
|
| 107 |
<DD> |
| 108 |
Make some basic checks wether the cracker works. |
| 109 |
</DL> |
| 110 |
<A NAME="lbAF"> </A> |
| 111 |
<H2>ZIP PASSWORD BASICS</H2> |
| 112 |
|
| 113 |
Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with |
| 114 |
'incorrect password', <I>without</I> decrypting the whole file. While the |
| 115 |
encryption algorithm used by zip is relatively secure, PK made cracking easy |
| 116 |
by providing hooks for very fast password-checking, directly in the zip |
| 117 |
file. Understanding these is crucial to zip password cracking: |
| 118 |
<P> |
| 119 |
For each password that is tried, the first twelve bytes of the file are |
| 120 |
decrypted. Depending on the version of zip used to encrypt the file (more on |
| 121 |
that later), the first ten or eleven bytes are random, followed by one or |
| 122 |
two bytes whose values are stored elsewhere in the zip file, i.e. are known |
| 123 |
beforehand. If these last bytes don't have the correct (known) value, the |
| 124 |
password is definitely wrong. If the bytes are correct, the password |
| 125 |
<I>might</I> be correct, but the only method to find out is to unzip the file |
| 126 |
and compare the uncompressed length and crc's. |
| 127 |
<P> |
| 128 |
Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for |
| 129 |
other operating systems!) stored two known bytes. Thus the error rate was |
| 130 |
roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what industry calls |
| 131 |
improved) the security of their format by only including one byte, so the |
| 132 |
possibility of false passwords is now raised to 0.4%. Unfortunately, there |
| 133 |
is no real way to distinguish one byte from two byte formats, so we have to |
| 134 |
be conservative. |
| 135 |
<A NAME="lbAG"> </A> |
| 136 |
<H2>BRUTE FORCE MODE</H2> |
| 137 |
|
| 138 |
By default, brute force starts at the given starting password, and |
| 139 |
successively tries all combinations until they are exhausted, printing all |
| 140 |
passwords that it detects, together with a rough correctness indicator. |
| 141 |
<P> |
| 142 |
The starting password given by the <I>-p</I> switch determines the length. |
| 143 |
fcrackzip will not currently increase the password length automatically, unless |
| 144 |
the <I>-l</I> switch is used. |
| 145 |
<A NAME="lbAH"> </A> |
| 146 |
<H2>DICTIONARY MODE</H2> |
| 147 |
|
| 148 |
This mode is similar to brute force mode, but instead of generating passwords |
| 149 |
using a given set of characters and a length, the passwords will be read from |
| 150 |
a file that you have to specify using the <I>-p</I> switch. |
| 151 |
<A NAME="lbAI"> </A> |
| 152 |
<H2>CP MASK</H2> |
| 153 |
|
| 154 |
A CP mask is a method to obscure images or parts of images using a |
| 155 |
password. These obscured images can be restored even when saved as JPEG |
| 156 |
files. In most of these files the password is actually hidden and can |
| 157 |
be decoded easily (using one of the many available viewer and masking |
| 158 |
programs, e.g. xv). If you convert the image the password, however, is |
| 159 |
lost. The <B>cpmask</B> crack method can be used to brute-force these |
| 160 |
images. Instead of a zip file you supply the obscured part (and nothing |
| 161 |
else) of the image in the <B>PPM</B>-Image Format (<B>xv</B> and other |
| 162 |
viewers can easily do this). |
| 163 |
<P> |
| 164 |
The <B>cpmask</B> method can only cope with password composed of uppercase |
| 165 |
letters, so be sure to supply the <B>--charset A</B> or equivalent option, |
| 166 |
together with a suitable initialization password. |
| 167 |
<A NAME="lbAJ"> </A> |
| 168 |
<H2>EXAMPLES</H2> |
| 169 |
|
| 170 |
<DL COMPACT> |
| 171 |
<DT><B>fcrackzip -c a -p aaaaaa sample.zip</B> |
| 172 |
|
| 173 |
<DD> |
| 174 |
checks the encrypted files in sample.zip for all lowercase 6 character |
| 175 |
passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz). |
| 176 |
<DT><B>fcrackzip --method cpmask --charset A --init AAAA test.ppm</B> |
| 177 |
|
| 178 |
<DD> |
| 179 |
checks the obscured image <B>test.ppm</B> for all four character passwords. |
| 180 |
-TP |
| 181 |
<B>fcrackzip -D -p passwords.txt sample.zip</B> |
| 182 |
|
| 183 |
check for every password listed in the file <B>passwords.txt</B>. |
| 184 |
</DL> |
| 185 |
<A NAME="lbAK"> </A> |
| 186 |
<H2>PERFORMANCE</H2> |
| 187 |
|
| 188 |
<I>fzc</I>, which seems to be widely used as a fast password cracker, |
| 189 |
claims to make 204570 checks per second on my machine (measured under plain |
| 190 |
dos w/o memory manager). |
| 191 |
<P> |
| 192 |
<I>fcrackzip</I>, being written in C and not in assembler, naturally |
| 193 |
is slower. Measured on a slightly loaded unix (same machine), it's 12 |
| 194 |
percent slower (the compiler used was <I>pgcc</I>, from |
| 195 |
<B><A HREF="http://www.gcc.ml.org/">http://www.gcc.ml.org/</A></B>). |
| 196 |
<P> |
| 197 |
To remedy this a bit, I converted small parts of the encryption core to x86 |
| 198 |
assembler (it will still compile on non x86 machines), and now it's about |
| 199 |
4-12 percent faster than <I>fzc</I> (again, the <I>fcrackzip</I> performance |
| 200 |
was measured under a multitasking os, so there are inevitably some |
| 201 |
meaurement errors), so there shouldn't be a tempting reason to switch to |
| 202 |
other programs. |
| 203 |
<P> |
| 204 |
Further improvements are definitely possible: <I>fzc</I> took 4 years to get |
| 205 |
into shape, while fcrackzip was hacked together in under 10 hours. And not to |
| 206 |
forget you have the source, while other programs (like <I>fzc</I>), even come |
| 207 |
as an <I>encrypted .exe</I> file (maybe because their programmers are afraid |
| 208 |
of other people could having a look at their lack of programming skills? |
| 209 |
nobody knows...) |
| 210 |
<A NAME="lbAL"> </A> |
| 211 |
<H2>RATIONALE</H2> |
| 212 |
|
| 213 |
The reason I wrote <I>fcrackzip</I> was <B>NOT</B> to have the fastest zip |
| 214 |
cracker available, but to provide a <I>portable</I>, <I>free</I> (thus |
| 215 |
<I>extensible</I>), but still <I>fast</I> zip password cracker. I was really |
| 216 |
pissed of with that dumb, nonextendable zipcrackers that were either slow, |
| 217 |
were too limited, or wouldn't run in the background (say, under unix). (And |
| 218 |
you can't run them on your superfast 600Mhz Alpha). |
| 219 |
<A NAME="lbAM"> </A> |
| 220 |
<H2>BUGS</H2> |
| 221 |
|
| 222 |
No automatic unzip checking. |
| 223 |
<P> |
| 224 |
|
| 225 |
Stop/resume facility is missing. |
| 226 |
<P> |
| 227 |
|
| 228 |
Should be able to distinguish between files with 16 bit stored CRC's and 8 |
| 229 |
bit stored CRC's. |
| 230 |
<P> |
| 231 |
|
| 232 |
The benchmark does not work on all systems. |
| 233 |
<P> |
| 234 |
|
| 235 |
It's still early alpha. |
| 236 |
<P> |
| 237 |
|
| 238 |
Method "cpmask" only accepts ppms. |
| 239 |
<P> |
| 240 |
|
| 241 |
Could be faster. |
| 242 |
<A NAME="lbAN"> </A> |
| 243 |
<H2>AUTHOR</H2> |
| 244 |
|
| 245 |
<I>fcrackzip</I> was written by Marc Lehmann <<A HREF="mailto:pcg@goof.com">pcg@goof.com</A>>. The main |
| 246 |
<I>fcrackzip</I> page is at <B><A HREF="http://www.goof.com/pcg/marc/fcrackzip.html">http://www.goof.com/pcg/marc/fcrackzip.html</A></B>) |
| 247 |
<P> |
| 248 |
<P> |
| 249 |
|
| 250 |
<HR> |
| 251 |
<A NAME="index"> </A><H2>Index</H2> |
| 252 |
<DL> |
| 253 |
<DT><A HREF="#lbAB">NAME</A><DD> |
| 254 |
<DT><A HREF="#lbAC">SYNOPSIS</A><DD> |
| 255 |
<DT><A HREF="#lbAD">DESCRIPTION</A><DD> |
| 256 |
<DL> |
| 257 |
<DT><A HREF="#lbAE">OPTIONS</A><DD> |
| 258 |
</DL> |
| 259 |
<DT><A HREF="#lbAF">ZIP PASSWORD BASICS</A><DD> |
| 260 |
<DT><A HREF="#lbAG">BRUTE FORCE MODE</A><DD> |
| 261 |
<DT><A HREF="#lbAH">DICTIONARY MODE</A><DD> |
| 262 |
<DT><A HREF="#lbAI">CP MASK</A><DD> |
| 263 |
<DT><A HREF="#lbAJ">EXAMPLES</A><DD> |
| 264 |
<DT><A HREF="#lbAK">PERFORMANCE</A><DD> |
| 265 |
<DT><A HREF="#lbAL">RATIONALE</A><DD> |
| 266 |
<DT><A HREF="#lbAM">BUGS</A><DD> |
| 267 |
<DT><A HREF="#lbAN">AUTHOR</A><DD> |
| 268 |
</DL> |
| 269 |
<HR> |
| 270 |
This document was created by |
| 271 |
, |
| 272 |
using the manual pages.<BR> |
| 273 |
Time: 09:44:43 GMT, February 09, 2003 |
| 274 |
</BODY> |
| 275 |
</HTML> |
