fcrackzip/fcrackzip.html

<HTML><HEAD><TITLE>Manpage of FCRACKZIP</TITLE>
</HEAD><BODY>
<H1>FCRACKZIP</H1>
Section: User Commands  (1)<BR>Updated: Free/Fast Zip Password Cracker<BR><A HREF="#index">Index</A>
<HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

<I>fcrackzip</I>

- a Free/Fast Zip Password Cracker
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>fcrackzip</B>

[-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
[--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
[--use-unzip] [--method name] [--modulo r/m] file...
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<I>fcrackzip</I>

searches each zipfile given for encrypted files and tries to guess the
password. All files must be encrypted with the same password, the more
files you provide, the better.
<A NAME="lbAE">&nbsp;</A>
<H3>OPTIONS</H3>

<DL COMPACT>
<DT><B>-h, --help</B>

<DD>
Prints the version number and (hopefully) some helpful insights.
<DT><B>-v, --verbose</B>

<DD>
Each -v makes the program more verbose.
<DT><B>-b, --brute-force</B>

<DD>
Select brute force mode. This tries all possible combinations
of the letters you specify.
<DT><B>-D, --dictionary</B>

<DD>
Select dictionary mode. In this mode, fcrackzip will read passwords
from a file, which must contain one password per line and should be
alphabetically sorted (e.g. using <B>(1)</B>).
<DT><B>-c, --charset characterset-specification</B>

<DD>
Select the characters to use in brute-force cracking. Must be one
of
<P>
<PRE>
  a   include all lowercase characters [a-z]
  A   include all uppercase characters [A-Z]
  1   include the digits [0-9]
  !   include [!:$%&amp;/()=?{[]}+*~#]
  :   the following characters upto the end of the spe-
      cification string are included in the character set.
      This way you can include any character except binary
      null (at least under unix).
</PRE>

<P>
For example, a1:$% selects lowercase characters, digits and the dollar and
percent signs.
<DT><B>-p, --init-password string</B>

<DD>
Set initial (starting) password for brute-force searching to <I>string</I>,
or use the file with the name <I>string</I> to supply passwords for dictionary
searching.
<DT><B>-l, --length min[-max]</B>

<DD>
Use an initial password of length min, and check all passwords
upto passwords of length max (including). You can omit the max
parameter.
<DT><B>-u, --use-unzip</B>

<DD>
Try to decompress the first file by calling unzip with the guessed
password. This weeds out false positives when not enough files have
been given.
<DT><B>-m, --method name</B>

<DD>
Use method number &quot;name&quot; instead of the default cracking method. The
switch <B>--help</B> will print a list of available methods. Use
<B>--benchmark</B> to see which method does perform best on your
machine. The <B>name</B> can also be the number of the method to use.
<DT><B>-2, --modulo r/m</B>

<DD>
Calculate only r/m of the password. Not yet supported.
<DT><B>-B, --benchmark</B>

<DD>
Make a small benchmark, the output is nearly meaningless.
<DT><B>-V, --validate</B>

<DD>
Make some basic checks wether the cracker works.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>ZIP PASSWORD BASICS</H2>

Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
'incorrect password', <I>without</I> decrypting the whole file. While the
encryption algorithm used by zip is relatively secure, PK made cracking easy
by providing hooks for very fast password-checking, directly in the zip
file. Understanding these is crucial to zip password cracking:
<P>
For each password that is tried, the first twelve bytes of the file are
decrypted. Depending on the version of zip used to encrypt the file (more on
that later), the first ten or eleven bytes are random, followed by one or
two bytes whose values are stored elsewhere in the zip file, i.e. are known
beforehand. If these last bytes don't have the correct (known) value, the
password is definitely wrong. If the bytes are correct, the password
<I>might</I> be correct, but the only method to find out is to unzip the file
and compare the uncompressed length and crc's.
<P>
Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
other operating systems!) stored two known bytes. Thus the error rate was
roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what industry calls
improved) the security of their format by only including one byte, so the
possibility of false passwords is now raised to 0.4%. Unfortunately, there
is no real way to distinguish one byte from two byte formats, so we have to
be conservative.
<A NAME="lbAG">&nbsp;</A>
<H2>BRUTE FORCE MODE</H2>

By default, brute force starts at the given starting password, and
successively tries all combinations until they are exhausted, printing all
passwords that it detects, together with a rough correctness indicator.
<P>
The starting password given by the <I>-p</I> switch determines the length.
fcrackzip will not currently increase the password length automatically, unless
the <I>-l</I> switch is used.
<A NAME="lbAH">&nbsp;</A>
<H2>DICTIONARY MODE</H2>

This mode is similar to brute force mode, but instead of generating passwords
using a given set of characters and a length, the passwords will be read from
a file that you have to specify using the <I>-p</I> switch.
<A NAME="lbAI">&nbsp;</A>
<H2>CP MASK</H2>

A CP mask is a method to obscure images or parts of images using a
password.  These obscured images can be restored even when saved as JPEG
files. In most of these files the password is actually hidden and can
be decoded easily (using one of the many available viewer and masking
programs, e.g. xv). If you convert the image the password, however, is
lost. The <B>cpmask</B> crack method can be used to brute-force these
images. Instead of a zip file you supply the obscured part (and nothing
else) of the image in the <B>PPM</B>-Image Format (<B>xv</B> and other
viewers can easily do this).
<P>
The <B>cpmask</B> method can only cope with password composed of uppercase
letters, so be sure to supply the <B>--charset A</B> or equivalent option,
together with a suitable initialization password.
<A NAME="lbAJ">&nbsp;</A>
<H2>EXAMPLES</H2>

<DL COMPACT>
<DT><B>fcrackzip -c a -p aaaaaa sample.zip</B>

<DD>
checks the encrypted files in sample.zip for all lowercase 6 character
passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
<DT><B>fcrackzip --method cpmask --charset A --init AAAA test.ppm</B>

<DD>
checks the obscured image <B>test.ppm</B> for all four character passwords.
-TP
<B>fcrackzip -D -p passwords.txt sample.zip</B>

check for every password listed in the file <B>passwords.txt</B>.
</DL>
<A NAME="lbAK">&nbsp;</A>
<H2>PERFORMANCE</H2>

<I>fzc</I>, which seems to be widely used as a fast password cracker,
claims to make 204570 checks per second on my machine (measured under plain
dos w/o memory manager).
<P>
<I>fcrackzip</I>, being written in C and not in assembler, naturally
is slower. Measured on a slightly loaded unix (same machine), it's 12
percent slower (the compiler used was <I>pgcc</I>, from
<B><A HREF="http://www.gcc.ml.org/">http://www.gcc.ml.org/</A></B>).
<P>
To remedy this a bit, I converted small parts of the encryption core to x86
assembler (it will still compile on non x86 machines), and now it's about
4-12 percent faster than <I>fzc</I> (again, the <I>fcrackzip</I> performance
was measured under a multitasking os, so there are inevitably some
meaurement errors), so there shouldn't be a tempting reason to switch to
other programs.
<P>
Further improvements are definitely possible: <I>fzc</I> took 4 years to get
into shape, while fcrackzip was hacked together in under 10 hours. And not to
forget you have the source, while other programs (like <I>fzc</I>), even come
as an <I>encrypted .exe</I> file (maybe because their programmers are afraid
of other people could having a look at their lack of programming skills?
nobody knows...)
<A NAME="lbAL">&nbsp;</A>
<H2>RATIONALE</H2>

The reason I wrote <I>fcrackzip</I> was <B>NOT</B> to have the fastest zip
cracker available, but to provide a <I>portable</I>, <I>free</I> (thus
<I>extensible</I>), but still <I>fast</I> zip password cracker. I was really
pissed of with that dumb, nonextendable zipcrackers that were either slow,
were too limited, or wouldn't run in the background (say, under unix). (And
you can't run them on your superfast 600Mhz Alpha).
<A NAME="lbAM">&nbsp;</A>
<H2>BUGS</H2>

No automatic unzip checking.
<P>

Stop/resume facility is missing.
<P>

Should be able to distinguish between files with 16 bit stored CRC's and 8
bit stored CRC's.
<P>

The benchmark does not work on all systems.
<P>

It's still early alpha.
<P>

Method &quot;cpmask&quot; only accepts ppms.
<P>

Could be faster.
<A NAME="lbAN">&nbsp;</A>
<H2>AUTHOR</H2>

<I>fcrackzip</I> was written by Marc Lehmann &lt;<A HREF="mailto:pcg@goof.com">pcg@goof.com</A>&gt;. The main
<I>fcrackzip</I> page is at <B><A HREF="http://www.goof.com/pcg/marc/fcrackzip.html">http://www.goof.com/pcg/marc/fcrackzip.html</A></B>)
<P>
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
</DL>
<DT><A HREF="#lbAF">ZIP PASSWORD BASICS</A><DD>
<DT><A HREF="#lbAG">BRUTE FORCE MODE</A><DD>
<DT><A HREF="#lbAH">DICTIONARY MODE</A><DD>
<DT><A HREF="#lbAI">CP MASK</A><DD>
<DT><A HREF="#lbAJ">EXAMPLES</A><DD>
<DT><A HREF="#lbAK">PERFORMANCE</A><DD>
<DT><A HREF="#lbAL">RATIONALE</A><DD>
<DT><A HREF="#lbAM">BUGS</A><DD>
<DT><A HREF="#lbAN">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
,
using the manual pages.<BR>
Time: 09:44:43 GMT, February 09, 2003
</BODY>
</HTML>
Revision:	1.1
Committed:	Mon Aug 4 07:09:50 2008 UTC (15 years, 9 months ago) by root
Content type:	text/html
Branch:	MAIN
CVS Tags:	HEAD
Log Message:	initial check-in, also 1.0 check-in
#	User	Rev	Content
1	root	1.1	<HTML><HEAD><TITLE>Manpage of FCRACKZIP</TITLE>
2			</HEAD><BODY>
3			<H1>FCRACKZIP</H1>
4			Section: User Commands (1)<BR>Updated: Free/Fast Zip Password Cracker<BR><A HREF="#index">Index</A>
5			<HR>
6
7			<A NAME="lbAB"> </A>
8			<H2>NAME</H2>
9
10			<I>fcrackzip</I>
11
12			- a Free/Fast Zip Password Cracker
13			<A NAME="lbAC"> </A>
14			<H2>SYNOPSIS</H2>
15
16			<B>fcrackzip</B>
17
18			[-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
19			[--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
20			[--use-unzip] [--method name] [--modulo r/m] file...
21			<A NAME="lbAD"> </A>
22			<H2>DESCRIPTION</H2>
23
24			<I>fcrackzip</I>
25
26			searches each zipfile given for encrypted files and tries to guess the
27			password. All files must be encrypted with the same password, the more
28			files you provide, the better.
29			<A NAME="lbAE"> </A>
30			<H3>OPTIONS</H3>
31
32			<DL COMPACT>
33			<DT><B>-h, --help</B>
34
35			<DD>
36			Prints the version number and (hopefully) some helpful insights.
37			<DT><B>-v, --verbose</B>
38
39			<DD>
40			Each -v makes the program more verbose.
41			<DT><B>-b, --brute-force</B>
42
43			<DD>
44			Select brute force mode. This tries all possible combinations
45			of the letters you specify.
46			<DT><B>-D, --dictionary</B>
47
48			<DD>
49			Select dictionary mode. In this mode, fcrackzip will read passwords
50			from a file, which must contain one password per line and should be
51			alphabetically sorted (e.g. using <B>(1)</B>).
52			<DT><B>-c, --charset characterset-specification</B>
53
54			<DD>
55			Select the characters to use in brute-force cracking. Must be one
56			of
57			<P>
58			<PRE>
59			a include all lowercase characters [a-z]
60			A include all uppercase characters [A-Z]
61			1 include the digits [0-9]
62			! include [!:$%&/()=?{[]}+*~#]
63			: the following characters upto the end of the spe-
64			cification string are included in the character set.
65			This way you can include any character except binary
66			null (at least under unix).
67			</PRE>
68
69			<P>
70			For example, a1:$% selects lowercase characters, digits and the dollar and
71			percent signs.
72			<DT><B>-p, --init-password string</B>
73
74			<DD>
75			Set initial (starting) password for brute-force searching to <I>string</I>,
76			or use the file with the name <I>string</I> to supply passwords for dictionary
77			searching.
78			<DT><B>-l, --length min[-max]</B>
79
80			<DD>
81			Use an initial password of length min, and check all passwords
82			upto passwords of length max (including). You can omit the max
83			parameter.
84			<DT><B>-u, --use-unzip</B>
85
86			<DD>
87			Try to decompress the first file by calling unzip with the guessed
88			password. This weeds out false positives when not enough files have
89			been given.
90			<DT><B>-m, --method name</B>
91
92			<DD>
93			Use method number "name" instead of the default cracking method. The
94			switch <B>--help</B> will print a list of available methods. Use
95			<B>--benchmark</B> to see which method does perform best on your
96			machine. The <B>name</B> can also be the number of the method to use.
97			<DT><B>-2, --modulo r/m</B>
98
99			<DD>
100			Calculate only r/m of the password. Not yet supported.
101			<DT><B>-B, --benchmark</B>
102
103			<DD>
104			Make a small benchmark, the output is nearly meaningless.
105			<DT><B>-V, --validate</B>
106
107			<DD>
108			Make some basic checks wether the cracker works.
109			</DL>
110			<A NAME="lbAF"> </A>
111			<H2>ZIP PASSWORD BASICS</H2>
112
113			Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
114			'incorrect password', <I>without</I> decrypting the whole file. While the
115			encryption algorithm used by zip is relatively secure, PK made cracking easy
116			by providing hooks for very fast password-checking, directly in the zip
117			file. Understanding these is crucial to zip password cracking:
118			<P>
119			For each password that is tried, the first twelve bytes of the file are
120			decrypted. Depending on the version of zip used to encrypt the file (more on
121			that later), the first ten or eleven bytes are random, followed by one or
122			two bytes whose values are stored elsewhere in the zip file, i.e. are known
123			beforehand. If these last bytes don't have the correct (known) value, the
124			password is definitely wrong. If the bytes are correct, the password
125			<I>might</I> be correct, but the only method to find out is to unzip the file
126			and compare the uncompressed length and crc's.
127			<P>
128			Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
129			other operating systems!) stored two known bytes. Thus the error rate was
130			roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what industry calls
131			improved) the security of their format by only including one byte, so the
132			possibility of false passwords is now raised to 0.4%. Unfortunately, there
133			is no real way to distinguish one byte from two byte formats, so we have to
134			be conservative.
135			<A NAME="lbAG"> </A>
136			<H2>BRUTE FORCE MODE</H2>
137
138			By default, brute force starts at the given starting password, and
139			successively tries all combinations until they are exhausted, printing all
140			passwords that it detects, together with a rough correctness indicator.
141			<P>
142			The starting password given by the <I>-p</I> switch determines the length.
143			fcrackzip will not currently increase the password length automatically, unless
144			the <I>-l</I> switch is used.
145			<A NAME="lbAH"> </A>
146			<H2>DICTIONARY MODE</H2>
147
148			This mode is similar to brute force mode, but instead of generating passwords
149			using a given set of characters and a length, the passwords will be read from
150			a file that you have to specify using the <I>-p</I> switch.
151			<A NAME="lbAI"> </A>
152			<H2>CP MASK</H2>
153
154			A CP mask is a method to obscure images or parts of images using a
155			password. These obscured images can be restored even when saved as JPEG
156			files. In most of these files the password is actually hidden and can
157			be decoded easily (using one of the many available viewer and masking
158			programs, e.g. xv). If you convert the image the password, however, is
159			lost. The <B>cpmask</B> crack method can be used to brute-force these
160			images. Instead of a zip file you supply the obscured part (and nothing
161			else) of the image in the <B>PPM</B>-Image Format (<B>xv</B> and other
162			viewers can easily do this).
163			<P>
164			The <B>cpmask</B> method can only cope with password composed of uppercase
165			letters, so be sure to supply the <B>--charset A</B> or equivalent option,
166			together with a suitable initialization password.
167			<A NAME="lbAJ"> </A>
168			<H2>EXAMPLES</H2>
169
170			<DL COMPACT>
171			<DT><B>fcrackzip -c a -p aaaaaa sample.zip</B>
172
173			<DD>
174			checks the encrypted files in sample.zip for all lowercase 6 character
175			passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
176			<DT><B>fcrackzip --method cpmask --charset A --init AAAA test.ppm</B>
177
178			<DD>
179			checks the obscured image <B>test.ppm</B> for all four character passwords.
180			-TP
181			<B>fcrackzip -D -p passwords.txt sample.zip</B>
182
183			check for every password listed in the file <B>passwords.txt</B>.
184			</DL>
185			<A NAME="lbAK"> </A>
186			<H2>PERFORMANCE</H2>
187
188			<I>fzc</I>, which seems to be widely used as a fast password cracker,
189			claims to make 204570 checks per second on my machine (measured under plain
190			dos w/o memory manager).
191			<P>
192			<I>fcrackzip</I>, being written in C and not in assembler, naturally
193			is slower. Measured on a slightly loaded unix (same machine), it's 12
194			percent slower (the compiler used was <I>pgcc</I>, from
195			<B><A HREF="http://www.gcc.ml.org/">http://www.gcc.ml.org/</A></B>).
196			<P>
197			To remedy this a bit, I converted small parts of the encryption core to x86
198			assembler (it will still compile on non x86 machines), and now it's about
199			4-12 percent faster than <I>fzc</I> (again, the <I>fcrackzip</I> performance
200			was measured under a multitasking os, so there are inevitably some
201			meaurement errors), so there shouldn't be a tempting reason to switch to
202			other programs.
203			<P>
204			Further improvements are definitely possible: <I>fzc</I> took 4 years to get
205			into shape, while fcrackzip was hacked together in under 10 hours. And not to
206			forget you have the source, while other programs (like <I>fzc</I>), even come
207			as an <I>encrypted .exe</I> file (maybe because their programmers are afraid
208			of other people could having a look at their lack of programming skills?
209			nobody knows...)
210			<A NAME="lbAL"> </A>
211			<H2>RATIONALE</H2>
212
213			The reason I wrote <I>fcrackzip</I> was <B>NOT</B> to have the fastest zip
214			cracker available, but to provide a <I>portable</I>, <I>free</I> (thus
215			<I>extensible</I>), but still <I>fast</I> zip password cracker. I was really
216			pissed of with that dumb, nonextendable zipcrackers that were either slow,
217			were too limited, or wouldn't run in the background (say, under unix). (And
218			you can't run them on your superfast 600Mhz Alpha).
219			<A NAME="lbAM"> </A>
220			<H2>BUGS</H2>
221
222			No automatic unzip checking.
223			<P>
224
225			Stop/resume facility is missing.
226			<P>
227
228			Should be able to distinguish between files with 16 bit stored CRC's and 8
229			bit stored CRC's.
230			<P>
231
232			The benchmark does not work on all systems.
233			<P>
234
235			It's still early alpha.
236			<P>
237
238			Method "cpmask" only accepts ppms.
239			<P>
240
241			Could be faster.
242			<A NAME="lbAN"> </A>
243			<H2>AUTHOR</H2>
244
245			<I>fcrackzip</I> was written by Marc Lehmann <<A HREF="mailto:pcg@goof.com">pcg@goof.com</A>>. The main
246			<I>fcrackzip</I> page is at <B><A HREF="http://www.goof.com/pcg/marc/fcrackzip.html">http://www.goof.com/pcg/marc/fcrackzip.html</A></B>)
247			<P>
248			<P>
249
250			<HR>
251			<A NAME="index"> </A><H2>Index</H2>
252			<DL>
253			<DT><A HREF="#lbAB">NAME</A><DD>
254			<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
255			<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
256			<DL>
257			<DT><A HREF="#lbAE">OPTIONS</A><DD>
258			</DL>
259			<DT><A HREF="#lbAF">ZIP PASSWORD BASICS</A><DD>
260			<DT><A HREF="#lbAG">BRUTE FORCE MODE</A><DD>
261			<DT><A HREF="#lbAH">DICTIONARY MODE</A><DD>
262			<DT><A HREF="#lbAI">CP MASK</A><DD>
263			<DT><A HREF="#lbAJ">EXAMPLES</A><DD>
264			<DT><A HREF="#lbAK">PERFORMANCE</A><DD>
265			<DT><A HREF="#lbAL">RATIONALE</A><DD>
266			<DT><A HREF="#lbAM">BUGS</A><DD>
267			<DT><A HREF="#lbAN">AUTHOR</A><DD>
268			</DL>
269			<HR>
270			This document was created by
271			,
272			using the manual pages.<BR>
273			Time: 09:44:43 GMT, February 09, 2003
274			</BODY>
275			</HTML>