/cvs/fcrackzip/fcrackzip.html
Revision: 1.1
Committed: Mon Aug 4 07:09:50 2008 UTC (16 years, 3 months ago) by root
Content type: text/html
Branch: MAIN
CVS Tags: HEAD
Log Message:
initial check-in, also 1.0 check-in

File Contents

# User Rev Content
1 root 1.1 <HTML><HEAD><TITLE>Manpage of FCRACKZIP</TITLE>
2     </HEAD><BODY>
3     <H1>FCRACKZIP</H1>
4     Section: User Commands (1)<BR>Updated: Free/Fast Zip Password Cracker<BR><A HREF="#index">Index</A>
5     <HR>
6    
7     <A NAME="lbAB">&nbsp;</A>
8     <H2>NAME</H2>
9    
10     <I>fcrackzip</I>
11    
12     - a Free/Fast Zip Password Cracker
13     <A NAME="lbAC">&nbsp;</A>
14     <H2>SYNOPSIS</H2>
15    
16     <B>fcrackzip</B>
17    
18     [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset]
19     [--help] [--validate] [--verbose] [--init-password string/path] [--length min-max]
20     [--use-unzip] [--method name] [--modulo r/m] file...
21     <A NAME="lbAD">&nbsp;</A>
22     <H2>DESCRIPTION</H2>
23    
24     <I>fcrackzip</I>
25    
26     searches each zipfile given for encrypted files and tries to guess the
27     password. All files must be encrypted with the same password; the more
28     files you provide, the better.
29     <A NAME="lbAE">&nbsp;</A>
30     <H3>OPTIONS</H3>
31    
32     <DL COMPACT>
33     <DT><B>-h, --help</B>
34    
35     <DD>
36     Prints the version number and (hopefully) some helpful insights.
37     <DT><B>-v, --verbose</B>
38    
39     <DD>
40     Each -v makes the program more verbose.
41     <DT><B>-b, --brute-force</B>
42    
43     <DD>
44     Select brute force mode. This tries all possible combinations
45     of the letters you specify.
46     <DT><B>-D, --dictionary</B>
47    
48     <DD>
49     Select dictionary mode. In this mode, fcrackzip will read passwords
50     from a file, which must contain one password per line and should be
51     alphabetically sorted (e.g. using <B>(1)</B>).
52     <DT><B>-c, --charset characterset-specification</B>
53    
54     <DD>
55     Select the characters to use in brute-force cracking. Must be one
56     of
57     <P>
58     <PRE>
59     a include all lowercase characters [a-z]
60     A include all uppercase characters [A-Z]
61     1 include the digits [0-9]
62     ! include [!:$%&amp;/()=?{[]}+*~#]
63     : the following characters up to the end of the
64     specification string are included in the character set.
65     This way you can include any character except binary
66     null (at least under unix).
67     </PRE>
68    
69     <P>
70     For example, a1:$% selects lowercase characters, digits and the dollar and
71     percent signs.
72     <DT><B>-p, --init-password string</B>
73    
74     <DD>
75     Set initial (starting) password for brute-force searching to <I>string</I>,
76     or use the file with the name <I>string</I> to supply passwords for dictionary
77     searching.
78     <DT><B>-l, --length min[-max]</B>
79    
80     <DD>
81     Use an initial password of length min, and check all passwords
82     up to and including length max. You can omit the max
83     parameter.
84     <DT><B>-u, --use-unzip</B>
85    
86     <DD>
87     Try to decompress the first file by calling unzip with the guessed
88     password. This weeds out false positives when not enough files have
89     been given.
90     <DT><B>-m, --method name</B>
91    
92     <DD>
93     Use method number &quot;name&quot; instead of the default cracking method. The
94     switch <B>--help</B> will print a list of available methods. Use
95     <B>--benchmark</B> to see which method performs best on your
96     machine. The <B>name</B> can also be the number of the method to use.
97     <DT><B>-2, --modulo r/m</B>
98    
99     <DD>
100     Calculate only r/m of the password. Not yet supported.
101     <DT><B>-B, --benchmark</B>
102    
103     <DD>
104     Make a small benchmark, the output is nearly meaningless.
105     <DT><B>-V, --validate</B>
106    
107     <DD>
108     Make some basic checks whether the cracker works.
109     </DL>
110     <A NAME="lbAF">&nbsp;</A>
111     <H2>ZIP PASSWORD BASICS</H2>
112    
113     Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with
114     'incorrect password', <I>without</I> decrypting the whole file. While the
115     encryption algorithm used by zip is relatively secure, PK made cracking easy
116     by providing hooks for very fast password-checking, directly in the zip
117     file. Understanding these is crucial to zip password cracking:
118     <P>
119     For each password that is tried, the first twelve bytes of the file are
120     decrypted. Depending on the version of zip used to encrypt the file (more on
121     that later), the first ten or eleven bytes are random, followed by one or
122     two bytes whose values are stored elsewhere in the zip file, i.e. are known
123     beforehand. If these last bytes don't have the correct (known) value, the
124     password is definitely wrong. If the bytes are correct, the password
125     <I>might</I> be correct, but the only method to find out is to unzip the file
126     and compare the uncompressed length and crc's.
127     <P>
128     Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for
129     other operating systems!) stored two known bytes. Thus the error rate was
130     roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what industry calls
131     improved) the security of their format by only including one byte, so the
132     possibility of false passwords is now raised to 0.4%. Unfortunately, there
133     is no real way to distinguish one byte from two byte formats, so we have to
134     be conservative.
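<P>
Added example (not fcrackzip's own code): the header check described above, written out in Python with the key-update constants from PKWARE's published description of the traditional zip cipher. The passwords, the CRC value and the wrong guesses are constructed for the demonstration; it counts how many wrong passwords still pass the one-byte and the two-byte check, which is why a match is only a hint until the file has been unzipped and its CRC compared (what <B>--use-unzip</B> does).

```python
import random
import zlib

def crc_step(crc, byte):
    # One raw CRC-32 step; zlib's initial/final inversion is undone here.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class Keys:
    """The three 32-bit keys of the traditional cipher, seeded by the password."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, plain):
        self.k0 = crc_step(self.k0, plain)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = crc_step(self.k2, self.k1 >> 24)

    def stream(self):
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

def crypt_header(password, data, decrypt):
    """Encrypt or decrypt the 12-byte header; the keys always absorb plaintext."""
    keys, out = Keys(password), bytearray()
    for b in data:
        x = b ^ keys.stream()
        keys.update(x if decrypt else b)
        out.append(x)
    return bytes(out)

def demo(n=20000):
    crc = 0xCAFEF00D                                # constructed member CRC-32
    known = (crc >> 16).to_bytes(2, "little")       # high word, low byte first
    rnd = random.Random(1)                          # fixed seed: repeatable
    plain = bytes(rnd.randrange(256) for _ in range(10)) + known
    enc = crypt_header(b"right one", plain, decrypt=False)
    tails = [crypt_header(b"wrong%d" % i, enc, True)[-2:] for i in range(n)]
    one = sum(t[1:] == known[1:] for t in tails)    # 1 known byte (newer zips)
    two = sum(t == known for t in tails)            # 2 known bytes (pkzip 1.xx)
    right = crypt_header(b"right one", enc, True)[-2:] == known
    return right, one, two

if __name__ == "__main__":
    print("right password passes: %s; wrong passwords passing: "
          "%d (1 byte), %d (2 bytes)" % demo())
```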
135     <A NAME="lbAG">&nbsp;</A>
136     <H2>BRUTE FORCE MODE</H2>
137    
138     By default, brute force starts at the given starting password, and
139     successively tries all combinations until they are exhausted, printing all
140     passwords that it detects, together with a rough correctness indicator.
141     <P>
142     The starting password given by the <I>-p</I> switch determines the length.
143     fcrackzip will not currently increase the password length automatically, unless
144     the <I>-l</I> switch is used.
145     <A NAME="lbAH">&nbsp;</A>
146     <H2>DICTIONARY MODE</H2>
147    
148     This mode is similar to brute force mode, but instead of generating passwords
149     using a given set of characters and a length, the passwords will be read from
150     a file that you have to specify using the <I>-p</I> switch.
151     <A NAME="lbAI">&nbsp;</A>
152     <H2>CP MASK</H2>
153    
154     A CP mask is a method to obscure images or parts of images using a
155     password. These obscured images can be restored even when saved as JPEG
156     files. In most of these files the password is actually hidden and can
157     be decoded easily (using one of the many available viewer and masking
158     programs, e.g. xv). If you convert the image, however, the password is
159     lost. The <B>cpmask</B> crack method can be used to brute-force these
160     images. Instead of a zip file you supply the obscured part (and nothing
161     else) of the image in the <B>PPM</B>-Image Format (<B>xv</B> and other
162     viewers can easily do this).
163     <P>
164     The <B>cpmask</B> method can only cope with passwords composed of uppercase
165     letters, so be sure to supply the <B>--charset A</B> or equivalent option,
166     together with a suitable initialization password.
167     <A NAME="lbAJ">&nbsp;</A>
168     <H2>EXAMPLES</H2>
169    
170     <DL COMPACT>
171     <DT><B>fcrackzip -c a -p aaaaaa sample.zip</B>
172    
173     <DD>
174     checks the encrypted files in sample.zip for all lowercase 6 character
175     passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
176     <DT><B>fcrackzip --method cpmask --charset A --init AAAA test.ppm</B>
177    
178     <DD>
179     checks the obscured image <B>test.ppm</B> for all four character passwords.
180     <DT><B>fcrackzip -D -p passwords.txt sample.zip</B>
181    
182     <DD>
183     checks for every password listed in the file <B>passwords.txt</B>.
184     </DL>
185     <A NAME="lbAK">&nbsp;</A>
186     <H2>PERFORMANCE</H2>
187    
188     <I>fzc</I>, which seems to be widely used as a fast password cracker,
189     claims to make 204570 checks per second on my machine (measured under plain
190     dos w/o memory manager).
191     <P>
192     <I>fcrackzip</I>, being written in C and not in assembler, naturally
193     is slower. Measured on a slightly loaded unix (same machine), it's 12
194     percent slower (the compiler used was <I>pgcc</I>, from
195     <B><A HREF="http://www.gcc.ml.org/">http://www.gcc.ml.org/</A></B>).
196     <P>
197     To remedy this a bit, I converted small parts of the encryption core to x86
198     assembler (it will still compile on non x86 machines), and now it's about
199     4-12 percent faster than <I>fzc</I> (again, the <I>fcrackzip</I> performance
200     was measured under a multitasking os, so there are inevitably some
201     measurement errors), so there shouldn't be a tempting reason to switch to
202     other programs.
203     <P>
204     Further improvements are definitely possible: <I>fzc</I> took 4 years to get
205     into shape, while fcrackzip was hacked together in under 10 hours. And not to
206     forget you have the source, while other programs (like <I>fzc</I>), even come
207     as an <I>encrypted .exe</I> file (maybe because their programmers are afraid
208     that other people could have a look at their lack of programming skills?
209     nobody knows...)
210     <A NAME="lbAL">&nbsp;</A>
211     <H2>RATIONALE</H2>
212    
213     The reason I wrote <I>fcrackzip</I> was <B>NOT</B> to have the fastest zip
214     cracker available, but to provide a <I>portable</I>, <I>free</I> (thus
215     <I>extensible</I>), but still <I>fast</I> zip password cracker. I was really
216     pissed off with those dumb, nonextendable zipcrackers that were either slow,
217     were too limited, or wouldn't run in the background (say, under unix). (And
218     you can't run them on your superfast 600MHz Alpha).
219     <A NAME="lbAM">&nbsp;</A>
220     <H2>BUGS</H2>
221    
222     No automatic unzip checking.
223     <P>
224    
225     Stop/resume facility is missing.
226     <P>
227    
228     Should be able to distinguish between files with 16 bit stored CRC's and 8
229     bit stored CRC's.
230     <P>
231    
232     The benchmark does not work on all systems.
233     <P>
234    
235     It's still early alpha.
236     <P>
237    
238     Method &quot;cpmask&quot; only accepts ppms.
239     <P>
240    
241     Could be faster.
242     <A NAME="lbAN">&nbsp;</A>
243     <H2>AUTHOR</H2>
244    
245     <I>fcrackzip</I> was written by Marc Lehmann &lt;<A HREF="mailto:pcg@goof.com">pcg@goof.com</A>&gt;. The main
246     <I>fcrackzip</I> page is at <B><A HREF="http://www.goof.com/pcg/marc/fcrackzip.html">http://www.goof.com/pcg/marc/fcrackzip.html</A></B>.
247     <P>
248     <P>
249    
250     <HR>
251     <A NAME="index">&nbsp;</A><H2>Index</H2>
252     <DL>
253     <DT><A HREF="#lbAB">NAME</A><DD>
254     <DT><A HREF="#lbAC">SYNOPSIS</A><DD>
255     <DT><A HREF="#lbAD">DESCRIPTION</A><DD>
256     <DL>
257     <DT><A HREF="#lbAE">OPTIONS</A><DD>
258     </DL>
259     <DT><A HREF="#lbAF">ZIP PASSWORD BASICS</A><DD>
260     <DT><A HREF="#lbAG">BRUTE FORCE MODE</A><DD>
261     <DT><A HREF="#lbAH">DICTIONARY MODE</A><DD>
262     <DT><A HREF="#lbAI">CP MASK</A><DD>
263     <DT><A HREF="#lbAJ">EXAMPLES</A><DD>
264     <DT><A HREF="#lbAK">PERFORMANCE</A><DD>
265     <DT><A HREF="#lbAL">RATIONALE</A><DD>
266     <DT><A HREF="#lbAM">BUGS</A><DD>
267     <DT><A HREF="#lbAN">AUTHOR</A><DD>
268     </DL>
269     <HR>
270     This document was created using the manual pages.<BR>
273     Time: 09:44:43 GMT, February 09, 2003
274     </BODY>
275     </HTML>