FCRACKZIP(1)                                                      FCRACKZIP(1)

NAME
       fcrackzip - a Free/Fast Zip Password Cracker

SYNOPSIS
       fcrackzip [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark]
       [--charset characterset] [--help] [--validate] [--verbose]
       [--init-password string/path] [--length min-max] [--use-unzip]
       [--method name] [--modulo r/m] file...

DESCRIPTION
       fcrackzip searches each zipfile given for encrypted files and tries to
       guess the password. All files must be encrypted with the same password;
       the more files you provide, the better.

OPTIONS
       -h, --help
              Prints the version number and (hopefully) some helpful insights.

       -v, --verbose
              Each -v makes the program more verbose.

       -b, --brute-force
              Select brute force mode. This tries all possible combinations of
              the letters you specify.

       -D, --dictionary
              Select dictionary mode. In this mode, fcrackzip will read
              passwords from a file, which must contain one password per line
              and should be alphabetically sorted (e.g. using sort(1)).

       -c, --charset characterset-specification
              Select the characters to use in brute-force cracking. Must be
              one of

              a      include all lowercase characters [a-z]
              A      include all uppercase characters [A-Z]
              1      include the digits [0-9]
              !      include [!:$%&/()=?{[]}+*~#]
              :      the following characters up to the end of the
                     specification string are included in the character set.
                     This way you can include any character except binary
                     null (at least under unix).

              For example, a1:$% selects lowercase characters, digits and the
              dollar and percent signs.

       -p, --init-password string
              Set initial (starting) password for brute-force searching to
              string, or use the file with the name string to supply passwords
              for dictionary searching.

       -l, --length min[-max]
              Use an initial password of length min, and check all passwords
              up to passwords of length max (inclusive). You can omit the max
              parameter.

       -u, --use-unzip
              Try to decompress the first file by calling unzip with the
              guessed password. This weeds out false positives when not enough
              files have been given.

       -m, --method name
              Use method number "name" instead of the default cracking method.
              The switch --help will print a list of available methods. Use
              --benchmark to see which method performs best on your machine.
              The name can also be the number of the method to use.

       -2, --modulo r/m
              Calculate only r/m of the password. Not yet supported.

       -B, --benchmark
              Make a small benchmark; the output is nearly meaningless.

       -V, --validate
              Make some basic checks whether the cracker works.

ZIP PASSWORD BASICS
       Have you ever mis-typed a password for unzip? Unzip reacted pretty fast
       with 'incorrect password', without decrypting the whole file. While the
       encryption algorithm used by zip is relatively secure, PK made cracking
       easy by providing hooks for very fast password-checking, directly in
       the zip file. Understanding these is crucial to zip password cracking:

       For each password that is tried, the first twelve bytes of the file are
       decrypted. Depending on the version of zip used to encrypt the file
       (more on that later), the first ten or eleven bytes are random,
       followed by one or two bytes whose values are stored elsewhere in the
       zip file, i.e. are known beforehand. If these last bytes don't have the
       correct (known) value, the password is definitely wrong. If the bytes
       are correct, the password might be correct, but the only method to find
       out is to unzip the file and compare the uncompressed length and CRCs.

       Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones
       for other operating systems!) stored two known bytes. Thus the error
       rate was roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what
       industry calls improved) the security of their format by only including
       one byte, so the probability of a false password is now raised to 0.4%.
       Unfortunately, there is no real way to distinguish one-byte from
       two-byte formats, so we have to be conservative.

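       The fast check described above exists only for the legacy ZipCrypto
       scheme, so an auditor's first question about an archive is which
       entries still rely on it. The following Python is an added example,
       not part of fcrackzip: it walks the local file headers of a zip image
       (layout per PKWARE's APPNOTE), flags each entry as unencrypted,
       ZipCrypto or AES (method 99), and for ZipCrypto reports the known byte
       that the 12-byte header check compares against (high byte of the CRC,
       or of the DOS time when bit 3 is set). The sample image is constructed
       inline and contains no real ciphertext or passwords.

```python
import struct

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"   # signature + 26-byte fixed local file header
AES_METHOD = 99              # WinZip AE-x puts 99 in the method field

def audit_local_headers(data):
    """Walk the local file headers of a zip image and report, per entry,
    which scheme protects it and, for legacy ZipCrypto, which known byte
    the 12-byte encryption-header check compares against."""
    entries, pos = [], 0
    while data[pos:pos + 4] == struct.pack("<I", LOCAL_SIG):
        (_, _ver, flags, method, dtime, _ddate, crc,
         csize, _usize, fnlen, exlen) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + 30:pos + 30 + fnlen].decode("cp437")
        if not flags & 1:
            scheme, check = "none", None
        elif method == AES_METHOD:
            scheme, check = "aes", None   # AE-x verifies via HMAC, no 12-byte hook
        else:
            scheme = "zipcrypto"
            # APPNOTE: last decrypted header byte is the high byte of the CRC,
            # or of the DOS time when bit 3 (data descriptor) is set.
            check = (dtime >> 8) & 0xFF if flags & 8 else (crc >> 24) & 0xFF
        entries.append({"name": name, "scheme": scheme,
                        "check_byte": check, "weak": scheme == "zipcrypto"})
        if flags & 8 and csize == 0:
            break   # sizes live in a trailing data descriptor; cannot skip blindly
        pos += 30 + fnlen + exlen + csize
    return entries

def _entry(name, flags, method, crc, payload, dtime=0x4C20):
    """Build one constructed local header plus payload (not a real archive)."""
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, dtime, 0x5821,
                      crc, len(payload), len(payload), len(name), 0)
    return hdr + name + payload

# Constructed sample image: 12 placeholder header bytes plus an opaque body
# stand in for ciphertext; no real keys, passwords or plaintext are involved.
SAMPLE = (
    _entry(b"notes.txt", 0, 8, 0x11223344, b"\x00" * 5)
    + _entry(b"secret.txt", 1, 8, 0xDEADBEEF, b"\x00" * 12 + b"\xAA" * 7)
    + _entry(b"desc.txt", 1 | 8, 8, 0, b"\x00" * 12 + b"\xBB" * 3, dtime=0x7B2C)
    + _entry(b"vault.bin", 1, AES_METHOD, 0, b"\x00" * 30)
)

if __name__ == "__main__":
    for entry in audit_local_headers(SAMPLE):
        print(entry)
```

       Entries reported as "zipcrypto" are the ones whose only protection is
       the one-byte (or two-byte) check the section above describes.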
BRUTE FORCE MODE
       By default, brute force starts at the given starting password, and
       successively tries all combinations until they are exhausted, printing
       all passwords that it detects, together with a rough correctness
       indicator.

       The starting password given by the -p switch determines the length.
       fcrackzip will not currently increase the password length
       automatically, unless the -l switch is used.

DICTIONARY MODE
       This mode is similar to brute force mode, but instead of generating
       passwords using a given set of characters and a length, the passwords
       will be read from a file that you have to specify using the -p switch.

CP MASK
       A CP mask is a method to obscure images or parts of images using a
       password. These obscured images can be restored even when saved as
       JPEG files. In most of these files the password is actually hidden and
       can be decoded easily (using one of the many available viewer and
       masking programs, e.g. xv). If you convert the image, however, the
       password is lost. The cpmask crack method can be used to brute-force
       these images. Instead of a zip file you supply the obscured part (and
       nothing else) of the image in the PPM image format (xv and other
       viewers can easily do this).

       The cpmask method can only cope with passwords composed of uppercase
       letters, so be sure to supply the --charset A or equivalent option,
       together with a suitable initialization password.

EXAMPLES
       fcrackzip -c a -p aaaaaa sample.zip
              checks the encrypted files in sample.zip for all lowercase 6
              character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).

       fcrackzip --method cpmask --charset A --init AAAA test.ppm
              checks the obscured image test.ppm for all four character
              passwords.

       fcrackzip -D -p passwords.txt sample.zip
              checks for every password listed in the file passwords.txt.

PERFORMANCE
       fzc, which seems to be widely used as a fast password cracker, claims
       to make 204570 checks per second on my machine (measured under plain
       dos w/o memory manager).

       fcrackzip, being written in C and not in assembler, naturally is
       slower. Measured on a slightly loaded unix (same machine), it's 12
       percent slower (the compiler used was pgcc, from
       http://www.gcc.ml.org/).

       To remedy this a bit, I converted small parts of the encryption core to
       x86 assembler (it will still compile on non x86 machines), and now it's
       about 4-12 percent faster than fzc (again, the fcrackzip performance
       was measured under a multitasking os, so there are inevitably some
       measurement errors), so there shouldn't be a tempting reason to switch
       to other programs.

       Further improvements are definitely possible: fzc took 4 years to get
       into shape, while fcrackzip was hacked together in under 10 hours. And
       don't forget that you have the source, while other programs (like fzc)
       even come as an encrypted .exe file (maybe because their programmers
       are afraid of other people having a look at their lack of programming
       skills? nobody knows...)

RATIONALE
       The reason I wrote fcrackzip was NOT to have the fastest zip cracker
       available, but to provide a portable, free (thus extensible), but still
       fast zip password cracker. I was really pissed off with those dumb,
       nonextendable zipcrackers that were either slow, were too limited, or
       wouldn't run in the background (say, under unix). (And you can't run
       them on your superfast 600Mhz Alpha).

BUGS
       No automatic unzip checking.

       Stop/resume facility is missing.

       Should be able to distinguish between files with 16 bit stored CRCs
       and 8 bit stored CRCs.

       The benchmark does not work on all systems.

       It's still early alpha.

       Method "cpmask" only accepts ppms.

       Could be faster.

AUTHOR
       fcrackzip was written by Marc Lehmann <pcg@goof.com>. The main
       fcrackzip page is at http://www.goof.com/pcg/marc/fcrackzip.html



                      Free/Fast Zip Password Cracker             FCRACKZIP(1)