| 1 |
root |
1.1 |
FCRACKZIP(1) FCRACKZIP(1) |
| 2 |
|
|
|
| 3 |
|
|
|
| 4 |
|
|
|
| 5 |
|
|
N�NA�AM�ME�E |
| 6 |
|
|
_�f_�c_�r_�a_�c_�k_�z_�i_�p - a Free/Fast Zip Password Cracker |
| 7 |
|
|
|
| 8 |
|
|
S�SY�YN�NO�OP�PS�SI�IS�S |
| 9 |
|
|
f�fc�cr�ra�ac�ck�kz�zi�ip�p [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] |
| 10 |
|
|
[--charset characterset] [--help] [--validate] [--verbose] [--init- |
| 11 |
|
|
password string/path] [--length min-max] [--use-unzip] [--method name] |
| 12 |
|
|
[--modulo r/m] file... |
| 13 |
|
|
|
| 14 |
|
|
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
| 15 |
|
|
_�f_�c_�r_�a_�c_�k_�z_�i_�p searches each zipfile given for encrypted files and tries to |
| 16 |
|
|
guess the password. All files must be encrypted with the same password, |
| 17 |
|
|
the more files you provide, the better. |
| 18 |
|
|
|
| 19 |
|
|
O�OP�PT�TI�IO�ON�NS�S |
| 20 |
|
|
-�-h�h,�, -�--�-h�he�el�lp�p |
| 21 |
|
|
Prints the version number and (hopefully) some helpful insights. |
| 22 |
|
|
|
| 23 |
|
|
-�-v�v,�, -�--�-v�ve�er�rb�bo�os�se�e |
| 24 |
|
|
Each -v makes the program more verbose. |
| 25 |
|
|
|
| 26 |
|
|
-�-b�b,�, -�--�-b�br�ru�ut�te�e-�-f�fo�or�rc�ce�e |
| 27 |
|
|
Select brute force mode. This tries all possible combinations of |
| 28 |
|
|
the letters you specify. |
| 29 |
|
|
|
| 30 |
|
|
-�-D�D,�, -�--�-d�di�ic�ct�ti�io�on�na�ar�ry�y |
| 31 |
|
|
Select dictionary mode. In this mode, fcrackzip will read pass- |
| 32 |
|
|
words from a file, which must contain one password per line and |
| 33 |
|
|
should be alphabetically sorted (e.g. using s�so�or�rt�t(�(1�1)�)). |
| 34 |
|
|
|
| 35 |
|
|
-�-c�c,�, -�--�-c�ch�ha�ar�rs�se�et�t c�ch�ha�ar�ra�ac�ct�te�er�rs�se�et�t-�-s�sp�pe�ec�ci�if�fi�ic�ca�at�ti�io�on�n |
| 36 |
|
|
Select the characters to use in brute-force cracking. Must be |
| 37 |
|
|
one of |
| 38 |
|
|
|
| 39 |
|
|
a include all lowercase characters [a-z] |
| 40 |
|
|
A include all uppercase characters [A-Z] |
| 41 |
|
|
1 include the digits [0-9] |
| 42 |
|
|
! include [!:$%&/()=?{[]}+*~#] |
| 43 |
|
|
: the following characters upto the end of the spe- |
| 44 |
|
|
cification string are included in the character set. |
| 45 |
|
|
This way you can include any character except binary |
| 46 |
|
|
null (at least under unix). |
| 47 |
|
|
|
| 48 |
|
|
For example, a1:$% selects lowercase characters, digits and the |
| 49 |
|
|
dollar and percent signs. |
| 50 |
|
|
|
| 51 |
|
|
-�-p�p,�, -�--�-i�in�ni�it�t-�-p�pa�as�ss�sw�wo�or�rd�d s�st�tr�ri�in�ng�g |
| 52 |
|
|
Set initial (starting) password for brute-force searching to |
| 53 |
|
|
_�s_�t_�r_�i_�n_�g, or use the file with the name _�s_�t_�r_�i_�n_�g to supply passwords |
| 54 |
|
|
for dictionary searching. |
| 55 |
|
|
|
| 56 |
|
|
-�-l�l,�, -�--�-l�le�en�ng�gt�th�h m�mi�in�n[�[-�-m�ma�ax�x]�] |
| 57 |
|
|
Use an initial password of length min, and check all passwords |
| 58 |
|
|
upto passwords of length max (including). You can omit the max |
| 59 |
|
|
parameter. |
| 60 |
|
|
|
| 61 |
|
|
-�-u�u,�, -�--�-u�us�se�e-�-u�un�nz�zi�ip�p |
| 62 |
|
|
Try to decompress the first file by calling unzip with the |
| 63 |
|
|
guessed password. This weeds out false positives when not enough |
| 64 |
|
|
files have been given. |
| 65 |
|
|
|
| 66 |
|
|
-�-m�m,�, -�--�-m�me�et�th�ho�od�d n�na�am�me�e |
| 67 |
|
|
Use method number "name" instead of the default cracking method. |
| 68 |
|
|
The switch -�--�-h�he�el�lp�p will print a list of available methods. Use |
| 69 |
|
|
-�--�-b�be�en�nc�ch�hm�ma�ar�rk�k to see which method does perform best on your |
| 70 |
|
|
machine. The n�na�am�me�e can also be the number of the method to use. |
| 71 |
|
|
|
| 72 |
|
|
-�-2�2,�, -�--�-m�mo�od�du�ul�lo�o r�r/�/m�m |
| 73 |
|
|
Calculate only r/m of the password. Not yet supported. |
| 74 |
|
|
|
| 75 |
|
|
-�-B�B,�, -�--�-b�be�en�nc�ch�hm�ma�ar�rk�k |
| 76 |
|
|
Make a small benchmark, the output is nearly meaningless. |
| 77 |
|
|
|
| 78 |
|
|
-�-V�V,�, -�--�-v�va�al�li�id�da�at�te�e |
| 79 |
|
|
Make some basic checks wether the cracker works. |
| 80 |
|
|
|
| 81 |
|
|
Z�ZI�IP�P P�PA�AS�SS�SW�WO�OR�RD�D B�BA�AS�SI�IC�CS�S |
| 82 |
|
|
Have you ever mis-typed a password for unzip? Unzip reacted pretty fast |
| 83 |
|
|
with ´incorrect password´, _�w_�i_�t_�h_�o_�u_�t decrypting the whole file. While the |
| 84 |
|
|
encryption algorithm used by zip is relatively secure, PK made cracking |
| 85 |
|
|
easy by providing hooks for very fast password-checking, directly in |
| 86 |
|
|
the zip file. Understanding these is crucial to zip password cracking: |
| 87 |
|
|
|
| 88 |
|
|
For each password that is tried, the first twelve bytes of the file are |
| 89 |
|
|
decrypted. Depending on the version of zip used to encrypt the file |
| 90 |
|
|
(more on that later), the first ten or eleven bytes are random, fol- |
| 91 |
|
|
lowed by one or two bytes whose values are stored elsewhere in the zip |
| 92 |
|
|
file, i.e. are known beforehand. If these last bytes don't have the |
| 93 |
|
|
correct (known) value, the password is definitely wrong. If the bytes |
| 94 |
|
|
are correct, the password _�m_�i_�g_�h_�t be correct, but the only method to find |
| 95 |
|
|
out is to unzip the file and compare the uncompressed length and crc´s. |
| 96 |
|
|
|
| 97 |
|
|
Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones |
| 98 |
|
|
for other operating systems!) stored two known bytes. Thus the error |
| 99 |
|
|
rate was roughly 1/2^16 = 0.01%. PKWARE ´improved´ (interesting what |
| 100 |
|
|
industry calls improved) the security of their format by only including |
| 101 |
|
|
one byte, so the possibility of false passwords is now raised to 0.4%. |
| 102 |
|
|
Unfortunately, there is no real way to distinguish one byte from two |
| 103 |
|
|
byte formats, so we have to be conservative. |
| 104 |
|
|
|
| 105 |
|
|
B�BR�RU�UT�TE�E F�FO�OR�RC�CE�E M�MO�OD�DE�E |
| 106 |
|
|
By default, brute force starts at the given starting password, and suc- |
| 107 |
|
|
cessively tries all combinations until they are exhausted, printing all |
| 108 |
|
|
passwords that it detects, together with a rough correctness indicator. |
| 109 |
|
|
|
| 110 |
|
|
The starting password given by the _�-_�p switch determines the length. |
| 111 |
|
|
fcrackzip will not currently increase the password length automati- |
| 112 |
|
|
cally, unless the _�-_�l switch is used. |
| 113 |
|
|
|
| 114 |
|
|
D�DI�IC�CT�TI�IO�ON�NA�AR�RY�Y M�MO�OD�DE�E |
| 115 |
|
|
This mode is similar to brute force mode, but instead of generating |
| 116 |
|
|
passwords using a given set of characters and a length, the passwords |
| 117 |
|
|
will be read from a file that you have to specify using the _�-_�p switch. |
| 118 |
|
|
|
| 119 |
|
|
C�CP�P M�MA�AS�SK�K |
| 120 |
|
|
A CP mask is a method to obscure images or parts of images using a |
| 121 |
|
|
password. These obscured images can be restored even when saved as |
| 122 |
|
|
JPEG files. In most of these files the password is actually hidden and |
| 123 |
|
|
can be decoded easily (using one of the many available viewer and mask- |
| 124 |
|
|
ing programs, e.g. xv). If you convert the image the password, however, |
| 125 |
|
|
is lost. The c�cp�pm�ma�as�sk�k crack method can be used to brute-force these |
| 126 |
|
|
images. Instead of a zip file you supply the obscured part (and nothing |
| 127 |
|
|
else) of the image in the P�PP�PM�M-Image Format (x�xv�v and other viewers can |
| 128 |
|
|
easily do this). |
| 129 |
|
|
|
| 130 |
|
|
The c�cp�pm�ma�as�sk�k method can only cope with password composed of uppercase |
| 131 |
|
|
letters, so be sure to supply the -�--�-c�ch�ha�ar�rs�se�et�t A�A or equivalent option, |
| 132 |
|
|
together with a suitable initialization password. |
| 133 |
|
|
|
| 134 |
|
|
E�EX�XA�AM�MP�PL�LE�ES�S |
| 135 |
|
|
f�fc�cr�ra�ac�ck�kz�zi�ip�p -�-c�c a�a -�-p�p a�aa�aa�aa�aa�aa�a s�sa�am�mp�pl�le�e.�.z�zi�ip�p |
| 136 |
|
|
checks the encrypted files in sample.zip for all lowercase 6 |
| 137 |
|
|
character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz). |
| 138 |
|
|
|
| 139 |
|
|
f�fc�cr�ra�ac�ck�kz�zi�ip�p -�--�-m�me�et�th�ho�od�d c�cp�pm�ma�as�sk�k -�--�-c�ch�ha�ar�rs�se�et�t A�A -�--�-i�in�ni�it�t A�AA�AA�AA�A t�te�es�st�t.�.p�pp�pm�m |
| 140 |
|
|
checks the obscured image t�te�es�st�t.�.p�pp�pm�m for all four character pass- |
| 141 |
|
|
words. -TP f�fc�cr�ra�ac�ck�kz�zi�ip�p -�-D�D -�-p�p p�pa�as�ss�sw�wo�or�rd�ds�s.�.t�tx�xt�t s�sa�am�mp�pl�le�e.�.z�zi�ip�p check for |
| 142 |
|
|
every password listed in the file p�pa�as�ss�sw�wo�or�rd�ds�s.�.t�tx�xt�t. |
| 143 |
|
|
|
| 144 |
|
|
P�PE�ER�RF�FO�OR�RM�MA�AN�NC�CE�E |
| 145 |
|
|
_�f_�z_�c, which seems to be widely used as a fast password cracker, claims |
| 146 |
|
|
to make 204570 checks per second on my machine (measured under plain |
| 147 |
|
|
dos w/o memory manager). |
| 148 |
|
|
|
| 149 |
|
|
_�f_�c_�r_�a_�c_�k_�z_�i_�p, being written in C and not in assembler, naturally is |
| 150 |
|
|
slower. Measured on a slightly loaded unix (same machine), it´s 12 per- |
| 151 |
|
|
cent slower (the compiler used was _�p_�g_�c_�c, from h�ht�tt�tp�p:�:/�//�/w�ww�ww�w.�.g�gc�cc�c.�.m�ml�l.�.o�or�rg�g/�/). |
| 152 |
|
|
|
| 153 |
|
|
To remedy this a bit, I converted small parts of the encryption core to |
| 154 |
|
|
x86 assembler (it will still compile on non x86 machines), and now it´s |
| 155 |
|
|
about 4-12 percent faster than _�f_�z_�c (again, the _�f_�c_�r_�a_�c_�k_�z_�i_�p performance |
| 156 |
|
|
was measured under a multitasking os, so there are inevitably some |
| 157 |
|
|
meaurement errors), so there shouldn't be a tempting reason to switch |
| 158 |
|
|
to other programs. |
| 159 |
|
|
|
| 160 |
|
|
Further improvements are definitely possible: _�f_�z_�c took 4 years to get |
| 161 |
|
|
into shape, while fcrackzip was hacked together in under 10 hours. And |
| 162 |
|
|
not to forget you have the source, while other programs (like _�f_�z_�c), |
| 163 |
|
|
even come as an _�e_�n_�c_�r_�y_�p_�t_�e_�d _�._�e_�x_�e file (maybe because their programmers |
| 164 |
|
|
are afraid of other people could having a look at their lack of pro- |
| 165 |
|
|
gramming skills? nobody knows...) |
| 166 |
|
|
|
| 167 |
|
|
R�RA�AT�TI�IO�ON�NA�AL�LE�E |
| 168 |
|
|
The reason I wrote _�f_�c_�r_�a_�c_�k_�z_�i_�p was N�NO�OT�T to have the fastest zip cracker |
| 169 |
|
|
available, but to provide a _�p_�o_�r_�t_�a_�b_�l_�e, _�f_�r_�e_�e (thus _�e_�x_�t_�e_�n_�s_�i_�b_�l_�e), but still |
| 170 |
|
|
_�f_�a_�s_�t zip password cracker. I was really pissed of with that dumb, |
| 171 |
|
|
nonextendable zipcrackers that were either slow, were too limited, or |
| 172 |
|
|
wouldn't run in the background (say, under unix). (And you can't run |
| 173 |
|
|
them on your superfast 600Mhz Alpha). |
| 174 |
|
|
|
| 175 |
|
|
B�BU�UG�GS�S |
| 176 |
|
|
No automatic unzip checking. |
| 177 |
|
|
|
| 178 |
|
|
Stop/resume facility is missing. |
| 179 |
|
|
|
| 180 |
|
|
Should be able to distinguish between files with 16 bit stored CRC´s |
| 181 |
|
|
and 8 bit stored CRC´s. |
| 182 |
|
|
|
| 183 |
|
|
The benchmark does not work on all systems. |
| 184 |
|
|
|
| 185 |
|
|
It's still early alpha. |
| 186 |
|
|
|
| 187 |
|
|
Method "cpmask" only accepts ppms. |
| 188 |
|
|
|
| 189 |
|
|
Could be faster. |
| 190 |
|
|
|
| 191 |
|
|
A�AU�UT�TH�HO�OR�R |
| 192 |
|
|
_�f_�c_�r_�a_�c_�k_�z_�i_�p was written by Marc Lehmann <pcg@goof.com>. The main |
| 193 |
|
|
_�f_�c_�r_�a_�c_�k_�z_�i_�p page is at h�ht�tt�tp�p:�:/�//�/w�ww�ww�w.�.g�go�oo�of�f.�.c�co�om�m/�/p�pc�cg�g/�/m�ma�ar�rc�c/�/f�fc�cr�ra�ac�ck�kz�zi�ip�p.�.h�ht�tm�ml�l) |
| 194 |
|
|
|
| 195 |
|
|
|
| 196 |
|
|
|
| 197 |
|
|
|
| 198 |
|
|
Free/Fast Zip Password Cracker FCRACKZIP(1) |
