FCRACKZIP(1)                                                      FCRACKZIP(1)

NAME
       fcrackzip - a Free/Fast Zip Password Cracker

SYNOPSIS
       fcrackzip [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark]
       [--charset characterset] [--help] [--validate] [--verbose]
       [--init-password string/path] [--length min-max] [--use-unzip]
       [--method name] [--modulo r/m] file...

DESCRIPTION
       fcrackzip searches each zipfile given for encrypted files and tries to
       guess the password. All files must be encrypted with the same password;
       the more files you provide, the better.

OPTIONS
       -h, --help
              Prints the version number and (hopefully) some helpful insights.

       -v, --verbose
              Each -v makes the program more verbose.

       -b, --brute-force
              Select brute force mode. This tries all possible combinations of
              the letters you specify.

       -D, --dictionary
              Select dictionary mode. In this mode, fcrackzip will read
              passwords from a file, which must contain one password per line
              and should be alphabetically sorted (e.g. using sort(1)).

       -c, --charset characterset-specification
              Select the characters to use in brute-force cracking. Must be
              one of

              a      include all lowercase characters [a-z]
              A      include all uppercase characters [A-Z]
              1      include the digits [0-9]
              !      include [!:$%&/()=?{[]}+*~#]
              :      the following characters up to the end of the
                     specification string are included in the character set.
                     This way you can include any character except binary
                     null (at least under unix).

              For example, a1:$% selects lowercase characters, digits and the
              dollar and percent signs.

       -p, --init-password string
              Set initial (starting) password for brute-force searching to
              string, or use the file with the name string to supply passwords
              for dictionary searching.

       -l, --length min[-max]
              Use an initial password of length min, and check all passwords
              up to passwords of length max (inclusive). You can omit the max
              parameter.

       -u, --use-unzip
              Try to decompress the first file by calling unzip with the
              guessed password. This weeds out false positives when not enough
              files have been given.

       -m, --method name
              Use method number "name" instead of the default cracking method.
              The switch --help will print a list of available methods. Use
              --benchmark to see which method performs best on your machine.
              The name can also be the number of the method to use.

       -2, --modulo r/m
              Calculate only r/m of the password. Not yet supported.

       -B, --benchmark
              Make a small benchmark; the output is nearly meaningless.

       -V, --validate
              Make some basic checks whether the cracker works.

ZIP PASSWORD BASICS
       Have you ever mis-typed a password for unzip? Unzip reacted pretty fast
       with 'incorrect password', without decrypting the whole file. While the
       encryption algorithm used by zip is relatively secure, PK made cracking
       easy by providing hooks for very fast password-checking, directly in
       the zip file. Understanding these is crucial to zip password cracking:

       For each password that is tried, the first twelve bytes of the file are
       decrypted. Depending on the version of zip used to encrypt the file
       (more on that later), the first ten or eleven bytes are random,
       followed by one or two bytes whose values are stored elsewhere in the
       zip file, i.e. are known beforehand. If these last bytes don't have the
       correct (known) value, the password is definitely wrong. If the bytes
       are correct, the password might be correct, but the only way to find
       out is to unzip the file and compare the uncompressed length and CRCs.

       Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones
       for other operating systems!) stored two known bytes. Thus the error
       rate was roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what
       industry calls improved) the security of their format by only including
       one byte, so the probability of false passwords is now raised to 0.4%.
       Unfortunately, there is no real way to distinguish one-byte from
       two-byte formats, so we have to be conservative.
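
       The following Python audit is an added example for this page, not part
       of fcrackzip: it builds a small constructed archive in memory and
       reports, per entry, whether the data is stored in plaintext, protected
       by the legacy ZipCrypto scheme whose quick check bytes are described
       above, or by the later AES extension (method 99). Entry names, the
       placeholder payload bytes and the sample archive itself are all
       constructed here; only the header fields are parsed.

```python
import io
import struct
import zipfile
import zlib

# Flag bits and compression methods from the ZIP format specification (APPNOTE).
FLAG_ENCRYPTED = 0x0001   # general purpose bit 0: entry is encrypted
METHOD_AES = 99           # WinZip AES extension, not the legacy ZipCrypto scheme

def _entry(name: bytes, data: bytes, flags: int, method: int, offset: int):
    """Local file header + payload, and the matching central directory record."""
    crc, size = zlib.crc32(data), len(data)
    local = struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, flags, method, 0, 0x21,
                        crc, size, size, len(name), 0) + name + data
    central = struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, method,
                          0, 0x21, crc, size, size, len(name),
                          0, 0, 0, 0, 0, offset) + name
    return local, central

def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real capture). The 'encrypted' payloads
    are placeholder zero bytes standing in for the 12-byte encryption header
    plus ciphertext (method 0 = stored); nothing here is ever decrypted."""
    entries = [
        (b"readme.txt", b"hello", 0, 0),
        (b"secret.txt", b"\x00" * (12 + 5), FLAG_ENCRYPTED, 0),
        (b"strong.txt", b"\x00" * 32, FLAG_ENCRYPTED, METHOD_AES),
    ]
    body, central = b"", b""
    for name, data, flags, method in entries:
        local, record = _entry(name, data, flags, method, len(body))
        body, central = body + local, central + record
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(central), len(body), 0)
    return body + central + eocd

def audit_encryption(zip_bytes: bytes) -> dict:
    """Map each entry name to the protection it relies on; 'zipcrypto' entries
    are the ones subject to the fast check described in ZIP PASSWORD BASICS."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & FLAG_ENCRYPTED:
                findings[info.filename] = "plaintext"
            elif info.compress_type == METHOD_AES:
                findings[info.filename] = "aes"
            else:
                findings[info.filename] = "zipcrypto"
    return findings
```

       Run against a real archive by passing its bytes to audit_encryption;
       entries reported as "zipcrypto" are the ones this page's check applies
       to.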

BRUTE FORCE MODE
       By default, brute force starts at the given starting password, and
       successively tries all combinations until they are exhausted, printing
       all passwords that it detects, together with a rough correctness
       indicator.

       The starting password given by the -p switch determines the length.
       fcrackzip will not currently increase the password length
       automatically, unless the -l switch is used.

DICTIONARY MODE
       This mode is similar to brute force mode, but instead of generating
       passwords using a given set of characters and a length, the passwords
       will be read from a file that you have to specify using the -p switch.

CP MASK
       A CP mask is a method to obscure images or parts of images using a
       password. These obscured images can be restored even when saved as
       JPEG files. In most of these files the password is actually hidden and
       can be decoded easily (using one of the many available viewer and
       masking programs, e.g. xv). If you convert the image, however, the
       password is lost. The cpmask crack method can be used to brute-force
       these images. Instead of a zip file you supply the obscured part (and
       nothing else) of the image in the PPM image format (xv and other
       viewers can easily do this).

       The cpmask method can only cope with passwords composed of uppercase
       letters, so be sure to supply the --charset A or equivalent option,
       together with a suitable initialization password.

EXAMPLES
       fcrackzip -c a -p aaaaaa sample.zip
              checks the encrypted files in sample.zip for all lowercase
              6-character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).

       fcrackzip --method cpmask --charset A --init AAAA test.ppm
              checks the obscured image test.ppm for all four-character
              passwords.

       fcrackzip -D -p passwords.txt sample.zip
              checks for every password listed in the file passwords.txt.

PERFORMANCE
       fzc, which seems to be widely used as a fast password cracker, claims
       to make 204570 checks per second on my machine (measured under plain
       dos w/o memory manager).

       fcrackzip, being written in C and not in assembler, naturally is
       slower. Measured on a slightly loaded unix (same machine), it's 12
       percent slower (the compiler used was pgcc, from
       http://www.gcc.ml.org/).

       To remedy this a bit, I converted small parts of the encryption core to
       x86 assembler (it will still compile on non-x86 machines), and now it's
       about 4-12 percent faster than fzc (again, the fcrackzip performance
       was measured under a multitasking os, so there are inevitably some
       measurement errors), so there shouldn't be a tempting reason to switch
       to other programs.

       Further improvements are definitely possible: fzc took 4 years to get
       into shape, while fcrackzip was hacked together in under 10 hours. And
       not to forget, you have the source, while other programs (like fzc)
       even come as an encrypted .exe file (maybe because their programmers
       are afraid of other people having a look at their lack of programming
       skills? nobody knows...)

RATIONALE
       The reason I wrote fcrackzip was NOT to have the fastest zip cracker
       available, but to provide a portable, free (thus extensible), but still
       fast zip password cracker. I was really pissed off with those dumb,
       nonextendable zipcrackers that were either slow, were too limited, or
       wouldn't run in the background (say, under unix). (And you can't run
       them on your superfast 600MHz Alpha.)

BUGS
       No automatic unzip checking.

       Stop/resume facility is missing.

       Should be able to distinguish between files with 16 bit stored CRCs
       and 8 bit stored CRCs.

       The benchmark does not work on all systems.

       It's still early alpha.

       Method "cpmask" only accepts ppms.

       Could be faster.

AUTHOR
       fcrackzip was written by Marc Lehmann <pcg@goof.com>. The main
       fcrackzip page is at http://www.goof.com/pcg/marc/fcrackzip.html

                        Free/Fast Zip Password Cracker            FCRACKZIP(1)