Recently one of my friends sent me a password-protected zip file. Since it contained ‘sensitive data’, he deleted the original files from his laptop. But when I tried to open the archive, I got an error message telling me the password was incorrect. I contacted my friend and he confirmed that the password was the same one he had given me. So the likely explanation is that he misspelled the password when creating the archive, and the only way to recover the files is to crack the zip.
The good thing in this case is that we have a rough idea of the length of the password (and at least some of its letters). I then looked for various password crackers to open the file. I found one, ‘fzc’, but I couldn’t customize it to meet my needs, and plain brute force would eat up all my resources. Later, I found another free and open source password cracking tool, which turned out to be excellent. This edition of techblog is about that free software: fcrackzip!
Installing Fcrackzip
You can download the software from this webpage and compile it from source (if you get stuck here, please search this blog for the tutorial).
If you are an Ubuntu or Fedora user, you can install it from the repository. Since I am using Ubuntu, I simply issue:
sudo aptitude install fcrackzip
You may note that this piece of software is written in ISO C (not assembly language, so cracking may take a little longer) and that it supports a wide range of architectures.
Cracking passwords
After installing fcrackzip, you can go to the terminal and issue commands in the following format:
fcrackzip --method cpmask --charset A --init
As I mentioned before, fcrackzip supports a wide range of options and here are the ones for your reference:
fcrackzip [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset set] [--help] [--validate] [--verbose] [--init-password string/path] [--length min-max] [--use-unzip] [--method name] [--modulo r/m] file_name
Some of the options may be obscure, but the help command explains the purpose of each of them:
In my case, I simply used -c and -l (since I have a rough idea of the character set and the length). The first attempt failed to crack the file. Then I tried again with the length option alone. It gave me 10 possible passwords, and this time it worked!
How does it work?
In brute-force mode, the program tries every possible combination to find the password, which will eat up all your resources. In dictionary mode, it takes its candidate passwords from a word list in a file.
The program adopts a simple algorithm for password checking. The author explains:
For each password that is tried, the first twelve bytes of the file are decrypted. Depending on the version of zip used to encrypt the file (more on that later), the first ten or eleven bytes are random, followed by one or two bytes whose values are stored elsewhere in the zip file, i.e. are known beforehand. If these last bytes don’t have the correct (known) value, the password is definitely wrong. If the bytes are correct, the password might be correct, but the only method to find out is to unzip the file and compare the uncompressed length and CRCs.
Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for other operating systems!) stored two known bytes. Thus the error rate was roughly 1/2^16 = 0.01%. PKWARE ‘improved’ (interesting what industry calls improved) the security of their format by only including one byte, so the possibility of false passwords is now raised to 0.4%. Unfortunately, there is no real way to distinguish one-byte from two-byte formats, so we have to be conservative.
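To make the author's numbers concrete, here is an added example (my own illustration, not fcrackzip's code) of the traditional PKWARE stream cipher and the 12-byte header test described above. The password, CRC value and header filler are constructed sample values; the last function measures how many random wrong passwords slip through the one-byte and the two-byte check, which is why a hit from the cheap test still has to be confirmed by a full unzip.

```python
import random

CRCTAB = []  # standard CRC-32 table used by the PKWARE key schedule
for n in range(256):
    for _ in range(8):
        n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
    CRCTAB.append(n)

class ZipCrypto:
    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)
    def _update(self, b):  # key schedule from APPNOTE.TXT (traditional encryption)
        k = self.k
        k[0] = CRCTAB[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = CRCTAB[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)
    def _stream_byte(self):
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    def crypt(self, data, decrypt):
        out = bytearray()
        for x in data:
            s = self._stream_byte()
            p = x ^ s if decrypt else x  # the plaintext byte feeds the key update
            out.append(p if decrypt else x ^ s)
            self._update(p)
        return bytes(out)

def make_header(password, crc, two_byte, seed=1):
    # Constructed sample header: random filler, then the check byte(s) taken from the file CRC
    rng = random.Random(seed)
    hdr = bytearray(rng.randrange(256) for _ in range(12))
    hdr[11] = (crc >> 24) & 0xFF      # pkzip 2.x stores one known byte
    if two_byte:
        hdr[10] = (crc >> 16) & 0xFF  # pkzip 1.x stored two
    return ZipCrypto(password).crypt(bytes(hdr), decrypt=False)

def header_check(password, enc_hdr, crc, two_byte):
    # Fails: password certainly wrong. Passes: password only "might" be right.
    hdr = ZipCrypto(password).crypt(enc_hdr, decrypt=True)
    return hdr[11] == (crc >> 24) & 0xFF and (not two_byte or hdr[10] == (crc >> 16) & 0xFF)

def false_positive_rate(enc_hdr, crc, two_byte, trials=20000):
    # Share of random wrong passwords that survive the cheap test: ~1/256 vs ~1/65536
    rng = random.Random(7)
    hits = sum(header_check(bytes(rng.randrange(32, 127) for _ in range(6)), enc_hdr, crc, two_byte)
               for _ in range(trials))
    return hits / trials
```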
My rating for this application will be 7/10.
How can I use it in RHEL5?
Hi Aasis
Last month I tried to crack the password of a rar file (Digit’s "crack the code" contest).
After being unable to find freely available software for this, I thought about writing one myself using the unrar utility available on Linux.
I made certain modifications to the code and finally executed it as a child process of my own program, which generated all possible passwords (there were hints about the password) and passed them to unrar via a pipe.
But alas, the whole setup was inefficient and claimed it would take about a year to crack the rar file … I just dropped the idea.