Cracking protected ZIP files (Linux)


Introduction to ZIP


The zip utility packages and compresses files into an archive; the companion program unzip unpacks ZIP archives. As stated in the man page, zip "puts one or more compressed files into a single ZIP archive". It also stores metadata such as each file's "name, path, date" in the archive.

Note: ZIP's traditional PKZIP (ZipCrypto) encryption algorithm has known security weaknesses. Today, a stronger algorithm such as AES-256 offers far greater protection.

We will first create a test ZIP archive within the /tmp/zip/ directory. One must have zip installed on their distribution of choice; install it using your package manager.

sudo pacman -S zip
sudo apt install zip


Creating a ZIP archive


We can use the -P argument (uppercase; lowercase -p is a different option) to supply a password to the zip command, and -r so that the directory's contents are included:

zip -P test -r archive.zip test-archive/

We supply the password, the name of the ZIP file and the target folder. It must be noted that passing the password as an argument in this way is extremely insecure: the password is handled like any other argument, so it is saved in clear text in ~/.bash_history. Therefore, if an attacker compromised the system, attempts to protect the archive would be in vain.

Using -e or --encrypt instead makes zip prompt for the password, so it is never stored in the history. For example:

[Image: ZIP password prompt]
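As an added illustration (not code from the original post), here is a small Python audit that scans shell-history text for archive commands that took their password on the command line, the exposure described above. The history lines, the tool patterns and the redaction format are constructed for this example; the script also strips zsh's extended-history timestamp prefix so the anchored patterns still match there. Keep in mind that a password passed in argv is also visible to every local user through the process list for as long as the command runs, so history is not the only place it leaks.

```python
import re
from typing import List, Tuple

# Constructed sample of a shell history file; not from the original post.
SAMPLE_HISTORY = """\
cd /tmp/zip
zip -P hunter2 -r archive.zip test-archive/
zip --password=hunter2 backup.zip notes.txt
zip -e archive.zip test-archive/
unzip -P hunter2 archive.zip
7z a -pS3cret! secrets.7z secrets/
: 1661354460:0;zip -P hunter2 later.zip notes.txt
ls -la
"""

# zsh extended history prefixes each entry with ": <epoch>:<elapsed>;"
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")

# Password-on-argv forms of the archive tools discussed on the page.
# Each pattern captures the password so the report can redact it.
PASSWORD_ARG_PATTERNS = [
    re.compile(r"^(?:zip|unzip)\b.*?\s-P\s*(\S+)"),      # zip/unzip -P <pw>
    re.compile(r"^(?:zip|unzip)\b.*?--password[= ](\S+)"),  # zip --password=<pw>
    re.compile(r"^7z\b.*?\s-p(\S+)"),                     # 7z -p<pw>
]


def find_cleartext_passwords(history_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_command) for every history line that
    passes an archive password as a command-line argument."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(history_text.splitlines(), start=1):
        cmd = ZSH_PREFIX.sub("", raw.strip())
        for pattern in PASSWORD_ARG_PATTERNS:
            match = pattern.search(cmd)
            if match:
                # Redact the captured password before recording the finding
                redacted = cmd.replace(match.group(1), "<redacted>", 1)
                findings.append((lineno, redacted))
                break
    return findings


if __name__ == "__main__":
    for lineno, cmd in find_cleartext_passwords(SAMPLE_HISTORY):
        print(f"line {lineno}: {cmd}")
```

To check a real account, read ~/.bash_history or ~/.zsh_history into the function instead of SAMPLE_HISTORY; the patterns are intentionally narrow, so extend PASSWORD_ARG_PATTERNS for any other tool that accepts a password argument.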

That's it! It is pretty simple. Now, let's get on to cracking.


Cracking a ZIP archive


In order to crack this ZIP file, we first need a hash to brute-force against. Then tools such as hashcat and john will do the hard work for us. To obtain the hash, we use the zip2john program, which ships with john.

To install:

sudo pacman -S john    # Arch-based
sudo apt install john  # Debian-based


Procuring the hash is simple. Invoke zip2john with the target ZIP file as the argument and redirect the hash to another file. For example:

zip2john archive.zip > zip-hash


Now we have the hash of the ZIP file. It will look similar to this:

[Image: ZIP hash output]

Note: I used a ZIP file from a machine on TryHackMe to crack. 


For john, we simply specify the format, the wordlist to use in the attack and the hash file for the ZIP archive. I'll be using rockyou.txt, a well-known wordlist.

Format: zip or zip-opencl (for use with dedicated graphics cards). However, you don't need to specify the format, as john will detect it automatically.

john --wordlist=/opt/wordlists/rockyou.txt zip-hash

And like magic:

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannah           (archive.zip)
1g 0:00:00:00 DONE (2022-08-24 17:21) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s 123456..christal
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We get the password.


Conclusion


Cracking ZIP files is pretty simple: obtain a hash, create or use an existing wordlist, specify the format if necessary, and wait. Again, the PKZIP algorithm is weaker than AES-256, so tools like 7-Zip, which can encrypt archives with AES-256, offer greater protection.
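Added example, not part of the original post: a Python check that reports whether each entry in a ZIP archive is unencrypted, protected by the legacy PKZIP/ZipCrypto scheme the article cracks, or protected by WinZip-style AES (compression method 99, with the key size recorded in the 0x9901 extra field). It only reads headers, so no password is needed, which makes it usable for auditing archives before they are shared. Because Python's zipfile module cannot write encrypted archives, the block builds a minimal test archive by hand with struct; the entry names and filler payload are constructed. Running it with a file path (the script name audit_zip.py is hypothetical) audits that archive instead of the built-in sample.

```python
import io
import struct
import sys
import zipfile
from typing import Dict, List, Optional

# Values from the ZIP application note (APPNOTE.TXT); not from the original post.
FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
METHOD_DEFLATED = 8
METHOD_AES = 99           # WinZip AE-x marker; real method sits in the 0x9901 extra field
AES_EXTRA_ID = 0x9901


def aes_key_bits(extra: bytes) -> Optional[int]:
    """Return the AES key size (128/192/256) from a WinZip AES extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, length = struct.unpack_from("<HH", extra, pos)
        if header_id == AES_EXTRA_ID and length >= 7:
            # layout: vendor version (2), vendor id "AE" (2), strength (1), method (2)
            strength = extra[pos + 8]
            return {1: 128, 2: 192, 3: 256}.get(strength)
        pos += 4 + length
    return None


def audit_zip_encryption(blob: bytes) -> Dict[str, str]:
    """Map each entry name to 'none', 'zipcrypto' or 'aes-<bits>' from headers alone."""
    report: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & FLAG_ENCRYPTED:
                report[info.filename] = "none"
            elif info.compress_type == METHOD_AES:
                bits = aes_key_bits(info.extra)
                report[info.filename] = f"aes-{bits}" if bits else "aes-unknown"
            else:
                report[info.filename] = "zipcrypto"
    return report


def weak_entries(blob: bytes) -> List[str]:
    """Names of entries protected only by the legacy PKZIP stream cipher."""
    return [name for name, kind in audit_zip_encryption(blob).items() if kind == "zipcrypto"]


def build_test_zip(entries) -> bytes:
    """Build a minimal in-memory ZIP from (name, flags, method, extra) tuples.
    Constructed for this example: the payload is filler because only headers are audited."""
    local = bytearray()
    central = bytearray()
    for name, flags, method, extra in entries:
        data = b"\x00" * 16
        fname = name.encode("ascii")
        offset = len(local)
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                             0, len(data), len(data), len(fname), len(extra))
        local += fname + extra + data
        # central directory header: adds made-by version, comment len, disk, attrs, offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0, 0, len(data), len(data), len(fname), len(extra),
                               0, 0, 0, 0, offset)
        central += fname + extra
    cd_offset = len(local)
    # end of central directory record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(local) + bytes(central) + eocd


# WinZip AES extra field: AE-2, vendor "AE", strength 3 (256-bit), underlying deflate
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, METHOD_DEFLATED)

# Constructed sample archive with one entry of each kind
SAMPLE_ZIP = build_test_zip([
    ("plain.txt", 0, METHOD_DEFLATED, b""),
    ("legacy.txt", FLAG_ENCRYPTED, METHOD_DEFLATED, b""),
    ("strong.txt", FLAG_ENCRYPTED, METHOD_AES, AES256_EXTRA),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ZIP
    for name, kind in audit_zip_encryption(blob).items():
        print(f"{kind:10} {name}")
```

Any entry reported as zipcrypto is the case this article demonstrates cracking; re-encrypting such archives with an AES-capable tool is the remediation the conclusion points to.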
