.zip password recovery tools

4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Hi,

I'm trying to get access to a .zip file that is password protected. The thing is, I don't know the length of the password or what strings are used. I ran some free tool on it for 3 days at a length of 5 characters, upper, lower, nums, but nothing.

I'm trying again with Upper / Lower / 0-9 at 8 characters, brute force attack, but it could take months.

I am currently trying Visual Zip password recovery processor 6.0. I have tried PRTK 6.5 and it told me the password was 282 but that didn't work and it only took about a minute to run, so it's obviously wrong and not doing what it should, dunno where it got those numbers from?

I also don't know if it's password or password and encryption?

Does anybody have or can suggest any good, reliable tools, or should I just leave it brute force and hope for the best? There are possible indecent images on this, so want to see it through to the end!

Thanks.

 
Posted : 13/09/2010 7:25 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

If password protection was easily broken, it would not be used. Brute force for a long password with characters outside of 0-9 and A-Z is very slow.

One approach is ask the owner.

Another approach is to scan the disk for all words and then try them in different upper and lower case combinations.

More than 9 characters on a PC I think will be slow. One free program I tried would do 8 characters in a day, and then 9 chars in about 90 days. One tip is to set up multiple instances on a machine, I managed to max each core this way on a iCore 7 processor.

 
Posted : 13/09/2010 8:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Depending on

  • actual privacy requirements
  • money involved/expendable

there are professional services (with dedicated hardware), here is one
http://www.pwcrack.com/zip.shtml

Of the various Commercial tools this one is IMHO one of the most featured ones
http://www.elcomsoft.com/archpr.html

But maybe if it's a multi-file archive you can use a known plaintext approach, it usually resolves (if working) in a matter of hours (once you have learned how to perform it).

Unlike what is stated in a lot of places (need for a whole unencrypted file) all that is needed is (at least) 12 bytes, so in many cases you can use a file header as known plaintext
http://www.elcomsoft.com/help/archpr/index.html?known_plaintext_attack_(zip).html
And a suitable program is available for free
http://www.securiteam.com/tools/5NP0C009PU.html
http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html

Also there is the renowned Winzip vulnerability (that is worth a check anyway).

jaclaz

 
Posted : 13/09/2010 9:15 pm
(@ronanmagee)
Posts: 145
Estimable Member
 

I believe WPA Cracker has the ability to crack ZIP files via their cloud architecture for a nominal fee ($40). I can't confirm this at present as it's blocked where I work.

 
Posted : 13/09/2010 9:56 pm
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

It's just one file that was on a CD that was mixed in with other stuff, nothing on his PC.

I just found a copy of archpr, so running it against that at the mo. It's pretty fast for text searches, probably crap out when I start on the numbers and symbols.

Dunno if they will justify sending it off to a specialist since there was nothing else found anywhere else… could end up just being run in the background on my PC for 90 days to see if anything happens!

 
Posted : 14/09/2010 2:09 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

I'm sure you already tried this but sometimes it's worth throwing in the obvious…..

Find all the other passwords you can from the PC that are easier to access. Things they might have saved in their web browsers, the Windows password is fairly easy particularly with rainbow tables.

Most people don't use that many passwords so it might be the same as one of these. Either that or you will see the pattern they use if each password is different.

As for PRTK I've generally found it to be very good at cracking password protected zip files. Can you see the names of the files and folders in the zip file? I guess it's a case of how relevant might this zip file be and whether it's worth the effort.

Steve

 
Posted : 14/09/2010 2:59 pm
4Rensics
(@4rensics)
Posts: 255
Reputable Member
Topic starter
 

Ah, never thought of that. We have the EnCase image of the hard drive, can check that and see if there's anything on there that stands out.

I dunno what's wrong with PRTK, I don't think it's working correctly, I borrowed a colleague's dongle, but it's griping at me?

 
Posted : 14/09/2010 3:41 pm
(@seanmcl)
Posts: 700
Honorable Member
 

Much of what you read about the "ease" of cracking Zip file encryption is a holdover from earlier versions of WinZip which had a very weak, almost useless, method for encrypting archives.

Since WinZip version 9 and up they are using 128 or 256 bit AES and with a sufficiently complicated password, you may be out of luck.

You should be able to list the files in the archive (unless they packed an archive inside an archive), which might give you a clue.

But, unfortunately, in the world of modern encryption, if someone wants to hide something and they are reasonably careful about how they do it, you don't have much of a chance.

 
Posted : 14/09/2010 6:47 pm
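
Added example (not part of any post in this thread): a Python sketch of the metadata check discussed above, which lists member names and reports whether each entry uses legacy PKZIP encryption or WinZip AES without needing the password. It reads general-purpose flag bit 0, compression method 99 and the 0x9901 extra field; the sample records and file names are constructed for illustration.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901          # WinZip AES extra-field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}

def iter_extra(extra):
    """Yield (header_id, data) pairs from a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        yield hid, extra[pos + 4:pos + 4 + size]
        pos += 4 + size

def classify(info):
    """Describe how one archive member is protected, from metadata only."""
    if not info.flag_bits & 0x1:            # general-purpose bit 0 = encrypted
        return "not encrypted"
    if info.compress_type == 99:            # method 99 marks a WinZip AES entry
        for hid, data in iter_extra(info.extra):
            if hid == AES_EXTRA_ID and len(data) >= 7:
                _ver, vendor, strength, _method = struct.unpack("<H2sBH", data[:7])
                if vendor == b"AE":
                    return "WinZip AES-%s" % AES_BITS.get(strength, "unknown")
        return "WinZip AES (extra field missing or malformed)"
    if info.flag_bits & 0x40:               # bit 6 = PKWARE strong encryption
        return "PKWARE strong encryption"
    return "traditional PKZIP encryption"

def triage(path):
    """List every member name with its protection scheme; no password needed."""
    with zipfile.ZipFile(path) as zf:
        return [(i.filename, classify(i)) for i in zf.infolist()]

def constructed_samples():
    """Three ZipInfo records built by hand for illustration (constructed data)."""
    plain = zipfile.ZipInfo("readme.txt")
    legacy = zipfile.ZipInfo("holiday.jpg")
    legacy.flag_bits = 0x1
    aes = zipfile.ZipInfo("report.doc")
    aes.flag_bits, aes.compress_type = 0x1, 99
    aes.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    return [plain, legacy, aes]

if __name__ == "__main__":
    for member in constructed_samples():
        print(member.filename, "->", classify(member))
```

Run `triage()` against a working copy of the evidence file; it only reads the central directory, so the archive contents are never decrypted or modified.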
(@seanmcl)
Posts: 700
Honorable Member
 

Find all the other passwords you can from the PC that are easier to access. Things they might have saved in their web browsers, the Windows password is fairly easy particularly with rainbow tables.

One way to do this is by using FTK, if you have it, or dtSearch if you don't. Generate an inverted index on all the "words" which can be recovered from the system, including unallocated space, and then use the index as a dictionary in a dictionary attack.

If the creation date is close to the acquisition date, you might start by limiting your indexing to existing files and the pagefile and hiberfil (if one exists).

Also, make sure to look in something like e-mail, especially draft messages. I have seen more than once where someone stored their passwords in draft messages that they could recover from anywhere.

 
Posted : 14/09/2010 6:53 pm