Cracking a password-protected zip file with john

Making a dummy ZIP file

First we need a zip archive to crack and a password. For this example we use the password bearbear, which conveniently appears in the widely available RockYou wordlist (if you don't have it yet, you can grab a copy here). Inside the archive we store a plain text file called secret.txt.

echo "Super secret message" > secret.txt
zip --password bearbear protected.zip secret.txt
rm secret.txt

Note that we used the --password flag here for simplicity. If you need to create encrypted zip archives, always use -e instead, which prompts for the password interactively and so keeps it out of places like your shell history file ~/.bash_history.

Exporting the password hash

To export the hash of the encrypted archive we use the zip2john tool, which prints the hash of a zip file in a format that john can read. It writes the formatted hash to stdout and some debug information to stderr, so to keep the hash free of that debugging output we redirect stdout directly into a file. As you may have guessed, there are similar programs for other archive formats, such as 7z2john and rar2john.

zip2john protected.zip > hash.txt

Note that we assumed all files in the archive have the same password. If the files in the archive have differing passwords, the output of this command will be unusable and you need to specify a target file within the archive using the -o flag instead.
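The archive created with zip --password above uses the traditional ZipCrypto scheme, whereas archives written with AES by tools such as WinZip or 7-Zip are marked differently in their headers, which is also how zip2john tells the two apart. When auditing a batch of archives it helps to know which scheme each one uses before reaching for a cracking tool. The Python script below is an added example, not part of the original article: it reads the general-purpose encryption flag and the WinZip AES extra field (id 0x9901) from each entry, and the three sample archives it inspects are constructed inline rather than taken from the page.

```python
import binascii
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901                       # WinZip AE-x extra field
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}

def build_entry(name, data, flags, method, extra=b""):
    """Constructed single-entry archive. The headers mimic a real ZipCrypto or
    AES entry; the payload stays in the clear because the audit never decrypts."""
    crc = binascii.crc32(data) & 0xFFFFFFFF
    date = ((2024 - 1980) << 9) | (1 << 5) | 1          # 2024-01-01 in DOS date format
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, date,
                        crc, len(data), len(data), len(name), len(extra)) + name + extra + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0, date,
                          crc, len(data), len(data), len(name), len(extra), 0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def aes_strength(extra):
    """Walk the extra-field TLVs; return the AES strength byte (1/2/3) if present."""
    while len(extra) >= 4:
        tag, length = struct.unpack("<HH", extra[:4])
        body, extra = extra[4:4 + length], extra[4 + length:]
        if tag == AES_EXTRA_ID and len(body) >= 5:
            return body[4]                  # vendor version(2) + "AE"(2) + strength(1)
    return None

def audit_zip(blob):
    """Map each entry to 'plain', 'zipcrypto' (what `zip --password` writes) or 'aes-<bits>'."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:    # general-purpose bit 0: entry is encrypted
                report[info.filename] = "plain"
            else:
                report[info.filename] = AES_STRENGTH.get(aes_strength(info.extra), "zipcrypto")
    return report

# Constructed samples: bit 0 alone = ZipCrypto; method 99 + 0x9901 extra = AES (WinZip/7-Zip)
MSG = b"Super secret message\n"
SAMPLES = {
    "zipcrypto": build_entry(b"secret.txt", MSG, flags=0x1, method=0),
    "aes256": build_entry(b"secret.txt", MSG, flags=0x1, method=99,
                          extra=struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)),
    "plain": build_entry(b"secret.txt", MSG, flags=0, method=0),
}
```

Point audit_zip at the bytes of a real archive (open(path, "rb").read()) to classify its entries; an archive that comes back as zipcrypto is exactly the kind this article cracks.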

Cracking the hash

With the hash exported to a text file we can finally crack it using john. In this example we use a wordlist to guess the password that produces the hash, but john supports a variety of other modes, including incremental brute force that generates candidates on the fly and rules that mangle the words of a wordlist. Modes beyond a plain wordlist attack are only realistically feasible for very short passwords or when you already know something about the password (such as its length or character set).

john --wordlist=rockyou.txt hash.txt

And done! On the first run, john prints the recovered password to the console. On subsequent runs against the same hash file it will neither crack the hash again nor print the password, because it records every cracked hash in ~/.john/john.pot. To view the passwords you previously cracked for a hash file, use the --show flag on that file:

john --show hash.txt
