Making a dummy ZIP file
First we need a zip archive to crack and a password. For this example, we use the password bearbear, which is conveniently part of the widely available RockYou wordlist (if you don't have it yet, you can grab a copy here). Inside the archive we store a plain text file called secret.txt.
echo "Super secret message" > secret.txt
zip --password bearbear protected.zip secret.txt
rm secret.txt
Note that we used the --password flag here for simplicity. If you need to create encrypted zip archives, always use -e instead, as this will prevent your password from being stored in log files like ~/.bash_history.
Exporting the password hash
To export the hash of the encrypted archive we use the zip2john tool, which prints the hash of a zip file in a format readable by john. This tool prints the formatted hash to stdout and some debug information to stderr. To ensure our hash is clean of unnecessary debugging information, we redirect the output directly into a file. As you may have guessed, there are similar programs for other archive formats, such as 7z2john and rar2john.
zip2john protected.zip > hash.txt
Note that we assumed all files in the archive have the same password. If the files in the archive have differing passwords, the output of this command will be unusable and you need to specify a target file within the archive using the -o flag instead.
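The reason zip2john can produce a crackable hash at all is that the archive uses the legacy PKWARE "ZipCrypto" scheme, which is what the zip command's --password and -e options produce by default. From the defender's side, the useful check is therefore whether an archive you receive or publish relies on ZipCrypto rather than AES. The following script is an added example, not part of the original post or of the john tooling: it reads the ZIP central directory with Python's standard zipfile module and reports, per entry, whether it is encrypted and with which scheme (general purpose flag bit 0 marks encryption; compression method 99 or the 0x9901 extra field marks WinZip AES). The build_sample_zip helper is a constructed sample that fakes the encryption flag on a stored entry, since zipfile cannot write encrypted archives itself.

```python
import io
import struct
import zipfile

ZIPCRYPTO_FLAG = 0x0001   # general purpose bit 0: entry is encrypted
AES_METHOD = 99           # WinZip AES "compression method" id
AES_EXTRA_ID = 0x9901     # WinZip AES extra field header id


def _has_extra(extra: bytes, wanted_id: int) -> bool:
    """Walk the (id, size, payload) records of a ZIP extra field looking for wanted_id."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack("<HH", extra[pos:pos + 4])
        if hid == wanted_id:
            return True
        pos += 4 + size
    return False


def audit_zip(data: bytes) -> list:
    """Report each entry's encryption state.

    Returns a list of dicts with keys name, encrypted and scheme,
    where scheme is one of 'none', 'zipcrypto' or 'aes'.
    """
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ZIPCRYPTO_FLAG)
            if not encrypted:
                scheme = "none"
            elif info.compress_type == AES_METHOD or _has_extra(info.extra, AES_EXTRA_ID):
                scheme = "aes"
            else:
                # Encrypted, but no AES marker: legacy ZipCrypto, i.e. what zip2john targets.
                scheme = "zipcrypto"
            report.append({"name": info.filename, "encrypted": encrypted, "scheme": scheme})
    return report


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive (hypothetical helper, not a real encrypted ZIP).

    Writes a stored secret.txt and, if requested, sets flag bit 0 in both the
    local file header (flags at offset 6) and the central directory header
    (flags at offset 8) so the entry is reported as ZipCrypto-encrypted.
    The file data itself stays plaintext; only the metadata is patched.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("secret.txt", "Super secret message\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        assert data[:4] == b"PK\x03\x04", "expected a local file header at offset 0"
        local_flags = struct.unpack("<H", data[6:8])[0] | ZIPCRYPTO_FLAG
        data[6:8] = struct.pack("<H", local_flags)
        cd = data.find(b"PK\x01\x02")
        cd_flags = struct.unpack("<H", data[cd + 8:cd + 10])[0] | ZIPCRYPTO_FLAG
        data[cd + 8:cd + 10] = struct.pack("<H", cd_flags)
    return bytes(data)


if __name__ == "__main__":
    import sys
    # Usage: python audit_zip.py protected.zip  (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            archive = fh.read()
    else:
        archive = build_sample_zip(encrypted=True)
    for entry in audit_zip(archive):
        print(f"{entry['name']}: encrypted={entry['encrypted']} scheme={entry['scheme']}")
```

Any entry reported as zipcrypto is exactly the kind of archive the rest of this post cracks with a wordlist; if you need to ship encrypted archives, prefer a tool that produces AES entries (or encrypt the file with a dedicated tool before zipping) and treat a zipcrypto result as a finding.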
Cracking the hash
With the hash exported to a text file we can finally crack it using john. In this example scenario we use a wordlist to try to guess the password that produces the hash in question, but john supports a variety of other methods, including brute-forcing candidate values on the fly and applying mangling rules to the entries of a wordlist. Modes other than a plain wordlist attack are only realistically feasible for very short passwords, or if you already know more about the password (such as its length, the character set used, etc.).
john --wordlist=rockyou.txt hash.txt
And done! On the first run, john will print the password to the console. On successive runs on the same hash file, it won't try to re-crack the hash or print the password again, because it makes a note of all cracked hashes in ~/.john/john.pot. If you want to view the passwords you previously cracked for a hash file, use the --show flag on the file containing the cracked hash:
john --show hash.txt