Introduction
In this lab, you will learn the fundamental process of cracking a password-protected 7z archive. 7-Zip is a popular file archiver with a high compression ratio, and it allows users to encrypt archives with a password. We will simulate a scenario where you need to recover a forgotten password.
You will use a combination of powerful, industry-standard tools: p7zip to create the archive, the John the Ripper suite to extract the password hash, and Hashcat to perform the actual cracking. This hands-on experience will guide you through creating a target, extracting its cryptographic hash, and using a mask attack to efficiently find the password.
Create a Password-Protected 7z Archive
In this step, we will begin by creating a sample file and then compressing it into a password-protected 7z archive. This archive will be our target for the password cracking process in the subsequent steps.
First, let's create a simple text file named secret.txt in your current directory, ~/project.
echo "This is a secret file." > secret.txt
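Now, we will use the 7z command to create an archive named secret.7z from secret.txt. We'll protect it with the password LabEx2024. The -p flag specifies the password directly on the command line. That is fine for a lab, but it leaves the password in your shell history and visible in the process list; running 7z with -p and no value prompts for the password instead.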
7z a -pLabEx2024 secret.7z secret.txt
You should see output indicating that the file was successfully created and compressed.
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs LE)
Scanning the drive:
1 file, 25 bytes (1 KiB)
Creating archive: secret.7z
Items to compress: 1
Files read from disk: 1
Archive size: 228 bytes (1 KiB)
Everything is Ok
You have now successfully created the password-protected archive we will be working with.
Use 7z2john.pl to Extract the Hash
In this step, you will extract the password hash from the secret.7z archive. Password cracking tools like Hashcat don't work directly on the archive file; they need a single-line string that encodes the archive's encryption parameters and the data needed to test a candidate password, which these tools refer to as a hash.
We will use 7z2john, a utility from the John the Ripper suite, which is specifically designed to extract these hashes from 7z archives.
Run the following command to process secret.7z and save its hash into a new file called hash.txt. The > symbol redirects the output of the command to the specified file.
/usr/sbin/7z2john secret.7z > hash.txt
The command will not produce any visible output in the terminal because it has been redirected. To confirm that the hash was extracted, view the contents of hash.txt:
cat hash.txt
The output will be a long string, which is the hash that represents the password. It will be prefixed with the filename.
secret.7z:$7z$2$19$0$$8$d251a688873348860000000000000000$1813433382$112$96$f2172032148f1959a258c28b51933a3c8a00c1781343782d44114a2f311e1ca854028b8243b16a1f5e5811652c546412f213f7a361152b3811443a38c45a3301
You now have the hash ready for the next stage of preparation.
Clean the Extracted Hash for Hashcat
In this step, we need to prepare the extracted hash for Hashcat. The output from 7z2john is formatted for John the Ripper and includes the filename as a prefix (e.g., secret.7z:). Hashcat, however, requires only the pure hash string to work correctly.
We will use the cut command to remove the filename prefix. The cut command is a simple utility for extracting sections from lines of files. We'll tell it to use the colon (:) as a delimiter and to select the second field.
Execute the following command to clean the hash and save it to a new file, hashcat.txt:
cut -d':' -f2 hash.txt > hashcat.txt
- -d':' sets the delimiter to a colon.
- -f2 selects the second field after the split.
Let's verify the contents of our new file to ensure the prefix has been removed.
cat hashcat.txt
The output should now be only the hash string, without the secret.7z: part.
$7z$2$19$0$$8$d251a688873348860000000000000000$1813433382$112$96$f2172032148f1959a258c28b51933a3c8a00c1781343782d44114a2f311e1ca854028b8243b16a1f5e5811652c546412f213f7a361152b3811443a38c45a3301
The hash is now in the correct format for Hashcat.
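The fields inside the string can be checked before it is handed to Hashcat. The following is an added example, not part of the original lab or of the John the Ripper or Hashcat projects: it splits a 7z2john line into its fields, reports length mismatches, and shows the key-derivation cost (2 to the power of the second field). It locates the $7z$ signature rather than splitting on the colon, so a path that itself contains a colon does not break the extraction; the function name, field labels and sample line are constructed for illustration.

```python
# Added example: field names are descriptive labels chosen here, not a tool API.
FIELDS = ("data_type", "cost", "salt_len", "salt", "iv_len", "iv",
          "crc32", "data_len", "unpack_size", "data")
INT_FIELDS = ("data_type", "cost", "salt_len", "iv_len", "crc32",
              "data_len", "unpack_size")

def parse_7z_hash(line):
    """Split one 7z2john line (with or without 'file:' prefix) into fields."""
    line = line.strip()
    start = line.find("$7z$")
    if start < 0:
        raise ValueError("no $7z$ signature on this line")
    # Anything before the signature is John's filename prefix. Locating the
    # signature instead of splitting on ':' survives colons in the path.
    filename = line[:start].rstrip(":") or None
    parts = line[start + len("$7z$"):].split("$")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    for name in ("salt", "iv", "data"):
        rec[name] = bytes.fromhex(rec[name])
    problems = []
    if len(rec["salt"]) != rec["salt_len"]:
        problems.append("salt length does not match salt_len")
    if rec["iv_len"] > len(rec["iv"]):
        problems.append("iv shorter than iv_len")
    if len(rec["data"]) != rec["data_len"]:
        problems.append("encrypted data length does not match data_len")
    rec.update(filename=filename, hash=line[start:], problems=problems,
               extra=parts[len(FIELDS):],        # present on compressed streams
               kdf_iterations=1 << rec["cost"])  # key derivation rounds = 2**cost
    return rec

# Constructed sample line (not taken from a real archive).
SAMPLE = ("backup.7z:$7z$0$19$0$$8$00112233445566770000000000000000"
          "$305419896$16$12$000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    rec = parse_7z_hash(SAMPLE)
    print(rec["filename"], rec["kdf_iterations"], rec["problems"] or "consistent")
```
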
Select the Hash Mode for 7-Zip
In this step, we will identify the correct "hash mode" that Hashcat needs to understand and process our 7-Zip hash. Hashcat supports hundreds of different hash types, and each one has a unique numeric code. You must specify the correct code for Hashcat to work.
We can find the mode for 7-Zip by searching through Hashcat's help menu. We'll use grep to filter the output for the term "7-Zip".
hashcat --help | grep -i "7-Zip"
The -i flag in grep makes the search case-insensitive. The output will show you the mode number associated with 7-Zip archives.
11600 | 7-Zip | Archives
As you can see from the output, the hash mode for 7-Zip is 11600. We will use this number in the next step when we run the cracking attack.
Run a Mask Attack to Crack the 7z Password
In this final step, we will use Hashcat to crack the password. We will perform a "mask attack," which is a type of brute-force attack that is highly effective when you have some knowledge about the password's structure.
Our password is LabEx2024. We can describe its structure with a mask:
- It starts with an uppercase letter (?u).
- Followed by two lowercase letters (?l?l).
- Followed by an uppercase letter and a lowercase letter (?u?l).
- It ends with four digits (?d?d?d?d).
The complete mask is ?u?l?l?u?l?d?d?d?d.
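To put a number on how much a mask narrows the search, the following added example (not part of the original lab or of Hashcat) counts the candidates a mask covers from the sizes of Hashcat's built-in charsets and compares that with the same length of fully random printable characters. The function names and the guess rate are hypothetical; custom charsets (?1 to ?4) are not handled.

```python
# Sizes of Hashcat's built-in mask charsets.
BUILTIN = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
           "s": 33, "a": 95, "b": 256}

def mask_sizes(mask):
    """Return the number of choices at each position of a Hashcat mask."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)              # literal character: one choice
            i += 1
            continue
        token = mask[i + 1:i + 2]
        if token == "?":
            sizes.append(1)              # '??' is a literal question mark
        elif token in BUILTIN:
            sizes.append(BUILTIN[token])
        else:
            # Custom charsets (?1..?4) and a trailing '?' are not handled here.
            raise ValueError(f"unsupported mask token at position {i}: ?{token}")
        i += 2
    return sizes

def keyspace(mask):
    """Total number of candidates the mask generates."""
    total = 1
    for n in mask_sizes(mask):
        total *= n
    return total

def compare_to_random(mask):
    """How many times smaller the mask is than the same length of ?a."""
    length = len(mask_sizes(mask))
    return keyspace("?a" * length) // keyspace(mask)

def days_to_exhaust(mask, guesses_per_second):
    """Worst-case days to try every candidate at a measured guess rate."""
    return keyspace(mask) / guesses_per_second / 86400

LAB_MASK = "?u?l?l?u?l?d?d?d?d"   # the mask from this lab

if __name__ == "__main__":
    rate = 5000.0  # hypothetical guesses/second; measure on your own hardware
    print(f"candidates: {keyspace(LAB_MASK):,}")
    print(f"smaller than 9 random printable chars by: {compare_to_random(LAB_MASK):,}x")
    print(f"worst case at {rate:.0f}/s: {days_to_exhaust(LAB_MASK, rate):,.0f} days")
```
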
Now, let's construct the Hashcat command:
- -m 11600: Specifies the 7-Zip hash mode we found in the previous step.
- -a 3: Sets the attack mode to "Brute-force / Mask".
- hashcat.txt: Our file containing the clean hash.
- ?u?l?l?u?l?d?d?d?d: The password mask.
Run the command to start the attack. The mask is quoted so that the shell does not treat ? as a filename wildcard:
hashcat -m 11600 -a 3 hashcat.txt '?u?l?l?u?l?d?d?d?d'
Hashcat will start, and you will see its status screen. Since the password is simple and the mask is precise, it should be cracked very quickly.
...
Session..........: hashcat
Status...........: Cracked
...
Once the status shows Cracked, the password has been found. To view the recovered password, you can use the --show flag with the same command:
hashcat -m 11600 hashcat.txt --show
This will display the hash followed by the cracked password.
$7z$2$19$0$$8$d251a688873348860000000000000000$1813433382$112$96$f2172032148f1959a258c28b51933a3c8a00c1781343782d44114a2f311e1ca854028b8243b16a1f5e5811652c546412f213f7a361152b3811443a38c45a3301:LabEx2024
Congratulations! You have successfully cracked the password for the 7z archive.
Summary
In this lab, you have successfully walked through the complete process of cracking a password-protected 7z archive.
You learned how to:
- Create a password-protected 7z archive using the 7z command.
- Use the 7z2john utility to extract the password hash from the archive.
- Clean and format the extracted hash for use with Hashcat.
- Identify the correct hash mode in Hashcat for a specific hash type.
- Execute a targeted mask attack with Hashcat to efficiently recover the password.
This workflow provides a solid foundation for understanding the principles of password cracking and the practical application of powerful tools like John the Ripper and Hashcat.


