Introduction
In this lab, you will learn the fundamental process of cracking a password-protected ZIP archive. This is a common task in digital forensics and penetration testing. You will use a combination of command-line tools available in Linux to achieve this. The process involves creating a sample protected file, extracting its password hash, and then using a powerful password recovery tool, Hashcat, to crack the hash and reveal the original password.
By the end of this lab, you will be familiar with:
- Creating encrypted ZIP files.
- Using
zip2johnto extract password hashes. - Preparing hashes for use with Hashcat.
- Running a dictionary attack with Hashcat to recover a password.
Create a Password-Protected ZIP File
In this step, you will create a password-protected ZIP file. This will serve as our target for the password cracking exercise. We will use the standard zip command with the -e option, which stands for "encrypt".
First, ensure you are in the ~/project directory. We have already created a file named secret.txt for you in the setup process.
Now, run the following command to create an encrypted ZIP archive named secret.zip from the secret.txt file.
zip -e secret.zip secret.txt
The system will prompt you to enter and verify a password. For this lab, use the password labex. Type labex, press Enter, and then type it again to verify.
Enter password:
Verify password:
adding: secret.txt (stored 0%)
After the command completes, you can use the ls command to verify that the secret.zip file has been created in your current directory.
ls -l
You should see secret.zip listed in the output.
-rw-r--r-- 1 labex labex 218 May 20 10:00 secret.zip
-rw-r--r-- 1 labex labex 23 May 20 10:00 secret.txt
-rw-r--r-- 1 labex labex 32 May 20 10:00 wordlist.txt
Use zip2john to Extract the Hash from the ZIP File
In this step, you will use the zip2john utility to extract the password hash from the secret.zip file. Password cracking tools like Hashcat do not work directly on the encrypted file; they work on its hash. zip2john is a tool from the John the Ripper suite designed specifically for this purpose.
Run the following command to process secret.zip and save the resulting hash into a new file named zip_hash.txt.
zip2john secret.zip > zip_hash.txt
This command produces no direct output to the terminal because we have redirected it to the zip_hash.txt file. To see the extracted hash, you can display the contents of the new file using the cat command.
cat zip_hash.txt
The output will look similar to the following. This string contains all the information needed to crack the password.
secret.zip:$pkzip2$1*1*2*0*8*24*7b4f4718*0*28*0*8*24*7b4f*53a9*$/pkzip2$
Format the Hash for Hashcat Compatibility
In this step, you will format the extracted hash to make it compatible with Hashcat. The output from zip2john includes the original filename (secret.zip:) as a prefix to the hash string. Hashcat requires only the pure hash data.
Let's look at the content of zip_hash.txt again:
secret.zip:$pkzip2$1*1*2*0*8*24*...
We need to remove the secret.zip: part. A simple way to do this is with the cut command, which can split text based on a delimiter. We will use the colon (:) as the delimiter and select the second field.
Execute the following command to extract the hash and save it to a new file called hashcat_ready.txt.
cut -d':' -f2 zip_hash.txt > hashcat_ready.txt
cut: The command to cut parts of lines.-d':': Specifies that the delimiter is a colon.-f2: Specifies that we want the second field.
Now, view the contents of the new file to confirm it contains only the hash.
cat hashcat_ready.txt
The output should be the hash string without the filename prefix.
$pkzip2$1*1*2*0*8*24*7b4f4718*0*28*0*8*24*7b4f*53a9*$/pkzip2$
This file is now ready to be used with Hashcat.
Select the Correct Hashcat Mode for PKZIP
In this step, you will learn how to identify the correct hash mode for Hashcat. Hashcat supports cracking hundreds of different hash types, and you must specify which type you are providing using a mode number.
The hash we extracted begins with $pkzip2$. This indicates the type of ZIP encryption used. We can search Hashcat's help documentation for modes related to "PKZIP" to find the right number.
Use the following command to search for "pkzip" within Hashcat's help output.
hashcat --help | grep -i "pkzip"
The output will list several hash modes related to different versions of PKZIP encryption.
17200 | PKZIP (legacy) | Archives
17210 | PKZIP (legacy) (Compressed) | Archives
17220 | PKZIP (legacy) (Mixed) | Archives
17225 | PKZIP (legacy) (Mixed + Compressed) | Archives
20500 | PKZIP Master Key | Archives
20510 | PKZIP Master Key (Compressed) | Archives
Our hash, generated from a simple password-protected ZIP, corresponds to the "PKZIP (legacy)" type. As you can see from the output, the mode number for this is 17200. We will use this mode in the next step to launch our attack.
Launch an Attack to Recover the ZIP Password
In this step, you will launch the password cracking attack using Hashcat. We will perform a "straight" or dictionary attack, where Hashcat tries every password from a given list. We have already prepared a simple list named wordlist.txt.
The command structure for Hashcat is as follows:
hashcat [options] <hash_file> <wordlist_file>
Based on our previous steps, the full command is:
hashcat -m 17200 -a 0 hashcat_ready.txt wordlist.txt
Let's break down the command:
-m 17200: Specifies the hash mode for PKZIP (legacy), which we identified in the previous step.-a 0: Specifies the attack mode.0stands for a Straight (dictionary) attack.hashcat_ready.txt: The file containing our target hash.wordlist.txt: The file containing the list of potential passwords.
Execute the command. Hashcat will start, initialize its backend, and begin the attack.
hashcat (v6.2.6) starting
...
Session..........: hashcat
Status...........: Cracked
Hash.Name........: PKZIP (legacy)
Hash.Target......: $pkzip2$1*1*2*0*8*24*7b4f4718*0*28*0*8*24*7b4f*53a9*$/pkzip2$
Time.Started.....: ...
Time.Estimated...: 0 secs
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 248.2 kH/s (0.10ms) @ Accel:128 Loops:128 Thr:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 3/4 (75.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: labex -> zzzzzzz
Hardware.Mon.#1..: Temp: 48c
$pkzip2$1*1*2*0*8*24*7b4f4718*0*28*0*8*24*7b4f*53a9*$/pkzip2$:labex
Started: ...
Stopped: ...
Hashcat found the password very quickly because our wordlist was small. The last line of the output shows the hash followed by the recovered password: labex.
Congratulations, you have successfully cracked the password for the ZIP archive!
Summary
In this lab, you have successfully completed the entire workflow for cracking a password-protected ZIP archive using common command-line tools.
You have learned how to:
- Create an encrypted ZIP file using the
zipcommand. - Extract the password hash from the ZIP file using
zip2john. - Format the extracted hash to make it compatible with
Hashcat. - Identify the correct hash type mode for your target within
Hashcat. - Launch a dictionary attack with
Hashcatto successfully recover the password.
These skills form a foundational understanding of password recovery techniques that are crucial in cybersecurity fields like digital forensics and ethical hacking. While we used a simple password and a small wordlist for educational purposes, the same principles apply to more complex, real-world scenarios.
