Introduction
In this lab, you will gain practical experience in password cracking techniques specifically targeting ZIP archives. You will use John the Ripper, a powerful open-source password cracking tool, in conjunction with zip2john, a utility to convert ZIP files into a hash format that John the Ripper can understand. This lab will guide you through creating a password-protected ZIP file, extracting its hash, and then attempting to crack it. Furthermore, you will learn about the inherent weaknesses in older ZIP encryption methods and discover more secure alternatives to protect your sensitive data.
Create a Password-Protected ZIP File
In this step, you will create a simple text file and then compress it into a password-protected ZIP archive. This ZIP file will serve as our target for the subsequent cracking attempts. We will use a simple, easily guessable password for demonstration purposes.
First, ensure you are in your home directory's project folder.
cd ~/project
Now, create a file named secret.txt with some content.
echo "This is a secret message." > secret.txt
Next, create a password-protected ZIP archive named archive.zip containing secret.txt. When prompted, enter password123 as the password.
zip -e archive.zip secret.txt
You will be prompted to enter a password:
Enter password:
Verify password:
adding: secret.txt (deflated 29%)
You can verify the creation of the ZIP file by listing the contents of the current directory.
ls -l
You should see archive.zip and secret.txt listed.
Extract Hash from ZIP File using zip2john
In this step, you will use the zip2john utility to extract the password hash from the archive.zip file. This hash is a representation of the password that John the Ripper can use to attempt to crack the original password.
First, ensure you are in the ~/project directory.
cd ~/project
Now, run zip2john on archive.zip and redirect its output to a file named zip_hash.txt.
zip2john archive.zip > zip_hash.txt
This command will extract the hash and save it into zip_hash.txt. The output of zip2john typically looks like this (the actual hash will be different):
archive.zip:$zip$*0*1*0*...*secret.txt*$/zip$
You can view the content of the zip_hash.txt file to confirm the hash has been extracted.
cat zip_hash.txt
The output should show the extracted hash string.
Crack ZIP Hash with John the Ripper
Now that you have extracted the hash, you will use John the Ripper to attempt to crack the password. We will use a simple wordlist for this demonstration, which includes the password we set earlier.
First, ensure you are in the ~/project directory.
cd ~/project
John the Ripper often uses a wordlist to try common passwords. For this lab, we will create a small custom wordlist that includes our target password.
echo -e "test\npassword\n123456\npassword123\nadmin" > wordlist.txt
Now, run John the Ripper using the zip_hash.txt file and the wordlist.txt.
john --wordlist=wordlist.txt zip_hash.txt
John the Ripper will process the hash and the wordlist. If successful, it will display the cracked password. The output will look similar to this:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (archive.zip)
1g 0:00:00:00 DONE (2023-10-27 10:30) 100.0g/s 100.0p/s 100.0c/s 100.0C/s password123
You can also check the cracked passwords that John has found by running:
john --show zip_hash.txt
This command will display any passwords that John the Ripper has successfully cracked and stored in its internal pot file.
archive.zip:password123
1 password hash cracked, 0 left
Understand ZIP Encryption Weaknesses
In this step, you will learn about the inherent weaknesses in the standard ZIP 2.0 encryption method, which was used in the previous steps. Understanding these weaknesses is crucial for appreciating why stronger encryption methods are necessary.
The default encryption used by the zip command (often referred to as "traditional PKZIP encryption" or "ZIP 2.0 encryption") is known to be weak. It uses a proprietary algorithm that is susceptible to various attacks, including known-plaintext attacks and brute-force attacks, especially with modern computing power.
Key Weaknesses:
- Proprietary Algorithm: The algorithm is not publicly vetted like modern cryptographic standards (e.g., AES).
- Weak Key Derivation: The key derivation function is simple and makes it easier for attackers to guess or brute-force passwords.
- Known-Plaintext Attacks: If an attacker has access to both the encrypted ZIP file and an unencrypted version of at least one file inside it (even a small one), they can often recover the encryption key very quickly. This is a significant vulnerability.
- Limited Key Space: For shorter passwords, the effective key space is small, making brute-force attacks feasible.
Because of these weaknesses, using standard ZIP 2.0 encryption for sensitive data is highly discouraged. Even a moderately complex password can be cracked relatively quickly if an attacker has sufficient resources or a known plaintext.
This step does not require any command execution, but it's important to grasp these concepts for secure data handling.
Secure ZIP Archives Effectively
Given the weaknesses of traditional ZIP encryption, it's essential to use stronger methods when securing sensitive data. In this step, you will learn about and use a more robust encryption standard: AES-256.
Many modern zip implementations, including the one installed on your LabEx VM, support AES encryption. When creating a ZIP archive, you can specify the encryption method.
To create a ZIP archive with AES-256 encryption, you typically use the -P flag for password and the -m flag for method, or rely on the default strong encryption if available. However, the zip command's -e flag often defaults to the weaker PKZIP 2.0 encryption. For stronger encryption like AES-256, it's often better to use 7z (7-Zip) or WinRAR which explicitly support it.
Since 7z is a widely used tool for strong archiving, let's demonstrate how to create an AES-256 encrypted archive using 7z. First, install p7zip-full.
sudo apt-get install -y p7zip-full
Now, create a new file for this demonstration.
echo "This is a highly secret message." > super_secret.txt
Next, create a 7z archive named secure_archive.7z with AES-256 encryption. When prompted, enter a strong password (e.g., StrongPassword!23).
7z a -p secure_archive.7z super_secret.txt
You will be prompted to enter a password:
Enter password (will not be echoed):
Verify password (will not be echoed):
This command creates a 7z archive using AES-256 encryption by default, which is significantly more secure than the traditional ZIP 2.0 encryption. 7z archives are much harder to crack due to their strong encryption algorithms and key derivation functions.
You can verify the creation of the 7z archive.
ls -l
You should see secure_archive.7z listed.
Best Practices for Secure Archives:
- Use Strong Encryption: Always prefer AES-256 encryption (e.g., with
7zor modernziptools that explicitly support AES). - Use Strong Passwords: Combine uppercase and lowercase letters, numbers, and symbols. Aim for a length of at least 12-16 characters.
- Avoid Known-Plaintext: Do not include easily guessable or publicly available files in your encrypted archives.
- Regularly Update Tools: Ensure your archiving software is up-to-date to benefit from the latest security patches and improvements.
By following these practices, you can significantly enhance the security of your archived data.
Summary
In this lab, you have successfully learned how to create password-protected ZIP archives, extract their hashes using zip2john, and then crack those hashes with John the Ripper. This hands-on experience demonstrated the process of password cracking and highlighted the vulnerabilities of older encryption methods. Crucially, you also gained an understanding of the weaknesses inherent in traditional ZIP 2.0 encryption and learned about more secure alternatives like AES-256 encryption using tools like 7z. By applying the best practices discussed, you can ensure your sensitive data is protected with robust cryptographic standards.
