openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/

zip2john support for AES-256 Deflate #3012

Closed hwkongsgaard closed 6 years ago

hwkongsgaard commented 6 years ago

Add support for "AES-256 Deflate".

kholia commented 6 years ago

@hwkongsgaard Your report is missing necessary details. Opening an issue with "low quality" is unlikely to yield desired results.

Provide all the necessary details, and answers to the following questions.

Do you have a sample ZIP file with this encryption + compression method? How does zip2john handle such files currently? Which software created this ZIP file? How do I generate a similar ZIP file?

kholia commented 6 years ago

I took a quick look,

    $ head secret.txt
    secret!
    secret!
    secret!
    secret!
    <same line repeated>

    $ wc -l secret.txt
    50038 secret.txt

    $ 7z a -popenwall -mem=AES256 -tzip secret-openwall-2.zip secret.txt

    $ 7z l -slt secret-openwall-2.zip
    ...
    CRC =
    Method = AES-256 Deflate

Note the "AES-256 Deflate" string.

    $ ../run/zip2john secret-openwall-2.zip
    secret-openwall-2.zip:$zip2$*0*3*0*39c93819b77056b056caef08a578f7ca*eb9e*2b2*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*c9e0e79162b92423c6e0*$/zip2$:::::secret-openwall-2.zip-secret.txt

    $ ../run/john hash   # contains the above hash
    Using default input encoding: UTF-8
    Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
    Will run 4 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    openwall         (secret-openwall-2.zip)
    1g 0:00:00:00 DONE 1/3 (2017-12-15 17:23) 25.00g/s 800.0p/s 800.0c/s 800.0C/s secret-openwall-2.zip..zopenwall
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

It seems that such files are already supported.

You really need to invest time, and attention in learning and understanding your tools first. Use john-users mailing list for support.

hwkongsgaard commented 6 years ago

Hi, my file is,

    Method = AES-256 Deflate
    Host OS = FAT
    Version = 20

It does not work with zip2john.

rahuljeet commented 4 years ago

@hwkongsgaard Did you find any solution for this, because I'm facing the same problem?

magnumripper commented 4 years ago

@rahuljeet zip2john got some recent improvement. Did you try the latest github version?

freeman412 commented 11 months ago

I think this is partially true. I confirmed that zip2john.exe does report that the file is not encrypted, or has a non-handled compression, but it in fact does print the correct extracted hash on AES256 zip files, to stdout, while printing the error to stderr. Line 781 in zip2john.c should not run if it successfully extracted the hash, but is getting executed. There is not an error for ZipCrypto files.

    if (p->cmptype != 0 && p->cmptype != 8) {
        fprintf(stderr, "%s/%s is not encrypted, or stored with non-handled compression type=%"PRIu16"\n",
                zfp->fname, p->file_name, p->cmptype);
        return 0;
    }

AES256.zip AES256.zip.hash.txt

I have attached example files that replicate the issue. Since this is old and marked invalid, I will open a new related issue.
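How an entry comes to be listed as "AES-256 Deflate", as an added example (not code from zip2john or from anyone in this thread): in the WinZip AE-x layout the local header's compression method is 99, and the key strength and the real method (0 = Stored, 8 = Deflate) sit in extra field 0x9901. The struct and function names and the sample header bytes are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* What one local file header says about an entry (names are this example's own). */
struct aes_info {
    int ok;          /* 1 if the header parsed cleanly */
    int encrypted;   /* general-purpose flag bit 0 */
    int aes_bits;    /* 128, 192 or 256; 0 when the entry is not WinZip AES */
    int method;      /* effective compression: 0 = Stored, 8 = Deflate */
};

static unsigned le16(const uint8_t *p) { return p[0] | (p[1] << 8); }
/* Constructed sample: header of an AES-256 Deflate entry named "secret.txt". */
static const uint8_t sample_hdr[] = {
    'P','K',3,4, 51,0, 1,0, 99,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 10,0, 11,0,
    's','e','c','r','e','t','.','t','x','t',
    0x01,0x99, 7,0, 2,0, 'A','E', 3, 8,0
};

struct aes_info zip_aes_info(const uint8_t *buf, size_t len)
{
    struct aes_info r = {0, 0, 0, 0};
    if (len < 30 || memcmp(buf, "PK\x03\x04", 4) != 0)
        return r;
    size_t name_len = le16(buf + 26), extra_len = le16(buf + 28);
    if (30 + name_len + extra_len > len)
        return r;                          /* lengths run past the buffer */
    r.encrypted = le16(buf + 6) & 1;
    r.method = (int)le16(buf + 8);
    if (r.method != 99) {                  /* 99 marks a WinZip AES entry */
        r.ok = 1;
        return r;
    }
    const uint8_t *ex = buf + 30 + name_len, *end = ex + extra_len;
    while (end - ex >= 4) {                /* walk (id, size, data) records */
        size_t size = le16(ex + 2);
        if ((size_t)(end - ex) - 4 < size)
            return r;                      /* truncated record */
        if (le16(ex) == 0x9901 && size >= 7 && ex[6] == 'A' && ex[7] == 'E'
            && ex[8] >= 1 && ex[8] <= 3) {
            r.aes_bits = 64 + 64 * ex[8];  /* strength 1,2,3 -> 128,192,256 */
            r.method = (int)le16(ex + 9);  /* real compression method */
            r.ok = 1;
            return r;
        }
        ex += 4 + size;
    }
    return r;                              /* method 99 but no AES record */
}
```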

claudioandre-br commented 11 months ago

> I think this is partially true.

Latest github version can handle the attached file without warnings.

rahul-gupta7688 commented 11 months ago

@magnumripper thanks for your suggestion. I'll try