April 12, 2008 · General · Email This Post

Sponsored Link
If you want to crack zip file passwords use fcrackzip.fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing with unzip its results.

Install fcrackzip in Ubuntu

sudo aptitude install fcrackzip

This will complete the installation.

Fcrack Syntax

fcrackzip [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset] [--help] [--validate] [--verbose] [--init-password string/path] [--length min-max] [--use-unzip] [--method name] [--modulo r/m] file.

fcrack Options

-h, --help
Prints the version number and (hopefully) some helpful insights.
-v, --verbose
Each -v makes the program more verbose.
-b, --brute-force
Select brute force mode. This tries all possible combinations of the letters you specify.
-D, --dictionary
Select dictionary mode. In this mode, fcrackzip will read passwords from a file, which must contain one password per line and should be alphabetically sorted (e.g. using (1)).
-c, --charset characterset-specification
Select the characters to use in brute-force cracking. Must be one of

a include all lowercase characters [a-z]
A include all uppercase characters [A-Z]
1 include the digits [0-9]
! include [!:$%&/()=?[]+*~#]
: the following characters upto the end of the spe-
cification string are included in the character set.
This way you can include any character except binary
null (at least under unix).

For example, a1:$% selects lowercase characters, digits and the dollar and percent signs.

-p, --init-password string
Set initial (starting) password for brute-force searching to string, or use the file with the name string to supply passwords for dictionary searching.
-l, --length min[-max]
Use an initial password of length min, and check all passwords upto passwords of length max (including). You can omit the max parameter.
-u, --use-unzip
Try to decompress the first file by calling unzip with the guessed password. This weeds out false positives when not enough files have been given.
-m, --method name
Use method number "name" instead of the default cracking method. The switch --help will print a list of available methods. Use --benchmark to see which method does perform best on your machine. The name can also be the number of the method to use.
-2, --modulo r/m
Calculate only r/m of the password. Not yet supported.
-B, --benchmark
Make a small benchmark, the output is nearly meaningless.
-V, --validate
Make some basic checks wether the cracker works.

fcrackzip Examples

fcrackzip -c a -p aaaaaa sample.zip

checks the encrypted files in sample.zip for all lowercase 6 character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).

fcrackzip --method cpmask --charset A --init AAAA test.ppm

checks the obscured image test.ppm for all four character passwords. -TP fcrackzip -D -p passwords.txt sample.zip check for every password listed in the file passwords.txt.

Sponsored Link

Incoming search terms:

Related posts

26 Comments to “Howto Crack Zip Files Password”

  1. rakudave says:

    sounds great!
    I’m still looking for a rar cracker though

    [Reply]

  2. Jason says:

    I’m also looking for a RAR cracker that runs under Linux :)

    [Reply]

  3. Martin says:

    Should be made multi-threading to take advantage of todays CPUs, I’ve got a quad core CPU and only one core works 100% when fcrackzip is running.

    [Reply]

  4. Mark says:

    @Martin:
    If you run fcrackzip 4 times simultaneously (each on a different core) with the starting passwords spaced out about equally and stop the other 3 when one finds the right pass, then that should work about the same as you describe.

    Ex (modified from the one in the article):
    fcrackzip --method cpmask --charset A1 --init 0000 test.ppm
    on the first core…
    fcrackzip --method cpmask --charset A1 --init 9000 test.ppm
    on the second core…
    fcrackzip --method cpmask --charset A1 --init I000 test.ppm
    on the third core, and…
    fcrackzip --method cpmask --charset A1 --init R000 test.ppm
    on the fourth CPU

    I don’t know how to control which CPU handles which copy of fcrackzip because I’ve never had a computer new enough to have multiple cores (I’m posting from a used Compaq Armada M700 circa 2001 with a 1GHz PIII), but I don’t see why this wouldn’t work.

    [Reply]

  5. madelus says:

    For rar cracking try run midnight commander, enter the rar archive lika a folder, and and then copy files from rar anywhere you like.
    I did it only once and that worked, but still I can’t give you guarantee.

    [Reply]

  6. Ricardo Medina says:

    Front-end? GUI?

    [Reply]

  7. Rink says:

    How to use fcrackzip on windows Vista/xp?

    [Reply]

  8. onny says:

    @Rink
    lol

    [Reply]

  9. sidnei says:

    after running all possible combinations, how do i know which one is the real password? i guess i missed something…

    used:
    frackzip -v -b -c Aa1! – l 4 file.zip
    created this file.zip with a password = aB4%

    shows tons of guesses on the screen, but in the end, i didnt get the real password.

    thanks for any help.
    sidnei

    [Reply]

    Alex Reply:

    If you use the -u option it will try to unzip the file using all tested the passwords so as to give you the only one that works.

    frackzip -v -b -c Aa1! -l4 -u file.zip

    Also is the = sine part of the password if it is then the password is more than 4 long so you may need to set a max limit of 5. “-l4-5″

    Also to make it run faster you can specify the character type you want to use such as;

    Aa1:=%

    Hope this helps.

    [Reply]

  10. alex says:

    after running all possible combinations, how do i know which one is the real password? i guess i missed something…

    You should use option -u
    it will try to unzip each guess and leave only the right one

    [Reply]

  11. Saverio says:

    It’s an interesting program, but I must say it’s a huge waste of time. Makes you wonder if anyone ever succeeded at cracking an archive with this method.

    [Reply]

  12. Steve says:

    @Saverio, we us it several times a week for malware analysis of social engineering files that users know the password (that’s how the malware was was introduced) but have either forgotten or won’t tell us. “waste of time” depends if time is money, it’s only processor time, after all. We have a few older P4s in an outer store-room we use for cracking, it’s cooler than the main block in summer ;)

    [Reply]

  13. Steve says:

    @all, make sure you use the -u option, or IIRC just outputs a wordlist for later use. Does that help? Sudden hindsight :)

    [Reply]

  14. Steve says:

    Proof of the pudding :) Our department’s latest malware analysis needed the following file to be unzipped from a squid cache (for security the squid proxy is configured to cache all executables certain non-executable files eg: zips/rars/7zips) for later anaysis and audit trail)
    $ fcrackzip -u -b -l 1-10 -c aA1! ufs_target.zip

    PASSWORD FOUND!!!!: pw == 87ue9o

    took about 8 hours runtime for that one, on a already heavily loaded machine.

    It’s all over virustotal with 39 detections, but because it was passworded, no A/V could open it. We’re having words with the user as we speak ;)

    [Reply]

  15. jc says:

    @Steve, can cracking speed be increased using several CPUs or several CPU cores? I tried it out and did not manage to have all CPU cores do the work….

    [Reply]

  16. pradeesh says:

    It is great.

    [Reply]

  17. PAPilot says:

    Missing hyphen, underscore, carat, pipe, and many other symbols from the symbol character set. It’s not possible to specify most of these on the CLI because they mean something to many shells. These should be in the code.

    [Reply]

  18. PAPilot says:

    How about an option to include all 255 8-bit combinations? Users can easily defeat this program by using ALT-codes to insert binary coded characters in a password.

    [Reply]

  19. realmoonstruck says:

    i am using version 1.0
    the password of the zip file is: aa
    but i can not crack it with fcrackzip

    i am using: fcrackzip -u -b -l 2-2 z.zip
    without the -u flag the output is:
    possible pw found: et ()
    possible pw found: hl ()
    possible pw found: iG ()
    possible pw found: i9 ()
    possible pw found: qK ()
    possible pw found: wo ()
    possible pw found: w5 ()
    possible pw found: Go ()
    possible pw found: Hn ()
    possible pw found: Vj ()
    possible pw found: V& ()
    possible pw found: Yt ()
    possible pw found: ZO ()
    possible pw found: 2R ()
    possible pw found: 3] ()
    possible pw found: 65 ()
    possible pw found: 6} ()
    possible pw found: !E ()
    possible pw found: !L ()
    possible pw found: $F ()
    possible pw found: ?v ()
    possible pw found: {C ()
    possible pw found: [i ()

    am i missing something?
    what am i doing wrong?

    [Reply]

  20. test says:

    realmoonstruck says:
    April 27, 2011 at 9:57 pm

    i am using version 1.0
    the password of the zip file is: aa
    but i can not crack it with fcrackzip

    i am using: fcrackzip -u -b -l 2-2 z.zip
    without the -u flag the output is:
    possible pw found: et ()
    possible pw found: hl ()
    possible pw found: iG ()
    possible pw found: i9 ()
    possible pw found: qK ()
    possible pw found: wo ()
    possible pw found: w5 ()
    possible pw found: Go ()
    possible pw found: Hn ()
    possible pw found: Vj ()
    possible pw found: V& ()
    possible pw found: Yt ()
    possible pw found: ZO ()
    possible pw found: 2R ()
    possible pw found: 3] ()
    possible pw found: 65 ()
    possible pw found: 6} ()
    possible pw found: !E ()
    possible pw found: !L ()
    possible pw found: $F ()
    possible pw found: ?v ()
    possible pw found: {C ()
    possible pw found: [i ()

    am i missing something?
    what am i doing wrong?

    [Reply]

  21. Frink says:

    It doesn’t work; i created a protected zip, wrote a few wrong and the right password into a file and executed:
    fcrackzip -D -p passwords.txt file.zip

    But it didn’t find anything!

    [Reply]

  22. mendo says:

    Yeah, I tried to use wordlist, but just this result:

    $ fcrackzip -v -D -p /home/mendo/cain.txt -u sensitive.zip
    found file ‘sensitive/’, (size cp/uc 12/ 0, flags 9, chk 6884)
    found file ‘sensitive/file’, (size cp/uc 3736/ 26396, flags 9, chk 65a0)
    found file ‘sensitive/dir/’, (size cp/uc 12/ 0, flags 9, chk 79c4)
    found file ‘sensitive/dir/file’, (size cp/uc 12/ 0, flags 9, chk 5f3c)
    found file ‘sensitive/dir/file1′, (size cp/uc 796/ 1608, flags 9, chk 5571)
    found file ‘sensitive/dir/file2′, (size cp/uc 202/ 514, flags 9, chk 79c4)
    found file ‘sensitive/dir/file3′, (size cp/uc 1164/ 8468, flags 9, chk 7703)
    found file ‘sensitive/dir/file4′, (size cp/uc 102/ 103, flags 9, chk 7347)
    8 file maximum reached, skipping further files

    Only what I can assume is that the program don’t know work with zip archive, which is containing more then 8 files?:/

    [Reply]

  23. Alan M says:

    Works like a charm.
    Forgotten a PW I set 15 years ago.
    I used
    fcrackzip -v -c aA1 -l 1-8 m.zip

    After 3 hours

    8 file maximum reached, skipping further files
    possible pw found: atarist ()

    Awesome, thanks for this great utility.
    Alan

    [Reply]

  24. Steven P says:

    rarcrack is a joke.

    The developer pooched the printf function such that the only way it runs is with the “–type rar” switch (it cannot detect normally), and the password generated is NEVER correct. I created an RAR with a password to see. It NEVER found the password, but dutifully spat out a password and called it good.

    That is a two hour span I’ll never get back.

    [Reply]

  25. Amit says:

    Dear sir/Madam,
    i’m using pentium 4 and it’s configuration is Model: AWRDACPI(INTELR),
    Processor:Pentium 4 2390MHz (L1 cache: 0 bytes, L2 cache: 1.00 Mb),
    BIOS:Phoenix – AwardBIOS v6.00PG (10-Nov-2010),
    MotherBoard:Intel Grantsdale-6A79DGBWC-00,

    An error occurs when I tried to to install new OS which
    is RHEL 5.2. When the boot screen appears, after I hit this error comes next :

    Modules linked in:
    CPU : 0
    EIP : 0060 : [] Not tainted VLI
    EFLAGS : 00010202 (2.6.18-92.e15 #1)
    EIP is at powernowk8_init+0x5e/0x1c2
    eax : 00000000 ebx : 00000000 ecx : 0000000e edx : 00000020
    esi : 00000000 edi : c06242c3 ebp : 00000000 esp : c1866fa0
    ds : 007b es : 007b ss: 0068
    Process swapper (pid: 1, ti=c1866000 task=c1867aa0 task.ti=c1866000)
    Stack : 00000000 c071bbe4 00000000 c06ec5a8 c06e7fd8 c0404dee 00000202 c0bec42b
    00000000 00000000 00000000 00000000 00000000 00000000 c06ec42b 00000000
    00000000 c0405c3b 00000000 00000000 00000000 00000000 00000000 00000000

    Call Trace :
    [] init+0x17d/0x24a
    [] ref_from_fork+0×6/0x1c
    [] init+0×0/0x24a
    [] init+0×0/0x24a
    [] kernel_thread_helper+0×7/0×10
    =========================

    Code : 83 3d 20 41 67 c0 01 75 40 83 3d 84 d4 76 c0 00 75 37 68 01 00 00 00 bf c3
    42 62 c0 e8 ba 12 19 00 b9 0f 00 00 00 89 c6 49 78 08 ae 75 08 84 c0 75 f5
    31 c0 eb 04 19 c0 0c 01 85 c0 75 0a c7

    EIP : [] powernowk8_init+0x1c2 SS : ESP 0068 : c1866fa0
    kernel panic – not syncing : Fatal exception

    I tried both way text or ghaphical but it came same and What should be the possible solution for this?

    Please, I’ll be waiting to all of your ideas. And I will respect it also.

    Thanks

    [Reply]

Leave a Reply