Command: zip2john file > output.txt (file = name of the zip file). After running this command you will have an output.txt file with the hashes of the zip file stored in it. To crack the hash of the zip file, type:

Command: john --format=zip output.txt

"John the Ripper" is a fast password cracker. Its primary purpose is to detect weak Unix passwords. Most likely you do not need to install "John the Ripper" system-wide. Instead, after you extract the distribution archive and possibly compile the source code (see below), you may simply enter the "run" directory and invoke John: ./zip2john

On path I cannot help you, as I am still having some issues; when I figure out the guide I will try to edit in the information so that you do not have to type so much when using John Jumbo. Again, thank you to the community for helping me. To move one directory up it is cd.

root@Kali699:/Documents/jtr/run# zip2john '/root/Documents/jtr/run/crispyy01.zip' asdf01.txt
root@Kali699:/Documents/jtr/run# john -wordlist=password.lst as.

John the Ripper (a password recovery program) comes with a utility called zip2john that is used to extract the encrypted hash from the file. This hash is the key to the file. When attacking the file in an effort to "crack" the password you use this hash to try and find a matching known string.
I am trying to recover a password from a zip file and have had issues getting hashcat to accept the zip file hash. I created the hash using zip2john and jtr IDs the hash as: ZIP, WINZIP, PBKDF2-SHA1 4x SSE2.
If I try and use:
hashcat -m 13600 -a 3 -o answer.txt -d 2 myhash.hash I get the error:
Hashfile on line 1 () Salt-value exception
No Hashes loaded
The hash file itself looks like this:
[redacted]
Raw output from zip2john at the terminal gives this:
[redacted]
If I use the full output from the terminal of zip2john then Hashcat complains of Signature unmatched - no hashes loaded.
Any help would be well received. JTR is much slower than using my GPU/hashcat.
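The line format behind the hashcat errors in the post above, as an added example that is not the poster's code or part of the original thread: zip2john prints `name:$zip2$...$/zip2$:::::name` for john, while hashcat `-m 13600` loads only the bare `$zip2$...$/zip2$` token, so the prefix and suffix have to be stripped. The sample lines are constructed, not real archive data.

```python
import re
from typing import Optional

# Constructed sample in the shape zip2john prints: "<name>:<hash>:::::<name>".
# All hex values are made up; they are not from a real archive.
SAMPLE_ZIP2JOHN_OUTPUT = """\
secret.zip/report.docx:$zip2$*0*3*0*00112233445566778899aabbccddeeff*1a2b*10*0123456789abcdef0123456789abcdef*f00dbabe1234deadbeef*$/zip2$:::::secret.zip/report.docx
legacy.zip/notes.txt:$pkzip2$1*1*2*0*1c*14*3be6ea95*0*42*0*1c*3be6*8ab4*0ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7*$/pkzip2$:::::legacy.zip/notes.txt
"""

# Hashcat wants the bare token only; the "name:" prefix and ":::::name"
# suffix that zip2john adds for john are what produce "Salt-value exception"
# (partial line) or "Signature unmatched" (whole line) on load.
# $pkzip2$ tokens belong to the 17200-17230 family; which one depends on the archive.
_HASH_RE = re.compile(r"(\$(zip2|pkzip2)\$.*?\$/\2\$)")

# WinZip AES mode field -> (AES key bits, salt length in bytes)
_AES_MODES = {"1": (128, 8), "2": (192, 12), "3": (256, 16)}


def extract_hash(line: str) -> Optional[str]:
    """Return the bare hash token from one zip2john line, or None if absent."""
    m = _HASH_RE.search(line)
    return m.group(1) if m else None


def describe_zip2(token: str) -> dict:
    """Parse a $zip2$ token and sanity-check the fields hashcat -m 13600 expects."""
    fields = token.split("*")
    if len(fields) != 10 or fields[0] != "$zip2$" or fields[-1] != "$/zip2$":
        raise ValueError("not a well-formed $zip2$ token")
    _type, mode, _magic, salt, verifier, data_len, _data, authcode = fields[1:9]
    if mode not in _AES_MODES:
        raise ValueError(f"unknown AES mode field {mode!r}")
    key_bits, salt_len = _AES_MODES[mode]
    if len(salt) != 2 * salt_len:
        raise ValueError(f"salt is {len(salt) // 2} bytes, expected {salt_len} for AES-{key_bits}")
    return {"hashcat_mode": 13600, "aes_bits": key_bits, "salt_bytes": salt_len,
            "data_len": int(data_len, 16), "verifier": verifier, "authcode": authcode}


def to_hashcat_lines(zip2john_output: str) -> list:
    """Convert every zip2john line into the form hashcat accepts (one token per line)."""
    return [t for t in (extract_hash(l) for l in zip2john_output.splitlines()) if t]


if __name__ == "__main__":
    for token in to_hashcat_lines(SAMPLE_ZIP2JOHN_OUTPUT):
        print(token)  # redirect to myhash.hash, then: hashcat -m 13600 -a 3 myhash.hash
```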
It seems silly to me that someone would give me a zip file but not the password to open it. I have all of the data, just not the ability to easily read it. So why send the file at all?
Regardless of the answer, this was a fun opportunity to learn a little about John The Ripper (JTR or just ‘john’). There are two versions of john. The normal release and the community “jumbo” release. So which do you use? It depends on what you want to do. Each has a different set of non-overlapping features, and the docs are not always clear on which does what. For the rest of this post I will specifically guide you through using john on OSX to crack a zip file.
Zip support currently only exists in the jumbo release of john, so that's the best place to start, but right away you might notice that by default john is single threaded. Is there a Mac today that isn't multi-core? Cracking can take a long time, so we'll want to use as much of the CPU as possible to make it faster. Luckily for me, the jumbo release supports OpenMP, which can make parts of the program run in parallel.
Sadly for me, OSX Mavericks does not support OpenMP out of the box.
If only I ran linux, this would be so much easier. Of course many other things would be so much harder, but really Apple?
To build john with OpenMP, I need a modern version of gcc, which Apple does not provide. In fact, I'm about to spend the next few hours setting up a development environment just so I can build john.
- Download and Install Xcode via the AppStore (and grab a snickers, cause this is going to take some time)
- Once that's working, install the command line tools:
- open a terminal & run:
- > xcode-select --install
- If you are me, spend the next 1.5 hours debugging why xcode-select doesn't run (my Xcode install was totally messed up. It seems like some previous version didn't get fully uninstalled and my environment was a mix of the two)
- Now download and install macports
- In your terminal, install gcc4.8 via macports (this will also take a long time):
- > sudo port install gcc48
- > sudo port select --set gcc mp-gcc48
- > hash gcc
- OMG, 4 hours later, I’m finally ready to start on the actual project!
UPDATE: As Mems pointed out below in the comments, you can just grab the jumbo version of john from macports as well (I’m assuming it is also built with openmp support):
> sudo port install john-jumbo
Or you can compile it yourself and fiddle with more optimizations (which is likely unnecessary):
- Download and untar john (jumbo)
- Back in the terminal go to the john directory:
- > cd /path/to/john/
- > cd src
- Open the Makefile and uncomment this line: MPFLAGS = -fopenmp -msse2
- Now build john:
- > make clean macosx-x86-64
UPDATE: If you installed john from macports, the tools below should already be in your path. See Mem’s comments below…
Before we can start cracking, we first need to setup an input file for john:
- > cd ../run/
- > ./zip2john /path/to/file.zip > zip_hash.txt
Potentially the fastest way to crack the zip file is to use a dictionary attack. There are a lot of dictionaries/wordlists online, and john can iterate through them and through variations on the words in the list. Skull Security has a nice set to get you started. After you have downloaded one, then you can start running john:
- > ./john --wordlist=/path/to/wordlist.txt zip_hash.txt
If this doesn't work, you can try brute forcing the password:
- > ./john zip_hash.txt
Other features worth mentioning:
- John might take several days (or even weeks) to crack the password. You can safely stop it at any time by hitting Ctrl-C. When you are ready to resume again, add the "--restore" option and restart john. It will pick up from where it left off!
- It may not look like john is doing anything once you start it. Hit enter/return in the terminal and john will print the current status of what it is doing.
- The Activity Monitor can show you how much CPU john is using. It should be more than 100% if OpenMP is enabled.