Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CABwuPXd8PqPYmgU7LnMvc=i9PoiTfZaweR3-zTbvArLzhPXEfg@mail.gmail.com>
Date: Wed, 16 Sep 2020 06:57:09 +0100
From: Jasper Jones <jazjones9292@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking encrypted zip file

> I'm going to run a test to see if it finds a known password.

Okay, so that works, which means I can now work on getting together the
right combination of words to have a stab at the real thing. I have a nasty
suspicion that I may be back looking for help with mask mode at some point,
but thanks so much for your help magnum, I appreciate it.

Jasper

On Wed, 16 Sep 2020 at 06:47, Jasper Jones <jazjones9292@...il.com> wrote:

> I just tried running it on a short list of the most likely words to see if
> anything jumps out. Ran for ~5 mins and just got "session completed" at the
> end, which I assume means nothing was found.
>
> I got the following message when I started it:
> "Warning: detected hash type "ZIP", but the string is also recognised as
> "ZIP-opencl"
> Use the "--form=ZIP-opencl" option to force loading these as that type
> instead"
>
> Any issue with that?
>
> Then:
> "Using default input encoding: UTF8
> Loaded 1 password hash (ZIP, WinZip, [PKDF2-SHA1 128/128 AVX 4x1)"
>
> Does that look right? The reference to PKDF2-SHA1 instead of AES concerns
> me, but I appreciate that could just be my ignorance showing.
>
> I'm going to run a test to see if it finds a known password.
>
> Thanks again
> Jasper
>
> On Wed, 16 Sep 2020 at 06:26, Jasper Jones <jazjones9292@...il.com> wrote:
>
>> Thanks very much magnum. I was pretty stressed while doing this last
>> night and missed out the '>'before the file name when using zip2john. I now
>> have a txt file with what looks like a hash.
>>
>> That said, I'm still getting an error as well: "ver 5.1
>> wallet.zip/wallet.dat is not encrypted, or stored with non-handled
>> compression type".
>>
>> > It sounds like you got a proper hash (you need to redirect that screen
>> output to a file) and the warning you got later is probably from some
>> > other (not encrypted) file in the archive. Perhaps you accidentally
>> added a non-encrypted version to the archive? Try extracting it...
>>
>> There's definitely only a single file - wallet.dat - in the archive, so
>> this is a little puzzling. I'm not sure how adding a password with AES-256
>> encryption works - I assume encrypts just the file after compression?
>>
>> > What does "zipinfo <file>" or similar tool say? Or just "zip -l
>> <file>".
>>
>> I don't have zipinfo (I'm on Windows), but I could download a bootable
>> Linux distribution if that would help. 7zip itself gives some info about
>> the compressed file:
>>
>> - attributes: An
>> - Encrypted: +
>> - Method: AES-256 Deflate
>>
>> (There's some other stuff about file size, dates, etc, but  assume it's
>> the encryption info that's needed?)
>>
>> Many thanks
>> Jasper
>>
>>
>>
>> On Tue, 15 Sep 2020 at 23:10, magnum <john.magnum@...hmail.com> wrote:
>>
>>> On 2020-09-15 19:43, Jasper Jones wrote:
>>> > I'm reasonably certain the password contains two or three main
>>> components,
>>> > selected from a couple of words and a long number, linked with some
>>> > combination of punctuation.
>>>
>>> Try adding all such components, one on each line, to a short wordlist
>>> eg. "components.txt". Add punctuation and numbers (either simply digits
>>> 0 through 9 on separate lines, or/and longer numbers like 2020 if you
>>> know them) as well, on separate lines. Then use PRINCE mode.
>>>
>>> > The first issue is that I believe I need to use zip2john.exe to get the
>>> > hash from the zip file. It spits out a very long string of data,
>>> starting
>>> > with $zip2$, but ends with a message saying that
>>> "wallet.zip/wallet.dat is
>>> > not encrypted, or stored with a non-handled compression type".
>>>
>>> What does "zipinfo <file>" or similar tool say? Or just "zip -l <file>".
>>>
>>> It sounds like you got a proper hash (you need to redirect that screen
>>> output to a file) and the warning you got later is probably from some
>>> other (not encrypted) file in the archive. Perhaps you accidentally
>>> added a non-encrypted version to the archive? Try extracting it...
>>>
>>> > I wondered whether I needed to use the 7z2john.pl (a perl script?),
>>> given I
>>> > used 7-zip to generate the encrypted file?
>>>
>>> No, if it's zip format, zip2john is needed.
>>>
>>> zip2john archive.zip > hashfile.txt
>>> john hashfile.txt --prince=components.txt
>>>
>>> magnum
>>>
>>>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.