[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABwuPXdehfJKHhzOdn79FPdNU-MeXWose48A0tpVPTPr9roDGg@mail.gmail.com>
Date: Wed, 16 Sep 2020 13:53:29 +0100
From: Jasper Jones <jazjones9292@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking encrypted zip file
Just a brief update on this: I've started it running in Prince mode with a
reasonable word list, and it looks like I have (up to) about three days to
wait for an outcome.
I also did some more reading about how AES-256 is implemented. Please
ignore my comment above about the reference to SHA-1. As I now understand
it, this relates to how the AES-256 key is generated from the password (and
salt) before being used to encrypt the data.
Thanks again.
Jasper
On Wed, 16 Sep 2020 at 06:57, Jasper Jones <jazjones9292@...il.com> wrote:
> > I'm going to run a test to see if it finds a known password.
>
> Okay, so that works, which means I can now work on getting together the
> right combination of words to have a stab at the real thing. I have a nasty
> suspicion that I may be back looking for help with mask mode at some point,
> but thanks so much for your help magnum, I appreciate it.
>
> Jasper
>
> On Wed, 16 Sep 2020 at 06:47, Jasper Jones <jazjones9292@...il.com> wrote:
>
>> I just tried running it on a short list of the most likely words to see
>> if anything jumps out. Ran for ~5 mins and just got "session completed" at
>> the end, which I assume means nothing was found.
>>
>> I got the following message when I started it:
>> "Warning: detected hash type "ZIP", but the string is also recognised as
>> "ZIP-opencl"
>> Use the "--form=ZIP-opencl" option to force loading these as that type
>> instead"
>>
>> Any issue with that?
>>
>> Then:
>> "Using default input encoding: UTF8
>> Loaded 1 password hash (ZIP, WinZip, [PKDF2-SHA1 128/128 AVX 4x1)"
>>
>> Does that look right? The reference to PKDF2-SHA1 instead of AES concerns
>> me, but I appreciate that could just be my ignorance showing.
>>
>> I'm going to run a test to see if it finds a known password.
>>
>> Thanks again
>> Jasper
>>
>> On Wed, 16 Sep 2020 at 06:26, Jasper Jones <jazjones9292@...il.com>
>> wrote:
>>
>>> Thanks very much magnum. I was pretty stressed while doing this last
>>> night and missed out the '>'before the file name when using zip2john. I now
>>> have a txt file with what looks like a hash.
>>>
>>> That said, I'm still getting an error as well: "ver 5.1
>>> wallet.zip/wallet.dat is not encrypted, or stored with non-handled
>>> compression type".
>>>
>>> > It sounds like you got a proper hash (you need to redirect that screen
>>> output to a file) and the warning you got later is probably from some
>>> > other (not encrypted) file in the archive. Perhaps you accidentally
>>> added a non-encrypted version to the archive? Try extracting it...
>>>
>>> There's definitely only a single file - wallet.dat - in the archive, so
>>> this is a little puzzling. I'm not sure how adding a password with AES-256
>>> encryption works - I assume encrypts just the file after compression?
>>>
>>> > What does "zipinfo <file>" or similar tool say? Or just "zip -l
>>> <file>".
>>>
>>> I don't have zipinfo (I'm on Windows), but I could download a bootable
>>> Linux distribution if that would help. 7zip itself gives some info about
>>> the compressed file:
>>>
>>> - attributes: An
>>> - Encrypted: +
>>> - Method: AES-256 Deflate
>>>
>>> (There's some other stuff about file size, dates, etc, but assume it's
>>> the encryption info that's needed?)
>>>
>>> Many thanks
>>> Jasper
>>>
>>>
>>>
>>> On Tue, 15 Sep 2020 at 23:10, magnum <john.magnum@...hmail.com> wrote:
>>>
>>>> On 2020-09-15 19:43, Jasper Jones wrote:
>>>> > I'm reasonably certain the password contains two or three main
>>>> components,
>>>> > selected from a couple of words and a long number, linked with some
>>>> > combination of punctuation.
>>>>
>>>> Try adding all such components, one on each line, to a short wordlist
>>>> eg. "components.txt". Add punctuation and numbers (either simply digits
>>>> 0 through 9 on separate lines, or/and longer numbers like 2020 if you
>>>> know them) as well, on separate lines. Then use PRINCE mode.
>>>>
>>>> > The first issue is that I believe I need to use zip2john.exe to get
>>>> the
>>>> > hash from the zip file. It spits out a very long string of data,
>>>> starting
>>>> > with $zip2$, but ends with a message saying that
>>>> "wallet.zip/wallet.dat is
>>>> > not encrypted, or stored with a non-handled compression type".
>>>>
>>>> What does "zipinfo <file>" or similar tool say? Or just "zip -l <file>".
>>>>
>>>> It sounds like you got a proper hash (you need to redirect that screen
>>>> output to a file) and the warning you got later is probably from some
>>>> other (not encrypted) file in the archive. Perhaps you accidentally
>>>> added a non-encrypted version to the archive? Try extracting it...
>>>>
>>>> > I wondered whether I needed to use the 7z2john.pl (a perl script?),
>>>> given I
>>>> > used 7-zip to generate the encrypted file?
>>>>
>>>> No, if it's zip format, zip2john is needed.
>>>>
>>>> zip2john archive.zip > hashfile.txt
>>>> john hashfile.txt --prince=components.txt
>>>>
>>>> magnum
>>>>
>>>>
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
