Message-ID: <107b01db75ce$42835e60$c78a1b20$@us>
Date: Sun, 2 Feb 2025 17:57:47 -0600
From: "Scott Techlist" <techlist06@...a.us>
To: <john-users@...ts.openwall.com>
Subject: RE: Zip file assistance (SOLVED)

To wrap up this thread...

Once I figured out how to work the mask, and figured out an incorrect character I had in my guess, all I had left were 8 digits. That resulted in a crack that took less than a second. It appears a full ASCII brute force would have found it eventually with no hint.

I appreciate the JTR-noob assist and pointer to the mask, and the newer version, it was a little buried in there. And I found after the fact, the instruction file in one of the folders on how to work the zip.

Thanks again.

>-----Original Message-----
>From: Scott Techlist [mailto:techlist06@...a.us]
>Sent: Saturday, February 01, 2025 9:25 PM
>To: john-users@...ts.openwall.com
>Subject: RE: [john-users] Zip file assistance
>
>Alexander, thank you for the friendly, very helpful reply. Just before your reply I figured out the mask business was an issue, from seeing that default and digging into what it meant. I found and used maskprocessor to vet my new mask.
>
>I tried just the numerical digits I thought were there at the end and it didn't work so I included all type-able ASCII (I think) and figured out how to get it to increment, I think. It might maybe have a ")" or a "/" in it from an old hint I had.
>
>Also, once I saw the GUI-generated syntax I just skipped the GUI and moved to the command line. The GUI helped me get over the how to get the Hash part. But I think I see how to do it without that helper now.
>
>Right now it's working on:
>
> john.exe --format=PKZIP --mask=MyKnwnPart?a?a?a?a?a?a?a?a?a?a?a --min-length=11 --max-length=20 C:/Users/scott/pw.lst
>
>I forgot what the (16) means, I'm guessing the number of the increment? I'll give it some time. If that does not work (assuming I now have a proper mask), I'll update the version via the link you sent.
>
>Using default input encoding: UTF-8
>Loaded 1 password hash (PKZIP [32/64])
>Will run 8 OpenMP threads
>Press 'q' or Ctrl-C to abort, almost any other key for status
>0g 0:00:00:00 (13) 0g/s 0p/s 0c/s 0C/s
>0g 0:00:00:00 1.04% (14) (ETA: 20:51:47) 0g/s 8693Kp/s 8693Kc/s 8693KC/s MyKnwnPartI}..MyKnwnPartH5aa
>0g 0:00:00:05 1.05% (15) (ETA: 20:59:42) 0g/s 15248Kp/s 15248Kc/s 15248KC/s MyKnwnPart~!||..MyKnwnPartAEeaa
>0g 0:00:00:28 5.79% (15) (ETA: 20:59:50) 0g/s 15812Kp/s 15812Kc/s 15812KC/s MyKnwnPartVs[Ho..MyKnwnPartt~^Ho
>0g 0:00:08:34 1.05% (16) (ETA: 10:25:37) 0g/s 15214Kp/s 15214Kc/s 15214KC/s MyKnwnParty(}||..MyKnwnPart aaaa
>0g 0:00:23:08 2.82% (16) (ETA: 10:32:22) 0g/s 15089Kp/s 15089Kc/s 15089KC/s MyKnwnPart$[ tZe..MyKnwnParty,VtZe
>0g 0:00:24:07 2.94% (16) (ETA: 10:32:26) 0g/s 15087Kp/s 15087Kc/s 15087KC/s MyKnwnPartZy,1?e..MyKnwnPartce&1?e
>
>Scott
>
>
>>-----Original Message-----
>>From: Solar Designer [mailto:solar@...nwall.com]
>>Sent: Saturday, February 01, 2025 7:45 PM
>>To: john-users@...ts.openwall.com
>>Subject: Re: [john-users] Zip file assistance
>>
>>Hi Scott,
>>
>>What you're doing is almost right, but not exactly.
>>
>>On Sat, Feb 01, 2025 at 06:01:44PM -0600, Scott Techlist wrote:
>>> JTR jumbo compiled for windows (1.9.0-jumbo-1 64-bit Windows)
>>
>>That's fine, but you could get better results by using a more recent
>>Windows build over the "Download Windows Build" badge/link off our GitHub:
>>
>>https://github.com/openwall/john
>>
>>It currently links to:
>>
>>https://github.com/openwall/john-packages/releases
>>
>>There have been bug fixes related to PKZIP file support since the
>>1.9.0-jumbo-1 release.
>>
>>That said, if you only need to crack one password, then you can continue
>>with your currently installed version first - just correct its usage
>>(see below). Only if that doesn't crack the password, you upgrade and
>>try again.
>>
>>> Johnny Windows GUI (2.2)
>>
>>Few of us in here are familiar with Johnny (we normally use the
>>command-line directly).
>>
>>> I have a couple of zip files I password protected several years ago, almost surely created with PKZip, file dates 2009 and 2015, I've forgotten the tail end of what I am confident is a 1 word password. I have a high confidence in knowing the first 10 characters of the password, with the remainder probably up to 8 numbers.
>>
>>You can write this as a mask - first the 10 known characters verbatim,
>>then ?d?d?d?d?d?d?d?d for 8 digits (adjust the number to try other than
>>8 as well).
>>
>>> In the GUI, I enter a value for "guess password"
>>
>>You shouldn't. That's a weird feature, which merely tests _one_
>>password guess you enter.
>>
>>> The command line generated is apparently:
>>>
>>> C:/Users/scott/Downloads/john-1.9.0-jumbo-1-win64/john-1.9.0-jumbo-1-win64/run/john.exe --format=PKZIP --mask= --session=C:/Users/scott/.john/sessions/02-01-25-17-34-36 C:/Users/scott/pw.lst
>>
>>It looks like you chose mask mode (good!) but did not specify a mask, so
>>it's using the default mask instead of what you need. That's the main
>>issue. You'll want to enter your mask with the known portion and ?d's
>>into the right Johnny input field in the Mask tab.
>>
>>> My questions are:
>>>
>>> 1) Does this look like the correct procedure and resulting command line for my single zip file password retrieval?
>>
>>Almost, but you need the correct mask.
>>
>>> 2) Is there anything I can do to improve my command? Particularly since I know the start of the password.
>>
>>Yes, see above.
>>
>>> 3) Any estimate on how long this would take with this single word password?
>>
>>With the correct mask and given the speed you show, it should take a few
>>seconds to find the missing 8 digits.
>>
>>However, if you're wrong that it's 8 or that it's just digits, then
>>it'll take longer for you and John to also try other possibilities.
>>
>>Alexander
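
Added example (not part of the thread and not code from John the Ripper): the keyspace arithmetic behind the estimates discussed above, showing why eight ?d positions are exhausted in seconds at about 15 million candidates per second while the ?a mask at length 16 needs roughly half a day. It assumes plain ASCII (?a = 95 characters), handles only literal characters and the ?l ?u ?d ?s ?a placeholders, and reads the "(16)" in the status lines as the candidate length being tried; the function names are hypothetical.

```python
# Added example: keyspace arithmetic for John the Ripper-style masks.
# Assumption: plain ASCII, where ?a covers the 95 printable characters.
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def parse_mask(mask):
    """Return the number of candidate characters at each password position."""
    sizes, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch in "[\\":
            # Ranges and escapes are outside this sketch; refuse, don't miscount.
            raise ValueError("ranges and escapes are not handled here")
        if ch == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            if nxt not in CLASS_SIZES:
                raise ValueError("unsupported placeholder ?" + nxt)
            sizes.append(CLASS_SIZES[nxt])
            i += 2
        else:
            sizes.append(1)  # literal character: exactly one choice
            i += 1
    return sizes


def keyspace(mask, length=None):
    """Candidates for the mask, truncated to `length` positions if given."""
    sizes = parse_mask(mask)
    if length is not None:
        if length > len(sizes):
            raise ValueError("mask is shorter than the requested length")
        sizes = sizes[:length]
    total = 1
    for n in sizes:
        total *= n
    return total


def worst_case_seconds(mask, rate, length=None):
    """Time to exhaust the keyspace at `rate` candidates per second."""
    return keyspace(mask, length) / rate


if __name__ == "__main__":
    known = "MyKnwnPart"   # 10-character placeholder used in the thread
    rate = 15_000_000      # rounded from the ~15000Kp/s status lines
    print(worst_case_seconds(known + "?d" * 8, rate))              # seconds
    print(worst_case_seconds(known + "?a" * 11, rate, 16) / 3600)  # hours
```

The second figure comes out at about 13.6 hours, which agrees with the log: the run started around 20:51 and the ETA for length 16 is about 10:30 the next morning.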