How hackers crack password protected ZIP files

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
so you have a zip file and you want to extract it to look what's inside but it prompts you to enter a password which you do not know is there any way you can crack this password absolutely yes since extracting an encrypted zip archive is an offline task there are no limitations to the number of tries that you have to guess the password so you can simply Brute Force the password of a zip file to crack it and in this video I'm going to show you exactly that before moving on let's take a quick moment to thank the sponsors of this video this video is sponsored by zigocloud zigo cloud is a platform that provides different services like voice and video call live streaming real-time messaging Cloud recording AI video effects etc etc and all of these features can be integrated to your app seamlessly with their easy to use SDK the first thing you would want to do to use any of zigocloud's services is to create an account on zigocloud.com ego Cloud gives 10 000 free minutes for you to use and that should be more than enough to get you started once you create an account create a new project and choose a service that you want to use as a demo let me select voice and video call there are two ways to integrate this to your project and using UI kits is an easier option because you don't even have to design the UI yourself in the next screen you can choose a basic configuration for your app and then click on Save and start integration this generates your app ID and your server secret you can now simply download the HTML file it automatically generated for you that already contains your app ID and server secret embedded inside and all the necessary code to communicate with zigo Cloud's API this also includes the CSS for your user interface and that's it you now have yourself a video and voice calling web app that you can easily integrate into your existing application that's how easy it is so go ahead and check out zigocloud the link will be in the description below as I said you also get 10 000 free minutes to try out their services so go ahead and check them out let me create an encrypted zip archive with a free tool called 7-Zip I will right click the file that I want to compress and click add to Archive and then set a password this will create a dot zip file which requires a password to be extracted in order to crack the password of this ZIP file we can perform a dictionary attack that takes a list of potential passwords called a word list and tries each password from this word list until the correct password is found but before I do this I'd like to give a quick disclaimer this video is intended only for educational purposes I do not encourage anyone to perform illegal activities through this video I am only teaching you open source Knowledge from the perspective of an ethical hacker or a cyber security Enthusiast so keep this in your mind while watching this video there are already some very powerful password cracking tools available to do this kind of task but let's first write our own Python program to crack the password of a zip archive first I'll import a utility called zip file that can be used to extract zip files from python I will create an object of the zip file that I want to crack now I'll open the word list file read each line from this file and try to extract the zip file with it the word list I'm using here is a popular one called rocky.txt which contains more than 14 million most commonly used passwords if the extraction is successful with any password from the word list the program prints the password that worked and then just terminates and just like that we built ourselves a zip password cracking tool that works well I hate to say this to you but our tool is not really efficient it's not fast and it would be much much better if we use industry standard tools like hashcat or John the Ripper which are two of the most incredibly fast password tracking tools that can crack zip archives let me show you how to use a tool called John the Ripper to crack the zip file passwords if you are on Windows you can just download the pre-compiled binaries from the official website the first step is to convert the zip file into a format that John can process to do this we can use a utility called zip2jon that comes pre-bundled with John I will write the output of this to a file called zip dot hash which I can later pass to John for cracking now that I have the hash of the zip file that John can process I will pass the file directly to John and also mention the word list that I want to use which is rocky.txt and that's it John cracked the password in less than a second that's how fast it is compared to our tool that we have written in Python note that Jon uses CPU by default for cracking passwords but gpus are way better than CPUs when it comes to tasks like this so we can increase the speed of our password cracking attack a lot more by using a GPU or a graphics card instead of a CPU John does support GPU processing but it's designed for Linux and it's a little bit complicated to set it up on windows so we'll use another very popular cracking tool called hashcat which claims to be the fastest tool on the market you can download the hashtag binaries for Windows from the official website for hashcad to support GPU processing you first need to install nvidia's Cuda kit you can download it from the official Nvidia website and install it on your computer this kit enables hashcad to communicate with your Nvidia graphics card once you have that installed you can run hashcat with the dash iflag to see if Cuda is directly detected by hashcad now you can go ahead and run your password cracking attack with hashcat by taking advantage of your GPU we will use the same zip to John utility to convert the zip file into a hash but after converting you need to remove the archive name and the file names from the hash value because hashcad only wants the hash and not defile an archive names like John does so I will just open this file in a text editor like notepad plus plus and remove the file names and archive names from the content and make sure the file only contains the hash value before you save it make sure you convert it to UDF 8 with no byte order mark because if the file starts with a bom hashcad will simply fail to recognize the hash once you have your hash ready you can fire up hashcad and run it with a dash dash identify flag and pass the zip dot hash file as the input this will identify the type of hash and display the corresponding hash mode number once it identifies the hash type you can run hash cat again and this time pass the hash mode number with the dash m flag and then input the zip dot hash and also the word list to use for the attack hashcat will by default use your GPU for this cracking attack which is going to be a lot lot faster than Jon once the attack is done it will print the correct password if it was able to crack it but what we have done so far is only a dictionary attack if the password for the zip archive doesn't exist in the word list it means the password cracking will fail a more powerful attack than dictionary attack is called Brute Force attack in this attack we try all the combinations of characters from a given character set as the password until we find the correct one this is obviously more intensive and takes more time than a dictionary attack but it is guaranteed to crack the password because we are literally trying all the combinations strong passwords like this are obviously going to take forever to crack but a weak password like this would not take much time especially considering that we are using a GPU to crack passwords so let's try it I first defined the character set of my password which is going to be only lowercase alphabets in this case then I Define the format of my password in this case I am generating all the combinations from the lowercase alphabets that are 9 characters in Lan a hit enter and hash cat is now running the Brute Force attack which is also called as mask attack in hashcat stems in less than 20 seconds hashcad was able to crack the password with Brute Force attack and this ladies and gentlemen is why you use a strong password that contains a combination of uppercase letters lowercase letters numbers and special characters because it would be incredibly hard to crack such a password by brute force it no matter how many gpus you have so that will be all for this video I hope you learned something new if you did please do not forget to leave a thumbs up below if you're not yet a subscriber please do hit that subscribe button and also turn on the Bell icon to receive instant updates from my channel thanks for watching I'll see you in the next video Until Then cheers
Info
Channel: Tech Raj
Views: 291,942
Rating: undefined out of 5
Keywords: zip cracking, zip password cracking, crack zip passwords, john the ripper, hashcat, ethical hacking, cyber security, hacking, crack passwords, password cracking, best password cracker, tech raj
Id: tpoPdlBr_Gk
Channel Id: undefined
Length: 9min 7sec (547 seconds)
Published: Sat Jul 29 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.