[Sartux]

Hi all sorry I have been away for a while.
This tutorial will teach you how to crack ANY password protected zip or rar file using a tool called fcrackzip. It's easy to use and its very fast compared to other tools as its written in assembly.

You need to use linux for this. I know lots of people try and use windows but if you are even a bit serious into hacking/cracking you need to start using Linux - its easy to use and takes about 30 minutes to set up.

Seriously. stop using windows. We have a linux help thread here on sinster and you can PM me if you need more help.

Anyway here is the tutorial:

1) create a password protected zip file to practice on. Most distros you can just right click on a file and do 'create archive'. Make sure the password is all lowercase and 3 letters long for speed in testing.

2) type 'sudo apt-get install fcrackzip' to get fcrackzip.

3) navigate to the folder your zip is in (cd ...)

4) type fcrackzip -b -l 3 -c a -u yourzipfilename.zip
What this means is use fcrack zip
-b means use bruteforce (you can use a wordlist instead if you want)
-l 3 means the length of the password (which is 3 in this case), you can specify range or use number but using a range takes a long time.
-c a means use just lowercase, you can use a1 for letters and numbers etc.
-u means that it will do a test unzip to make sure password was correct. If you dont select this it is a bit faster but you will get a few passwords to try/sometimes it will be wrong.

5) wait. It can take a long time, especially if you used a range.

6) PASSWORD FOUND!!!!: pw == xxx

7) profit.

[mothered]

This Is quite effective for easy to guess/commonly used passwords.

If It's a 12 character password consisting of alphanumeric, upper & lowercase, special characters with no two types In the same sequence, dedicate an entire century to crack It.

[Sartux]

This Is quite effective for easy to guess/commonly used passwords.

If It's a 12 character password consisting of alphanumeric, upper & lowercase, special characters with no two types In the same sequence, dedicate an entire century to crack It.

Definitely - you'll never get anywhere with a password like that!

However, I've found that people are much less secure with their rar/zip passwords than they are with internet passwords. As they're usually kept locally most people just want to stop someone accidentally opening/snooping around on an unlocked pc so have a password like '888' or 'apple' - both of which are easy to get through this or using the wordlist option.

[mothered]

This Is quite effective for easy to guess/commonly used passwords.

If It's a 12 character password consisting of alphanumeric, upper & lowercase, special characters with no two types In the same sequence, dedicate an entire century to crack It.

However, I've found that people are much less secure with their rar/zip passwords than they are with internet passwords. As they're usually kept locally most people just want to stop someone accidentally opening/snooping around on an unlocked pc so have a password like '888' or 'apple' - both of which are easy to get through this or using the wordlist option.

Most certainly agree.

The majority of users base their passwords on personal entities, without any form of complexity. You'll also notice that those containing numbers, are mostly at the "end" of the password, seldom at the beginning or somewhere In the middle.

[Sartux]

The majority of users base their passwords on personal entities, without any form of complexity. You'll also notice that those containing numbers, are mostly at the "end" of the password, seldom at the beginning or somewhere In the middle.

Very good point about the numbers being mostly at the end - often it's 1, 2 or 4 digits too. I think you can get even closer/narrow down the wordlist by thinking that the 2 or 4 digit numbers will be years (87 or 1987) or repeated numbers (4444).

I might write a tutorial on making good word lists at some point if you think it might be useful to other forum users?

[Drako]

Yeah, people usually put very weak passwords on archived files. It doesn't cross many peoples' minds that their computers can get infected, and file upload accounts can also get hacked. It just doesn't get reported on very much. So basic passwords that can be cracked with a dictionary attack.

[mothered]

I might write a tutorial on making good word lists at some point if you think it might be useful to other forum users?

I believe quite a few members will find It of benefit.

A wordlist generator named Crunch, does a remarkable job. I remember creating one that was around 220 GB. Good luck trying to open It with any default text editor.

[elyesiano]

It still works in windows or not?

[retroplayer]

Wouldn't John the Ripper do the same job? I am a bit new to cracking, and I have never heard of this tool.

[Sartux]

It still works in windows or not?

No, there's an old version which doesn't work very well available for windows, so you should use linux.

There really isn't any reason you shouldn't be using Linux if you're doing something like this. I'm not a huge linux fanboy or anything, it's just that all the software/capability is on linux, and as I said, it takes about 30 minute to set up. Way less time than trying to struggle along trying to use  windows for something like this..

Wouldn't John the Ripper do the same job? I am a bit new to cracking, and I have never heard of this tool.

John would do the same job, but fcrackzip is an easier solution - no hashes to mess around with etc. If you're happy with john and have the jumbo patch installed theres no real reason to use this - it was mainly for people who want a quick method to try out if they have little experience in cracking.