Cracking password protected zip files on OSX

Posted on by

Background

It seems silly to me that someone would give me a zip file but not the password to open it. I have all of the data, just not the ability to easily read it. So why send the file at all?

Regardless of the answer, this was a fun opportunity to learn a little about John The Ripper (JTR or just ‘john’). There are two versions of john. The normal release and the community “jumbo” release. So which do you use? It depends on what you want to do. Each has a different set of non-overlapping features, and the docs are not always clear on which does what. For the rest of this post I will specifically guide you through using john on OSX to crack a zip file.

Where Do I Begin

Zip support currently only exists in the jumbo release of john, so thats the best place to start, but right away you might notice that by default john is single threaded. Is there a mac today that isn’t multi-core? Cracking can take a long time, so we’ll want to use as much of the CPU as possible to make it faster. Luckily for me, the jumbo release supports OpenMP which can make parts of the program run in parallel.

Sadly for me, OSX Mavericks does not support OpenMP out of the box.

Why Sometimes I Hate My Mac

If only I ran linux, this would be so much easier. Of course many other things would be so much harder, but really Apple?

To build john with OpenMP, I need a modern version of gcc which Apple does not provide. In fact, I’m about to spend the next few hours setting up development environment just so I can build john.

  1. Download and Install Xcode via the AppStore (and grab a snickers, cause this is going to take some time)
  2. Once thats working, install the command line tools:
    1. open a terminal & run:
    2. > xcode-select
  3. If you are me, spend the next 1.5hours debugging why xcode-select doesn’t run (my Xcode install was totally messed up. It seems like some previous version didn’t get fully uninstalled and my environment was a mix of the two)
  4. Now download and install macports
  5. In your terminal, install gcc4.8 via macports (this will also take a long time):
    1. >  sudo port install gcc48
    2. > sudo port select –set gcc mp-gcc48
    3. > hash gcc
  6. OMG, 4 hours later, I’m finally ready to start on the actual project!

Setting Up John

UPDATE: As Mems pointed out below in the comments, you can just grab the jumbo version of john from macports as well (I’m assuming it is also built with openmp support):

> sudo ports install john-jumbo

 

Or you can compile it yourself and fiddle with more optimizations (which is likely unnecessary):

  1. Download and untar john (jumbo)
  2. Back in the terminal go to the john directory:
    1. > cd /path/to/john/
    2. > cd src
  3. Open the Makefile and uncomment this line:  MPFLAGS = -fopenmp -msse2
  4. Now build john:
    1. > make clean macosx-x86-64

Running John

UPDATE: If you installed john from macports, the tools below should already be in your path. See Mem’s comments below…

Before we can start cracking, we first need to setup an input file for john:

  1. > cd ../run/
  2. > ./zip2john /path/to/file.zip > zip_hash.txt

Potentially the fastest way to crack the zip file is to use a dictionary attack. There are a lot of dictionaries/wordlists online, and john can iterate through them and through variations on the words in the list. Skull Security has a nice set to get you started. After you have downloaded one, then you can start running john:

  1. > ./john –wordlist=/path/to/wordlist.txt zip_hash.txt

If this doesn’t work, you can try brute forcing the password:

  1. ./john zip_hash.txt

Other features worth mentioning:

  • John might take several days (or even weeks) to crack the password. You can safely stop it at any time by hitting Ctrl-C. When you are ready to resume again, add the “–restore” option and restart john. It will pickup from where it left off!
  • It may not look like john is doing anything once you start it. Hit enter/return in the terminal and john will print the current status of what it is doing.
  • The activity monitor can show you how much CPU john is using. It should be more than 100% if openMP is enabled.

13 thoughts on “Cracking password protected zip files on OSX

  3. I’ve tried to crack a zip file by typing: ./john /path/to/file, but every time, it gives me ‘No password hashes loaded’

    Reply

  6. fist let me thank you for taking the time to write up a guide like this one for us very new to xcode and terminal in general.

    Now on to my question. Right now im up to installing gcc48 but after the installation concluded and no corrupt files were found message when i run the “sudo port select –set gcc mp-gcc48” it gives me the following warning and does nothing.

    “Warning: The ‘set’ command only expects two arguments. Extra arguments will be ignored.
    Selecting ‘gcc’ for ‘–set’ failed: The specified group ‘–set’ does not exist.”

    If i try to run “sudo port install gcc48” it returns : “—> Computing dependencies for gcc48
    —> Cleaning gcc48
    —> Scanning binaries for linking errors
    —> No broken files found.

    Can anyone please shed any light im really a noob in the subject.

    Reply

    • The zip_hash.txt file gets created in the local directory your are in. In my example, that would be in the run directory. But you can put it anywhere. just change the path to be absolute. For example, this would put it in /tmp:
      > ./zip2john /path/to/file.zip > /tmp/zip_hash.txt

      Reply

Leave a reply to burnsed Cancel reply