It seems silly to me that someone would give me a zip file but not the password to open it. I have all of the data, just not the ability to easily read it. So why send the file at all?
Regardless of the answer, this was a fun opportunity to learn a little about John The Ripper (JTR or just ‘john’). There are two versions of john. The normal release and the community “jumbo” release. So which do you use? It depends on what you want to do. Each has a different set of non-overlapping features, and the docs are not always clear on which does what. For the rest of this post I will specifically guide you through using john on OSX to crack a zip file.
Where Do I Begin
Zip support currently only exists in the jumbo release of john, so thats the best place to start, but right away you might notice that by default john is single threaded. Is there a mac today that isn’t multi-core? Cracking can take a long time, so we’ll want to use as much of the CPU as possible to make it faster. Luckily for me, the jumbo release supports OpenMP which can make parts of the program run in parallel.
Sadly for me, OSX Mavericks does not support OpenMP out of the box.
Why Sometimes I Hate My Mac
If only I ran linux, this would be so much easier. Of course many other things would be so much harder, but really Apple?
To build john with OpenMP, I need a modern version of gcc which Apple does not provide. In fact, I’m about to spend the next few hours setting up development environment just so I can build john.
- Download and Install Xcode via the AppStore (and grab a snickers, cause this is going to take some time)
- Once thats working, install the command line tools:
- open a terminal & run:
- > xcode-select
- If you are me, spend the next 1.5hours debugging why xcode-select doesn’t run (my Xcode install was totally messed up. It seems like some previous version didn’t get fully uninstalled and my environment was a mix of the two)
- Now download and install macports
- In your terminal, install gcc4.8 via macports (this will also take a long time):
- > sudo port install gcc48
- > sudo port select –set gcc mp-gcc48
- > hash gcc
- OMG, 4 hours later, I’m finally ready to start on the actual project!
Setting Up John
UPDATE: As Mems pointed out below in the comments, you can just grab the jumbo version of john from macports as well (I’m assuming it is also built with openmp support):
> sudo ports install john-jumbo
Or you can compile it yourself and fiddle with more optimizations (which is likely unnecessary):
- Download and untar john (jumbo)
- Back in the terminal go to the john directory:
- > cd /path/to/john/
- > cd src
- Open the Makefile and uncomment this line: MPFLAGS = -fopenmp -msse2
- Now build john:
- > make clean macosx-x86-64
UPDATE: If you installed john from macports, the tools below should already be in your path. See Mem’s comments below…
Before we can start cracking, we first need to setup an input file for john:
- > cd ../run/
- > ./zip2john /path/to/file.zip > zip_hash.txt
Potentially the fastest way to crack the zip file is to use a dictionary attack. There are a lot of dictionaries/wordlists online, and john can iterate through them and through variations on the words in the list. Skull Security has a nice set to get you started. After you have downloaded one, then you can start running john:
- > ./john –wordlist=/path/to/wordlist.txt zip_hash.txt
If this doesn’t work, you can try brute forcing the password:
- ./john zip_hash.txt
Other features worth mentioning:
- John might take several days (or even weeks) to crack the password. You can safely stop it at any time by hitting Ctrl-C. When you are ready to resume again, add the “–restore” option and restart john. It will pickup from where it left off!
- It may not look like john is doing anything once you start it. Hit enter/return in the terminal and john will print the current status of what it is doing.
- The activity monitor can show you how much CPU john is using. It should be more than 100% if openMP is enabled.