01-10-2022, 01:04 PM
Hi,
I used zip2john yesterday to get the hash for a ZIP file. It turned out to be a PKZIP format file. As far as I can tell, Hashcat currently supports this format, yes? I am uncertain because I came across some discussions about this format specifically that left me with the impression that PKZIP may not be fully supported. Those must have been old forum threads. Or was this in relation to data size limit? There are current discussions in the forums and on GitHub, pointing out that the hash size that Hashcat can handle are limited (to 8 kB compressed WinZip?).
I did get the hash I needed using zip2john. Once I had the hash I was able to brute force it in 3 seconds using Hashcat. But I had to decide between what mode to specify, 17200 for compressed or 17210 for uncompressed. I think my ZIP file was compressed, so it returned some messages about "signature unmatched" (if memory serves me) for one or the other. Once I tried the other mode, it worked like a charm. So my question is, how do you know if a ZIP is compressed or not? How do you decide between 17200 and 17210?
zip2john outputs this first line:
What is this? What do I see here? Specifically, what is "cmplen" and "decmplen" in English? I have searched the web for a while and not found any indication of what this means, other than that it indicates some kind of properties of the file and that "cmplen" is 0 for when the program fails to extract the hash. I suppose "Encr" stands for "encryption"? Can this string tell me if my ZIP file is compressed or not? That would be very useful then so I know how to use Hashcat with it.
The CRC in the output did not match the CRC of the ZIP file when I check it myself. What does this mean then?
I used zip2john yesterday to get the hash for a ZIP file. It turned out to be a PKZIP format file. As far as I can tell, Hashcat currently supports this format, yes? I am uncertain because I came across some discussions about this format specifically that left me with the impression that PKZIP may not be fully supported. Those must have been old forum threads. Or was this in relation to data size limit? There are current discussions in the forums and on GitHub, pointing out that the hash size that Hashcat can handle are limited (to 8 kB compressed WinZip?).
I did get the hash I needed using zip2john. Once I had the hash I was able to brute force it in 3 seconds using Hashcat. But I had to decide between what mode to specify, 17200 for compressed or 17210 for uncompressed. I think my ZIP file was compressed, so it returned some messages about "signature unmatched" (if memory serves me) for one or the other. Once I tried the other mode, it worked like a charm. So my question is, how do you know if a ZIP is compressed or not? How do you decide between 17200 and 17210?
zip2john outputs this first line:
Code:
ver 1.0 FileName.zip/FileName/FileName.zip PKZIP Encr: cmplen=199, decmplen=187, crc=77ED3C74
What is this? What do I see here? Specifically, what is "cmplen" and "decmplen" in English? I have searched the web for a while and not found any indication of what this means, other than that it indicates some kind of properties of the file and that "cmplen" is 0 for when the program fails to extract the hash. I suppose "Encr" stands for "encryption"? Can this string tell me if my ZIP file is compressed or not? That would be very useful then so I know how to use Hashcat with it.
The CRC in the output did not match the CRC of the ZIP file when I check it myself. What does this mean then?