Possibility of zip archive password cracking?
#12
Tarcel, do you have 4 or more files in your archive, and was it generated with a WinZip version prior to 8? In that case, the entropy of the IVs is much lower due to a bug in WinZip's implementation, and such an archive can be broken easily in 2-3 hours on a CPU (BTW that attack is not applicable on GPUs) even if a complex password was used. ElcomSoft's software does that, I think.

Other than that, there is no GPU-enabled cracker that can crack classic (ZIP 2.0) encryption on AMD GPUs yet. Mine would be the first to do that :)

Also, cracking speed with classic encryption depends a LOT on the number of files in the archive. Optimal speeds are reached when there are at least 3 files. The reason for that is that the password verifier is just one byte long and you have a 1/256 chance of a false positive - in that case you need to decrypt the whole file, decompress it, calculate the CRC and compare it to the header CRC. There are some early heuristic checks that can be done that get the possibility of a false positive from 1/256 to, say, 1/1024 or more, but that's still not enough. If you have, say, 3 files in the archive, then you have 3 verifier values available that get the possibility of a false positive down to 1/16 million. With 4 files it gets down to 1/4 billion.

To summarize: if your zip file has just one big file in the archive, password recovery proceeds at very low speed. If you have 3 or more files, you can utilize the GPU at 100% to recover the password - my program achieves speeds of 630 million c/s on a 5870 at stock clocks. The paradox is that NVidia is faster than AMD in that particular algo, and a GTX580 can get you about 700-800M/s.

ZIP 3.0 (strong AES encryption) is a completely different beast; it is rather ALU-bound (PBKDF2, 1000 iterations) and it does not matter how many files you have in the archive. Smaller files typically lead to faster cracking though.

As far as RAR is concerned, things get very ugly. There are two options here - using header encryption (-hp mode) and not using header encryption (-p mode).

-hp mode is very easy and does not depend on the number or size of files in the archive. All you need to do is the SetCryptKeys transformation (apply password+salt ~262000 times, then do sha1 on it), then get the encryption key and IV, decrypt the header and compare part of it to a well-known value.

-p mode is very nasty because there is no "early check" - you basically need to replicate the complete unrar functionality: decrypt the file, decompress it, calculate the CRC, compare. The RAR compression algorithm is proprietary and badly documented. I am currently working on that, and at this point I successfully crack both types on CPU (GPU support not ready yet). Unfortunately there is a big problem with -p mode and large files in the archive - speed drops a lot and it all becomes a disaster. I am now working on some early heuristic checks, but still it's not adequate and I am kinda desperate. It works like a charm with archives in -p mode with files less than 1-2MB in size though.

Also, RAR password hashing is a _BRUTAL_ one, much, much worse than WPA or MSCASH2. My speed projections on a 5870 are about 14000-15000 c/s, although it depends on password length, and this is for length=8. As a comparison, WPA on a 5870 does about 100000 c/s, almost 8 times faster.


Overall, I think cracking archives is an interesting thing to do. I can also help if you decide to implement it in oclhashcat.
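Added example (not code from gat3way's post or his tool): the one-byte ZIP 2.0 password verifier that the post describes, implemented in Python so the 1/256-per-file false-positive rate can be measured rather than taken on faith. The stream cipher and key schedule follow the PKWARE APPNOTE "traditional" encryption (the same algorithm Python's `zipfile` module implements); the password `b"correct horse"`, the per-file CRCs, the header bytes and the wrong candidate passwords are all constructed for the demo. `count_false_positives` shows why a single-file archive cannot reject most wrong passwords on the verifier alone, while three or four files make a false positive practically impossible.

```python
"""ZIP 2.0 ("traditional" PKWARE) password verifier and its false-positive rate.

Added example, not part of the original forum post. Cipher per PKWARE APPNOTE
section 6.1 (traditional encryption). All passwords, CRCs and header bytes are
constructed here for illustration.
"""
import random

# CRC-32 table (reflected polynomial 0xEDB88320); the key schedule uses the raw
# table step, without the usual pre/post inversion.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


class PkzipCipher:
    """PKZIP traditional stream cipher: three 32-bit keys seeded from the password."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        # Keys advance on each *plaintext* byte (the cipher is self-synchronising).
        self.k0 = (self.k0 >> 8) ^ _CRCTAB[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def _stream_byte(self) -> int:
        t = (self.k2 & 0xFFFF) | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_header(password: bytes, file_crc: int, rng: random.Random) -> bytes:
    """12-byte encryption header: 11 random bytes + the high byte of the file CRC."""
    plain = bytes(rng.randrange(256) for _ in range(11)) + bytes([(file_crc >> 24) & 0xFF])
    return PkzipCipher(password).encrypt(plain)


def verifier_ok(password: bytes, header: bytes, file_crc: int) -> bool:
    """The only cheap check available: does the decrypted 12th header byte match?"""
    return PkzipCipher(password).decrypt(header)[11] == (file_crc >> 24) & 0xFF


def false_positive_rate(n_files: int) -> float:
    """Probability that a wrong password passes the verifier of every file."""
    return 256.0 ** -n_files


def count_false_positives(headers, crcs, candidates):
    """Return (candidates passing file #1 alone, candidates passing all files)."""
    single = sum(1 for pw in candidates if verifier_ok(pw, headers[0], crcs[0]))
    every = sum(1 for pw in candidates
                if all(verifier_ok(pw, h, c) for h, c in zip(headers, crcs)))
    return single, every


def demo(n_files: int = 4, n_candidates: int = 5000, seed: int = 1):
    """Build n_files headers under one real password, then test wrong candidates."""
    rng = random.Random(seed)
    real = b"correct horse"                                  # constructed password
    crcs = [rng.getrandbits(32) for _ in range(n_files)]     # constructed file CRCs
    headers = [make_header(real, c, rng) for c in crcs]
    assert all(verifier_ok(real, h, c) for h, c in zip(headers, crcs))
    wrong = [b"wrong-%d" % i for i in range(n_candidates)]  # constructed candidates
    return count_false_positives(headers, crcs, wrong)


if __name__ == "__main__":
    single, every = demo()
    print(f"1 file : {single}/5000 wrong passwords pass the verifier "
          f"(expected about {5000 * false_positive_rate(1):.1f})")
    print(f"4 files: {every}/5000 pass all four verifiers "
          f"(expected about {5000 * false_positive_rate(4):.1e})")
```

With one file, roughly 20 of the 5000 wrong candidates survive the verifier and would each force the full decrypt-decompress-CRC path the post complains about; with four files, none do, which is the 1/4 billion figure from the post. The verifier byte is the high byte of the CRC (or of the modification time when the local header's bit 3 is set), so a checker must read that flag before deciding which value to compare against.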


RE: Possibility of zip archive password cracking? - by gat3way - 02-03-2012, 11:26 AM