Newbie Question - Zip file with Images
#1
I have an encrypted Zip file containing 20 JPG files, each in the 4-12 MB range. I know that somewhere in the first 256 bytes of each of the original files is the camera metadata ("Canon EOS 5D Mark III"). Is there any way of leveraging the fact that I know that this text must exist in the first 256 bytes of each file to use hashcat and/or Zip2John to determine what the password is for this file? I believe the password is probably around 20 characters long but have absolutely no idea what it might be.
Reply
#2
(08-07-2021, 02:55 AM)Mdd Wrote: I have an encrypted Zip file containing 20 JPG files, each in the 4-12 MB range. I know that somewhere in the first 256 bytes of each of the original files is the camera metadata ("Canon EOS 5D Mark III"). Is there any way of leveraging the fact that I know that this text must exist in the first 256 bytes of each file to use hashcat and/or Zip2John to determine what the password is for this file? I believe the password is probably around 20 characters long but have absolutely no idea what it might be.

There are some well-known attacks using known plaintext against protected zip files.
Take a look at this for some info:

https://crypto.stackexchange.com/questio...t-password

And this:
https://math.ucr.edu/~mike/zipattacks.pdf
Reply
#3
Great answer, TheAleph.

And if your zip file is using PKZIP and you want to use hashcat modes -m 20500 = PKZIP Master Key or -m 20510 = PKZIP Master Key (6 byte optimization), we recommend that you use https://github.com/kimci86/bkcrack, which was tested (by s3in!c et al.) together with -m 20500/-m 20510. This only works for the older versions of the zip files, of course; WinZip is much different/harder.
Reply
#4
Guys

I appear to be missing something.

└─# zip2john Kendall.zip  > foo.txt
Kendall.zip/Kendall/ is not encrypted!
ver 2.0 Kendall.zip/Kendall/ is not encrypted, or stored with non-handled compression type
ver 2.0 Kendall.zip/Kendall/RA9A2280.JPG PKZIP Encr: cmplen=4686704, decmplen=4721153, crc=CB2DC226
ver 2.0 Kendall.zip/Kendall/RA9A2284.JPG PKZIP Encr: cmplen=4446209, decmplen=4475193, crc=AE0B9B6F
ver 2.0 Kendall.zip/Kendall/RA9A2285.JPG PKZIP Encr: cmplen=6512258, decmplen=6533864, crc=516A5A2F
ver 2.0 Kendall.zip/Kendall/RA9A2286.JPG PKZIP Encr: cmplen=7092889, decmplen=7115928, crc=244D4FAA
ver 2.0 Kendall.zip/Kendall/RA9A2288.JPG PKZIP Encr: cmplen=6138845, decmplen=6160081, crc=859D9DAC
ver 2.0 Kendall.zip/Kendall/RA9A2289.JPG PKZIP Encr: cmplen=6116614, decmplen=6129588, crc=2530C17A
ver 2.0 Kendall.zip/Kendall/RA9A2291.JPG PKZIP Encr: cmplen=6341954, decmplen=6353870, crc=B9CCECFD
ver 2.0 Kendall.zip/Kendall/RA9A2293.JPG PKZIP Encr: cmplen=7796381, decmplen=7805670, crc=A043B18E
ver 2.0 Kendall.zip/Kendall/RA9A2294.JPG PKZIP Encr: cmplen=7541687, decmplen=7550439, crc=7941E228
ver 2.0 Kendall.zip/Kendall/RA9A2295.JPG PKZIP Encr: cmplen=8776684, decmplen=8784482, crc=964008F5
ver 2.0 Kendall.zip/Kendall/RA9A2296.JPG PKZIP Encr: cmplen=8893692, decmplen=8912584, crc=F5D74BBB
ver 2.0 Kendall.zip/Kendall/RA9A2297.JPG PKZIP Encr: cmplen=7034840, decmplen=7044358, crc=CF9AC5D5
ver 2.0 Kendall.zip/Kendall/RA9A2308.JPG PKZIP Encr: cmplen=5155305, decmplen=5173074, crc=54C443B3
ver 2.0 Kendall.zip/Kendall/RA9A2309.JPG PKZIP Encr: cmplen=6142349, decmplen=6161284, crc=234F66B6
ver 2.0 Kendall.zip/Kendall/RA9A2311.JPG PKZIP Encr: cmplen=9873997, decmplen=9881196, crc=4A4B81B3
ver 2.0 Kendall.zip/Kendall/RA9A2312.JPG PKZIP Encr: cmplen=8333796, decmplen=8341639, crc=B345E163
ver 2.0 Kendall.zip/Kendall/RA9A2313.JPG PKZIP Encr: cmplen=12422880, decmplen=12434306, crc=20ABF5C2
ver 2.0 Kendall.zip/Kendall/RA9A2314.JPG PKZIP Encr: cmplen=12765727, decmplen=12777746, crc=F2306E9A
ver 2.0 Kendall.zip/Kendall/RA9A2315.JPG PKZIP Encr: cmplen=12080168, decmplen=12091359, crc=933F9838
ver 2.0 Kendall.zip/Kendall/RA9A2316.JPG PKZIP Encr: cmplen=11916626, decmplen=11940117, crc=BDB516F7
ver 2.0 Kendall.zip/Kendall/Thumbs.db PKZIP Encr: cmplen=549681, decmplen=592896, crc=FFAC8EC1
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.


┌──(root💀49a88fafa9e2)-[/tmp]
└─# more foo.txt
Kendall.zip:$pkzip2$3*1*1*0*8*24*cb2d*5e94*9997e453f66ed7f4f360c2f2ae1e132be029dbc1aed4f62226a0ca87dd08590ca84c1c9f*1*0*8*24*516a*5e99*34448838d45a46657ccfad0b0a526d00dcd7f5a85fb58f137520ed1ae666364c9ccda218*2*0*86331*90c00*ffac8ec1*98a7bf3...

cat foo.txt | grep -E -o '(\$pkzip2\$.*\$/pkzip2\$)|(\$zip2\$.*\$/zip2\$)' > zip.hash


┌──(root💀49a88fafa9e2)-[/tmp]
└─# hashcat -m 17220 -a 3 zip.hash
hashcat (v6.1.1) starting...

Segmentation fault

┌──(root💀49a88fafa9e2)-[/tmp]
└─#
Reply