zip file(s) problems
I am testing the hashcat with zip files and it turns to be quite picky.

I am starting by creating a password protected zip file, generating the hash file with zip2john, modifying the hash file so that it can work with hashcat, and running 

hashcat -m 17200 -a 3 hashfile password

It works correctly, confirming I am on the right track, but only for zip files prepared with a 30 years old shareware version pkzip run in a DOS Box (yes, I am that old that I still have backups from 80/90s Wink ). For these files after a second or two required to initialize everything hashcat shows a status of "cracked" and adds result to the pot file. But it doesn't work neither for zip files made with current versions of 7zip , nor WinRAR (with selected ZIP legacy encryption) nor with standard linux zip (ver. 3.0). In all cases hash file looks as expected (starts with $pkzip2$1*1*2*0*) and no errors are reported on start. hashcat runs not reporting any problems, but in the end it always shows status "Exhausted". I tried also other zip related modes than 17200, but to no avail. 

I admit I don't have the newest pkzip from pkware, but I am kinda wary of paying for a software that may or may not solve the problem.

Am I doing something wrong, or is it just the way hashcat works? JtR cracks all these files with no complaints, but hashcat is substantially faster with GPU usage. 

To add some background to what and why I am testing: I am working on an OSINT and Digital Forensics based Alternate Reality game, where cracking/guessing passwords to get access to real files is part of the gameplay. Players are free to choose their own tools, but I want to be sure things work more or less as expected, to not add unnecessary frustration to the experience. As part of that I want to check how long it takes to crack passwords to zip files to make sure players will be able to brute force passwords in reasonable time (say 24h, not 24 weeks) on a reasonably priced computer (reference being my eight core i7 with 3060).
Hashcat doesn't support all versions of zip/7z/rar yet. You can see supported hashes by running hashcat --help. You can also test with John the ripper hashes that don't work with Hashcat.
(06-19-2023, 06:03 PM)marc1n Wrote: Hashcat doesn't support all versions of zip/7z/rar yet. You can see supported hashes by running hashcat --help.

Sadly that's at best a half true. Yes, it lists hashes. But there is no way to tell if the hash extracted from the zip file is supported. In all cases I described hashes produced by zip2john looked correctly and were read by hashcat, it just didn't crack the password even after exhausting the search space for a given mask.

How am I going to know whether the problem is with a wrong mask, or whether for this specific zip I am just wasting time with hashcat? No way to tell.

I belive this deserves some additional info in documentation. Fact that none of the tutorials/sources I checked while searching for what I am doing wrong mentioned it makes me believe I am not the first one to miss the problem.