ZIP - AES256
#1
Hello,
I have an old ZIP document with a forgotten password. I checked the encryption:

7z.exe l -slt s:\test.zip

Path = screenshots\056413.jpg
Folder = -
Size = 1281924
Packed Size = 1280035
Modified = 2005-07-19 21:58:14
Created =
Accessed =
Attributes = ....A
Encrypted = +
Comment =
CRC =
Method = AES-256 Deflate
Host OS = FAT
Version = 20


Can I use hashcat (CPU or GPU decrypt)? 


Thanks for your answer
#2
First you need to extract the hash(*) from your encrypted 7z:
1) via offline tool https://github.com/openwall/john/blob/bl...7z2john.pl
2) or via online tool

Then use hashcat mode 11600 (7-Zip) to try to crack it.

(*) sample hash : (password hashcat) : $7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c419a25acd40c0c2d75421cf23263f69c51b13f9b1aada41a8a09f9adeae45d67c60b56aad338f20c0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cb1ac7bb7d771f546b82cf4e6f11a5ecd4b61751e4d8de66dd6e2dfb5b7d1022d2211e2d66ea1703f96
#3
Hello,
Thank you for your answer, but this is a .zip file, not a .7z file. Are you sure that I can use 7z2john?

For hash I used zip2john - I have it.

I tried to use this hash with mode 11600:
hashcat -a 0 -m 17220 s:\x1.txt D:\HACK\realuniq.lst

and I got error:
hashcat (v6.1.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
CUDA API (CUDA 11.1)
====================
* Device #1: GeForce RTX 3070, 7132/8192 MB, 46MCU

OpenCL API (OpenCL 1.2 CUDA 11.1.114) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce RTX 3070, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashfile 's:\hash.txt' on line 1 (1.zip/...e/screenshots/aaa.jpg:1.zip:s:\1.zip): Separator unmatched
Hashfile 's:\hash.txt' on line 2 (1.zip:... /screenshots/aj.jpg:s:\1.zip): Separator unmatched
No hashes loaded.

Started: Tue Dec 08 16:08:25 2020
Stopped: Tue Dec 08 16:08:27 2020

Before I sent this post I tried these modes on that hash:
  17200 | PKZIP (Compressed)                              | Archives
  17220 | PKZIP (Compressed Multi-File)                    | Archives
  17225 | PKZIP (Mixed Multi-File)                        | Archives
  17230 | PKZIP (Mixed Multi-File Checksum-Only)          | Archives
  17210 | PKZIP (Uncompressed)                            | Archives
  20500 | PKZIP Master Key                                | Archives
  20510 | PKZIP Master Key (6 byte optimization)          | Archives
  23003 | SecureZIP AES-256                                | Archives
 
and now
  11600 | 7-Zip                                            | Archives
#4
Sorry, read too fast :D
1) use offline zip2john tool
2) or same online tool

mode depends on the hash ($zip$ or $pkzip$)
winzip = 13600, pkzip : https://hashcat.net/wiki/doku.php?id=example_hashes
#5
(12-08-2020, 10:48 PM)Mem5 Wrote: Sorry, read too fast :D
1) use offline zip2john tool
2) or same online tool

mode depends on the hash ($zip$ or $pkzip$)
winzip = 13600, pkzip : https://hashcat.net/wiki/doku.php?id=example_hashes

I tried this:

zip2john.exe "C:\HACK\1.zip" > c:\hack\hash.txt

I got some messages on screen:
[Image: 5AY8l7G.png]

And in hash file I have
[Image: IlDUCHI.png]

and
[Image: w6erPDA.png]

I tried that hashfile in hashcat - 13600, 17200, 17220, 17225, 17230, 17210, 20500, 20510 - all with error
[Image: hOPjbpl.png]
#6
I tried to compress it with the same method, but there is a difference:
AES-256 Deflate:Maximum vs AES-256 Deflate

OLD file vs New file

[Image: ToHskt5.png]
#7
Post the cmd output of mode 17220

Also: https://github.com/hashcat/hashcat/issue...-530489997

Not sure if above is still relevant and/or relevant to you.
#8
(12-23-2020, 09:20 AM)x34cha Wrote: Post the cmd output of mode 17220

Also: https://github.com/hashcat/hashcat/issue...-530489997

Not sure if above is still relevant and/or relevant to you.

[Image: ZE97ukT.png]
#9
(12-23-2020, 09:55 AM)Kardokip Wrote: (quoting x34cha)
Post the cmd output of mode 17220

Also: https://github.com/hashcat/hashcat/issue...-530489997

Not sure if above is still relevant and/or relevant to you.

I see it now....
hashcat supports a data length of about 8 KB (compressed of course) for -m 13600 = Winzip

My hash file is too big :( Can I make it smaller?
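Added example, not part of any post in this thread and not hashcat or John the Ripper code: a small Python helper for the three points raised above (the "Separator unmatched" error in #3, the signature-to-mode advice in #4, and the data size limit in #9). It pulls the bare hash out of a zip2john line, since hashcat expects only the hash string on each line, and reports the AES strength and data size. The `ASSUMED_MAX_DATA` value is an assumption taken from the "about 8 KB" figure in #9, and the sample lines are constructed.

```python
import re

# Hash signature -> hashcat mode. 13600 is the WinZip mode named in the thread;
# legacy PKZIP hashes use one of the 172xx modes listed there, by archive content.
MODES = {"zip2": "13600", "pkzip2": "17200-17230", "pkzip": "17200-17230"}
AES_BITS = {"1": 128, "2": 192, "3": 256}  # WinZip AES strength field
ASSUMED_MAX_DATA = 8192  # assumption: the "about 8 KB" quoted in post #9

# A zip2john line is "<label>:<hash>:<file names...>"; keep only the hash.
HASH_RE = re.compile(r"\$(zip2|pkzip2?)\$.*?\$/\1\$")


def inspect_line(line, max_data=ASSUMED_MAX_DATA):
    """Return the bare hash plus mode and size details, or None if no hash."""
    m = HASH_RE.search(line)
    if m is None:
        return None
    info = {"hash": m.group(0), "mode": MODES[m.group(1)], "fits": True}
    if m.group(1) == "zip2":
        # $zip2$*type*strength*magic*salt*verify*len*data*auth*$/zip2$
        fields = m.group(0).split("*")
        if len(fields) >= 9:
            info["aes_bits"] = AES_BITS.get(fields[2])
            info["data_bytes"] = len(fields[7]) // 2  # hex chars -> bytes
            info["fits"] = info["data_bytes"] <= max_data
    return info


# Constructed sample lines (made-up salt, data and tag; not from the thread).
_SALT, _TAG = "00112233445566778899aabbccddeeff", "00112233445566778899"
SMALL = ("1.zip/screenshots/aaa.jpg:$zip2$*0*3*0*" + _SALT + "*abcd*4*deadbeef*"
         + _TAG + "*$/zip2$:screenshots/aaa.jpg:1.zip:s:\\1.zip")
LARGE = ("1.zip/screenshots/big.jpg:$zip2$*0*3*0*" + _SALT + "*abcd*2328*"
         + "ab" * 9000 + "*" + _TAG + "*$/zip2$:screenshots/big.jpg:1.zip:s:\\1.zip")

if __name__ == "__main__":
    for line in (SMALL, LARGE):
        r = inspect_line(line)
        verdict = "ok" if r["fits"] else "data too large"
        print(r["mode"], r["aes_bits"], r["data_bytes"], verdict)
```

When an archive holds several files, each file gets its own line, so a line for a smaller file in the same archive may pass the size check where a large one does not.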
#10
I decided to make a little test - I created a zip file with 7zip:


[Image: QeeKJxC.png]

[Image: 7ml3T0B.png]

I made a hash
[Image: FMJ6lDm.png]

[Image: wKLbOcv.png]

And I tried to get the password and failed - where is the problem? All modes - 11600,13600,17200,17220,17225,17230,17210,2050,20510,23003

[Image: I1auPFC.png]