Cracking zip files passwords using “John the Ripper”.

While looking up an old document in my Archive, i found a bunch of old .zip files (20+ years old) that i remember protecting long long time ago with a password that i actually forgot. You must have faced an similar situation, or you might have been asked to recover a password protected .zip files, otherwise you would not be reading this post.

All hope is not lost. There are many tools and services that provide .zip files password recovery. I will not address them in this post. As the title implies, i would show how to use the famous tool JohnTheRipper to crack the .zip file and recover the password.

John the Ripper

John the Ripper is one of the most famous command-line tools to crack passwords. It is a free and open-source tool that was originally developed for UNIX based systems, but now run on many other platforms, such as Windows, Linux and Mac OS X. It combines a number of password crackers into one package.

It is possible to download a pre-compiled version of John, but to ensure the best performance, it is recommended to compile John from source on the machine(s) you want to use for passwords-cracking. Because that ensures that John with use all the and computing capabilities of the machine and the operating system, among which, using available GPUs, available CPUs and cores, taking advantage of multi-threading.

To compile John the ripper from source, you will have to follow the instructions mentioned in the website of OpenWall, the maintainers of the package, under https://www.openwall.com/john/. If you are not familiar with compiling source code, I recommend that you reading about it as it is a handy skill.

Installing John

For completeness, I added the steps that works for me on a Debian Linux Machine, when this article was written 20.10.2020. If this is out of the question for you, use the pre-compiled version, and skip this part.

First let’s install libraries and tools essentials for the compiling from source, and the libraries system libraries required by john on Debian:

$ sudo apt install build-essential libssl-dev zlib1g-dev

Now let’s download the source code to a temporary folder then compile it and at the end install it system wide for the current user. Make sure to adjust the wget command argument to the link to the current john sources tar file by checking this page https://www.openwall.com/john/.

$ mkdir -p ~/temp
$ cd ~/temp
$ wget https://www.openwall.com/john/k/john-1.9.0-jumbo-1.tar.xz
$ tar xf john-1.9.0-jumbo-1.tar.xz

Now let’s configure the make file for system wide installation, then compile the source code:

$ cd ~/temp/john-1.9.0-jumbo-1/src
$ ./configure CFLAGS="-DJOHN_SYSTEMWIDE=1"
$ make -sj4

If everything went smoothly, the compiled software will be placed the run directory. Let us move it to another folder that is not “temporary”, and at the same time let’s move the configuration files of john to a hidden folder at and let’s call it ~/.john.

$ mkdir -p ~/Apps/john
$ cp ~/temp/john-1.9.0-jumbo-1/run/* ~/Apps/john
$ mkdir ~/.john
$ mv ~/Apps/john/*.{conf,chr,lst} ~/.john/
$ mv ~/Apps/john/rules ~/.john/
$ sed -i -e "s|\$JOHN|~/.john|" ~/.john/john.conf
$ sed -i -e "/.include/ s|<\(.*\)>|\"~/.john/\1\"|" ~/.john/*.conf

Finally we add the ~/App/john folder to the environment PATH variable by adding an export command at the end of the .bashrc file, and we are set.

$ echo "export PATH=\$PATH:~/Apps/john" >> ~/.bashrc
$ source ~/.bashrc

Testing John

You can test and benchmark the installation by using:

$ ./run/john --test

Using John

Now that we have john installed and running. Before starting to crack the password of the protected .zip file, we need to prepare the “cracking environment” which means:

  • Prepare the cracking project folder
  • Extract the hash(es) from the password protected .zip file
  • Prepare wordlist(s)
  • Edit the john configuration file

The project folder

This is not a mandatory, but it is recommended for a clean and manageable digital environment.

create a folder that will contain, the .zip file to be cracked, the hash of that .zip file, a project configuration file for john, a special project words list.

This folder will also contain the john session files which are files that store the progress of john so that the process can resume from where it was last interrupted.

Extracting the hash of the .zip file

John the Ripper comes with many utilities that extracts the password hash from the protected file and pipe it to the standard output. for .zip files protected with a pkzip password, the tool is called zip2john. Let’s assume the file in question is called encrypted.zip.

$ zip2john encrypted.zip > encrypted.zip.hash

This will extract the hash from the .zip file and put it in the encrypted.zip.hash file.

What we are trying to attempt is to use john to go through many possible passwords until one generates the same hash that we extracted from the .zip file.

Running John with default configurations

To run John with the default configuration that are stored in ~/.john/john.conf and using the default dictionary and the default rules simply pass the extracted hash to john in the command line, and do not forget to specify a session name, for example “cracking”:

$ john --session=cracking encrypted.zip.hash

John will start testing passwords using the default configurations. It will also create the session files. To quit the process press “q” or Ctrl-C, and to get the status press Enter.

To resume the session from where it was last interrupted use the commend:

$ john --restore=cracking

After cracking is successful, John store the cracked password and you can display it by running:

$ john --show encrypted.zip.hash

Final thoughts…

Using the default configurations might not be the best and fastest way to crack a password, for instance, it took my 4 CPU desktop more than 4 days to crack a 10-characters-long password that contained numbers, special characters, small and capital letters.

You could for example use a better dictionary, or change the rules for the rule-based cracking attack. Also you could use John on the cloud (like AWS). That will be the topic for one or more future posts.

Good luck.