How hackers crack password protected ZIP files
- Published 27 Jul 2023
In this video, I demonstrate how hackers crack protected ZIP archive passwords with tools like John the Ripper and hashcat.
Disclaimer: This video is intended only for educational purposes. I do not encourage anyone to perform illegal activities. I am only teaching you open source knowledge from the perspective of an ethical hacker or a cyber security enthusiast.
We first start by writing our own ZIP password cracking tool in Python, and then learn to use john to crack ZIP archives using a dictionary attack. Then we use hashcat to take advantage of GPU processing, and then move on to the brute-force attack, which is a more powerful attack than the dictionary attack.
Official page of John The Ripper: www.openwall.com/john/
Official page of Hashcat: hashcat.net/hashcat/
Official page of Nvidia CUDA toolkit: developer.nvidia.com/cuda-dow...
Website: techraj156.com
Blog: blog.techraj156.com
Tech Raj - Science and Technology
Watch how hackers hack your social media accounts with Phishing Attacks: ua-cam.com/video/RNzMKEYi2_0/v-deo.html
If the password is too long, you can't crack the password cz it will take forever to guess all the combinations
What if I have *.rar files?
Many people are connected to my wifi but i can't see their mobile name only mac address and ip address i can see ...can u tell me solution how can i see their mobile name
Thanks for educational proposes.
Hentau yeahhhhh
fr
yes…me too
😂😂
Purposes bro 😂
This is a very educational video, for education talk purposes! That being said, this will be fun to *demonstrate* to my friends :)
on the “homework” folder huh
Well, i can't go through 9 minutes of video. Why not just a simple document explaining the same thing?
By the power of exponents it's simply better to have a longer password than it is to have a more complicated one, that is why I always suggest pass phrases over passwords. Pass phrases are easier to remember and don't require special characters. Of course if you are restricted to shorter but more complicated passwords, you SOL lol.
Raj woke up and said to himself hey lets make a video on ancient old cracking technique.
Not a cracking technique, a guessing technique. If you encrypt using the word 'rainbow' and I guess some words from a list I have not cracked anything. I simply guessed the correct password. Also: this becomes much harder if the filenames are also encrypted because if you do not know what the contents should look like you do not know if the 'password' (encryption key would be a better name) was correct.
No No he woke up and thought "let make a Wideo".
Zip files are literally the fastest stuff to crack if you are bored
Can also be impossible entirely 😅
Eggs:
Nonsense, any ZIP 8 alphanum chars + u won’t bruteforce
@@KimYoungUn69 Back in my days zip files even with 20 chars were doable in 30 minutes
Help me please
What is shown in the end of the video as a "strong" password is not really strong. There are just lowercase letters, uppercase letters, numbers and a few common special characters. In total, that's probably less than 100 different character possibilities. And the password is just 14 characters long. So you have 100^14 possible combinations. Which seems like a lot, but then again, the algorithms are really fast.
Now imagine a password like
"Oh my Gosh I'd L0VE to eat a chocolate bar ryght now.". That's 52 characters, easy to remember and because of the spelling mistake in "right", dictionary attacks will fail. The long password would be much harder to crack by a brute force attack.
As a Software Engineer, I can say stand that this is what I call a basic brute force for a Zip File.
have you done it?
@@Rackzzy reverse engineering is my job
can you help, idk how to get hashcat working
@@iota077 you should be a part of the avengers
@@Rackzzy Tony is dead , my work there is done.
yo can you help me with this zip file, I am trying to crack I can't get the exact hash of the zip cause there are multiple files inside of it. It kept telling me to use the -o command cause assuming that the pass is all the same with each file I just need to get the hash of one file and get the pass of that file and everything else should also open. I am still kinda new to this so I really need some help cause there aren't any videos crack open zips with multiple files inside so I am really struggling here
What do you do if trying zip2john to obtain the hash says the file is not encrypted, but the zip has a password?
You have totally encouraged me to pursue the life of criminal hacker. You are the best. I subbed for more tips on how to be successful at crime!
When i try to get zip.hash nothing appears immediately and for a long time windows command processor will increase and increase my ram usage up to over 3.5 gigs of ram. Then after a few minutes i will get some cplen decmplen and crc but not a hash. My file is 1.7 gigs. What can i do?
Finally,
I can extract password protected cracks that the provider did not give me
Only if they are in zip file
@@InnerEagle 99% of passworded compressed files happen to work similar the same bruteforce with a wordlist vulnerability
@@spykillergames8402 Yes, in the case you use a wordlist, but if you bruteforce 100%
A zip file it's like couple minutes if the password it's extremely long, while if you do the same with rar or 7zip it would take days if not weeks
thats what i wanted 😂 turns out they r viruses
@@AlexYazanGames the method of brute force with UTF-8 code x + 1 will work for most passwords in the UTF-8 character set. Most passwords do not go outside of UTF-8 and really most can be found in the ASCII character set which takes a lot less time to go through as even the "strong" password he showed is in the 128 codes of ASCII. Really you only need them from 32 to 127 to type everything on a modern keyboard. As most passwords either do not use or the system does not allow you to use letters with accent marks ASCII is enough. Going through 95 characters then repeating adding a string place then repeating is a lot quicker than using UTF-8 which supports a lot more characters but also what is supported is normally lower and upper case English alphabet letters than numbers 0 through 9. UTF-8 supports it all and more the more part is why it isn't a straight +1 to each code in the process of brute forcing it.
So if you are copying his code i would say to go with ASCII not UTF-8. The reason to start on 32 is 0 through 21 are function keys some that no longer are used for example the carriage return key as now we just use the new line key which on most keyboards is labeled Enter. To not break backwards compatibility it is kept the same as it was when made in 1963. Pretty old but still useful as it covers everything most people would use on a keyboard ... until you get to the function keys, insert, home, end, print screen, scroll lock, windows key, and app key anyways but all those keys cannot be used in a password.
Thankfully I use a password manager. I actually started to use a password manager because I couldn't remember all my passwords. I have now changed all my passwords to passwords generated by my password manager, which are all strong. Of course there are a few websites that just force me to have a shorter password than 26 characters, which I really hate.
Just remember, you are only as safe as your password manager, LastPass kinda gave the whole world a freebie to hackers. Lol..
what app did u use?
@@syariefrahman7411 I use KeePassXC on my computer, KeePasium on my ipad, and KeePassDX on my android phone. I also use google drive to sync the password database between all my devices.
@@ego-lay_atman-bay wow cool, i just installed on my laptop.. can u explain how you sync that from laptop to android?
@@syariefrahman7411 I don't know what he used but I highly recommend dashlane.
Yeh, thanks for educational purpose 😂
Brute force is effective, if you have time to wait.
Depends on the password length and entropy. Sometimes you have to wait forever and it may be not worth it.
@@phoenix5171 well it’s effective, not efficient. You get to crack the password, congrats, who cares how efficient it is
How i crack winrar password@@phoenix5171
This is a very educational video, for education talk purposes! That being said, this will be fun to demonstrate to my friends :) yes right
What if the passcode is not a number or a name and you can't remember???...
Thank you. I have two old zip files (Late 2000-Early 2001) for which I forgot the password. I tried hashcat following your instructions but got this message:
"No hash-mode matches the structure of the input hash."
Could I be doing something wrong, or is there a way to solve this?
Thanks
i want that file xD
XD I actually managed to crack it in the meantime but there wasn't anything really interesting on it 😂😂
Sir is it possible that the cracked who created the software is possible to hack or copy a data files like videos to the one who download the app with cracked cause I'm afraid I'm using recovery app with cracked last week and may own x videos was recover success now I'm afraid that it may be hack or copy to their system who created the cracked is it possible to hack sir?
I remember needing this video like 7-8 years ago
How to do it with excel files?
Chances are, a layman has no idea what a hash is.
By the way, what does it mean to convert a zip file into a hash?
I have no idea how zip files are encrypted using a password and what the format of the hash value stored in the file is.
I cannot reproduce what you did.
Basically a hash is a one-way encryption method. You can create a hash, but not convert it back. Converting a ZIP into a hash means taking the contents of the file and run it through the hashing algorithm that spits out the hash.
it's not converting a zip file to a hash, it's TAKING the hash of the zip file (actually you can do this to any file if you know how to do it). So basically passwords are not stored in plain text, they go through a hashing algorithm like NTLM for windows, etc. but those algorithms are secure. So, you can't just reverse a hashing algorithm, but you can try every password and check if it gets the same result as in the hash that was stored. If it is, then password cracked.
Still feel like neither of the explanations is exactly right.
Basically hashing in computer security is used to verify information without having to have a copy of it. In our case it's checking a password without storing it in the file (because it could just get stolen or decrypted directly same way the authentication software would do it).
In practice it means that when you create an archive, it gets encrypted using the password you put in. Then the password gets converted into a hash (using a standard, irreversible algorithm) and stored in the file. When you try to open the archive, the hash of the password you type in gets compared to the hash of the password initially put in and if they match, it means the password is correct. Then the actual password (which was never stored anywhere) is used to decrypt the archive.
Now how the cracking software works. Basically it pulls the hash from the archive and then tries to run the same hashing algorithm using various passwords. If the hash that comes out from one of them is correct, that's what the correct password is.
@@Tomas-yg1xz wow great explanation 😃
@@Tomas-yg1xz Thank you very much.
I needed this video a few months ago. I forgot the password of a very important zip file and tried everything but in vain
why I cannot extract the hash number? My zip.hash file has nothing.....
only finds the key if that file was compressed on that machine
i tried this once and let it run for a few days without success....so yes 8chars long at least with upper/lower case numbers and special char is the way to go....until qbit computer comes online......
It's all about ZIP files that were invented 30 years ago. What about RAR or 7Z file formats? 🤨
Raj, what if you have an AMD graphics card instead of NVIDIA?
i encountered a pdf file that has password, is it possible to crack it?
Actually when youtuber said link and says have password password is wrong so i can use this video
Good refresher. Thanks bro
Thank you now i can get into my friends "homework folder"
He says There is something bad inside idk whats bad about homework
"Don't Open it, i repeat DON'T OPEN IT!"
Yeah, that's strange, I wonder what it could be. Open it up and let us know! 😁
My friend has a folder on his pc called phone pronhbu and it has a pass I'll crack it and tell what there is
Given the age of the zip format, it's surprising that cryptanalysis has not found a way to speed this up and in 2023 our best method is still plain brute force
That's because the encryption cipher has changed over the years. The default is AES now which hasn't been cracked except through bruteforce as far as i'm aware. If you use any of the old encryptions there's possibly vulnerabilities but i haven't looked that up so i can't tell if there are
If using the old pkzip encryption instead of AES, you can use a "known plain text attack". Say if a zip file has 20 files inside it and the file has a password. However, you have one of those files separate from the zip file i.e. unencrypted. That file you have can be used to calculate the encryption key which matches the encrypted version in the zip file, then that key can be used to extract all the other files, as well as any other zip file which uses the same password. I did this for some zip files around 15 years ago and even back then this process would take less than 10 seconds using only the one unencrypted file I had and no knowledge of the zip password. In addition, I remember reading at the time that the implementation of the random number generator in the pkzip encryption has a bug so isn't as random as it should be, which reduces the number of possibilities for the encryption key as well.
If the zip file is using AES, then the above doesn't apply, since it would mean that AES itself (used in just about everything) is vulnerable to that attack. Vulnerabilities have been found in AES but they don't reduce the cracking time by enough to matter.
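The distinction drawn in the comment above (legacy PKZIP cipher versus AES) can be checked from an archive's own metadata. The following is an added example, not code from the video or from any commenter: it reads each entry's declared scheme from the central directory without touching the data. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040      # general-purpose bit 6: PKWARE strong encryption
AES_METHOD = 99           # WinZip AE-x: real method moves into extra field 0x9901
AES_EXTRA_ID = 0x9901
AES_BITS = {1: 128, 2: 192, 3: 256}

def aes_key_bits(extra):
    """Walk the extra-field records and return the AES key size, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        record = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(record) >= 7:
            # record layout: version(2) vendor "AE"(2) strength(1) real method(2)
            return AES_BITS.get(record[4])
        pos += 4 + size
    return None

def classify_entry(info):
    """Name the scheme a central-directory entry declares."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "unencrypted"
    if info.compress_type == AES_METHOD:
        bits = aes_key_bits(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    return "legacy-zipcrypto"   # traditional PKZIP cipher, open to known-plaintext attack

def audit_zip(data):
    """Map each entry name to its declared scheme; only metadata is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}

def needs_reencryption(report):
    """Entries a defender should repack with AES."""
    return sorted(n for n, s in report.items() if s == "legacy-zipcrypto")

def build_sample_zip(entries):
    """Constructed test input: (name, flags, method, extra) tuples, filler payload."""
    body = central = b""
    for name, flags, method, extra in entries:
        raw, payload, offset = name.encode(), b"\x00" * 16, len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                            0, len(payload), len(payload), len(raw), len(extra))
        body += raw + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0x21, 0, len(payload), len(payload), len(raw),
                               len(extra), 0, 0, 0, 0, offset) + raw + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd

# Constructed sample: one plain entry, one legacy-encrypted, one AES-256 entry.
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE = build_sample_zip([
    ("readme.txt", 0, 0, b""),
    ("payroll.csv", FLAG_ENCRYPTED, 8, b""),
    ("keys.kdbx", FLAG_ENCRYPTED, AES_METHOD, AES256_EXTRA),
])

if __name__ == "__main__":
    report = audit_zip(SAMPLE)
    for name, scheme in report.items():
        print(f"{name:12} {scheme}")
    print("repack with AES:", needs_reencryption(report))
```

The result reflects only what the archive declares; it says nothing about the strength of the password itself.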
thanks - was very interesting. What about XLSX and DOCX files with pwd
Depending on the version they were created with BUT there is POC's for cracking XLSX, DOCX, etc. format files :)
Super educational, thanks for the video ❤
Obvs this in windows because majority uses windows but if you are able to copy the file to Linux John will do it even faster then
Yes if you have supercomputer.
Otherwise forget about it
not necessarily
@@ZephyrysBaum If the password is lengthy with alphabets, numbers and symbols, then you have to wait forever, which is not worth it.
@@phoenix5171 well lots of people don’t have good passwords. I wasn’t disagreeing with jw, but I think it is not inherently necessary to use a supercomputer to perform these brute forcings.
I'm not sure I would trust the binaries downloaded for free from a cracking tools website. I mean... how do they find the money to pay for the servers and the bandwidth?
donations and your pc is the one cracking not the website
@@Filipex13
How delusional.
Oh, so that explains why I got my Steam account hacked on 4/20/2023. My Steam account wasn’t fully recovered until 4/23/2023. I’m sure a good handful of people who played games through Steam got their accounts hacked at least once tbh.
I never got my steam acc hacked
@@enigmapanzers Good. You must have that Steam app with that Authenticator, right?
you can use python threading to crack zips quicker
if you use a complicated password this would be impossible to crack.
Is it possible to do that by cheat engine?
Can this app also do on rar and pdf file?
Hey dude, are you the indian in catching scammers video by jim ?!
That's stereotypical my fella.
bro show us some app that helps to edit all file types like doc,pdf,xls etc if possible please help with some open source software
Notepad++, Libreoffice, Atom
what are the characters he is using in -> "-l" or "-1" and what the hell are those in ?1 or ?l
its not cracking its bruteforcing and works bcoz we can unlimited guess. what if we could not login ssh or server what eva multiple thousand time lol.
after 3 wrong password account should be blocked. if you real owner of account you get it unlogged fast contacting admin. most case you are admin
Bruteforce 🙅🏻♂️ good video and explanation
no matter how many gpus you have ? thats a false statement, with many gpus cracking will takes a few sec even hard passwords, unless its a 32+ char with everything of each which can take months
my password 50 char
How do you know that? 16 char with random Aa0! type characters with no words in a few seconds? hard to believe.
the difficulty grows exponentially, at one point you will need more GPUs on earth to deal with just another char
You are so wrong
What if i use different languages? Like arabian, chinese etc
can this password cracker crack a 30-character password which is a combination of alpha-numeric and special characters?
yes but u need like 20k$ in gpus
how do I open the PS zip cracking?
Bro what about Karaken Software
Which os do you use? If linux, which particular one in linux...?
And what should i use as a beginner if i want to go into this cyber security field...?
7 years ago I saved a rar file on my drive, and now I want to know what the fuck I left in that rar with a stupid password that I don't remember anymore 😅
😳😂
Thank you bro, keep share 😊
You just pull the zipper down, duh.
does this work on rar file?
nobody cracks my gigantic phrases-oriented passwords. small pass strings are for woosies. Throw as many gpus you want to crack mine, it won't work. Me phrases contains more than 200 - 300 chars if the password field allows it. If not i push it to its limit.
Cool, but long strings are still able to be cracked with the new weighted streaming tech that's coming. You can have a simple 8 character password that remains safe. Just alter a byte of your choosing in the Binary code of the zip file.
It would be extremely unlikely for anyone to guess which byte you altered. Open your locked zip in Notepad++ and play around in the Binary code.
It looks confusing at first, but hex manipulation... so give it try.
First❤
can i do this with rar too?
This won't work for long complex passwords.
How can I find out what my Windows desktop login password is if I forgot the password when I first set up the computer?
This one is pretty easy but hard to explain
@@Roxve can you do a tutorial? I can follow instructions & a little tech savvy.
@@carlos_mann it seems like the method i knew is patched but still try it you might have an old version of windows
@@Roxve I think I originally purchased it back in 2019.
on zip files you dont need the passwort to extract the password protected zip ^^
Fact: you can use multiple gpus to crack passwords. And you don't even need a dictionary or wordlist attack. 8 digit random character password are nothing. It takes less than 1 day with new technology. (with 21 Quadro RTX 4000 GPUs)
So what do you advise to avoid being cracked?
@@dreadowen616 use 16 characters
@@dreadowen616 longer passwords with special symbols, lowercase uppercase characters, number and such, a 16 long one is already pretty hard to crack (around 50-100 years), but 32 or above is basically impossible unless you have a lot of time (centuries or even millennia)
@@mackofi 16 character is enough. But i use 20 digit Random generated password and also use a password manager (nord) so i don't have to write anything. I just have to remember 2 password 1st nord account and a master password for daily use.
@@rustinreacts Trusting Nord so much, when Nord collapses, all your password gone forever
My pc is broken and i need to unlock zip file.Will you help me bro
Make a video on how hackers hack our social media accounts with demo (2023)
This is done through social engineering and impersonation. Your digital footprint is the hacker's toolkit. The more information you post about yourself online, the easiest it gets. You will be monitored and then targeted directly or indirectly. Example: fool you into accessing a fake login page. They don't hack your account like you think! You are the fool that gives us entry. There's no demo for this. It's an old trick that's been used for as long as I can remember. Remember that to attack the system, the human gets attacked first. There's no fancy tool like you think
ummmmm
Is it possible to crack password of pdf.
Love from tamilnadu
Your password advice is wrong.
The creator of the standards apologized for his mistake in settings those rules of upper case, lower case, number, symbol, etc...
Turns out, doing so creates a whole new problem that is much worse. Users forget passwords, and write them down. Because they are hard to remember. He then went on to suggest "phrases". You have 0..255 combinations per byte (2^8) and if your password is 9 characters long you have 256^9 combinations. This number is kinda small. There are WAY more than 256 words in the human dictionary which means a 9 word phrase is much more secure than a 9 character phrase.
That all being said, I mean if you can remember your passwords and they meet either the obsolete old standards you mentioned or the newer standards you will be fine.
P.S. that's sorta why Bitcoin is so secure and uses phrases not just random stuff. ;) entropy can be a cool topic to look into ;)
Bitcoin is secure because it uses Blockchain, making it impossible to manipulate.
And isn't it obvious that the password could be anything?
@@itsjustsomeguy. Not quite. Blockchain only means you cannot edit past transactions because it would invalidate everything after that.
What I am referring to is the "seed words" which are dictionary words. Think of it like your 8 character password is 255^8 combinations whereas bitcoin's BIP protocol uses 2046^12 or 2046^24 power.
Essentially there are more combinations than stars in the universe for bitcoin, whereas I can probably crack your password of 8 characters even if you use all kinds of crazy numbers and symbol combinations.
P.S. I actually build a password cracking website some 15+ years ago and it was able to crack 50,000 passwords per SECOND...
Still to date no one has cracked bitcoin wallets. And no one will.. as I said, entropy is a cool topic ;)
Who's than important
Error: UTF-16 BOM seen in input file.
He mentions that in 6:31.
If we use non-English password ?
use a non-english wordlist
Bro, please explain this for rar files too
Without having wordlist or doesn't having any idea of the password
How about .rar file?
Some YouTuber:
Builds a bomb
*Only for educational purposes
Does this work on pdf too?
Yeah If file is encrypted with zip
to see* what's inside
not, to look what's inside
You're welcome
what about rar file ?
Could you do something similar for a password protected Word file?
yes!
I dead ass just wrote a python script that did the password brute force for me.
My algorithm started with length of 1 password. Try every possible letter/digit. If not match, increase length by one and continue
But if i have a quantum computer it's gonna take 0.000000001 sec
To crack it... 😂
Can you now do the same on Linux please ? Thank you Great vid as ever
he literally said "john the ripper is designed for linux" just google "how to use john the ripper linux" (i use arch btw)
my first guess is right, brute force the shit out of it.
but kinda disappointed as well, since brute force is slow, try rainbow tables
3:07 ok
Very good 👍
I HAVE THE COMPLETE COLLECTION OF CONFLICT DESERT STORM AND FORGOT MY PW, LOL!!!!
i create in idea. Asic many asics can hack zip archive password
Thank you, random indian guy
brute isn't really efficient sadly
Can you please do on Android
how to accesses live web front camera and back camera use kali
there's a typo in your pfp
dictionary attack don't work, nowadays people use letter/numbers/symbols. so good luck this is useless.
I will use it for steam unlock
Love from Maharashtra
how long would take if the password is {`57h'~;2)WpL486z ?
15 seconds
@@Fifasher2K
To copy and paste or typed?
@@capulini To copy and paste
fantastic video! do you have a link where i can get the code you made in Python?
thanks you so much
Damn, I guess my 512 character password will be cracked anyway