was following along really well until you just completely skipped what it actually looks like when you run hashcat. what's the point if i can't compare what my end looks like to troubleshoot it against yours??
I have an odd issue. My gpu usage is at 100% which is fine/normal. but then 1 minute later it goes to 0% then my cpu goes to 100% and my gpu just sits there idle... and it never picks it back up. hashing gets halted. what's up with that?
I really appreciate how educational and visual this is - it clearly demonstrates the need for a long pass without relying on overly common phrases.
Hey.
How do I get this search function beginning at 03:57 and marked in orange?
So this only worked because it was a simple password included in the word list, right? What if it's a very long and complex password not in the list? Can it still be cracked? Is there a file encryption tool that cannot be cracked you would recommend? Thanks!
Exactly. If a strong encryption key is being used, odds are you are not cracking it.
7z format uses AES-256 (Rijndael cypher). AES cannot be cracked, it can only be brute forced, which is what he's done here. Brute force is using a wordlist and/or attempting as many combinations as your machine and time will allow. Cracking means there is a weakness in the algorithm that can be exploited. I know the two terms are often used interchangeably but for encryption they mean two very different things.
Brute forcing long passwords can take far too long even for the biggest supercomputers in the world to work out. For example, if you have a GPU-accelerated brute force 'cracker' and the password is something like 'gYtzM991786%$' and you remembered 'gYtzM9917' but forgot the remaining part, then you can use that to solve the password. But having to do the entire thing with randomization, then with current computing power it would take over 2 million years. But solving '86%$' may only take ~7 seconds. Each additional character increases the difficulty exponentially. Also using a larger set of characters dramatically increases difficulty. i.e. avoid just using only 0-9, a-z, A-Z sets. Characters such as Å, č, etc are even better. Many 'cracker' programs allow the configuration of sets to use to speed up the solving.
7z is likely good enough for most things. However there could be issues with it that a cryptographic wiz could use to speed up the process. For example, how it obtains entropy for the cypher. If you want to REALLY protect something, then I would recommend booting to a USB Linux distro (Tails is great) and using something like VeraCrypt to containerize files. VC is open source, the source has been audited, and it uses a number of methods to create its keys and obtain sufficient entropy. Booting to a USB is added OPSEC as a daily driver OS could be compromised in many different ways.
@@krozareq Thanks for the explanation
"What if it's a very long and complex password not in the list? Can it still be cracked?" Basically, no, not possible, even with supercomputers. Seemingly simple passphrases are even worse than typical gibberish "strong" passwords since the potential entropy goes astronomical. "Yourbluedoglickshisbutt" is basically uncrackable since even if you stick with the 1000 most-common English words, that's 6^1000 possible combinations!
In your example it's 1000^6 not 6^1000. That makes a huge difference. @@awebuser5914
I will try that. I recently placed all my important files into a 7z folder and I forgot the password of it 😅
BZip2 7zAES method isn't supported by hashcat, also doesn't start the password breaking due to the fact it doesn't recognize the hash generated in the first place. I got the error - Salt value exception with no hash recognized.
Which encryption do you think is the safest? Can all AES-256 be easily cracked as long as hashcat supports it?
AES 256 is not easily cracked. It's only easily cracked if your password is password123. If your password is over 60 characters long with special characters, it's not going to be easily cracked.
@@thangchanh2932 If I make a password 128 characters long using upper and lower case, symbols and numbers, is it possible to crack?
@@nijerashikhi No, it will take a trillion years to crack.
@@thangchanh2932 60 characters? Even 25 would be impossible. 60 would probably be impossible to crack even in 20000 years with the hardware we will have then.
Can not install libcompress-raw-lzma-perl -y...it says package not found
sudo apt-get install libcompress-raw-lzma-perl
I have a 7z file with a 32 bit password, attacked by QNAP Qlocker ransomware. Where can I get a password list for that? Any help with this?
www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/
These are the attacker's tactics.
I'm not sure what password they used - but you could use the methods mentioned in this video to try and crack it.
@@vasudevanayak4439 Hi same issue here, did you get anywhere with this?
Do I understand this correctly: no matter how many characters the password of a 7zip archive has, you can find it out via the method shown? Even if the password has for example 80 random characters or more?
yes.. assuming you can keep it running billions of years mate..
@@Koew I believe that quantum computers will only need a few seconds in the future.
@@DirkKuepper We already have quantum computing, and it doesn't work like that. They aren't much better than regular computing for this kind of work. And still, you have to understand the math. Every character you add grows the number of possibilities exponentially. ^80 is a massive number. We are far, far away from calculating anything like this.
Nahh this is just brute force 'cracking' which also uses a word list to speed up the process if a common word is used or the password is often used and seen in cracked password databases. They're especially useful if you obtain a large login database (say, from a website server) and you don't expect to crack all of the hashed and SALTed passwords, but you expect there will be enough low-hanging fruit there to pick. This dramatically speeds up the time rather than attempting character combinations on every password.
AES itself has no known way to exploit its algorithm. The complexity, length, and unpredictability of the password matters. Let's say you use a set of 0-9, a-z, A-Z, and some special characters such as $%&, etc. That's a character set of about 72.
Then for the length, you have to add it as an exponent to 72. An 8-character long password is 72^8 = ~722 trillion combinations. It's very breakable these days. But with 16 characters, 72^16 = ~521 octillion combinations. Or to put it another way, it's ~722 trillion times more difficult to brute force than the 8-character password. Now, use characters such as ÆĎð, etc. and the password is significantly stronger. It's likely someone doing a brute force won't even be utilizing those character sets since doing so drastically increases the time.
A standard way that password complexity is measured is by 'bit strength' or 'bit entropy.' This can be calculated with the formula: L*(logN/log2), where 'L' is the length in characters and 'N' is the size of the set of characters. As with the 72 character set example above: log72/log2 = ~6.167 bit strength per character length of the password. A good password will be in excess of 80 bit strength entropy. A really good password will exceed 100 bits. If said password is 16 characters in length, then its bit strength entropy is ~98.72 that we get from 16*(log72/log2).
A good password needs length and complexity, but it also needs unpredictability. Many passwords I see are in a predictable format: This is likely due to human nature and meeting password requirements. These days it's too easy to learn a lot about someone on the internet. The first part of the password often is going to be a university, home town, favorite sports team, spouse, child, or pet name. The best password brute force crackers allow a great deal of customization, such as having it always include a list of terms to use before the randomized characters. This significantly simplifies the process. Best bet for PW security is random password generation, such as with KeePassXC (free, open source). Every site can have a unique and strong PW. However, it also requires keeping the database extremely safe since it can become a master key. Also, a good backup solution for the database is critical.
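Added example, not part of the original comment thread: a Python sketch of the bit-entropy formula from the comment above, extended to two other cases the thread raises (word-based passphrases, and passwords built from a guessable term plus a short suffix). The term list, the sample password and the guess rate are constructed assumptions.

```python
import math
import string

# Printable-ASCII classes a brute-force run must include to cover a password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits(set_size, length):
    """The comment's formula: L * (log N / log 2)."""
    if set_size < 1 or length < 0:
        raise ValueError("set_size must be >= 1 and length >= 0")
    return length * math.log2(set_size)


def charset_size(text):
    """Combined size of every character class that appears in text."""
    if not (text.isascii() and text.isprintable()):
        raise ValueError("this sketch only models printable ASCII")
    return sum(len(c) for c in CLASSES if any(ch in c for ch in text))


def naive_bits(password):
    """Entropy if every character were drawn at random from its classes."""
    if not password:
        return 0.0
    return bits(charset_size(password), len(password))


def structured_bits(password, terms):
    """Entropy when the password is a guessable term plus a random suffix.

    Models a guesser who prepends each entry of `terms` and brute-forces
    only the remainder. Falls back to naive_bits() if no term matches.
    Assumption: capitalisation variants of the term are not counted.
    """
    lowered = password.lower()
    matches = [t for t in terms if t and lowered.startswith(t.lower())]
    if not matches:
        return naive_bits(password)
    suffix = password[len(max(matches, key=len)):]
    return math.log2(len(terms)) + naive_bits(suffix)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time to try the whole keyspace at an assumed rate."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 1e6  # assumed guesses/second; real rates depend on hardware and KDF
    terms = ["liverpool", "oxford", "rex", "arsenal"]  # constructed term list
    sample = "Liverpool1986!"  # constructed password
    rows = [
        ("8 chars from a 72-char set", bits(72, 8)),
        ("16 chars from a 72-char set", bits(72, 16)),
        ("6 words from a 1000-word list", bits(1000, 6)),
        (f"{sample!r} treated as random", naive_bits(sample)),
        (f"{sample!r} as term + suffix", structured_bits(sample, terms)),
    ]
    for label, b in rows:
        years = years_to_exhaust(b, RATE)
        print(f"{label:36s} {b:6.2f} bits  {years:.3g} years")
```

The last two rows show the unpredictability point: the same 14-character string drops from over 90 bits to under 30 once its first part comes from a short list of personal terms.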
@@krozareq You're stuck in the mindset of old school "passwords". Simple passphrases, like: "Yourbluedoglickshisbutt" is basically uncrackable since even if you stick with the 1000 most-common English words, that's 6^1000 possible combinations! There are currently no tools that can even _try_ to attack passphrases and honestly, it's a fool's errand in any case. If someone tried to do it and attempted to create generic grammar rules, it would still fail with "Yodaspeak" or simple nonsense phrases: "Correctbatteryhorsestaple", et al.
I guess this method would not work if the 7z file has the file names encrypted too.
Hi.. I forgot my .7zip encrypted password. Please help me to recover the files.. those files are very important to me.. Anyone, please help me.
You are fucking lazy or what, Just watch the tutorial
Can we crack the hash without a wordlist?
Hi. I've been affected by Qlocker ransomware attack that used 7zip to encrypt QNAP devices. All my files except Videos on my Qnap NAS are now under a 7zip password. Any chance to get that password? Thank you very much
Hey Daniel. Using the tips mentioned in this video may help you. Sorry that you're going through that.
Hi Daniel, same issue here, did you get anywhere with this?
Hi, I have used REC Recovery but the files are all in one folder and don't have the same names.
Brother, please guide me on how to secure my files on my hard drive. I am using BitLocker. I wanted to encrypt the files using 7zip and also use BitLocker on my backup drives. Will it secure my files? Please tell me.
Hi there. Noob here.
I'm using the Windows Kali WSL to try this out. The archive is in the E drive and I managed to install both John and libcompress-raw-lzma-perl but can't seem to use the /usr/share/john/7z2john.pl backup.7z command. Any help would be appreciated.
Will this program run on windows 10?
How do you do it for windows?
There are probably other tools for Windows. Worst case, you could use WSL or set up a Kali VM.
How to do this on windows 10?
Currently using windows? can you help me crack the file
zip2john isn't working on my mac
I forgot the password to my file and found this video. I installed Kali on a virtual machine using UTM as I have an M1 Mac, and ran into various issues, like I couldn't get the commands to work and was Googling for hours etc. After I finally managed to get it to work, which took like 3 hours, I then followed the steps in this video, ran into other issues and then once I finally got the hash.txt, you said that you need a file with the possible passwords... :D And I am pretty sure that my password is not in any list, so this didn't work for me... :( At least I learned a few things along the way... :D
I'm so glad that you gave it a shot! I'm sorry it didn't help.. but now you know! Check out rockyou2021, or realuniq. They're pretty solid wordlists and you may get lucky!
fyi, brute-force mode is a thing, you can try that with different mask combinations (i.e., hashcat -a 3 examplehash.txt ?a?a?a?d) "a" meaning a character and "d" a digit. In this case, the total length of the password is 4.
I know brute force method, but I am setting complicated passwords with at least 16 characters like letters, special signs, numbers etc. So it would take like forever. Thanks for the tip anyway, appreciate!
@@ophelia6044 Only for the shortest passwords, say 8 characters or less. Any longer and the time it takes goes completely exponential. Even with totally obsolete MD5, an 8-character brute force took me 14 hours on a 4070Ti!
Good video.... is cryptomator also just as easy to crack as 7zip?
Cracking 7z password is easy only for weak passwords (less than 11 characters). You can apply cracking tutorials for strong passwords (more than 19 random characters), but it's going to lead you nowhere.
I didn't really follow all of that - mostly because it's something I don't need to do, so it wasn't worth the intellectual effort to follow it in-depth, but I get the general idea that cracking a 7z encrypted file, which I thought was pretty secure, is not that big a deal for somebody who is really into low-level software. It strikes me that regardless of what program is used to encrypt a file, the password used must be inside that file somewhere, so that somebody who understands the encrypting program must be able to find it. Of course, if the program hashes the password to make it unintelligible, that would make things harder. Would this method work with other programs such as Safehouse?
Not exactly. Cracking a 7z password with today's hardware and software is only possible for weak passwords. If the password is strong, the attacker will be wasting time and energy.
@@thgoodboy OK, thanks for the response. I think my passwords are usually pretty strong - 25-30 characters with a mix of punctuation symbols, upper and lower case letters and numbers, all stored in a password bank.
I wrote software about 15 years ago and password protected it, but although my algorithm was pretty basic, none of my 200 or so users ever cracked it - though I don't know if anybody ever tried.
@@DownhillAllTheWay I also have the same thoughts as you. I'm sure of one thing that the people who wrote 7z have the algorithm and can decode it easily
The wordlist is essential?
You could also try other brute-force attacks.
Thanks, this worked for me. My password was very simple so it was able to get it.
hey dude i really need your help, i password protected my company files but now i cant remember the password do i follow this video and how do i get those other programs and wordlists? Really need your help =(
sketchy much?
@@galiare9474 how is it sketchy I 7ziped my 3d models from one of my projects and forgot the password. Not sketchy......
Thanks, this video really helps me bro!
WARNING: could not open file '/home/tony/Downloads/VenomRAT5.6.7z'
You start from the middle of explaining how you got to the window you are working on?
Can encrypted videos also be cracked?
So you are encrypting anime episodes? (According to your profile picture)
Your guide has absolutely zero value for someone who doesn't know anything about this, like how to set up, which files I need to do like your guide, you give none of that information to the viewer. Really?
Can U crack Veracrypt and Cryptomator?
I don't know about Cryptomator, but there is support in Hashcat for Veracrypt!
Thanks very much
Some guys don't know how to teach
You keep typing "clear" to clear the screen. You know you can press Ctrl+L right? even in the middle of typing the command line. Just a friendly PSA. It's just it's painful to see you type "clear" every single time, when you seem "linux fluent" otherwise...
definitely easier to type clear, u could miss the L especially in the dark and end up pressing CTRL + K or something like that
@@baliDOTid if that's the case that it's so dark you can miss literally ANY command you type as well since you know, it's a terminal you type things that have to be spelled accurately. And ctrl+K doesn't do anything. You are unnecessarily splitting hairs to justify being right about the most retarded thing. So keep typing clear like an idiot I guess.
Algorithm.
hi
id like you to crack me a 7zip file please
Sorry, can't help.
@@InfiniteLogins ok but can you help me on a project am doing
Is there any chance you could make this entire video again, except this time around speak in English instead of Robo-Martian? Thanks.
Great advice