Date: Thu, 17 Sep 2020 18:25:35 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking encrypted zip file

On Thu, Sep 17, 2020 at 04:20:30PM +0100, Jasper Jones wrote:
> On Wed, 16 Sep 2020 at 20:51, Solar Designer <solar@...nwall.com> wrote:
> > On Wed, Sep 16, 2020 at 06:47:10AM +0100, Jasper Jones wrote:
> > > Loaded 1 password hash (ZIP, WinZip, [PKDF2-SHA1 128/128 AVX 4x1)"
> > >
> > > Does that look right? The reference to PKDF2-SHA1 instead of AES concerns
> > > me, but I appreciate that could just be my ignorance showing.
> >
> > You've already figured this out (great!), but we might want to revise
> > this algorithm name string to also include AES.
> 
> Cool.

I just looked into this, and no - that algorithm name string is correct
as-is, and adding AES in there would be wrong.  We're able to
distinguish correct vs. wrong passwords without ever using AES in there.

> > As to the error you were getting originally:
> >
> > > > That said, I'm still getting an error as well: "ver 5.1
> > > > wallet.zip/wallet.dat is not encrypted, or stored with non-handled
> > > > compression type".
> >
> > It certainly looks like you have more than one file, or one file more
> > than once, in that archive.  It might even be that you have the
> > wallet.dat file in there in both encrypted and non-encrypted form.
> 
> I'm pretty sure there's just the one file in there. I definitely wouldn't
> have encrypted it first and then zipped it. It was just zipped (using 7Zip)
> with a password and AES256 encryption selected. There's also just the one
> file - wallet.dat - listed when you open the archive.

OK.

> > Alternatively, we have a bug resulting in that spurious message.
> 
> I'll leave that to you to decide! :)

We'd need to reproduce the problem for that.  It would be great if you
manage to generate another encrypted WinZip archive, with dummy content
and a known password, yet trigger the same behavior from zip2john.  This
will serve two purposes: (1) you'll know whether or not the password is
crackable with our current code despite this error, and (2) we'll be
able to look into the issue on our end (assuming that you'll share that
archive with us).

> > > > I don't have zipinfo (I'm on Windows), but I could download a bootable
> > > > Linux distribution if that would help.
> >
> > I guess you can get zipinfo on Windows if you install Cygwin.
> 
> Do you think it would help at this stage?

It wouldn't help as much as generating a suitable dummy archive would,
but it might provide us with some extra clue.

> Perhaps if the current run
> doesn't work I can look into that and see whether it gives more info than
> I've found so far.

OK.

Alexander
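
The point made in the message above, that correct and wrong passwords can be told apart without AES, shown as an added example (not part of the original post and not John the Ripper's code). It follows the published WinZip AES format: PBKDF2-HMAC-SHA1 with 1000 iterations yields the AES key, the HMAC key and a 2-byte password verification value, and the stored authentication code is HMAC-SHA1 over the ciphertext truncated to 10 bytes. The function names and the sample record are constructed for illustration.

```python
import hashlib
import hmac

# WinZip AES strength code -> (salt length, AES key length), in bytes
STRENGTHS = {1: (8, 16), 2: (12, 24), 3: (16, 32)}
ITERATIONS = 1000  # fixed by the WinZip AES format
PV_LEN = 2         # password verification value stored after the salt
MAC_LEN = 10       # HMAC-SHA1 authentication code, truncated to 80 bits


def derive(password, salt, strength):
    """PBKDF2-HMAC-SHA1 -> (aes_key, mac_key, verifier)."""
    salt_len, key_len = STRENGTHS[strength]
    if len(salt) != salt_len:
        raise ValueError("salt length does not match strength")
    dk = hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS,
                             2 * key_len + PV_LEN)
    return dk[:key_len], dk[key_len:2 * key_len], dk[2 * key_len:]


def check_password(password, salt, strength, verifier, ciphertext, mac):
    """Return 'wrong', 'verifier-only' or 'match'; AES is never run."""
    _aes_key, mac_key, pv = derive(password, salt, strength)
    if not hmac.compare_digest(pv, verifier):
        return "wrong"  # rejects all but about 1 in 65536 wrong passwords
    tag = hmac.new(mac_key, ciphertext, hashlib.sha1).digest()[:MAC_LEN]
    return "match" if hmac.compare_digest(tag, mac) else "verifier-only"


def make_sample(password, strength=3):
    """Constructed record, not a real archive. The MAC covers the
    ciphertext, so arbitrary stand-in bytes are enough here."""
    salt = bytes(range(STRENGTHS[strength][0]))
    ciphertext = b"constructed stand-in for the encrypted file data"
    _aes_key, mac_key, pv = derive(password, salt, strength)
    mac = hmac.new(mac_key, ciphertext, hashlib.sha1).digest()[:MAC_LEN]
    return salt, strength, pv, ciphertext, mac


if __name__ == "__main__":
    sample = make_sample(b"dummy-known-password")
    print(check_password(b"dummy-known-password", *sample))
    print(check_password(b"not-the-password", *sample))
```

The derived AES key is discarded in `check_password`: the verifier and the MAC over the ciphertext are the only values compared.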
