How to Crack Password-Protected ZIP Files, PDFs & More with Zydra

Jul 15, 2020 11:18 PM
Aug 17, 2020 09:13 PM

Everybody knows not to store sensitive information in unencrypted files, right? PDFs and ZIP files can often contain a treasure trove of information, such as network diagrams, IP addresses, and login credentials. Sometimes, even certain files that are encrypted aren't safe from attackers. That's where Zydra comes in — a tool for cracking RAR files, ZIP files, PDF files, and Linux shadow files.

How Are These Files Encrypted?

Depending on the program used and its version, these sorts of files could be password protected using various encryption algorithms.

For example, the Linux command line zip utility uses the older PKZIP algorithm, which is insecure and easy to crack. Other programs, like WinZip and 7-Zip, use strong AES-256 encryption. Earlier versions of the RAR protocol use a proprietary encryption algorithm, while newer versions use AES. WinRAR and PeaZip, popular choices that can deal with RAR files, also use the AES standard.
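The paragraph above draws the line between the legacy PKZIP (ZipCrypto) scheme and AES. As an added example (not code from this article or from Zydra), the audit below parses a ZIP archive's central directory and reports which scheme each member uses, so weakly protected archives can be spotted before they are shared. The archive bytes are constructed inline, with headers only and no file data.

```python
import struct

CD_SIG, CD_FMT, CD_LEN = 0x02014b50, "<IHHHHHHIIIHHHHHII", 46   # central-directory record
EOCD_SIG, EOCD_FMT = 0x06054b50, "<IHHHHIIH"                     # end-of-central-directory record
AES_METHOD, AES_EXTRA_ID = 99, 0x9901   # WinZip AE-x: method 99 plus a 0x9901 extra-field block
AES_BITS = {1: 128, 2: 192, 3: 256}     # AE-x strength byte -> key size

def cd_entry(name, flags, method, extra=b""):
    """One central-directory record; CRC and sizes stay zero because only headers are audited."""
    n = name.encode()
    return struct.pack(CD_FMT, CD_SIG, 20, 20, flags, method, 0, 0, 0, 0, 0,
                       len(n), len(extra), 0, 0, 0, 0, 0) + n + extra

def aes_extra(strength, real_method=8):
    # header id, data size, vendor version (2 = AE-2), vendor "AE", strength, real method
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)

def build_sample():
    """Constructed archive skeleton (no file data): one plain, one ZipCrypto, one AES-256 member."""
    cd = (cd_entry("plain.txt", 0, 8) + cd_entry("legacy.txt", 0x1, 8)
          + cd_entry("strong.txt", 0x1, AES_METHOD, aes_extra(3)))
    return cd + struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 3, 3, len(cd), 0, 0)

def aes_strength(extra):
    """Walk the extra-field blocks; return the AES key size, or None if no 0x9901 block."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and size >= 7:
            return AES_BITS.get(struct.unpack_from("<H2sBH", extra, pos + 4)[2])
        pos += 4 + size
    return None

def audit_zip(data):
    """Return [(member name, encryption scheme)] by parsing only the central directory."""
    eocd = data.rindex(b"PK\x05\x06")                 # ValueError if the EOCD record is missing
    rec = struct.unpack_from(EOCD_FMT, data, eocd)
    count, cd_off = rec[4], rec[6]                     # total entries, central-directory offset
    pos, findings = cd_off, []
    for _ in range(count):
        f = struct.unpack_from(CD_FMT, data, pos)
        if f[0] != CD_SIG:
            raise ValueError("bad central-directory signature")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        base = pos + CD_LEN
        name = data[base:base + name_len].decode("utf-8", "replace")
        extra = data[base + name_len:base + name_len + extra_len]
        scheme = ("none" if not flags & 0x1 else          # general-purpose bit 0 = encrypted
                  f"AES-{aes_strength(extra)}" if method == AES_METHOD else
                  "ZipCrypto (legacy PKZIP, weak)")
        findings.append((name, scheme))
        pos = base + name_len + extra_len + comment_len
    return findings
```

To run it against a real archive, pass the file's bytes to audit_zip; the AES branch only reports a key size when the WinZip 0x9901 block is present.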

If you're using Linux, it's easy to create PDFs in LibreOffice by exporting regular word documents, and there's even an option to password protect the newly created file. Older versions of LibreOffice use the Blowfish algorithm to encrypt files, but versions 3.5 and up use AES. Other methods to create PDF files include Microsoft Office and Adobe Acrobat — Office versions 2007+ and Acrobat versions 7+ all support AES encryption.

Linux shadow files themselves are not encrypted, but the passwords they contain are stored as one-way hashes rather than in the clear. The hashing algorithm varies by system, but MD5, SHA-512, SHA-256, Blowfish, and DES are all commonly used.

Download & Set Up Zydra

To begin, we need to download Zydra from GitHub — use the wget utility to grab the Python file right from the command line:

~$ wget https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py

--2020-07-15 18:41:25--  https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30544 (30K) [text/plain]
Saving to: ‘Zydra.py’

Zydra.py             100%[======================>]  29.83K  --.-KB/s    in 0.04s

2020-07-15 18:41:26 (764 KB/s) - ‘Zydra.py’ saved [30544/30544]

Next, and this step is completely optional, let's rename the script so that its name is entirely lowercase. If you're lazy like me, it's just one less key to press:

~$ mv Zydra.py zydra.py

We also need to install some dependencies for Zydra to work properly — it uses Python 3, so we can use pip3 to install the extra modules:

~$ pip3 install rarfile pyfiglet py-term

Collecting rarfile
  Downloading rarfile-3.1.tar.gz (121 kB)
     |████████████████████████████████| 121 kB 1.0 MB/s
Requirement already satisfied: pyfiglet in /usr/lib/python3/dist-packages (0.8.post0)
Collecting py-term
  Downloading py-term-0.6.tar.gz (5.4 kB)
Building wheels for collected packages: rarfile, py-term
  Building wheel for rarfile (setup.py) ... done
  Created wheel for rarfile: filename=rarfile-3.1-py3-none-any.whl size=24908 sha256=6f16c1h4b06a3f7a7d8v4baa34e9a6d58a949b5a78c2b23bb60c0d62791372e3
  Stored in directory: /home/kali/.cache/pip/wheels/21/50/d0/8da8b10f46113f46c6f0247c5f59401293fb5b15aa7888a4ce
  Building wheel for py-term (setup.py) ... done
  Created wheel for py-term: filename=py_term-0.6-py3-none-any.whl size=6268 sha256=ab75424c7aa6ef71001a24c3e3a558ad3748ee0d6a3c0153c3a0cf955f814a13
  Stored in directory: /home/kali/.cache/pip/wheels/76/cc/73/8ac13320a2a98600008575b936742bbb6025d21d674ca6e2fd
Successfully built rarfile py-term
Installing collected packages: rarfile, py-term
Successfully installed py-term-0.6 rarfile-3.1

Now we should be ready to run Zydra using the python3 command:

~$ python3 zydra.py

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Usage: zydra.py [options] [args]

Dictionary Mode:
   zydra.py -f <file> -d <wordlist>

Brute force Mode:
   zydra.py -f <file> -b <char_type> -m <min_length> -x <max_length>

   Available char_type:
    <lowercase>  The lowercase letters abcdefghijklmnopqrstuvwxyz
    <uppercase>  The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
    <letters>    The concatenation of the lowercase and uppercase
    <digits>     numbers 0123456789
    <symbols>    punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
    <space>      space character
   You can select multiple character types.
    Example: zydra.py -f <file> -b <space,digits> -m 1 -x 8

zydra.py: error:  Choose a file, Use --help for more info

This gives us a nice little banner, a usage example, and an overview of the available options. It also prints an error stating that it needs a file and tells us to use --help for more info, which gives us the full details and options:

~$ python3 zydra.py --help

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Usage: zydra.py [options] [args]

Dictionary Mode:
   zydra.py -f <file> -d <wordlist>

Brute force Mode:
   zydra.py -f <file> -b <char_type> -m <min_length> -x <max_length>

   Available char_type:
    <lowercase>  The lowercase letters abcdefghijklmnopqrstuvwxyz
    <uppercase>  The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
    <letters>    The concatenation of the lowercase and uppercase
    <digits>     numbers 0123456789
    <symbols>    punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
    <space>      space character
   You can select multiple character types.
    Example: zydra.py -f <file> -b <space,digits> -m 1 -x 8

Options:
  -h, --help    show this help message and exit
  -d DICTFILE   Specifies dictionary file
  -f FILE       Specifies the file
  -b CHARTYPE   Specifies the character type
  -m MINLENGTH  Specifies minimum length of password
  -x MAXLENGTH  Specifies maximum length of password

Before we can run Zydra, we will need some files to test it out on. I have created a RAR file, ZIP file, and PDF file that you can download and use to follow along. The password for all three of these is "password1" as you'll soon find out. There is also a shadow file you can download, which I got from the Metasploitable virtual machine.

We'll also need a suitable wordlist. Since our password for these files is pretty simple, we'll use a minimal list for demonstration purposes — this one from the SecLists GitHub repo will work:

~$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt

--2020-07-15 19:08:05--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 81 [text/plain]
Saving to: ‘darkweb2017-top10.txt’

darkweb2017-top10.tx 100%[======================>]      81  --.-KB/s    in 0s

2020-07-15 19:08:05 (3.10 MB/s) - ‘darkweb2017-top10.txt’ saved [81/81]

At this point, we are ready to get cracking.

Option 1: Cracking RAR Files

Zydra can operate in two modes: dictionary and brute force. In dictionary mode, we just need to supply a wordlist with the -d flag. We also need to specify the file we are trying to crack using the -f flag:

~$ python3 zydra.py -f nb-rar.rar -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:08:15 2020

Starting password cracking for /root/nb/nb-rar.rar /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1

End time ==> Wed Jul 15 19:08:41 2020
Execution time ==> 0:00:25.876620

Once it starts, it gives us the possible password count (basically, how many lines there are in the wordlist) and a progress bar. It doesn't take long before it finds the password and tells us what it is.

For brute force mode, we need to set a few more options. We still specify the file to crack, but now we can use the -b flag to set the character types to use for brute forcing. The minimum and maximum length of the password can also be set now, using the -m and -x flags, respectively:

~$ python3 zydra.py -f nb-rar.rar -b letters,digits -m 1 -x 10

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:09:01 2020

Starting password cracking for /root/nb/nb-rar.rar /

 [*] Count of possible passwords: 853058371866181866
    Progress : [                                          ] 0.000 %

As you can see, the number of potential passwords is quite large, so while this feature can be useful in certain cases, most of the time it is wise to use the dictionary mode.

Now that we have the password, we can extract the contents of the RAR file with the following command:

~$ unrar x nb-rar.rar

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from nb-rar.rar

Enter password (will not be echoed) for test.txt:

Option 2: Cracking ZIP Files

Cracking ZIP files works pretty much the same way — we'll only use dictionary mode from here on out since it is way more efficient. Just specify the file to crack and wordlist to use:

~$ python3 zydra.py -f nb-zip.zip -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:09:45 2020

Starting password cracking for /root/nb/nb-zip.zip /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1

End time ==> Wed Jul 15 19:10:10 2020
Execution time ==> 0:00:25.062398

We can see it found the password again with no issues.

To extract the contents of the ZIP archive, use the unzip command:

~$ unzip nb-zip.zip

Archive:  nb-zip.zip
[nb-zip.zip] example.txt password:

Option 3: Cracking PDF Files

For Zydra to work with PDF files, we need to install a program called qpdf first:

~$ sudo apt install qpdf

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libqpdf28
The following NEW packages will be installed:
  libqpdf28 qpdf
0 upgraded, 2 newly installed, 0 to remove and 568 not upgraded.
Need to get 1,015 kB of archives.
After this operation, 2,690 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 libqpdf28 amd64 10.0.1-2 [479 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 qpdf amd64 10.0.1-2 [537 kB]
Fetched 1,015 kB in 1s (830 kB/s)
Selecting previously unselected package libqpdf28:amd64.
(Reading database ... 377060 files and directories currently installed.)
Preparing to unpack .../libqpdf28_10.0.1-2_amd64.deb ...
Unpacking libqpdf28:amd64 (10.0.1-2) ...
Selecting previously unselected package qpdf.
Preparing to unpack .../qpdf_10.0.1-2_amd64.deb ...
Unpacking qpdf (10.0.1-2) ...
Setting up libqpdf28:amd64 (10.0.1-2) ...
Setting up qpdf (10.0.1-2) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

Now we can crack the PDF by providing the file and wordlist to use, just like before:

~$ python3 zydra.py -f nb-sample.pdf -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:10:30 2020

Starting password cracking for /root/nb/nb-sample.pdf /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1
    [*] Your decrypted file is decrypted_nb-sample.pdf

End time ==> Wed Jul 15 19:10:55 2020
Execution time ==> 0:00:25.118694

Again, we can see it found the password, but this time there is an additional message. It's telling us that Zydra wrote a decrypted copy of the original to a new file, which we can verify with the file command:

~$ file decrypted_nb-sample.pdf

decrypted_nb-sample.pdf: PDF document, version 1.4

Option 4: Cracking Shadow Files

Zydra will automatically attempt to crack the password hashes for any users found in Linux shadow files. While it's not always successful, this can be a good method to try out first since it is quick and easy.

All we need to do is specify the file with the -f flag and the wordlist with the -d flag:

~$ python3 zydra.py -f nb-shadow -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:11:03 2020

Starting password cracking for /root/nb/nb-shadow /

 [*] Count of possible passwords: 10
  [**] cracking Password for: root
    Progress : [##############################################] 100.000 %
    [-] password not found

  [**] cracking Password for: sys
  [**] cracking Password for: klog
  [**] cracking Password for: msfadmin
  [**] cracking Password for: postgres
  [**] cracking Password for: user
  [**] cracking Password for: service
End time ==> Wed Jul 15 19:11:26 2020
Execution time ==> 0:00:22.062705

We can see it finds several users, but since we are only using a simple wordlist, it fails to find the password for any of them. Like any other cracking tool, using a more extensive wordlist will increase your chances of successfully recovering a password, but it will also take longer.
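An added example (not from this article or from Zydra) that turns the shadow-file run above into a defender's check: it parses shadow-format lines, identifies the crypt(3) algorithm from the $id$ prefix, and flags empty, weak-hash, low-round or shared password fields. The sample reuses the Metasploitable usernames seen in the output; the hash strings are constructed placeholders, not real hashes.

```python
import re

# crypt(3) hash prefixes; a field with no "$id$" prefix is traditional DES crypt.
HASH_IDS = {"1": "MD5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt"}
WEAK = {"DES-crypt", "MD5-crypt"}
MIN_SHA_ROUNDS = 5000    # glibc default for $5$/$6$; lower means deliberately cheapened

# Constructed sample in the layout of a Metasploitable-style shadow file; the hash
# strings are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$1$AbCdEfGh$0000000000000000000000:18000:0:99999:7:::
msfadmin:$1$AbCdEfGh$0000000000000000000000:18000:0:99999:7:::
sys:*:18000:0:99999:7:::
klog:!:18000:0:99999:7:::
user:abJnggxhB/yWI:18000:0:99999:7:::
postgres::18000:0:99999:7:::
service:$6$rounds=1000$QrStUvWx$1111111111111111111111111111111111111111111111111111111111111111111111111111111111111:18000:0:99999:7:::
"""

def classify(field):
    """Return (algorithm, verdict) for one shadow password field."""
    if field == "":
        return "none", "EMPTY: no password set"
    if field[0] in "!*":
        return "none", "locked"
    m = re.match(r"\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        return "DES-crypt", "weak: 8-char limit, 12-bit salt"
    alg = HASH_IDS.get(m.group(1), f"unknown ${m.group(1)}$")
    if alg in WEAK:
        return alg, "weak: fast hash"
    if m.group(2) and int(m.group(2)) < MIN_SHA_ROUNDS:
        return alg, f"weak: rounds={m.group(2)} below default {MIN_SHA_ROUNDS}"
    return alg, "ok"

def audit_shadow(text):
    """Parse shadow(5) lines; return {user: (algorithm, verdict)}."""
    rows, seen = {}, {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 9:               # shadow(5) lines have nine colon-separated fields
            continue
        user, field = parts[0], parts[1]
        alg, verdict = classify(field)
        if field and field[0] not in "!*" and field in seen:
            verdict += f"; same hash as {seen[field]}"   # same salt + hash => same password
        seen.setdefault(field, user)
        rows[user] = (alg, verdict)
    return rows

def needs_attention(text):
    """Users whose stored credential is weak, empty or shared."""
    return sorted(u for u, (_, v) in audit_shadow(text).items() if v not in ("ok", "locked"))
```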

Wrapping Up

In this tutorial, we explored a tool called Zydra and how it can be used to crack password-protected RAR files, ZIP files, PDF files, and Linux shadow files. While we cracked these with little to no difficulty, using strong passwords will greatly increase the time and effort it takes to do so.

Cover image by Nikhiel CS/Pexels
