Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
FCRACKZIP(1)		    General Commands Manual		  FCRACKZIP(1)

       fcrackzip - a Free/Fast Zip Password Cracker

       fcrackzip  [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark]
       [--charset characterset]	 [--help]  [--validate]	 [--verbose]  [--init-
       password	 string/path] [--length	min-max] [--use-unzip] [--method name]
       [--modulo r/m] file...

       fcrackzip searches each zipfile given for encrypted files and tries  to
       guess the password. All files must be encrypted with the	same password,
       the more	files you provide, the better.

       -h, --help
	      Prints the version number	and (hopefully)	some helpful insights.

       -v, --verbose
	      Each -v makes the	program	more verbose.

       -b, --brute-force
	      Select brute force mode. This tries all possible combinations of
	      the letters you specify.

       -D, --dictionary
	      Select  dictionary mode. In this mode, fcrackzip will read pass-
	      words from a file, which must contain one	password per line  and
	      should be	alphabetically sorted (e.g. using sort(1)).

       -c, --charset characterset-specification
	      Select  the  characters  to use in brute-force cracking. Must be
	      one of

		a   include all	lowercase characters [a-z]
		A   include all	uppercase characters [A-Z]
		1   include the	digits [0-9]
		!   include [!:$%&/()=?{[]}+*~#]
		:   the	following characters upto the end of the spe-
		    cification string are included in the character set.
		    This way you can include any character except binary
		    null (at least under unix).

	      For example, a1:$% selects lowercase characters, digits and  the
	      dollar and percent signs.

       -p, --init-password string
	      Set  initial  (starting)	password  for brute-force searching to
	      string, or use the file with the name string to supply passwords
	      for dictionary searching.

       -l, --length min[-max]
	      Use  an  initial password	of length min, and check all passwords
	      upto passwords of	length max (including).	You can	omit  the  max

       -u, --use-unzip
	      Try  to  decompress  the	first  file  by	calling	unzip with the
	      guessed password.	This weeds out false positives when not	enough
	      files have been given.

       -m, --method name
	      Use method number	"name" instead of the default cracking method.
	      The switch --help	will print a list of  available	 methods.  Use
	      --benchmark  to  see  which method does perform best on your ma-
	      chine. The name can also be the number of	the method to use.

       -2, --modulo r/m
	      Calculate	only r/m of the	password. Not yet supported.

       -B, --benchmark
	      Make a small benchmark, the output is nearly meaningless.

       -V, --validate
	      Make some	basic checks wether the	cracker	works.

       Have you	ever mis-typed a password for unzip? Unzip reacted pretty fast
       with 'incorrect password', without decrypting the whole file. While the
       encryption algorithm used by zip	is relatively secure, PK made cracking
       easy  by	 providing  hooks for very fast	password-checking, directly in
       the zip file. Understanding these is crucial to zip password cracking:

       For each	password that is tried,	the first twelve bytes of the file are
       decrypted.  Depending  on  the  version of zip used to encrypt the file
       (more on	that later), the first ten or eleven bytes  are	 random,  fol-
       lowed  by one or	two bytes whose	values are stored elsewhere in the zip
       file, i.e. are known beforehand.	If these last  bytes  don't  have  the
       correct	(known)	 value,	the password is	definitely wrong. If the bytes
       are correct, the	password might be correct, but the only	method to find
       out is to unzip the file	and compare the	uncompressed length and	crc's.

       Earlier	versions  of  pkzip (1.xx) (and, incidentally, many zip	clones
       for other operating systems!) stored two	known bytes.  Thus  the	 error
       rate  was  roughly  1/2^16 = 0.01%. PKWARE 'improved' (interesting what
       industry	calls improved)	the security of	their format by	only including
       one  byte, so the possibility of	false passwords	is now raised to 0.4%.
       Unfortunately, there is no real way to distinguish one  byte  from  two
       byte formats, so	we have	to be conservative.

       By default, brute force starts at the given starting password, and suc-
       cessively tries all combinations	until they are exhausted, printing all
       passwords that it detects, together with	a rough	correctness indicator.

       The  starting  password	given  by the -p switch	determines the length.
       fcrackzip will not currently increase  the  password  length  automati-
       cally, unless the -l switch is used.

       This  mode  is  similar	to brute force mode, but instead of generating
       passwords using a given set of characters and a length,	the  passwords
       will be read from a file	that you have to specify using the -p switch.

       A  CP  mask  is	a  method to obscure images or parts of	images using a
       password.  These	obscured images	can be restored	 even  when  saved  as
       JPEG  files. In most of these files the password	is actually hidden and
       can be decoded easily (using one	of the many available viewer and mask-
       ing programs, e.g. xv). If you convert the image	the password, however,
       is lost.	The cpmask crack method	can be used to brute-force  these  im-
       ages.  Instead  of a zip	file you supply	the obscured part (and nothing
       else) of	the image in the PPM-Image Format (xv and  other  viewers  can
       easily do this).

       The  cpmask  method  can	 only cope with	password composed of uppercase
       letters,	so be sure to supply the --charset A or	equivalent option, to-
       gether with a suitable initialization password.

       fcrackzip -c a -p aaaaaa
	      checks  the  encrypted  files  in for all lowercase 6
	      character	passwords (aaaaaa ... abaaba ... ghfgrg	... zzzzzz).

       fcrackzip --method cpmask --charset A --init AAAA test.ppm
	      checks the obscured image	test.ppm for all four character	 pass-
	      words.   -TP  fcrackzip -D -p passwords.txt check for
	      every password listed in the file	passwords.txt.

       fzc, which seems	to be widely used as a fast password  cracker,	claims
       to  make	 204570	 checks	per second on my machine (measured under plain
       dos w/o memory manager).

       fcrackzip, being	written	in  C  and  not	 in  assembler,	 naturally  is
       slower. Measured	on a slightly loaded unix (same	machine), it's 12 per-
       cent slower (the	compiler used was pgcc,	from

       To remedy this a	bit, I converted small parts of	the encryption core to
       x86 assembler (it will still compile on non x86 machines), and now it's
       about 4-12 percent faster than fzc (again,  the	fcrackzip  performance
       was  measured  under  a	multitasking  os, so there are inevitably some
       meaurement errors), so there shouldn't be a tempting reason  to	switch
       to other	programs.

       Further	improvements  are definitely possible: fzc took	4 years	to get
       into shape, while fcrackzip was hacked together in under	10 hours.  And
       not  to	forget	you  have the source, while other programs (like fzc),
       even come as an encrypted .exe file (maybe  because  their  programmers
       are  afraid  of	other people could having a look at their lack of pro-
       gramming	skills?	 nobody	knows...)

       The reason I wrote fcrackzip was	NOT to have the	 fastest  zip  cracker
       available, but to provide a portable, free (thus	extensible), but still
       fast zip	password cracker. I was	 really	 pissed	 of  with  that	 dumb,
       nonextendable  zipcrackers  that	were either slow, were too limited, or
       wouldn't	run in the background (say, under unix). (And  you  can't  run
       them on your superfast 600Mhz Alpha).

       No automatic unzip checking.

       Stop/resume facility is missing.

       Should  be  able	 to distinguish	between	files with 16 bit stored CRC's
       and 8 bit stored	CRC's.

       The benchmark does not work on all systems.

       It's still early	alpha.

       Method "cpmask" only accepts ppms.

       Could be	faster.

       fcrackzip  was  written	by  Marc  Lehmann  <>.  The	  main
       fcrackzip page is at

			Free/Fast Zip Password Cracker		  FCRACKZIP(1)


Want to link to this manual page? Use this URL:

home | help