Practical known Plaintext attack against ZIP files
Sometimes in a network far away, which is most of the time not yours, you might encouter zip files protected with passwords. For example for source code archives, there is quite a nice chance to decrypt the ZIPs even without knowing or cracking the password.
TL;DR;
- Find an encrypted ZIP
- Get one of the files from the ZIP as Plaintext from internet or other sources
- Profit!
Details
Maybe at some point, after hours of digging on network shares or buckets you encountered that one ZIP file, which was looking juicy and you were ready to open it. Set up the VM without internet access, to avoid the Honeycred/files/tokens, clicked on the file with the .config and then …
Caption
Caption
A stupid password??? …
But, there are some good chances to come around this. First try would be just to crack the password, as quite often they are really weak.
To demonstrate the things, I took some random file from Malware Bazaar.
Caption
Always remember, if you are working with Malware test if the files will run by double clicking to avoid later problems – just kidding, be careful out there
Standard - Crack it
John the Ripper has a nice zip2john module for it.
So we build a hash over the zip:
user@localhost ~/zip> john/run/zip2john 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip > zip.hash
ver 2.0 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip/Launcher/ is not encrypted, or stored with non-handled compression type
ver 2.0 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip/Launcher/ActiveSyncProvider.dll PKZIP Encr: cmplen=719649, decmplen=1707520, crc=10BE1B90 ts=06E9 cs=10be type=8
[...]
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
Paste or redirect in a text file and we will see that a strong password is in use…
Caption
user@localhost ~/zip> /opt/john/run/john zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Note: Passwords longer than 21 [worst case UTF-8] to 63 [ASCII] rejected
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2025-04-03 20:49) 0g/s 1021Kp/s 1021Kc/s 1021KC/s Demuxmgr1900..Zip1900
Proceeding with wordlist:/opt/john/run/password.lst
Enabling duplicate candidate password suppressor
2025 (18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip)
1g 0:00:00:00 DONE 2/3 (2025-04-03 20:49) 4.000g/s 851300p/s 851300c/s 851300C/s navy123..kyle24
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Ooooookay 2025, that was a crazy password. For the sake of the more interesting part of the blog, we just ignore this for a moment.
Plaintext attack
At first we want to know, what we have to deal with.
user@localhost ~/zip> unzip -vv 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
Archive: 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
0 Stored 0 0% 2025-03-28 21:26 00000000 Launcher/
1707520 Defl:N 719637 58% 2025-02-24 00:55 10be1b90 Launcher/ActiveSyncProvider.dll
0 Stored 0 0% 2025-03-28 20:49 00000000 Launcher/com/
81920 Defl:N 33934 59% 2023-12-04 10:46 c7484291 Launcher/com/AcSpecfc.dll
168448 Defl:N 75753 55% 2025-02-24 00:53 2bf4bfd8 Launcher/com/AdvancedEmojiDS.dll
0 Stored 0 0% 2025-03-28 20:49 00000000 Launcher/data/
26112 Defl:N 10754 59% 2019-12-07 17:08 cd285dbe Launcher/data/AJRouter.dll
1722096 Defl:N 513132 70% 2022-12-23 23:02 161941c4 Launcher/data/alibabacloud-oss-cpp-sdk.dll
0 Stored 0 0% 2024-05-19 02:26 00000000 Launcher/data/changelog.txt
3245 Defl:N 1344 59% 2024-12-04 13:24 6df9108a Launcher/data/COPYRIGHT
163568 Defl:N 55942 66% 2022-12-23 23:02 720eae83 Launcher/data/cpr.dll
0 Stored 0 0% 2024-05-19 02:26 00000000 Launcher/data/CREDITS.txt
44536 Defl:N 18566 58% 2022-12-23 23:03 085af269 Launcher/data/DecoderMgr.dll
58872 Defl:N 25033 58% 2022-12-23 23:03 f147495c Launcher/data/DemuxMgr.dll
0 Stored 0 0% 2024-05-19 02:25 00000000 Launcher/data/joptsimple/
39920 Defl:N 17734 56% 2022-12-23 23:03 39ac13dc Launcher/data/lekeystore.jks
0 Stored 0 0% 2024-05-19 02:27 00000000 Launcher/data/LICENSE.txt
0 Stored 0 0% 2024-05-19 02:25 00000000 Launcher/data/META-INF/
0 Stored 0 0% 2025-03-28 20:49 00000000 Launcher/data/net/
733416 Defl:N 240023 67% 2022-12-23 23:02 a212f349 Launcher/data/net/cef_100_percent.pak
946552 Defl:N 373086 61% 2022-12-23 23:03 03399bb6 Launcher/data/net/cloud-disk.dll
1079024 Defl:N 343964 68% 2022-12-23 23:09 24e1932b Launcher/data/net/FCore.dll
903920 Defl:N 259252 71% 2022-12-23 23:05 cd8d545d Launcher/data/net/FFAdvancedColorAdjust.dll
1460976 Defl:N 462598 68% 2022-12-23 23:06 0060f3b9 Launcher/data/net/FFCore.dll
4426480 Defl:N 1283143 71% 2022-12-23 23:06 9b9f63b4 Launcher/data/net/FFEffectWidgets.dll
0 Stored 0 0% 2024-05-19 02:27 00000000 Launcher/data/profile.json
0 Stored 0 0% 2024-05-19 02:27 00000000 Launcher/data/version.txt
52428800 Stored 52428800 0% 2025-03-13 15:40 6839478a Launcher/data/xNne0sZ2uexW
699806912 Defl:N 1396271 100% 2025-03-26 23:13 1e02bb0a Launcher/The_LauncherV1.exe
2 Stored 2 0% 2025-03-28 20:39 7d65264f Pass-2025.txt
583136 Defl:N 258594 56% 2025-02-24 00:54 42b11630 Launcher/AboutSettings.dll
60416 Defl:N 28851 52% 2023-12-04 10:45 41661930 Launcher/com/adprovider.dll
849165 Defl:N 354895 58% 2022-12-23 23:02 c23824e0 Launcher/data/net/cef_200_percent.pak
-------- ------- --- -------
767295036 58901308 92% 33 files
Defl:N is a good hint, that we need to deal with Deflate mode of zips, which is not great but okay.
There are several modes for ZIP files. Text is from the 7z help and superuser forum:
Method Description
LZMA
It's base compression method for 7z format. Even old versions of 7-Zip can decompress archives created with LZMA method. It provides high compression ratio and very fast decompression.
LZMA2
Default compression method of 7z format. LZMA2 is LZMA-based compression method. It provides better multithreading support than LZMA. But compression ratio can be worse in some cases. For best compression ratio with LZMA2 use 1 or 2 CPU threads. If you use LZMA2 with more than 2 threads, 7-zip splits data to chunks and compresses these chunks independently (2 threads per each chunk).
PPMd
Dmitry Shkarin's PPMdH algorithm with small changes. Usually it provides high compression ratio and high speed for text files.
BZip2
Standard compression method based on BWT algorithm. Usually it provides high speed and pretty good compression ratio for text files.
Deflate
Standard compression method of ZIP and GZip formats. Compression ratio is not too high. But it provides pretty fast compressing and decompressing. Deflate method supports only 32 KB dictionary.
Deflate64
Modified version of Deflate algorithm with bigger dictionary (64KB).
Deflate is the most common method, as it is the standard for 7z and others.
Caption
user@localhost ~/zip> zipinfo -v 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
Archive: 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
There is no zipfile comment.
End-of-central-directory record:
-------------------------------
Zip archive file size: 58907190 (000000000382DA36h)
Actual end-cent-dir record offset: 58907168 (000000000382DA20h)
Expected end-cent-dir record offset: 58907168 (000000000382DA20h)
(based on the length of the central directory and its expected offset)
This zipfile constitutes the sole disk of a single-part archive; its
central directory contains 33 entries.
The central directory is 3542 (0000000000000DD6h) bytes long,
and its (expected) offset in bytes from the beginning of the zipfile
is 58903626 (000000000382CC4Ah).
Central directory entry #1:
---------------------------
Launcher/
offset of local header from start of archive: 0
(0000000000000000h) bytes
file system or operating system of origin: MS-DOS, OS/2 or NT FAT
version of encoding software: 6.3
minimum file system compatibility required: MS-DOS, OS/2 or NT FAT
minimum software version required to extract: 2.0
compression method: none (stored)
file security status: not encrypted
extended local header: no
file last modified on (DOS date/time): 2025 Mar 28 21:26:34
32-bit CRC value (hex): 00000000
compressed size: 0 bytes
uncompressed size: 0 bytes
length of filename: 9 characters
length of extra field: 36 bytes
length of file comment: 0 characters
disk number on which file begins: disk 1
apparent file type: binary
non-MSDOS external file attributes: 000000 hex
MS-DOS file attributes (10 hex): dir
The central-directory extra field contains:
- A subfield with ID 0x000a (PKWARE Win32) and 32 data bytes. The first
20 are: 00 00 00 00 01 00 18 00 17 96 a0 05 e5 9f db 01 00 00 00 00.
There is no file comment.
Central directory entry #2:
---------------------------
There are an extra -36 bytes preceding this file.
Launcher/ActiveSyncProvider.dll
offset of local header from start of archive: 39
(0000000000000027h) bytes
file system or operating system of origin: MS-DOS, OS/2 or NT FAT
version of encoding software: 6.3
minimum file system compatibility required: MS-DOS, OS/2 or NT FAT
minimum software version required to extract: 2.0
compression method: deflated
compression sub-type (deflation): normal
file security status: encrypted
extended local header: no
file last modified on (DOS date/time): 2025 Feb 24 00:55:18
32-bit CRC value (hex): 10be1b90
compressed size: 719649 bytes
uncompressed size: 1707520 bytes
length of filename: 31 characters
length of extra field: 36 bytes
length of file comment: 0 characters
disk number on which file begins: disk 1
apparent file type: binary
non-MSDOS external file attributes: 000000 hex
MS-DOS file attributes (20 hex): arc
[...]
https://buckets.grayhatwarfare.com/files?keywords=ajrouter+dll&sizeFrom=26112&sizeTo=26112
Caption
user@localhost ~/zip> ls -al
total 57572
drwxr-xr-x 3 user user 4096 Apr 2 21:26 ./
drwx------ 39 user user 4096 Apr 2 20:47 ../
-rw-r--r-- 1 user user 58907190 Apr 1 21:07 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip
-rw-r--r-- 1 user user 26112 Apr 2 21:18 AJRouter.dll
drwxr-xr-x 12 user user 4096 Mar 27 20:49 bkcrack/
user@localhost ~/zip> seq 0 10 | xargs -i 7z a -mm=Deflate -mx{} plain{}.zip /home/user/zip/AJRouter.dll
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs 13th Gen Intel(R) Core(TM) i7-13700H (B06A2),ASM,AES-NI)
Scanning the drive:
1 file, 26112 bytes (26 KiB)
Creating archive: plain0.zip
Items to compress: 1
Files read from disk: 1
Archive size: 11438 bytes (12 KiB)
Everything is Ok
[...]
user@localhost ~/zip> ls plain*.zip | xargs -i -t ~/zip/bkcrack/install/bkcrack -P {} -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c "Launcher/data/AJRouter.dll"
/home/user/zip/bkcrack/install/bkcrack -P plain0.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
/home/user/zip/bkcrack/install/bkcrack -P plain10.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:15] Z reduction using 10635 bytes of known plaintext
64.3 % (6841 / 10635)
[21:30:16] Attack on 193 Z values at index 4571
100.0 % (193 / 193)
[21:30:16] Could not find the keys.
/home/user/zip/bkcrack/install/bkcrack -P plain1.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
/home/user/zip/bkcrack/install/bkcrack -P plain2.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
/home/user/zip/bkcrack/install/bkcrack -P plain3.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
/home/user/zip/bkcrack/install/bkcrack -P plain4.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
Data error: ciphertext is smaller than plaintext.
/home/user/zip/bkcrack/install/bkcrack -P plain5.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:16] Z reduction using 10747 bytes of known plaintext
84.9 % (9120 / 10747)
[21:30:17] Attack on 256 Z values at index 2656
Keys: 4ba31d26 7d9a4839 a4864fa0
70.3 % (180 / 256)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 180
[21:30:17] Keys
4ba31d26 7d9a4839 a4864fa0
/home/user/zip/bkcrack/install/bkcrack -P plain6.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:17] Z reduction using 10747 bytes of known plaintext
84.9 % (9120 / 10747)
[21:30:18] Attack on 256 Z values at index 2656
Keys: 4ba31d26 7d9a4839 a4864fa0
68.0 % (174 / 256)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 174
[21:30:18] Keys
4ba31d26 7d9a4839 a4864fa0
/home/user/zip/bkcrack/install/bkcrack -P plain7.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:18] Z reduction using 10641 bytes of known plaintext
36.9 % (3931 / 10641)
[21:30:19] Attack on 126 Z values at index 7219
100.0 % (126 / 126)
[21:30:19] Could not find the keys.
/home/user/zip/bkcrack/install/bkcrack -P plain8.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:19] Z reduction using 10641 bytes of known plaintext
36.9 % (3931 / 10641)
[21:30:20] Attack on 126 Z values at index 7219
100.0 % (126 / 126)
[21:30:20] Could not find the keys.
/home/user/zip/bkcrack/install/bkcrack -P plain9.zip -p AJRouter.dll -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -c Launcher/data/AJRouter.dll
bkcrack 1.7.1 - 2024-12-21
[21:30:20] Z reduction using 10635 bytes of known plaintext
64.3 % (6841 / 10635)
[21:30:21] Attack on 193 Z values at index 4571
100.0 % (193 / 193)
[21:30:22] Could not find the keys.
Caption
user@localhost ~/zip [1]> ~/zip/bkcrack/install/bkcrack -C 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70.zip -D withoutpw.zip -k 4ba31d26 7d9a4839 a4864fa0
bkcrack 1.7.1 - 2024-12-21
[21:32:27] Writing decrypted archive withoutpw.zip
100.0 % (27 / 27)
Caption
user@localhost ~/zip> unzip -v -p withoutpw.zip Launcher/data/COPYRIGHT | head
Copyright © 1993, 2025, Oracle and/or its affiliates.
All rights reserved.
This software and related documentation are provided under a
license agreement containing restrictions on use and
disclosure and are protected by intellectual property laws.
Except as expressly permitted in your license agreement or
allowed by law, you may not use, copy, reproduce, translate,
broadcast, modify, license, transmit, distribute, exhibit,
perform, publish, or display any part, in any form, or by
Caption
seq 0 10 | xargs -i 7z a -mm=Deflate -mx{} lmao{}.zip /home/user/workdata/intranet/hosts/X/protected/Microsoft.Practices.ServiceLocation.dll
seq 0 10 | xargs -i ./bkcrack -P "lmao{}.zip" -p "Microsoft.Practices.ServiceLocation.dll" -C /home/user/workdata/intranet/hosts/X/protected/neplan.zip -c "NeplanAzure_10.8.6.2/Microsoft.Practices.ServiceLocation.dll"
ls *.zip | xargs -i -t bash -c 'zipinfo -v {} | grep -ic " encrypted"'