.\" Copyright (C) 2012-2018 Marc Ferland
.\"
.\" This program is free software: you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
.\" Process this file with
.\" groff -man -Tascii yazc.1
.\"
.TH YAZC 1
.SH NAME
yazc \- yet another zip cracker
.SH SYNOPSIS
.\" set vertical line break space to 0
.PD 0
.B yazc\fR [\fB\-h\fR] [\fB\-V\fR]
.PP
.B yazc
.I COMMAND OPTIONS\fR... \fIFILE
.PD 1
.SH DESCRIPTION
.B yazc
cracks password protected zip files. Three attack methods are
supported: \fIbruteforce\fR, \fIdictionary\fR and \fIplaintext\fR.
.PP
Note: Only files encrypted using the legacy Pkware encryption method
are supported.
.PP
.SH BRUTEFORCE
The \fIbruteforce\fR command tries every possible character
combination. A general rule of thumb is to use this command when you
suspect the password to be 8 characters or less.
.TP
.BR \-c ", " \-\-charset=\fICHARSET\fR
Set the character set to CHARSET.
.TP
.BR \-i ", " \-\-initial=\fISTRING\fR
Set the initial password to STRING.
.TP
.BR \-l ", " \-\-length=\fINUM\fR
Set the maximum password length to LENGTH characters.
.TP
.BR \-a ", " \-\-alpha
Use characters [a-z].
.TP
.BR \-A ", " \-\-alpha-caps
Use characters [A-Z].
.TP
.BR \-n ", " \-\-numeric
Use characters [0-9].
.TP
.BR \-s ", " \-\-special
Use special characters "!:$%&/()=?{[]}+-*~#@|;".
.TP
.BR \-t ", " \-\-threads=\fINUM\fR
Distribute load to NUM threads. For maximum performance, this should
be set to the number of logical processors available.
.TP
.BR \-h ", " \-\-help
Display help and exit.
.SH DICTIONARY
The \fIdictionary\fR command reads passwords from a text file (or
stdin if no file argument is provided). It is assumed that each
password is separated by a newline.
.TP
.BR \-d ", " \-\-dictionary=\fIFILE\fR
Read passwords from FILE.
.TP
.BR \-h ", " \-\-help
Display help and exit.
.SH PLAINTEXT
The \fIplaintext\fR command uses a known vulnerability in the pkzip
stream cipher to find the internal representation of the encryption
key. To use this attack type, you need at least 13 known plaintext
bytes from any file in the archive. Generally, this means that you
need to obtain at least 13 bytes of the \fBcompressed\fR stream before
it was encrypted.
.PP
The \fIplaintext\fR command can be used either with the raw byte
offsets (\-o option) or by using the zip file entry name.
.TP
.BR \-o ", " \-\-offset
Use raw byte offsets instead of entry names.
.TP
.BR \-t ", " \-\-threads=\fINUM\fR
Distribute load to NUM threads.
.TP
.BR \-h ", " \-\-help
Display help and exit.
.RE
.SH INFO
The \fIinfo\fR command lists the filenames, offsets and the encryption
header for each file in the archive. This is useful to determine what
configuration to pass to the \fIplaintext\fR command.
.SH EXAMPLES
Use a \fIbruteforce\fR attack on file archive.zip using only lower case
letters and distribute the load to 8 threads:
.PP
.nf
.RS
yazc bruteforce -a -t8 archive.zip
.RE
.fi
.PP
Use a \fIdictionary\fR attack on file archive.zip and use passwords from
rockyou.txt:
.PP
.nf
.RS
cat rockyou.txt | yazc dictionary archive.zip
.RE
.fi
.PP
Use a \fIplaintext\fR attack on archive.zip. Take plaintext bytes 100
to 650 and map them to ciphertext bytes 112 to 662. Use these bytes to
reduce the number of keys and perform the attack. Once the
intermediate key is found, decrypt the rest of the cipher (begins at
offset 64) to get the internal representation (the encryption key
derived from the password). If possible the actual (or equivalent)
password will also be recovered and printed.
.PP
.nf
.RS
yazc plaintext -o plain.bin 100 650 archive.zip 112 662 64
.RE
.fi
.SH AUTHOR
Marc Ferland <marc.ferland at gmail dot com>
.PP
Part of this software was inspired by fcrackzip by Marc Lehmann and
pkcrack by Peter Conrad. The original plaintext algorithm was
developed by Eli Biham and Paul C. Kocher.