Scroll to navigation

YAZC(1) General Commands Manual YAZC(1)

NAME

yazc - yet another zip cracker

SYNOPSIS

yazc [-h] [-V]

yazc COMMAND OPTIONS... FILE

DESCRIPTION

yazc cracks password protected zip files. Three attack methods are supported: bruteforce, dictionary and plaintext.

Note: Only files encrypted using the legacy Pkware encryption method are supported.

BRUTEFORCE

The bruteforce command tries every possible character combination. A general rule of thumb is to use this command when you suspect the password to be 8 characters or less.

Set the character set to CHARSET.
Set the initial password to STRING.
Set the maximum password length to LENGTH characters.
Use characters [a-z].
Use characters [A-Z].
Use characters [0-9].
Use special characters "!:$%&/()=?{[]}+-*~#@|;".
Distribute load to NUM threads. For maximum performance, this should be set to the number of logical processors available.
Display help and exit.

DICTIONARY

The dictionary command reads passwords from a text file (or stdin if no file argument is provided). It is assumed that each password is separated by a newline.

Read passwords from FILE.
Display help and exit.

PLAINTEXT

The plaintext command uses a known vulnerability in the pkzip stream cipher to find the internal representation of the encryption key. To use this attack type, you need at least 13 known plaintext bytes from any file in the archive. Generally, this means that you need to obtain at least 13 bytes of the compressed stream before it was encrypted.

The plaintext command can be used either with the raw byte offsets (-o option) or by using the zip file entry name.

Use raw byte offsets instead of entry names.
Distribute load to NUM threads.
Display help and exit.

INFO

The info command lists the filenames, offsets and the encryption header for each file in the archive. This is useful to determine what configuration to pass to the plaintext command.

EXAMPLES

Use a bruteforce attack on file archive.zip using only lower case letters and distribute the load to 8 threads:

yazc bruteforce -a -t8 archive.zip


Use a dictionary attack on file archive.zip and use
    passwords from rockyou.txt:






cat rockyou.txt | yazc dictionary archive.zip






Use a plaintext attack on archive.zip. Take plaintext bytes
    100 to 650 and map them to ciphertext bytes 112 to 662. Use these bytes to
    reduce the number of keys and perform the attack. Once the intermediate key
    is found, decrypt the rest of the cipher (begins at offset 64) to get the
    internal representation (the encryption key derived from the password). If
    possible the actual (or equivalent) password will also be recovered and
    printed.






yazc plaintext -o plain.bin 100 650 archive.zip 112 662 64










AUTHOR


Marc Ferland <marc.ferland at gmail dot com>


Part of this software was inspired by fcrackzip by Marc Lehmann
    and pkcrack by Peter Conrad. The original plaintext algorithm was developed
    by Eli Biham and Paul C. Kocher.