This is from an assignment I got when studying IT-SEC.
The assignment was to recover the content of a file stored in an encrypted zip file.
The zip file was encrypted using WinZip and a 12 character long password. After some quick calculation I realized that even with GPU acceleration it would take far too long to brute-force. I tried using a dictionary list but that was unsuccessful.
After some quick looking around I realized that it is possible to do a known plaintext attack against WinZip files encrypted with ZipCrypto.
First of all I need to make sure what encryption and compression my file is using. After checking the date of my files (2006) I went to www.oldversions.com and downloaded a WinZip version from about that time.
When opening the encrypted file using that version of WinZip I am able to see the metadata of the files. So I know that there are 4 files in the zip file: 3 jpg and a txt file. To check the compression and encryption of the file I simply click properties and then details; when prompted to enter a password I just enter any dummy password and press skip.
After that I get the output from WinZip.
As you can see in the picture there is a line that says compression method and compression subtype.
The method used is deflated and the subtype is normal.
To be able to do a known plaintext attack I need to have some of the content in plaintext.
In my case I have the jpg files in plaintext (unencrypted).
Now I need to download and install PKCRACK, it can be found here:
http://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html
Just download and extract.
Then run make.
Next I need to extract the encrypted files that will be used for the known plaintext attack.
It is done by using the ./extract command.
I extract the jpg files from the encrypted zip; these will be the ciphertext.
Now we need to do the same thing with a zip file that contains the plaintext files without encryption.
Create a new zip file with the plaintext files and use the same compression, i.e. deflated and normal.
Before extracting the unencrypted files from the newly created zip with plaintext files, rename the already extracted files from the encrypted zip.
Then extract the files from the unencrypted zip file.
If you compare the files from the encrypted and unencrypted zip, the file size of the plaintext should differ by 12 bytes. If they do not, then you’ve done something wrong. Perhaps try another version of WinZip to make sure you have the same compression.
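The compression/encryption check done above through WinZip's properties dialog, and the 12-byte size difference, can both be read directly from the zip's local file headers: ZipCrypto prepends a 12-byte encryption header to every encrypted entry, which is where the difference comes from. The following is an added Python example, not part of the original assignment or of PKCRACK, that walks those headers, reports method and deflate subtype, and flags WinZip AES entries (compression method 99), which this attack does not apply to; both sample archives are constructed inline.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"  # sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
ZIPCRYPTO_HEADER_LEN = 12   # ZipCrypto prepends a 12-byte header to every encrypted entry
DEFLATE_SUBTYPE = {0: "normal", 1: "maximum", 2: "fast", 3: "superfast"}

def parse_local_headers(data: bytes) -> list:
    """Walk the local file headers and report how each entry is compressed and encrypted."""
    entries, pos, hdr_len = [], 0, struct.calcsize(LOCAL_FMT)
    while pos + hdr_len <= len(data):
        f = struct.unpack_from(LOCAL_FMT, data, pos)
        if f[0] != LOCAL_SIG:
            break  # first non-local header: the central directory has been reached
        flags, method, csize, nlen, xlen = f[2], f[3], f[7], f[9], f[10]
        name = data[pos + hdr_len:pos + hdr_len + nlen].decode("utf-8", "replace")
        if method == 99:
            scheme = "AES"        # WinZip AES entries use method 99 (not attackable this way)
        elif flags & 0x0001:
            scheme = "ZipCrypto"  # legacy scheme, the one PKCRACK attacks
        else:
            scheme = "none"
        entries.append({
            "name": name,
            "method": {0: "stored", 8: "deflated"}.get(method, str(method)),
            "subtype": DEFLATE_SUBTYPE[(flags >> 1) & 3] if method == 8 else None,
            "encryption": scheme,
            "compressed_size": csize,
            # for ZipCrypto the stored data is the 12-byte header plus the encrypted deflate stream
            "ciphertext_size": csize - ZIPCRYPTO_HEADER_LEN if scheme == "ZipCrypto" else csize,
        })
        if flags & 0x0008:
            break  # sizes live in a trailing data descriptor; not handled here
        pos += hdr_len + nlen + xlen + csize
    return entries

def build_plain_sample() -> bytes:
    """Constructed sample: one unencrypted deflated entry written with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"JFIF" * 40)
    return buf.getvalue()

def build_zipcrypto_sample() -> bytes:
    """Constructed sample: hand-built local header, deflate, flag bit 0 set, 12-byte prefix + 13 dummy bytes."""
    name, body = b"photo.jpg", b"\x00" * (ZIPCRYPTO_HEADER_LEN + 13)
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0x0001, 8, 0, 0, 0, len(body), 13, len(name), 0)
    return hdr + name + body
```

Run `parse_local_headers` over the real archive's bytes to confirm "deflated"/"normal" and a ZipCrypto entry before spending time on the attack; an "AES" result means this method will not work.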
Now we can run PKCRACK.
Run PKCRACK and specify the extracted file from the encrypted zip and the one from the unencrypted zip.
It will start to eliminate keys until it has a number of keys left and will try those until it finds the keys that can be used to decrypt the file.
Once it has found the keys you can use them to decrypt the file, or you can wait until it has found the password that was used (this might take some time).
In this case let's not wait for the password since we know it is 12 characters long and it will take some time.
To decrypt the files we use the zipdecrypt command.
And now we have all the files in plaintext and can view the content.
As far as I know this attack does not work against AES encrypted files.