Zip password cracker in Python

Since I had never tried to write a zip password cracker, I figured it was about time.

I haven't read through Violent Python yet, but I know that this is one of the examples from it. With that in mind, I figured this would be a good exercise and another useful tool for my arsenal.

First things first, I had to create my password protected zip file.

Python Zip Password Cracker - Archiving

When I attempted to open this file, it prompted me for a password.

Python Zip Password Cracker - Open Attempt

With the zip file in place, I created the following Python script.

import zipfile
from time import time

def main():
    try:
        myZip = zipfile.ZipFile("secret.zip")
    except zipfile.BadZipfile:
        print "[!] There was an error opening your zip file."
        return

    password = ''
    
    timeStart = time()
    with open("10_million_password_list_top_10000.txt", "r") as f:
        passes = f.readlines()
        for pass_count, x in enumerate(passes):
            password = x.strip()
            try:
                myZip.extractall(pwd = password)
                totalTime = time() - timeStart
                print "\nPassword cracked: %s\n" % password
                print "%i password attempts per second." % (pass_count/totalTime)
                return
            except Exception as e:
                if str(e[0]) == 'Bad password for file':
                    pass # TODO: properly handle exceptions?
                elif 'Error -3 while decompressing' in str(e[0]):
                    pass # TODO: properly handle exceptions?
                else:
                    print e
        print "Sorry, password not found."

if __name__ == '__main__':
	main()

This opens up the specified zip file (in this case, secret.zip), and attempts to extract it using each password in the provided wordlist one by one. If the program throws no exceptions, then it means the archive was successfully extracted (which means the password was found). In this case, it prints out the cracked password as well as how many password attempts per second it performed (for statistical purposes).

With everything in place, I grabbed a password list and fired the script up.

Python Zip Password Cracker - Execution

When I went back to the directory, I found the file that I originally hid in the archive.

Python Zip Password Cracker - Extracted Secrets

Some of my next steps will be to add better reporting about the contents and cracking status, as well as maybe looking into threading or support for other file types.

The code and updates can be found in my GitHub repository.

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

4 Comments

Filed under Security Not Included

4 Responses to Zip password cracker in Python

  1. Vess

    This would work only if the password is in the dictionary.

    There is a better approach, if you have at least one unecrypted copy of the files in the archive (and they are all encrypted with the same password). Take a look at PKCrack and try to implement it in Python.

    • Yea, for sure, but it is just a dictionary attack cracker.

      That said, PKCrack would be fun to implement in the next version. That said, it wouldn’t have worked in this example since all I had was plaintext in the archive!

      Thanks for the suggestion though, maybe brute force and plaintext attack should be something I add for a version 1.1!

  2. mane badra aly

    please I want to download the password it does not pass at home I can not download I suplis you

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.