🛡️ Methodology Checklist
- ZIP hash: zip2john [FILE].zip > hash.txt
- RAR hash: rar2john [FILE].rar > hash.txt
- 7z hash: 7z2john.pl [FILE].7z > hash.txt
- Crack with John: john --wordlist=[WORDLIST] hash.txt
- Crack with Hashcat: hashcat -m 13600 hash.txt [WORDLIST] (mode 13600 = WinZip AES)
- List archive contents before cracking: 7z l [FILE].7z
- Document archive password and contents found
🎯 Operational Context
Use when: Password-protected archive (ZIP, 7z, RAR) found during enumeration — extract hash and crack offline.
Think Dumber First: zip2john archive.zip > zip.hash && john zip.hash --wordlist=rockyou.txt — most user-encrypted archives use simple passwords from rockyou in the first million entries.
Skip when: Archive uses AES-256 with bcrypt KDF — cracking will be impractically slow; look for password clues in nearby files instead.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| zip2john [ARCHIVE].zip > zip.hash | Extract hash from ZIP archive |
| john --wordlist=rockyou.txt zip.hash | Crack ZIP password |
| file [ARCHIVE].gzip | Identify if archive is OpenSSL-encrypted |
| while IFS= read -r p; do openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$p" 2>/dev/null \| tar xz 2>/dev/null && { echo "$p"; break; }; done < rockyou.txt | Brute-force OpenSSL-encrypted GZIP (reads the wordlist line by line, stops at the first password that yields a valid tar stream) |
| bitlocker2john -i [IMAGE].vhd > backup.hashes | Extract all hashes from BitLocker VHD |
| grep "bitlocker\$0" backup.hashes > backup.hash | Filter for user password hash (not recovery key) |
| hashcat -a 0 -m 22100 backup.hash rockyou.txt | Crack BitLocker password (mode 22100) |
| sudo apt-get install dislocker | Install BitLocker decryption tool |
| sudo losetup -f -P [IMAGE].vhd | Attach VHD as loop block device |
| lsblk | Identify the loop partition (e.g., /dev/loop0p2) |
| sudo dislocker /dev/loop0p2 -u[PASSWORD] -- /media/bitlocker | Decrypt BitLocker partition |
| sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount | Mount decrypted volume |
| sudo umount /media/bitlockermount && sudo umount /media/bitlocker | Cleanup: unmount both mount points |
🔬 Deep Dive & Workflow
Archive Encryption Types
Two fundamentally different encryption mechanisms requiring different attack approaches:
- Native ZIP encryption — hash extractable via zip2john, crack offline with John/Hashcat
- OpenSSL-wrapped archives — no hash to extract; must brute-force the decryption command directly in a loop
- BitLocker (VHD/VHDx) — full-disk encryption; bitlocker2john extracts multiple hash types
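As an added example (not part of this cheatsheet, and not a tool from the John or hashcat projects), a header inspector that applies the distinction above before any tool is run: it spots the Salted__ prefix that file(1) reports for OpenSSL-wrapped data, and for ZIPs reads the local file header to tell unencrypted, legacy ZipCrypto and WinZip AES archives apart, since hashcat -m 13600 covers only the WinZip AES case. All samples are constructed inside the block; local_header builds a bare header with no payload, which is enough for the classification.

```python
import struct
import zipfile
from io import BytesIO

ZIP_LOCAL_SIG = b"PK\x03\x04"   # ZIP local file header signature
OPENSSL_MAGIC = b"Salted__"     # written by `openssl enc -salt`; what file(1) keys on
AES_EXTRA_ID = 0x9901           # WinZip AE-x extra field id
AES_STRENGTH = {1: 128, 2: 192, 3: 256}

def classify_archive(data: bytes) -> str:
    """Classify a blob by its header so the right tool and cracking mode is chosen."""
    if data.startswith(OPENSSL_MAGIC):
        return "openssl-salted"        # no hash to extract; only the decrypt loop works
    if not data.startswith(ZIP_LOCAL_SIG) or len(data) < 30:
        return "not-zip"               # RAR/7z/truncated: identify with file(1)
    # after the 4-byte signature: version, flags, method, time, date, crc32,
    # compressed size, uncompressed size, filename length, extra length
    _, flags, method, _, _, _, _, _, nlen, elen = struct.unpack_from("<HHHHHIIIHH", data, 4)
    if not flags & 0x0001:             # general-purpose bit 0 = encrypted
        return "zip-unencrypted"       # zip2john has nothing to extract; just unzip
    if method != 99:                   # 99 = WinZip AES wrapper method
        return "zip-zipcrypto"         # legacy PKZIP stream cipher, not hashcat 13600
    extra, off = data[30 + nlen:30 + nlen + elen], 0
    while off + 4 <= len(extra):       # walk extra fields: id(2) size(2) payload
        hid, hsize = struct.unpack_from("<HH", extra, off)
        if hid == AES_EXTRA_ID and hsize >= 7 and off + 11 <= len(extra):
            _, vendor, strength, _ = struct.unpack_from("<H2sBH", extra, off + 4)
            if vendor == b"AE":
                return f"zip-aes{AES_STRENGTH.get(strength, '?')}"   # hashcat -m 13600
        off += 4 + hsize
    return "zip-aes?"                  # method 99 but AE-x extra missing or malformed

def local_header(flags: int, method: int, extra: bytes = b"", name: bytes = b"secret.txt") -> bytes:
    """Constructed test data: a minimal ZIP local file header with no payload."""
    fixed = struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, 0, 0, 0, len(name), len(extra))
    return ZIP_LOCAL_SIG + fixed + name + extra

def sample_archives() -> dict:
    """Constructed samples, one per branch the cheatsheet distinguishes."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain")                              # real unencrypted ZIP
    ae2 = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)     # AE-2 extra, AES-256
    return {"plain.zip": buf.getvalue(),
            "zipcrypto.zip": local_header(0x0001, 8),
            "winzip-aes.zip": local_header(0x0001, 99, ae2),
            "openssl.gzip": OPENSSL_MAGIC + bytes(8) + bytes(16),       # salt + one block
            "archive.rar": b"Rar!\x1a\x07\x01\x00"}
```

The same check, run over archives leaving an estate, flags the ones still relying on ZipCrypto rather than AES.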
OpenSSL GZIP Loop Attack
When file archive.gzip reports "openssl enc'd data with salted password", tar/gzip cannot open the file directly and there is no hash for John or Hashcat. The attack brute-forces the decryption inline. The loop below reads the wordlist line by line (the common for i in $(cat ...) form splits on whitespace and mishandles passwords containing spaces) and stops at the first candidate that yields a valid tar stream:

```bash
while IFS= read -r pw; do
  # tar's exit status decides success; openssl's own error messages are silenced
  if openssl enc -aes-256-cbc -d -in GZIP.gzip -k "$pw" 2>/dev/null | tar xz 2>/dev/null; then
    echo "Password: $pw"
    break
  fi
done < rockyou.txt
```

Successful decryption extracts the files into the current directory and prints the password; failed attempts produce no output because both openssl's and tar's errors are discarded. Watch for files appearing in the current directory.
BitLocker Hash Filtering
bitlocker2john outputs two types of hashes per volume:
- $bitlocker$0$... — user password hash (faster to crack)
- $bitlocker$1$... — recovery key hash (48-digit numeric, rarely crackable)
Always filter with grep "bitlocker\$0" before passing to Hashcat.
BitLocker Mount Workflow
1. bitlocker2john → extract hash
2. hashcat -m 22100 → crack password
3. losetup -f -P → attach VHD as block device
4. lsblk → identify partition (e.g., /dev/loop0p2)
5. mkdir /media/bitlocker /media/bitlockermount
6. dislocker /dev/loop0p2 -u[PASSWORD] -- /media/bitlocker
7. mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
8. ls /media/bitlockermount → access files
The dislocker flag is -u (no space before the password): -uPassword123.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| zip2john returns ‘no password found’ | ZIP not encrypted | Open directly: unzip archive.zip; ‘no password’ means no encryption |
| john fails on 7z hash | 7z uses AES-256 | Use hashcat mode 11600 (-m 11600) for 7z; GPU required for reasonable speed |
| john cracks hash but password doesn’t work | Character encoding issue | Try password with different encodings; 7z allows unicode passwords |
| RAR archive password not cracking | RAR5 format | Use hashcat mode 13000 (-m 13000) for RAR5; john supports RAR3 natively |
| Archive opens but files inside also encrypted | Per-file encryption | Each file may have different password; try same password first, then crack individual file hashes |
📝 Reporting Trigger
Finding Title: Password-Protected Archive Cracked — Sensitive Data Exposed

Impact: Cracking password-protected archives reveals sensitive contents including credentials, private keys, or confidential documents that were protected under the assumption that archive encryption provides adequate security.

Root Cause: Weak password used for archive encryption. Archive password not managed through a secrets management system.

Recommendation: Use strong randomly-generated passwords for archive encryption. Store archive passwords in a password manager or secrets management system. Consider alternative secure file sharing methods (encrypted email, secure file transfer) that don't require password distribution.