RSS
 

5020 – Password protected ZIP

02 Dec 2015
CTF: Hacking Lab
Link to challenge: https://www.hacking-lab.com
Date Completed: December 2014

To solve this challenge I simply performed a dictionary attack on the zip file until I had discovered the correct password. Linux tools available are fairly slow and may only test 1000-10000 passwords each second so I decided to use Accent Zip password recovery which is a commercial tool capable of testing upto 600000 passwords a second. The answer was found in under 2 seconds.

Security Questions

1. The security problem with ZIP files is that there is that they are vulnerable to brute force attacks as it is a client side security scheme.

2. Due to the nature of ZIP files, the only method of attack is a bruteforce attack. I used a third party tool ‘Accent Zip password recovery’ to bruteforce the password for this zip. Luckily, the password was short (5 characters) and was a common dictionary word.

The password was: close

3. As ZIP files are vulnerable to bruteforce attacks. The password creator could ensure:

  • their password is of a long size (i.e. 10+ characters) making bruteforce attacks take much longer
  • their password is not a common dictionary word and contains symbols/numbers/uppercase/lowercase characters
 
No Comments

Posted in Hacking Lab

 

Leave a Reply