Coding Challenge #66 - Zip File Cracker

This challenge is to build your own zip file cracking tool.

Despite it being well known that encrypted zip file are not particularly secure many people still use them, including several of the companies that my recent employers have used to “encrypt” my payslips.

It’s especially poor when they use a simple to guess / or common combination of words as the password, making the password easily susceptible to a dictionary attack. Making it more security / privacy theatre than reality.

In this coding challenge we’re going to write a zip file cracker so you’ll know how easy it is to crack zip file and you’ll never use password protected (encrypted) zip files to share personal/sensitive data.

The Challenge - Building a Zip File Cracker

In this coding challenge we’re going to build a tool to ‘crack’ an encrypted zip file.

Step Zero

In many programming languages we index arrays from zero onwards. Coding Challenges is the same, we start with Step 0. It’s the step where you setup your IDE / editor of choice and programming language of choice.

This is a great challenge to complete in a language like C, C++, Rust or Go so you can build a concurrent cracker. Though it’s perfectly possible to do it in languages like PHP, Python or JavaScript. The choice is yours!

After you’ve setup your development environment create a test zip file like so:

% export LC_CTYPE=C
% cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-1000} | head -n 1 > cc.txt
challenge-zip-cracker 
% zip -e cctest.zip cc.txt
        

Enter a password when prompted. For now use the simple password ‘test’.

Step 1

In this step your goal is to verify the file is a zip file. The simplest way to do this is to check the headers match those of a zip file. You can do that by reading the headers and checking they match those detailed here.

If you remember back to the build your own xxd coding challenge we could use xxd to inspect the file and see the headers too:

% xxd -l64 cctest.zip
00000000: 504b 0304 1400 0900 0800 0e81 dc58 09a9  PK...........X..
00000010: b5ad f602 0000 e903 0000 0600 1c00 6363  ..............cc
00000020: 2e74 7874 5554 0900 03ec d17e 66ee d17e  .txtUT.....~f..~
00000030: 6675 780b 0001 04f5 0100 0004 1400 0000  fux.............
        

Another key thing to notice here is that even though the file is “encrypted” the metadata is not - we can see the filename: cc.txt.

Your program should do something like this:

% cczipcrack cctest.zip
Has zip headers.
% cczipcrack cc.txt
Does not have zip headers.
        

Continued...

You can find the remaining steps for this challenge on the Coding Challenges website as build your own zip file cracker..