Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.

Commander Kinsey explained on 2/14/2023 :
> Trying to get into a password protected zip. Got three instances of a free
> password cracker (Stella Data Recovery) running for the last handful of hours
> trying three different methods (they only use 1 core each). Still not got
> in. I find it hard to believe zips are that tightly sealed.

256 bit encryption is pretty strong.

What was used to encrypt it?

On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:

> Commander Kinsey explained on 2/14/2023 :
>> Trying to get into a password protected zip. Got three instances of a free
>> password cracker (Stella Data Recovery) running for the last handful of hours
>> trying three different methods (they only use 1 core each). Still not got
>> in. I find it hard to believe zips are that tightly sealed.
>
> 256 bit encryption is pretty strong.
>
> What was used to encrypt it?

Is there not a standard for all zips?

I remember from the 90s when zips were a new thing, it was a laugh they could easily be opened.

On 2/14/2023 10:05 AM, Commander Kinsey wrote:
> Trying to get into a password protected zip.  Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each).  Still not got in.  I find it hard to believe zips are that tightly sealed.

Old ZIP, trivially crack-able.
New ZIP, not so much.

https://en.wikipedia.org/wiki/ZIP_%28file_format%29#Strong_encryption_controversy

"WinZip introduced its own AES-256 encryption"

Not everything with that file extension, is easy pickins.
You'll need a dictionary attack, and cracking speed will
depend on whether they decided to use multi-pass or not.

The last time I experimented with cracking, the software
said "it will take 13 years" :-) You get the idea. Mind you,
I was unable to get my video card to work on it, my attempt
ran CPU-only.

$ file SketchUp2017.zip <=== made an AES-256 with 7-ZIP zip option, set password to "12345"

SketchUp2017.zip: Zip archive data, at least v5.1 to extract

$ file shotwell-master.zip

shotwell-master.zip: Zip archive data, at least v1.0 to extract

$ file Sandboxie-5.40.zip

Sandboxie-5.40.zip: Zip archive data, at least v1.0 to extract

The non-crypto ones are the "more-compatible" ones that even
Windows can open for extraction.

In Windows 11, I used the bash shell to access a modern "file" and /etc/magic.
Not that it really did an outstanding job. I would prefer it to name
the encryption, like zipcrypto if it was trivially crack-able.

If I use ZipCrypto, it says:

$ file SketchUp2017.zip <=== made a ZipCrypto with 7-ZIP zip option, set password to "12345"

SketchUp2017.zip: Zip archive data, at least v2.0 to extract

Paul

Commander Kinsey wrote on 2/14/2023 :
> On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org>
> wrote:
>
>> Commander Kinsey explained on 2/14/2023 :
>>> Trying to get into a password protected zip. Got three instances of a
>>> free
>>> password cracker (Stella Data Recovery) running for the last handful of
>>> hours
>>> trying three different methods (they only use 1 core each). Still not got
>>> in. I find it hard to believe zips are that tightly sealed.
>>
>> 256 bit encryption is pretty strong.
>>
>> What was used to encrypt it?
>
> Is there not a standard for all zips?
>
> I remember from the 90s when zips were a new thing, it was a laugh they could
> easily be opened.

Yes, their password protection was feeble. Now they 'can' encrypt with
128 or 256 bit encryption algorithms.

That is a very large 'password space' (keyspace) to slog through doing
even modified brute force attacks.

"Commander Kinsey" <CK1@nospam.com> wrote:

>Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.

The ZIP format was created for data compression, not security. Since
then password protection has been added to it. I guess it would be as
strong or weak as any other encrypted format.

--
Tim Slattery
tim <at> risingdove <dot> com

Tim Slattery formulated on Wednesday :
> "Commander Kinsey" <CK1@nospam.com> wrote:
>
>> Trying to get into a password protected zip. Got three instances of a free
>> password cracker (Stella Data Recovery) running for the last handful of
>> hours trying three different methods (they only use 1 core each). Still not
>> got in. I find it hard to believe zips are that tightly sealed.
>
> The ZIP format was created for data compression, not security. Since
> then password protection has been added to it. I guess it would be as
> strong or weak as any other encrypted format.

From:

https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.7.TXT

4.4.3 version needed to extract (2 bytes)

4.4.3.1 The minimum supported ZIP specification version needed
to extract the file, mapped as above. This value is based on
the specific format features a ZIP program MUST support to
be able to extract the file. If multiple features are
applied to a file, the minimum version MUST be set to the
feature having the highest value. New features or feature
changes affecting the published format specification will be
implemented using higher version numbers than the last
published value to avoid conflict.

4.4.3.2 Current minimum feature versions are as defined below:

1.0 - Default value
1.1 - File is a volume label
2.0 - File is a folder (directory)
2.0 - File is compressed using Deflate compression
2.0 - File is encrypted using traditional PKWARE encryption
2.1 - File is compressed using Deflate64(tm)
2.5 - File is compressed using PKWARE DCL Implode
2.7 - File is a patch data set
4.5 - File uses ZIP64 format extensions
4.6 - File is compressed using BZIP2 compression*
5.0 - File is encrypted using DES
5.0 - File is encrypted using 3DES
5.0 - File is encrypted using original RC2 encryption
5.0 - File is encrypted using RC4 encryption
5.1 - File is encrypted using AES encryption
5.1 - File is encrypted using corrected RC2 encryption**
5.2 - File is encrypted using corrected RC2-64 encryption**
6.1 - File is encrypted using non-OAEP key wrapping***
6.2 - Central directory encryption
6.3 - File is compressed using LZMA
6.3 - File is compressed using PPMd+
6.3 - File is encrypted using Blowfish
6.3 - File is encrypted using Twofish

On 2/15/2023 11:13 AM, Tim Slattery wrote:
> "Commander Kinsey" <CK1@nospam.com> wrote:
>
>> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
>
> The ZIP format was created for data compression, not security. Since
> then password protection has been added to it. I guess it would be as
> strong or weak as any other encrypted format.
>

The export laws on crypto, historically had a chilling effect
on crypto strength. And to some extent, that hasn't changed.
It's only when it impacts the competitiveness of a country,
that it stops.

It used to be "you stop it before it happens" was how
you handled crypto. Today, it's the usage of rubber hoses
which is the preferred method (the TrueCrypt mystery,
and legislative attempts to build backdoors).

When ZIP was invented, elliptic curve didn't exist. But
there were still likely to have been methods which signal
you are using the "tough" version. Using a weak-as-piss
method ensures your product can be Exported.

The same kinds of things happened on PDF format.

And the old protection on ZIP is so weak, if Google wants to,
they can scan ZIP attachments in GMail with that protection method,
in "real time". You can't have a much weaker crypto than that.
It's no barrier at all.

The newer method on the other hand, is more of an impediment.

Even the encryption on 7Z has had the odd issue, but these
implementation details have been corrected.

Paul

On 14/2/2023 11:05 pm, Commander Kinsey wrote:
> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.

Talk to ChatGPT? :)

Theoretically, all password prompts can be hacked. Dictionary attack is
usually the first method to try.

On 2023-02-15 12:19, Mr. Man-wai Chang wrote:
> On 14/2/2023 11:05 pm, Commander Kinsey wrote:
>> Trying to get into a password protected zip.  Got three instances of a
>> free password cracker (Stella Data Recovery) running for the last
>> handful of hours trying three different methods (they only use 1 core
>> each).  Still not got in.  I find it hard to believe zips are that
>> tightly sealed.
>
>
> Talk to ChatGPT? :)
>
> Theoretically, all password prompts can be hacked. Dictionary attack is
> usually the first method to try.

</lurk>

!*yvgWXVyTQnfbUfj7tNstkM-

Not in the dictionary much.

Back in the 80s or 90s we needed to unzip a file after an engineer left
the co.

Another engineer used a dictionary attack. Got nowhere.
Then asked "who was the engineer anyway?"
"Eric"
He switched to a Hebrew dictionary and the zip file was opened
quickly... (Hebrew rendered in the English alphabet).

<lurk>

--
“Donald Trump and his allies and supporters are a clear and present
danger to American democracy.”
- J Michael Luttig - 2022-06-16
- Former US appellate court judge (R) testifying to the January 6
committee

On 18/2/2023 7:25 am, Alan Browne wrote:
>
> Not in the dictionary much.
>
> Back in the 80s or 90s we needed to unzip a file after an engineer left
> the co.
>
> Another engineer used a dictionary attack. Got nowhere.
> Then asked "who was the engineer anyway?"
> "Eric"
> He switched to a Hebrew dictionary and the zip file was opened
> quickly... (Hebrew rendered in the English alphabet).

It's still a dictonary hack, using a human languagte called Hebrew! :)

The other method is of course using the characteristic of ASCII/EBCDIC!
That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
method will definitely work, but needs time! ;)

On 18/2/2023 9:35 pm, Mr. Man-wai Chang wrote:
>
> The other method is of course using the characteristic of ASCII/EBCDIC!
> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
> method will definitely work, but needs time! ;)

Exactly like hacking a combination lock...

On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
> On 18/2/2023 7:25 am, Alan Browne wrote:
>>
>> Not in the dictionary much.
>>
>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>> the co.
>>
>> Another engineer used a dictionary attack.  Got nowhere.
>> Then asked "who was the engineer anyway?"
>> "Eric"
>> He switched to a Hebrew dictionary and the zip file was opened
>> quickly... (Hebrew rendered in the English alphabet).
>
> It's still a dictonary hack, using a human languagte called Hebrew! :)
>
> The other method is of course using the characteristic of ASCII/EBCDIC!
> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", ....  This
> method will definitely work, but needs time! ;)

That was back then - since then people have learned (I hope) to use real
passwords such as the one I put up. Also the encryption level used
these days is far better than back then.

--
“Donald Trump and his allies and supporters are a clear and present
danger to American democracy.”
- J Michael Luttig - 2022-06-16
- Former US appellate court judge (R) testifying to the January 6
committee

Mr. Man-wai Chang submitted this idea :
> On 18/2/2023 7:25 am, Alan Browne wrote:
>>
>> Not in the dictionary much.
>>
>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>> the co.
>>
>> Another engineer used a dictionary attack. Got nowhere.
>> Then asked "who was the engineer anyway?"
>> "Eric"
>> He switched to a Hebrew dictionary and the zip file was opened
>> quickly... (Hebrew rendered in the English alphabet).

Modified Brute Force attack.

> It's still a dictonary hack, using a human languagte called Hebrew! :)

Twice Modified Brute Force attack.

> The other method is of course using the characteristic of ASCII/EBCDIC! That
> is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This method will
> definitely work, but needs time! ;)

Brute Force attack.

On 19/2/2023 1:18 am, FromTheRafters wrote:
>
> Modified Brute Force attack.
>
> Twice Modified Brute Force attack.
>
> Brute Force attack.

People might not know the meaning of "brute force". Picking phyical
locks might be easier to understand. :)

Mr. Man-wai Chang explained on 2/19/2023 :
> On 19/2/2023 1:18 am, FromTheRafters wrote:
>>
>> Modified Brute Force attack.
>>
>> Twice Modified Brute Force attack.
>>
>> Brute Force attack.
>
>
> People might not know the meaning of "brute force".

True, but as you know it just means the whole keyspace is searched and
on average you check half of them to get a winner.

> Picking phyical locks
> might be easier to understand. :)

True again, but when you can reduce the keyspace to a smaller set it is
a 'Modified Brute Force attack' so needing to check only for words
reduces the effective keyspace and then further restricting to only
words for a language known to be used by the person doing the
encryption narrows it even further.

Alan Browne <bitbucket@blackhole.com> wrote:
> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>
>>> Not in the dictionary much.
>>>
>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>> the co.
>>>
>>> Another engineer used a dictionary attack.  Got nowhere.
>>> Then asked "who was the engineer anyway?"
>>> "Eric"
>>> He switched to a Hebrew dictionary and the zip file was opened
>>> quickly... (Hebrew rendered in the English alphabet).
>>
>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>
>> The other method is of course using the characteristic of ASCII/EBCDIC!
>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", ....  This
>> method will definitely work, but needs time! ;)
>
> That was back then - since then people have learned (I hope) to use real
> passwords such as the one I put up.

Many do and many don't.

As long as people need to type in passwords they aren't going to use long
and complicated strings.

> Also the encryption level used
> these days is far better than back then.

It doesn't matter how good the encryption is if the password is bad.

On 2023-02-19 17:56, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>
>>>> Not in the dictionary much.
>>>>
>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>> the co.
>>>>
>>>> Another engineer used a dictionary attack.  Got nowhere.
>>>> Then asked "who was the engineer anyway?"
>>>> "Eric"
>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>> quickly... (Hebrew rendered in the English alphabet).
>>>
>>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>>
>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", ....  This
>>> method will definitely work, but needs time! ;)
>>
>> That was back then - since then people have learned (I hope) to use real
>> passwords such as the one I put up.
>
> Many do and many don't.
>
> As long as people need to type in passwords they aren't going to use long
> and complicated strings.

Either use a password manager (as I do) or become clever in the
composition of the passwords. So earlier I posted a pretty random one
appropriate to a password manager.

Alternately strong passwords that are memorable can look something like:

merrY$penGuin@2four78

>> Also the encryption level used
>> these days is far better than back then.
>
> It doesn't matter how good the encryption is if the password is bad.

Of course.

--
“Donald Trump and his allies and supporters are a clear and present
danger to American democracy.”
- J Michael Luttig - 2022-06-16
- Former US appellate court judge (R) testifying to the January 6
committee

On 2/19/2023 5:56 PM, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>
>>>> Not in the dictionary much.
>>>>
>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>> the co.
>>>>
>>>> Another engineer used a dictionary attack.  Got nowhere.
>>>> Then asked "who was the engineer anyway?"
>>>> "Eric"
>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>> quickly... (Hebrew rendered in the English alphabet).
>>>
>>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>>
>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", ....  This
>>> method will definitely work, but needs time! ;)
>>
>> That was back then - since then people have learned (I hope) to use real
>> passwords such as the one I put up.
>
> Many do and many don't.
>
> As long as people need to type in passwords they aren't going to use long
> and complicated strings.
>
>> Also the encryption level used
>> these days is far better than back then.
>
> It doesn't matter how good the encryption is if the password is bad.

Any Internet-facing passwords here, are long and strong.

Security inside my LAN is poor. If something gets in here,
it's total destruction time... If I spent the whole day
building a fort out of cardboard boxes, there would be nothing
of value inside the fort (all my waking hours would be spent
on the fort and nothing else).

Is my router vulnerable ? Based on industry standards of
security, the answer to that is... Yes.

Part of the security for a home user, is what the ISP
is doing. For example, I watched one day, as someone within
myisp.com was scanning my node. Today, the ISP does not allow
other users to scan internal nodes, so I no longer see
script kiddies doing stuff like that. However, Google can
still attempt to scan the node. There is, of course, no
purposeful webserver running (that I know of). There could
be localhost:631 within the bash shell, but that's about it.
Even if IIS on the current OS, actually installed useful
stuff (it doesn't), I would not be doing that. I have used
the IIS ftpd setup in the past, but only on an episode basis
(for a couple hours, and not port-forwarded, then removed).

Since my WinXP machine died, my imaginary security has
gone up this much [fingers measure a tiny space about
the size of a millimeter] :-)

Paul

On Sun, 19 Feb 2023 19:00:12 -0500, Paul <nospam@needed.invalid> wrote:

>Part of the security for a home user, is what the ISP
>is doing. For example, I watched one day, as someone within
>myisp.com was scanning my node. Today, the ISP does not allow
>other users to scan internal nodes, so I no longer see
>script kiddies doing stuff like that. However, Google can
>still attempt to scan the node. There is, of course, no
>purposeful webserver running (that I know of). There could
>be localhost:631 within the bash shell, but that's about it.
>Even if IIS on the current OS, actually installed useful
>stuff (it doesn't), I would not be doing that.

Well, IIS includes a web server, which I find very useful and
convenient. Useful for one is apparently not useful for another. In my
case, it saves me from having to go get a third party web server.

>I have used
>the IIS ftpd setup in the past, but only on an episode basis
>(for a couple hours, and not port-forwarded, then removed).

On 2/19/2023 7:43 PM, Char Jackson wrote:

>
>> I have used
>> the IIS ftpd setup in the past, but only on an episode basis
>> (for a couple hours, and not port-forwarded, then removed).

When I looked at this previously, I did not like the
lack of the word "server". When they choose waffle-words
for stuff, I can't tell if I'm getting a pony, or only the pony-poo.

[Picture]

https://i.postimg.cc/MK7Xq1sb/Win11-IIS.gif

And this uncertainty started, with some HyperV shuck-and-jive.
You could not tell what you were getting.

Paul

Alan Browne <bitbucket@blackhole.com> wrote:
> On 2023-02-19 17:56, Chris wrote:
>> Alan Browne <bitbucket@blackhole.com> wrote:
>>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>>
>>>>> Not in the dictionary much.
>>>>>
>>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>>> the co.
>>>>>
>>>>> Another engineer used a dictionary attack.  Got nowhere.
>>>>> Then asked "who was the engineer anyway?"
>>>>> "Eric"
>>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>>> quickly... (Hebrew rendered in the English alphabet).
>>>>
>>>> It's still a dictonary hack, using a human languagte called Hebrew! :)
>>>>
>>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", ....  This
>>>> method will definitely work, but needs time! ;)
>>>
>>> That was back then - since then people have learned (I hope) to use real
>>> passwords such as the one I put up.
>>
>> Many do and many don't.
>>
>> As long as people need to type in passwords they aren't going to use long
>> and complicated strings.
>
> Either use a password manager (as I do) or become clever in the
> composition of the passwords.

I agree and do use s password manager myself. However, having tried to
persuade family members to do the same, it's just too much of a faff and
they stick with their crappy and/or written down passwords.

With the best will in the world many people will not be using best
practices.

On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:

> As long as people need to type in passwords they aren't going to
> use long and complicated strings.

No excuse!

mechanic <mechanic@example.net> wrote:

> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>
> > As long as people need to type in passwords they aren't going to
> > use long and complicated strings.
>
> No excuse!

And long passwords need not be difficult.
1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
(if you are not known for fandom)

Jan

mechanic <mechanic@example.net> wrote:
> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>
>> As long as people need to type in passwords they aren't going to
>> use long and complicated strings.
>
> No excuse!

At work one time, I set up my password as a 25 character random string via
my password manager which was great until they decided to sync the network
password with the local password on my machine. So when when I needed to
login after a reboot or screensaver kicks in I had to type it in manually.

Quickly changed it - via the support desk - to something more type-able!