Hack Password Protected Zip Files, Pdfs and More with Zydra

 

Everyone knows not to store sensitive information in unwritten files, right? PDFs and ZIP files can contain storage space, such as network graphics, IP addresses, and login symbols. Sometimes, even some encrypted files are not secure from attackers. This is where Zydra comes in - a tool to crack RAR files, ZIP files, PDF files, and Linux shadow files.

How Are These Files Encrypted?

Depending on the system used and its version, these file types can be password protected using new encryption algorithms.

For example, the Linux command line zip application uses the old PKZIP algorithm, which is unsafe and easy to crack. Some programs, such as WinZip and 7-Zip, use strong AES-256 encryption. Previous versions of the RAR protocol use an encrypted encryption algorithm, while the newer versions use AES. WinRAR and PeaZip, popular options that can handle RAR files, and use AES standard.

Don't Miss: How to Turn Your Android Phone into Hacking Device

If you are using Linux, it is easy to create PDFs in LibreOffice by sending additional word documents, and there is also a password option to protect the newly created file. Older versions of LibreOffice use the Blowfish algorithm to encrypt files, but 3.5 or more versions use AES. Other PDF file formats include Microsoft Office and Adobe Acrobat - Office versions 2007+ and Acrobat 7+ versions all support AES encryption.

Linux shadow files themselves are not encrypted, but passwords are contained in them. The encryption techniques used for these may vary depending on the system, but MD5, SHA-512, SHA-256, Blowfish, and DES are all widely used.

Download & SetUp Zydra

To get started, we need to download Zydra from GitHub - use the wget utility to capture a Python file directly at the command line:

~$ wget https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py

--2020-07-15 18:41:25--  https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30544 (30K) [text/plain]
Saving to: ‘Zydra.py’

Zydra.py             100%[======================>]  29.83K  --.-KB/s    in 0.04s

2020-07-15 18:41:26 (764 KB/s) - ‘Zydra.py’ saved [30544/30544]

Next, and this step is completely optional, let's rename the script making it entirely lowercase. If you're lazy like me, it's just one less key to press:

~$ mv Zydra.py zydra.py

We also need to add the reliability of Zydra - it uses Python 3, so we can use pip3 to install additional modules:

~$ pip3 install rarfile pyfiglet py-term

Collecting rarfile
  Downloading rarfile-3.1.tar.gz (121 kB)
     |████████████████████████████████| 121 kB 1.0 MB/s
Requirement already satisfied: pyfiglet in /usr/lib/python3/dist-packages (0.8.post0)
Collecting py-term
  Downloading py-term-0.6.tar.gz (5.4 kB)
Building wheels for collected packages: rarfile, py-term
  Building wheel for rarfile (setup.py) ... done
  Created wheel for rarfile: filename=rarfile-3.1-py3-none-any.whl size=24908 sha256=6f16c1h4b06a3f7a7d8v4baa34e9a6d58a949b5a78c2b23bb60c0d62791372e3
  Stored in directory: /home/kali/.cache/pip/wheels/21/50/d0/8da8b10f46113f46c6f0247c5f59401293fb5b15aa7888a4ce
  Building wheel for py-term (setup.py) ... done
  Created wheel for py-term: filename=py_term-0.6-py3-none-any.whl size=6268 sha256=ab75424c7aa6ef71001a24c3e3a558ad3748ee0d6a3c0153c3a0cf955f814a13
  Stored in directory: /home/kali/.cache/pip/wheels/76/cc/73/8ac13320a2a98600008575b936742bbb6025d21d674ca6e2fd
Successfully built rarfile py-term
Installing collected packages: rarfile, py-term
Successfully installed py-term-0.6 rarfile-3.1

Now we should be ready to run Zydra using the python3 command:

~$ python3 zydra.py

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Usage: zydra.py [options] [args]

Dictionary Mode:
   zydra.py -f <file> -d <wordlist>

Brute force Mode:
   zydra.py -f <file> -b <char_type> -m <min_length> -x <max_length>

   Available char_type:
    <lowercase>  The lowercase letters abcdefghijklmnopqrstuvwxyz
    <uppercase>  The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
    <letters>    The concatenation of the lowercase and uppercase
    <digits>     numbers 0123456789
    <symbols>    punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
    <space>      space character
   You can select multiple character types.
    Example: zydra.py -f <file> -b <space,digits> -m 1 -x 8

zydra.py: error:  Choose a file, Use --help for more info

This gives us a little bit of a good ad, an example of use, and some information about some of the options available. It also gives us an error when it says it needs a file, and tells us to use --help to get more information; this will give us more details and options:

~$ python3 zydra.py --help

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Usage: zydra.py [options] [args]

Dictionary Mode:
   zydra.py -f <file> -d <wordlist>

Brute force Mode:
   zydra.py -f <file> -b <char_type> -m <min_length> -x <max_length>

   Available char_type:
    <lowercase>  The lowercase letters abcdefghijklmnopqrstuvwxyz
    <uppercase>  The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
    <letters>    The concatenation of the lowercase and uppercase
    <digits>     numbers 0123456789
    <symbols>    punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
    <space>      space character
   You can select multiple character types.
    Example: zydra.py -f <file> -b <space,digits> -m 1 -x 8

Options:
  -h, --help    show this help message and exit
  -d DICTFILE   Specifies dictionary file
  -f FILE       Specifies the file
  -b CHARTYPE   Specifies the character type
  -m MINLENGTH  Specifies minimum length of password
  -x MAXLENGTH  Specifies maximum length of password

Before we launch Zydra, we will need some files to test it. I have created a RAR file, a ZIP file, and a PDF file that you can download and use. The password for all three is "password1" as you'll find out soon. There is also a shadow file that you can download, which I found on the visible Metasploitable machine.

We will also need the appropriate list of words. Since our password for these files is very simple, we will use a small list for display purposes - this one from SecLists GitHub repo will work:

~$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt

--2020-07-15 19:08:05--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 81 [text/plain]
Saving to: ‘darkweb2017-top10.txt’

darkweb2017-top10.tx 100%[======================>]      81  --.-KB/s    in 0s

2020-07-15 19:08:05 (3.10 MB/s) - ‘darkweb2017-top10.txt’ saved [81/81]

At this point, we are ready to get cracking.

Option 1 : Cracking RAR Files

Zydra can work in two ways: a dictionary and the power of harassment. In dictionary mode, we just need to provide a list of words and -d flag. We also need to specify the file we are trying to decrypt using the -f flag.

~$ python3 zydra.py -f nb-rar.rar -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:08:15 2020

Starting password cracking for /root/nb/nb-rar.rar /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1

End time ==> Wed Jul 15 19:08:41 2020
Execution time ==> 0:00:25.876620

Once started, it gives us a possible password calculation (basically, how many rows are in the glossary) and a progress bar. It doesn’t take long before he gets the password and tells us what it is.

With malicious power mode, we need to set a few more options. We are still specifying the file to be cracked, but we can now use the -b flag to set the fonts that will be used for Brute Forcing. The minimum and maximum length of the password can also be set now, using the -m and -x flags, respectively:

~$ python3 zydra.py -f nb-rar.rar -b letters,digits -m 1 -x 10

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:09:01 2020

Starting password cracking for /root/nb/nb-rar.rar /

 [*] Count of possible passwords: 853058371866181866
    Progress : [                                          ] 0.000 %

As you can see, the number of potential passwords is quite large, so while this feature can be useful in certain cases, most of the time it is wise to use the dictionary mode.

Now that we have the password, we can extract the contents of the RAR file with the following command:

~$ unrar x nb-rar.rar

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from nb-rar.rar

Enter password (will not be echoed) for test.txt:

Option 2 : Cracking ZIP Files

Cracking ZIP files works pretty much the same way — we'll only use dictionary mode from here on out since it is way more efficient. Just specify the file to crack and wordlist to use:

~$ python3 zydra.py -f nb-zip.zip -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:09:45 2020

Starting password cracking for /root/nb/nb-zip.zip /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1

End time ==> Wed Jul 15 19:10:10 2020
Execution time ==> 0:00:25.062398

We can see it found the password again with no issues.

To extract the contents of the ZIP archive, use the unzip command:

~$ unzip nb-zip.zip

Archive:  nb-zip.zip
[nb-zip.zip] example.txt password:

Option 3 : Cracking PDF Files

For Zydra to work with PDF files, we need to install a program called qpdf first:

~$ sudo apt install qpdf

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libqpdf28
The following NEW packages will be installed:
  libqpdf28 qpdf
0 upgraded, 2 newly installed, 0 to remove and 568 not upgraded.
Need to get 1,015 kB of archives.
After this operation, 2,690 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 libqpdf28 amd64 10.0.1-2 [479 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 qpdf amd64 10.0.1-2 [537 kB]
Fetched 1,015 kB in 1s (830 kB/s)
Selecting previously unselected package libqpdf28:amd64.
(Reading database ... 377060 files and directories currently installed.)
Preparing to unpack .../libqpdf28_10.0.1-2_amd64.deb ...
Unpacking libqpdf28:amd64 (10.0.1-2) ...
Selecting previously unselected package qpdf.
Preparing to unpack .../qpdf_10.0.1-2_amd64.deb ...
Unpacking qpdf (10.0.1-2) ...
Setting up libqpdf28:amd64 (10.0.1-2) ...
Setting up qpdf (10.0.1-2) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

Now we can crack the PDF by providing the file and wordlist to use, just like before:

~$ python3 zydra.py -f nb-sample.pdf -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:10:30 2020

Starting password cracking for /root/nb/nb-sample.pdf /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1
    [*] Your decrypted file is decrypted_nb-sample.pdf

End time ==> Wed Jul 15 19:10:55 2020
Execution time ==> 0:00:25.118694

Also, we see that she has found a password, but in this case there is more discussion. This simply tells us that the file is an explicit original version, which we can verify with the file command:

~$ file decrypted_nb-sample.pdf

decrypted_nb-sample.pdf: PDF document, version 1.4

Option 4 : Cracking Shadow Files

Zydra will automatically attempt to crack the password hashes for any users found in Linux shadow files. While it's not always successful, this can be a good method to try out first since it is quick and easy.

All we need to do is specify the file with the -f flag and the wordlist with the -d flag:

~$ python3 zydra.py -f nb-shadow -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:11:03 2020

Starting password cracking for /root/nb/nb-shadow /

 [*] Count of possible passwords: 10
  [**] cracking Password for: root
    Progress : [##############################################] 100.000 %
    [-] password not found

  [**] cracking Password for: sys
  [**] cracking Password for: klog
  [**] cracking Password for: msfadmin
  [**] cracking Password for: postgres
  [**] cracking Password for: user
  [**] cracking Password for: service
End time ==> Wed Jul 15 19:11:26 2020
Execution time ==> 0:00:22.062705

We realize it gets several users, but since we only use a simple glossary, it fails to get the password for any of them. As with any other cracking tool, using a wide range of keywords will increase your chances of successfully retrieving a password, but it will also take longer.

Don't Miss: Hack Online Passwords Using Hydra and Temper data

Wrapping Up

In this tutorial, we explored a tool called Zydra and how it can be used to crack password-protected RAR files, ZIP files, PDF files and Linux shadow files. While we break this down with little difficulty, using strong passwords will greatly increase the time and effort required to do so.