Zydra - How to Crack Password-Protected ZIP Files, PDFs & More

Contents

1. Zydra - How to Crack Password-Protected ZIP Files, PDFs & More
2. How Are These Records Encoded?
3. Download and Set Up Zydra
4. Cracking RAR Documents
5. Cracking Compress Records
6. Cracking PDF Documents
7. Cracking Shadow Records
8. Wrapping Up

Zydra - How to Crack Password-Protected ZIP Files, PDFs & More

Everyone knows not to store delicate data in decoded records, correct? PDFs and Compress documents can frequently contain a mother lode of data, for example, network graphs, IP addresses, and login certifications. In some cases, even specific documents that are scrambled aren't protected from aggressors. That is where Zydra comes in — a device for breaking RAR documents, compressing records, PDF records, and Linux shadow records.

How Are These Records Encoded?

Contingent upon the program utilized and its rendition, such records could be secret keys safeguarded utilizing different encryption calculations.

For instance, the Linux order line zip utility purposes the more seasoned PKZIP calculation, which is shaky and simple to break. Different projects, such as WinZip and 7-Zip, have major areas of strength for utilizing 256 encryption. Prior renditions of the RAR convention utilize a restrictive encryption calculation, while more current forms use AES. WinRAR and PeaZip, well-known decisions that can manage RAR records, likewise utilize the AES standard.

Arm's Next Gen Cpu & Gpu

Assuming you're utilizing Linux, it's not difficult to make PDFs in LibreOffice by sending out ordinary word records, and there's even a choice to secret key safeguard the recently made document. More established forms of LibreOffice utilize the Blowfish calculation to scramble documents, yet forms 3.5 and up use AES. Different strategies to make PDF records incorporate Microsoft Office and Adobe Stunt-devil — Office renditions 2007+ and Aerialist Forms 7+ all help AES encryption.

Linux shadow records themselves are not encoded, yet the passwords held inside them are. Encryption calculations utilized for these can change contingent upon the framework, however, MD5, SHA-512, SHA-256, Blowfish, and DES are ordinarily utilized.

Download and Set Up Zydra

To start, we really want to download Zydra from GitHub — utilize the wget utility to snatch the Python record right from the order line:

~$ wget https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py

--2020-07-15 18:41:25--  https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30544 (30K) [text/plain]
Saving to: ‘Zydra.py’

Zydra.py             100%[======================>]  29.83K  --.-KB/s    in 0.04s

2020-07-15 18:41:26 (764 KB/s) - ‘Zydra.py’ saved [30544/30544]

Then, and this step is totally discretionary, how about we rename the content making it altogether lowercase. Assuming you're languid like me, it's only one less key to press:

~$ mv Zydra.py zydra.py

We additionally need to introduce a few conditions for Zydra to work appropriately — it utilizes Python 3, so we can utilize pip3 to introduce the additional modules:

~$ pip3 install rarfile pyfiglet py-term

Collecting rarfile
  Downloading rarfile-3.1.tar.gz (121 kB)
     |████████████████████████████████| 121 kB 1.0 MB/s
Requirement already satisfied: pyfiglet in /usr/lib/python3/dist-packages (0.8.post0)
Collecting py-term
  Downloading py-term-0.6.tar.gz (5.4 kB)
Building wheels for collected packages: rarfile, py-term
  Building wheel for rarfile (setup.py) ... done
  Created wheel for rarfile: filename=rarfile-3.1-py3-none-any.whl size=24908 sha256=6f16c1h4b06a3f7a7d8v4baa34e9a6d58a949b5a78c2b23bb60c0d62791372e3
  Stored in directory: /home/kali/.cache/pip/wheels/21/50/d0/8da8b10f46113f46c6f0247c5f59401293fb5b15aa7888a4ce
  Building wheel for py-term (setup.py) ... done
  Created wheel for py-term: filename=py_term-0.6-py3-none-any.whl size=6268 sha256=ab75424c7aa6ef71001a24c3e3a558ad3748ee0d6a3c0153c3a0cf955f814a13
  Stored in directory: /home/kali/.cache/pip/wheels/76/cc/73/8ac13320a2a98600008575b936742bbb6025d21d674ca6e2fd
Successfully built rarfile py-term
Installing collected packages: rarfile, py-term
Successfully installed py-term-0.6 rarfile-3.1

~$ python3 zydra.py

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Usage: zydra.py [options] [args]

Dictionary Mode:
   zydra.py -f  -d 

Brute force Mode:
   zydra.py -f  -b  -m  -x 

   Available char_type:
      The lowercase letters abcdefghijklmnopqrstuvwxyz
      The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
        The concatenation of the lowercase and uppercase
         numbers 0123456789
        punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
          space character
   You can select multiple character types.
    Example: zydra.py -f  -b  -m 1 -x 8

zydra.py: error:  Choose a file, Use --help for more info

This gives us a decent standard, a used model, and some data about a portion of the choices accessible. It likewise gives us a blunder expressing it needs a document, and advises us to utilize - - help for more data; this will give us more subtleties and choices:

~$ python3 zydra.py --help

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Usage: zydra.py [options] [args]

Dictionary Mode:
   zydra.py -f  -d 

Brute force Mode:
   zydra.py -f  -b  -m  -x 

   Available char_type:
      The lowercase letters abcdefghijklmnopqrstuvwxyz
      The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
        The concatenation of the lowercase and uppercase
         numbers 0123456789
        punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
          space character
   You can select multiple character types.
    Example: zydra.py -f  -b  -m 1 -x 8

Options:
  -h, --help    show this help message and exit
  -d DICTFILE   Specifies dictionary file
  -f FILE       Specifies the file
  -b CHARTYPE   Specifies the character type
  -m MINLENGTH  Specifies minimum length of password
  -x MAXLENGTH  Specifies maximum length of password

Before we can run Zydra, we will require a few records to test it out on. I have made a RAR record, Compress document, and PDF document that you can download and use to track. The secret word for every one of the three of these is "password1" as you'll before long find out. There is likewise a shadow document you can download, which I got from the Metasploitable virtual machine.

We'll likewise require a reasonable wordlist. Since our secret word for these documents is basic, we'll involve a negligible rundown for exhibition purposes — this one from the SecLists GitHub repo will work:

~$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt

--2020-07-15 19:08:05--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 81 [text/plain]
Saving to: ‘darkweb2017-top10.txt’

darkweb2017-top10.tx 100%[======================>]      81  --.-KB/s    in 0s

2020-07-15 19:08:05 (3.10 MB/s) - ‘darkweb2017-top10.txt’ saved [81/81]

Right now, we are prepared to get breaking.

Cracking RAR Documents

Arm's Next Gen Cpu & Gpu

Zydra can work in two modes: word reference and animal power. In word reference mode, we simply have to supply a wordlist with the - d banner. We additionally need to determine the record we are attempting to break utilizing the - f banner:

~$ python3 zydra.py -f nb-rar.rar -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:08:15 2020

Starting password cracking for /root/nb/nb-rar.rar /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1

End time ==> Wed Jul 15 19:08:41 2020
Execution time ==> 0:00:25.876620

When it begins, it gives us the conceivable secret key count (essentially, the number of lines there that are in the wordlist) and an advancement bar. It doesn't take well before it tracks down the secret word and lets us know it.

For beast force mode, we really want to set a couple of additional choices. We actually determine the document to break, however, presently we can utilize the - b banner to set the person types to use for savage driving. The base and greatest length of the secret word can likewise be set presently, utilizing the - m and - x banners, individually:

~$ python3 zydra.py -f nb-rar.rar -b letters,digits -m 1 -x 10

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
           /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:09:01 2020

Starting password cracking for /root/nb/nb-rar.rar /

 [*] Count of possible passwords: 853058371866181866
    Progress : [                                          ] 0.000 %

As may be obvious, the quantity of potential passwords is very enormous, so while this element can be helpful in specific cases, more often than not utilizing the word reference mode is shrewd.

Since we have the secret phrase, we can remove the items in the RAR document with the accompanying order:

~$ unrar x nb-rar.rar

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from nb-rar.rar

Enter password (will not be echoed) for test.txt:

Arm's Next Gen Cpu & Gpu

Cracking Compress Records

Breaking Compress documents works basically the same way — we'll just utilize word reference mode from this point forward since it is much more effective. Simply determine the document to break and the wordlist to utilize:

~$ python3 zydra.py -f nb-zip.zip -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:09:45 2020

Starting password cracking for /root/nb/nb-zip.zip /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1

End time ==> Wed Jul 15 19:10:10 2020
Execution time ==> 0:00:25.062398

We can see it found the secret word again without any issues.

To separate the items in the ZIP document, utilize the unfasten order:

~$ unzip nb-zip.zip

Archive:  nb-zip.zip
[nb-zip.zip] example.txt password:

Cracking PDF Documents

For Zydra to work with PDF documents, we want to introduce a program called pdf first:

~$ sudo apt install qpdf

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libqpdf28
The following NEW packages will be installed:
  libqpdf28 qpdf
0 upgraded, 2 newly installed, 0 to remove and 568 not upgraded.
Need to get 1,015 kB of archives.
After this operation, 2,690 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 libqpdf28 amd64 10.0.1-2 [479 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 qpdf amd64 10.0.1-2 [537 kB]
Fetched 1,015 kB in 1s (830 kB/s)
Selecting previously unselected package libqpdf28:amd64.
(Reading database ... 377060 files and directories currently installed.)
Preparing to unpack .../libqpdf28_10.0.1-2_amd64.deb ...
Unpacking libqpdf28:amd64 (10.0.1-2) ...
Selecting previously unselected package qpdf.
Preparing to unpack .../qpdf_10.0.1-2_amd64.deb ...
Unpacking qpdf (10.0.1-2) ...
Setting up libqpdf28:amd64 (10.0.1-2) ...
Setting up qpdf (10.0.1-2) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

Presently we can break the PDF by giving the document and wordlist to utilize, very much like previously:

~$ python3 zydra.py -f nb-sample.pdf -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:10:30 2020

Starting password cracking for /root/nb/nb-sample.pdf /

 [*] Count of possible passwords: 10
    Progress : [#####################################     ] 80.000 %
    [+] Password Found: password1
    [*] Your decrypted file is decrypted_nb-sample.pdf

End time ==> Wed Jul 15 19:10:55 2020
Execution time ==> 0:00:25.118694

Once more, we can see it tracked down the secret phrase, however this time there is an extra discourse. This is essentially letting us know the record is a decoded form of the first, which we can check with the document order:

~$ file decrypted_nb-sample.pdf

decrypted_nb-sample.pdf: PDF document, version 1.4

Cracking Shadow Records

Zydra will consequently endeavor to break the secret word hashes for any clients found in Linux shadow documents. While it's not generally effective, this can be a decent technique to evaluate first since it is speedy and simple.

Arm's Next Gen Cpu & Gpu

We should simply indicate the record with the - f banner and the wordlist with the - d banner:

~$ python3 zydra.py -f nb-shadow -d darkweb2017-top10.txt

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         _______           ______   _______  _______
        / ___   )|\     /|(  __  \ (  ____ )(  ___  )
        \/   )  |( \   / )| (  \  )| (    )|| (   ) |
            /   ) \ (_) / | |   ) || (____)|| (___) |
          ok   /   /   \   /  | |   | ||     __)|  ___  |
          /   /     ) (   | |   ) || (\ (   | (   ) |
         /   (_/\   | |   | (__/  )| ) \ \__| )   ( |
        (_______/   \_/   (______/ |/   \__/|/     \|

        Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Wed Jul 15 19:11:03 2020

Starting password cracking for /root/nb/nb-shadow /

 [*] Count of possible passwords: 10
  [**] cracking Password for: root
    Progress : [##############################################] 100.000 %
    [-] password not found

  [**] cracking Password for: sys
  [**] cracking Password for: klog
  [**] cracking Password for: msfadmin
  [**] cracking Password for: postgres
  [**] cracking Password for: user
  [**] cracking Password for: service
End time ==> Wed Jul 15 19:11:26 2020
Execution time ==> 0:00:22.062705

Wrapping Up

In this instructional exercise, we investigated a device called Zydra and how it tends to be utilized to break secret phrase safeguarded RAR records, Compress documents, PDF documents, and Linux shadow documents. While we broke these with almost no trouble, major areas of strength for utilizing will incredibly build the time and exertion it takes to do as such.