I have made a 7z archive using Delta filter containing a wav file and I have protected it with a password. I am running a terminal in Kali Linux. My problem is that I cannot get the password cracked using 7z2john.pl and john the ripper. If I omit the Delta compression, using only the default compression of 7z, then the cracking succeeds. My question: is it possible to use 7z2john.pl and john the ripper to crack a password-protected 7z file with Delta compression? If it is possible, how can it be done?
Here are the steps to reproduce the problem:
- I use the following command to create the archive:
7z a test.7z *.wav -mf=Delta:4 -peasy
I get this output:
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=fi_FI.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz (306C3),ASM,AES-NI) Open archive: test.7z -- Path = test.7z Type = 7z Physical Size = 1090 Headers Size = 162 Method = Delta LZMA2:15 7zAES Solid = - Blocks = 1 Scanning the drive: 1 file, 32080 bytes (32 KiB) Updating archive: test.7z Items to compress: 1 Files read from disk: 1 Archive size: 1090 bytes (2 KiB) Everything is Ok
- I use 7z2john.pl to generate material for John the Ripper to crack the archive:
/usr/share/john/7z2john.pl test.7z > test.hash
- I create a word list file containing only the password I gave to the archive:
echo easy > wordlist.txt
Then I try to decrypt the file:
sudo john test.hash --wordlist=wordlist.txt
I get the following output:
Using default input encoding: UTF-8 Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES]) Cost 1 (iteration count) is 524288 for all loaded hashes Cost 2 (padding size) is 3 for all loaded hashes Cost 3 (compression type) is 2 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Warning: Only 1 candidate left, minimum 32 needed for performance. 0g 0:00:00:00 DONE (2020-08-15 07:37) 0g/s 5.555p/s 5.555c/s 5.555C/s easy Session completed
- I check if the password has been cracked:
sudo john --show test.hash
I get the following output:
0 password hashes cracked, 1 left
So it seems that the decrypting did not succeed. However, I can extract the archive using command 7z e test.7z -peasy
so the password should be correct. Also, if I create the archive without specifying the Delta filter using command 7z a test.7z *.wav -peasy
. That way, by repeating the steps 1-4 I get the password cracked and am shown the result that the correct password has been found:
$ 7z a test.7z *.wav -peasy 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=fi_FI.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz (306C3),ASM,AES-NI) Scanning the drive: 1 file, 32080 bytes (32 KiB) Creating archive: test.7z Items to compress: 1 Files read from disk: 1 Archive size: 1058 bytes (2 KiB) Everything is Ok $ /usr/share/john/7z2john.pl test.7z > test.hash $ echo easy >> wordlist.txt $ sudo john test.hash --wordlist=wordlist.txt Using default input encoding: UTF-8 Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES]) Cost 1 (iteration count) is 524288 for all loaded hashes Cost 2 (padding size) is 11 for all loaded hashes Cost 3 (compression type) is 2 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Warning: Only 1 candidate left, minimum 32 needed for performance. easy (test.7z) 1g 0:00:00:00 DONE (2020-08-15 07:49) 5.263g/s 5.263p/s 5.263c/s 5.263C/s easy Use the "--show" option to display all of the cracked passwords reliably Session completed $ sudo john --show test.hash test.7z:easy 1 password hash cracked, 0 left