Linux for OSCP… and beyond (IV): Compress, view, uncompress (and crack) compressed files in Linux.

Roberto T.
12 min read · Aug 2, 2023


Image generation with https://app.leonardo.ai

And here we are again! In this blog post, we will talk about some different tools used to compress and uncompress files in Linux, and also different ways to (try to) crack password protected compressed files.

DISCLAIMER: The sole purpose of these posts is to help people, since misuse of technology (in this case, the use of common, guessable or weak passwords) can lead to valuable information being easily accessed by cybercriminals. I am not responsible for potentially malicious uses that may be made of what is explained here. Remember: attempting to crack any protected system without prior authorization from its owner is ILLEGAL (at least in most countries around the globe).

In this case, the lesson to be learned is:

  1. Please take note and use a strong password system, especially when accessing public services, websites or applications.
  2. Try to rely on the use of password managers and keep your software properly updated.
  3. Use a reliable two-factor authentication (2FA) whenever possible (a cell phone, an e-mail address or a token or authentication software parallel to the use of passwords).

1. BZIP2 FILES (.bz2) — ONLY FILES

1.1 Installation

# Debian based distros
sudo apt-get install -y bzip2
sudo apt install -y bzip2

1.2 Compression

# Compress <file_name>, replacing it with <file_name>.bz2
bzip2 <file_name>

1.3 Uncompression

#Uncompress <file_name>.bz2, replacing it with <file_name> (-d for decompress)
bzip2 -d <file_name>.bz2

2. GZIP FILES (.gz) — ONLY FILES

2.1 Installation

# Debian based distros
sudo apt-get install -y gzip
sudo apt install -y gzip

2.2 Compression

# Compress <file_name>, replacing it with <file_name>.gz
# -9 for better compression
gzip -9 <file_name>

2.3 Viewing the contents

# -l lists the compressed size, the uncompressed size, the ratio and the name of the member
gzip -l <file_name>.gz

2.4 Uncompression

#Uncompress <file_name>.gz, replacing it with <file_name>
gzip -d <file_name>.gz

3. TAR FILES (.tar, .tar.gz, .tar.bz2)

3.1 Installation

# Debian based distros
sudo apt-get install -y tar
sudo apt install -y tar

3.2 .tar files

  • Compression
#-c: create a new archive (tar itself does not compress, it only packs files together)
#-v: verbose mode
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
tar -cvf files.tar /path/to/folder_to_compress
tar cvf files.tar /path/to/folder_to_compress
  • Viewing the contents
#-t: list the `tar` file content.
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
tar -tf files.tar
tar tf files.tar

# A large number of files...
tar -tf files.tar | less
tar tf files.tar | less
  • Uncompression
#-x: extract files
#-v: verbose mode
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
#Uncompress here
tar -xvf files.tar
tar xvf files.tar

#Uncompress to a folder (-C changes to that directory before extracting)
mkdir -p /path/to/folder && tar -xvf files.tar -C /path/to/folder
mkdir -p /path/to/folder && tar xvf files.tar -C /path/to/folder

3.3 .tar.gz files

  • Compression
#-c: create a new archive
#-v: verbose mode
#-z: compress the archive with gzip (.tar.gz)
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
tar -cvzf files.tar.gz /path/to/folder_to_compress
tar cvzf files.tar.gz /path/to/folder_to_compress

# We can also use gzip to compress a previously generated tar file into a smaller file .tar.gz:
gzip files.tar
  • Viewing the contents
#-t: list the `tar` file content.
#-z: the archive is gzip compressed (.tar.gz)
#-f: file, the name of the tar file we want `tar` to work with.
# This option must be followed by the name of the tar file, so -f goes last in the cluster (-tzf, not -tfz).
tar -tzf files.tar.gz
tar tzf files.tar.gz
# Notice that modern versions of GNU tar detect the compression from the file content,
# so "tar -tf files.tar.gz" or "tar tf files.tar.gz" is enough to show the content...

# A large number of files...
tar -tzf files.tar.gz | less
tar tzf files.tar.gz | less
  • Uncompression
#-x: Extract files
#-v: verbose mode
#-z: for tar gzip files (.tar.gz)
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
#Uncompress here
tar -xvzf files.tar.gz
tar xvzf files.tar.gz
#Uncompress to a folder
mkdir -p /path/to/folder && tar -xvzf files.tar.gz -C /path/to/folder
mkdir -p /path/to/folder && tar xvzf files.tar.gz -C /path/to/folder

#We can also use gunzip to decompress the .gz stream to stdout (-c) and pipe the .tar it contains into tar, using the default (uncompressed) mode:
gunzip -c files.tar.gz | tar xvf -

3.4 .tar.bz2 files

  • Compression
#-c: create a new archive
#-v: verbose mode
#-j: compress the archive with bzip2 (.tar.bz2)
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
tar -cvjf files.tar.bz2 /path/to/folder_to_compress
tar cvjf files.tar.bz2 /path/to/folder_to_compress

# We can also use bzip2 to compress a previously generated tar file into a smaller file .tar.bz2:
bzip2 files.tar
  • Viewing the contents
#-t: list the `tar` file content.
#-j: the archive is bzip2 compressed (.tar.bz2)
#-f: file, the name of the tar file we want `tar` to work with.
# This option must be followed by the name of the tar file, so -f goes last in the cluster (-tjf, not -tfj).
tar -tjf files.tar.bz2
tar tjf files.tar.bz2
# Notice that modern versions of GNU tar detect the compression from the file content,
# so "tar -tf files.tar.bz2" or "tar tf files.tar.bz2" is enough to show the content...

# A large number of files...
tar -tjf files.tar.bz2 | less
tar tjf files.tar.bz2 | less
  • Uncompression
#-x: Extract files
#-v: verbose mode
#-j: for tar bzip2 files (.tar.bz2) Use bzip2 to decompress inner tar file
#-f: file, the name of the tar file we want `tar` to work with. This option must be followed by the name of the tar file.
#Uncompress here
tar -xvjf files.tar.bz2
tar xvjf files.tar.bz2

#Uncompress to a folder
mkdir -p /path/to/folder && tar -xvjf files.tar.bz2 -C /path/to/folder
mkdir -p /path/to/folder && tar xvjf files.tar.bz2 -C /path/to/folder

#We can also use bzip2 to decompress the .bz2 stream to stdout (-dc) and pipe the .tar it contains into tar, using the default (uncompressed) mode:
bzip2 -dc files.tar.bz2 | tar xvf -

4. ZIP/UNZIP FILES AND DIRECTORIES (.zip)

4.1 Installation

# Debian based distros

# zip tool: ways to install...
sudo apt-get install -y zip
sudo apt install -y zip

# unzip tool: ways to install
sudo apt-get install -y unzip
sudo apt install -y unzip

4.2 Compression

zip files.zip <file1_to_add> <file2_to_add> <file3_to_add> ...

zip files.zip /path/to/folder

Recursively (-r):

zip -r files.zip folder1 folder2

- Examples:

zip ./backups/backup.zip file1.txt file2.txt file3.txt file4.txt

zip ./backups/backup.zip ./*.txt

zip -r ./backups/backup.zip folder1 folder2 folder3

zip -r ./backups/home-dir.zip ~/*

4.3 Viewing the contents

# With zipgrep (search the files inside a ZIP archive for lines matching a pattern).
# The pattern goes first and must be quoted so the shell does not expand it;
# an optional member glob after the archive restricts which entries are searched.
zipgrep '<pattern>' files.zip
zipgrep '<pattern>' files.zip '*.txt'

# With unzip (-l for list)
unzip -l files.zip

4.4 Uncompression

#Uncompress here
unzip files.zip

#Uncompress to a folder (-d for destination directory)
mkdir -p /path/to/folder && unzip files.zip -d /path/to/folder

5. RAR/UNRAR FILES AND DIRECTORIES (.rar)

5.1 Installation

# Debian based distros

# rar tool install
sudo apt-get install -y rar
sudo apt install -y rar

# unrar tool install
sudo apt-get install -y unrar
sudo apt install -y unrar

5.2 Compression

# Compress files... (a for adding/appending files/folders)
rar a <filename>.rar <file1_to_add> <file2_to_add> <file3_to_add> ...

# Compress a folder (-r recurses into subfolders; a bare "*.*" glob would skip
# files without a dot in their name and, without -r, the subfolders):
rar a -r <filename>.rar /path/to/folder/

# With password (-p<password>; use -hp<password> instead to also encrypt the file names in the headers,
# otherwise "unrar l" still lists them without the password):
rar a <filename>.rar <file1_to_add> <file2_to_add> ... -p<password>

rar a -r <filename>.rar /path/to/folder/ -p<password>

- Examples:

# Compress files...
rar a /tmp/backup.rar file1.bak file2.bak

# Compress a folder:
rar a -r user-home.rar ~/user/

# With password:
rar a shadow.rar /etc/shadow -pV3ryS3cur3P4ss

5.3 Viewing the contents

# check the content of a file 
# (l for list, t for testing the package integrity)
rar|unrar l <filename>.rar

# check package integrity
rar|unrar t <filename>.rar

5.4 Uncompression

# (rar|unrar means either command works; type one of them)
#Uncompress here (e extracts without the directory structure stored in the archive)
rar|unrar e <filename>.rar
#Uncompress here (x keeps the directory names and full paths)
rar|unrar x <filename>.rar

#Uncompress to a folder: the destination directory is the last argument, with a trailing slash
#(note that -o is the overwrite switch, -o+/-o-, not an output path)
#Without using directory names
mkdir -p /path/to/folder && rar|unrar e <filename>.rar /path/to/folder/
#Using directory names and full paths
mkdir -p /path/to/folder && rar|unrar x <filename>.rar /path/to/folder/

# With password...
#Uncompress to a folder (without using directory names)
mkdir -p /path/to/folder && rar|unrar e <filename>.rar /path/to/folder/ -p<password>
#Uncompress to a folder (using directory names and full paths)
mkdir -p /path/to/folder && rar|unrar x <filename>.rar /path/to/folder/ -p<password>

6. 7ZIP FILES AND DIRECTORIES (.7z, .zip, .gz, .bz2, .tar, …)

Last but not least (in fact this tool is my favorite one), 7zip is a file archiver with a high compression ratio. It implements LZMA compression algorithm featuring very high compression ratio, LZMA2, XZ, ZIP, Zip64, CAB, RAR (if the non-free p7zip-rar package is installed), ARJ, GZIP, BZIP2, TAR, CPIO, RPM, ISO, most filesystem images and DEB formats. Compression ratio in the new 7z format is 30–50% better than ratio in ZIP format (extracted from man pages).

6.1 Installation

# Debian based distros
# basic install
sudo apt-get install -y p7zip
sudo apt install -y p7zip

# full package (passwords to files, etc.)
sudo apt-get install -y p7zip-full
sudo apt install -y p7zip-full

# 3rd-Party tool: rar
sudo apt-get install -y p7zip-rar
sudo apt install -y p7zip-rar

6.2 Compression

# 7z format:
# Compress files... (a for add/append files)
7z a <filename>.7z <file1_to_add> <file2_to_add> <file3_to_add> ...
# -t<type> selects the archive format explicitly (7z is the default, so both lines are equivalent)
7z a -t7z <filename>.7z <file1_to_add> <file2_to_add> <file3_to_add>

# Compress a folder (7z format, by default). Passing the folder itself keeps its structure;
# a "*.*" glob would only match names containing a dot.
7z a <filename>.7z /path/to/folder
7z a -t7z <filename>.7z /path/to/folder

# gz format (single file only):
7z a -tgzip <filename>.gz <file_to_add>

# bz2 format (single file only):
7z a -tbzip2 <filename>.bz2 <file_to_add>

# tar format:
7z a -ttar <filename>.tar <file_to_add>

# zip format:
# Compress files...
7z a -tzip <filename>.zip <file1_to_add> <file2_to_add> <file3_to_add>
# Compress a folder...
7z a -tzip <filename>.zip /path/to/folder

# Adding a password (-p alone prompts for it; -p<password> passes it on the command line).
# By default only the data is encrypted and "7z l" still lists the file names;
# add -mhe=on (7z format only) to encrypt the headers too.
7z a -p <filename>.7z <file1_to_add> <file2_to_add> <file3_to_add> ...
7z a -p<password> -mhe=on <filename>.7z <file1_to_add> <file2_to_add> <file3_to_add> ...

6.3 Viewing the contents

# check the content of a file (l for list)
7z l <filename.7z|gz|bz2|tar|zip>

# check package integrity (t for test)
7z t <filename.7z|gz|bz2|tar|zip>

6.4 Uncompression

#Uncompress here (without using directory names) e or x for extracting
7z e <filename.7z|gz|bz2|tar|zip>
#Uncompress here (using directory names and full paths)
#IMPORTANT NOTE: rar files can only be extracted with the x option and with the p7zip-rar package installed
7z x <filename.7z|gz|bz2|tar|zip|rar>

#Uncompress to a folder (without using directory names) -o<path> for the output path (no space after -o)
mkdir -p /path/to/folder && 7z e <filename.7z|gz|bz2|tar|zip> -o/path/to/folder
#Uncompress to a folder (using directory names and full paths)
mkdir -p /path/to/folder && 7z x <filename.7z|gz|bz2|tar|zip> -o/path/to/folder

# With password...
#Uncompress to a folder (without using directory names)
mkdir -p /path/to/folder && 7z e <filename.7z|gz|bz2|tar|zip> -o/path/to/folder -p<password>
#Uncompress to a folder (using directory names and full paths)
mkdir -p /path/to/folder && 7z x <filename.7z|gz|bz2|tar|zip> -o/path/to/folder -p<password>
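A file's extension does not have to match its content, and the tools above differ in how they cope with that: unzip trusts the name, while 7z and modern tar pick the decoder from the file's signature. As an added example (not from the original post), this Python snippet identifies the formats covered above by their magic bytes, flags extension/content mismatches and maps each real format to the extraction command from the sections above; the sample archives are built in memory with the standard library, and the 7z/rar blobs are constructed stubs carrying only the magic bytes.

```python
"""Recognise the archive formats covered above by their leading bytes rather than
by file name.  Added example, not from the original post; the sample archives are
built in memory with the standard library, the 7z/rar blobs are constructed stubs."""
import bz2, gzip, io, os, tarfile, zipfile

# Signature at offset 0 -> format (tar is handled separately: "ustar" at offset 257).
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
]

# The extraction command from the sections above for each real format.
EXTRACT_CMD = {"gzip": "gzip -d {f}", "bzip2": "bzip2 -d {f}", "zip": "unzip {f}",
               "7z": "7z x {f}", "rar": "unrar x {f}", "tar": "tar -xvf {f}"}
EXT_TO_FMT = {".gz": "gzip", ".tgz": "gzip", ".bz2": "bzip2", ".zip": "zip",
              ".7z": "7z", ".rar": "rar", ".tar": "tar"}   # what a suffix claims

def sniff(data):
    """Return the format name for the leading bytes of a file, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if len(data) >= 262 and data[257:262] == b"ustar":   # POSIX/GNU tar header
        return "tar"
    return "unknown"

def extension_mismatch(path, data):
    """True when the suffix claims one format but the bytes say another (e.g. a gzip
    stream renamed to .zip): unzip fails on it, 7z x and tar -xf still work."""
    claimed = EXT_TO_FMT.get(os.path.splitext(path)[1].lower())
    return claimed is not None and claimed != sniff(data)

def extract_command(path, data):
    """Pick the command from the sections above based on the real format."""
    fmt = sniff(data)
    if fmt == "unknown":
        return "file " + path           # fall back to libmagic for a closer look
    return EXTRACT_CMD[fmt].format(f=path)

def build_samples():
    """Constructed sample archives, each holding a one-line secret.txt."""
    payload = b"protected file\n"
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("secret.txt", payload)
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("secret.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return {"gzip": gzip.compress(payload), "bzip2": bz2.compress(payload),
            "zip": zbuf.getvalue(), "tar": tbuf.getvalue(),
            "7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,       # stub: magic bytes only
            "rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24}    # stub: magic bytes only

SAMPLES = build_samples()
```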

7. Cracking .zip password compressed files with fcrackzip

fcrackzip is a fast zip password cracker. It’s a very good alternative to running zip2john and then john…

# Installation
sudo apt install fcrackzip

# Displaying the info about the zip file
fcrackzipinfo <filename.zip>

# Bruteforcing (-b) the password using only the lowercase letters and digits charset (-c 'a1')
# -u keeps only candidates that actually unzip the file (avoids false positives). With verbosity (-v)
fcrackzip -u -v -b -c 'a1' <filename.zip>

# lowercase letters only, length between 3 and 5 chars (-l 3-5)
fcrackzip -u -v -b -c 'a' -l 3-5 <filename.zip>

# Cracking a password protected zip file with a dictionary attack (-D) and a wordlist file (-p): rockyou
fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt <filename.zip>

7.1. Example:

  • Imagine the following zip file protected by a password:
$ /bin/cat secret.txt
protected file

$ zip --password password1 secret.zip secret.txt
adding: secret.txt (stored 0%)

$ zipinfo secret.zip
Archive: secret.zip
Zip file size: 213 bytes, number of entries: 1
-rw-r--r-- 3.0 unx 15 TX stor 23-Aug-02 15:37 secret.txt
1 file, 15 bytes uncompressed, 15 bytes compressed: 0.0%
  • Now, with fcrackzip and bruteforcing the password:
$ fcrackzip -u -v -b -c 'a1' secret.zip

Brute forcing is not very advisable if the password could be long, even when it is a very easy password to guess…

  • Or with fcrackzip and rockyou.txt dictionary (a lot faster!):
$ fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt secret.zip


8. Cracking password compressed files with *2john tools and John the Ripper (or hashcat)

In Kali Linux, we can find a lot of tools that allow us to convert known types of password protected files into hashes, to be broken later with john (or hashcat).

8.1 List of the *2john converters currently available (one per type of password protected file)

/usr/bin/1password2john
/usr/bin/7z2john
/usr/bin/DPAPImk2john
/usr/bin/adxcsouf2john
/usr/bin/aem2john
/usr/bin/aix2john
/usr/bin/andotp2john
/usr/bin/androidbackup2john
/usr/bin/androidfde2john
/usr/bin/ansible2john
/usr/bin/apex2john
/usr/bin/applenotes2john
/usr/bin/aruba2john
/usr/bin/atmail2john
/usr/bin/axcrypt2john
/usr/bin/bestcrypt2john
/usr/bin/bitcoin2john
/usr/bin/bitshares2john
/usr/bin/bitwarden2john
/usr/bin/bks2john
/usr/bin/blockchain2john
/usr/bin/ccache2john
/usr/bin/cisco2john
/usr/bin/cracf2john
/usr/bin/dashlane2john
/usr/bin/deepsound2john
/usr/bin/diskcryptor2john
/usr/bin/dmg2john
/usr/bin/ecryptfs2john
/usr/bin/ejabberd2john
/usr/bin/electrum2john
/usr/bin/encfs2john
/usr/bin/enpass2john
/usr/bin/ethereum2john
/usr/bin/filezilla2john
/usr/bin/geli2john
/usr/bin/hccapx2john
/usr/bin/htdigest2john
/usr/bin/ibmiscanner2john
/usr/bin/ikescan2john
/usr/bin/itunes_backup2john
/usr/bin/iwork2john
/usr/bin/kdcdump2john
/usr/bin/keychain2john
/usr/bin/keyring2john
/usr/bin/keystore2john
/usr/bin/kirbi2john
/usr/bin/known_hosts2john
/usr/bin/krb2john
/usr/bin/kwallet2john
/usr/bin/lastpass2john
/usr/bin/ldif2john
/usr/bin/libreoffice2john
/usr/bin/lion2john
/usr/bin/lotus2john
/usr/bin/luks2john
/usr/bin/mac2john
/usr/bin/mcafee_epo2john
/usr/bin/monero2john
/usr/bin/money2john
/usr/bin/mosquitto2john
/usr/bin/mozilla2john
/usr/bin/multibit2john
/usr/bin/neo2john
/usr/bin/office2john
/usr/bin/openbsd_softraid2john
/usr/bin/openssl2john
/usr/bin/padlock2john
/usr/bin/pcap2john
/usr/bin/pdf2john
/usr/bin/pem2john
/usr/bin/pfx2john
/usr/bin/pgpdisk2john
/usr/bin/pgpsda2john
/usr/bin/pgpwde2john
/usr/bin/prosody2john
/usr/bin/ps_token2john
/usr/bin/pse2john
/usr/bin/pwsafe2john
/usr/bin/radius2john
/usr/bin/restic2john
/usr/bin/sap2john
/usr/bin/sense2john
/usr/bin/signal2john
/usr/bin/sipdump2john
/usr/bin/ssh2john
/usr/bin/sspr2john
/usr/bin/staroffice2john
/usr/bin/strip2john
/usr/bin/telegram2john
/usr/bin/tezos2john
/usr/bin/truecrypt2john
/usr/bin/vdi2john
/usr/bin/vmx2john
/usr/bin/zed2john
/usr/sbin/bitlocker2john
/usr/sbin/dmg2john
/usr/sbin/gpg2john
/usr/sbin/hccap2john
/usr/sbin/keepass2john
/usr/sbin/putty2john
/usr/sbin/racf2john
/usr/sbin/rar2john
/usr/sbin/uaf2john
/usr/sbin/vncpcap2john
/usr/sbin/wpapcap2john
/usr/sbin/zip2john

8.2 Example: zip2john

We will use zip2john to extract the hash from the password protected zip file:

zip2john <filename.zip> > ziphash.john

For example, if we use the same secret.zip file protected by password “password1”, used for fcrackzip example…

$ zip2john secret.zip > ziphash.john
ver 1.0 efh 5455 efh 7875 secret.zip/secret.txt PKZIP Encr: 2b chk, TS_chk, cmplen=27, decmplen=15, crc=6BCDB150 ts=7CAD cs=7cad type=0

$ /bin/cat ziphash.john
secret.zip/secret.txt:$pkzip$1*2*2*0*1b*f*6bcdb150*0*44*0*1b*7cad*c8913fcdd3566ed9c86f239c06dbc62199321f778a677ad91867ba*$/pkzip$:secret.txt:secret.zip::secret.zip

- Output:

Observe there are 2 groups of headers/tails. The first group (underlined in green) shows the name of the file/s and the typical structure of a *2john file. The second one shows the type of compression used (it could be $zip2$ or, in this case, $pkzip$). These two will be relevant when trying to crack the hash…

8.3 Cracking the hash with john (using dictionary rockyou)

We have two approaches:

  • Directly. We take the file with the hash extracted by zip2john and use the dictionary to try to break that hash:
# Use the dictionary against the hash output (from zip2john); john recognises the pkzip format from the $pkzip$ markers
$ john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.john

# Show the result (cracked passwords are kept in john's pot file, so --show also works later)
$ john --show ziphash.john

- Output:

Output directly from the zip2john hash crack with john and rockyou dictionary
  • Stripping the leading group and the trailing one (the file names) and passing the specific hash format explicitly when cracking (in this case pkzip):
$ /bin/cat ziphash.john
secret.zip/secret.txt:$pkzip$1*2*2*0*1b*f*6bcdb150*0*44*0*1b*7cad*c8913fcdd3566ed9c86f239c06dbc62199321f778a677ad91867ba*$/pkzip$:secret.txt:secret.zip::secret.zip

$ /bin/cat ziphash.john | cut -d ':' -f 2 > john.hash

$ /bin/cat john.hash
$pkzip$1*2*2*0*1b*f*6bcdb150*0*44*0*1b*7cad*c8913fcdd3566ed9c86f239c06dbc62199321f778a677ad91867ba*$/pkzip$

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=pkzip john.hash

$ john --show john.hash

- Output:

Output after cracking the hash without the header/tail in zip2john formatted file

8.4 Cracking the hash with hashcat (using dictionary rockyou)

First of all, we need to modify the existing output from zip2john and erase the heading and the trailing groups with the info about the file names (as we did with the second approach when using john). Once this info is erased and we have the specific data about the hash, we crack this new hash with hashcat.

$ /bin/cat ziphash.john
# The hash can be of type $zip2$ (WinZip AES) or $pkzip$. In this case, pkzip
secret.zip/secret.txt:$pkzip$1*2*2*0*1b*f*6bcdb150*0*44*0*1b*7cad*c8913fcdd3566ed9c86f239c06dbc62199321f778a677ad91867ba*$/pkzip$:secret.txt:secret.zip::secret.zip

$ /bin/cat ziphash.john | cut -d ':' -f 2 > ziphash.hashcat

$ /bin/cat ziphash.hashcat
$pkzip$1*2*2*0*1b*f*6bcdb150*0*44*0*1b*7cad*c8913fcdd3566ed9c86f239c06dbc62199321f778a677ad91867ba*$/pkzip$

# Hashcat straight (dictionary) attack (-a 0)
# (-m 13600 for WinZip ($zip2$) hashes, -m 17225 for PKZIP (Mixed Multi-File))
# Dictionary: rockyou
$ hashcat -a 0 -m 17225 ziphash.hashcat /usr/share/wordlists/rockyou.txt

- Output:

hashcat crack of output from zip2john without the formatted header/tail with filenames

And that’s all for now, guys. Next post I’ll talk about different ways to transfer files from/to a Linux machine (very useful to exfiltrate data from the target and download payloads or tools there to extract more valuable info about the remote system).


Roberto T.

Offensive Security Enthusiast & Aspiring Pentester. Some certs and M. Degrees as OSCP, eJPT, CEH, CompTIA Sec+. Exp: 20 years (Developer / IT )