Published in Geek Culture

Simple Brute Force Attack on Zip File Using Python

Photo by Marcus Urbenz on Unsplash

ZIP is an archive format that supports data compression. A ZIP file can contain one or more files or directories, and the archive is typically smaller than the original data. It also supports password protection, to protect our data from others. But if you are somebody who likes making new passwords, sometimes you will forget an old one, even if it’s the simplest one. It’s really annoying, right?

The purpose of this article is to show what to do when you forget the password of your own protected ZIP file. Please note, it’s for your own ZIP files, not for other people’s. Any action on other people’s files is beyond my responsibility. But trust me, this method will help us a lot, especially when we really can’t remember the password that we set before. FYI, I got this article from @xtremepentest.

Okay, let’s go into the code

Initialization

Okay, let’s make a protected file. As an example, I want to protect three songs in a ZIP, and in this case I give it the password password.

After the file is successfully protected, it asks for the password on every extraction, just like in the picture below.

Okay, our protected file is ready, let’s go into the code section

Code Section

First of all, this uses the zipfile module to do the brute force attack and the tqdm module to build a progress bar, to make the attack more realistic.

from tqdm import tqdm
import zipfile

The zipfile module is part of Python’s standard library, so only tqdm needs to be installed. If you have not installed it yet, just run this in your terminal.

pip install tqdm

Next we will ask the user to input the zip file name and the wordlist for doing the dictionary attack.

protected_file = input("Zip file: ")
wordlist = input("Choose wordlist: ")

A wordlist is a collection of text that is usually used in brute force attacks. You can build one manually; just save it as a .txt file. Here is an example:

...
scooter
richard
soccer
rachel
purple
password
melissa
jackson
angela
arsenal
222222
...

I saved the above wordlist as my_wordlist.txt. After the wordlist is created, we need to check whether the input file is a ZIP file or not. If it is a ZIP file the code will run, and if not the code will stop.

try:
    zip_file = zipfile.ZipFile(protected_file)
    # Count the candidate passwords so tqdm can show the total progress
    with open(wordlist, "rb") as f:
        n_pass = sum(1 for _ in f)
except (zipfile.BadZipFile, OSError):
    # Raised when the input is not a ZIP archive or a file cannot be opened
    print("\a")
    print("File not zip, exiting...")
    exit(0)

In the code above, I also read the whole wordlist to know how many words will be used in the brute force attack. Finally, here is the final code, where the attack happens.

print("Number of password that will be checked:", n_pass)
print('\n')
with open(wordlist, "rb") as wordlist_file:
    for word in tqdm(wordlist_file, total=n_pass, unit='word'):
        try:
            # A wrong password makes extractall raise an exception
            zip_file.extractall(pwd=word.strip())
        except Exception:
            # Not a bare except, so Ctrl+C can still stop the run
            continue
        else:
            print("\a")
            print("[+] Password Found:", word.decode().strip())
            print("\a")
            print('Exiting...')
            exit(0)
print("\a")
print("[X] Password not found in the wordlist, try another one")

Using the extractall function from the zipfile module, the brute force runs until the end of the wordlist. If a password matches, the script prints it. If none matches, the script reports that and exits.
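The following is an added example, not code from the original article. Python's zipfile can decrypt only the legacy ZipCrypto scheme, so this sketch reads each member's header flags to report how it is protected and which members rest on that legacy scheme alone. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: entry is encrypted
STRONG_FLAG = 0x0040     # general-purpose bit 6: PKWARE strong encryption
AES_METHOD = 99          # WinZip AES entries record 99 as compression method


def classify_entry(info):
    """Return the protection scheme recorded for one ZipInfo entry."""
    if not info.flag_bits & ENCRYPTED_FLAG:
        return "none"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & STRONG_FLAG:
        return "pkware-strong"
    return "zipcrypto"  # the legacy scheme, the only one zipfile decrypts


def audit_archive(source):
    """Map member name -> scheme; source is a path or a file object."""
    with zipfile.ZipFile(source) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def weak_members(report):
    """Members protected only by legacy ZipCrypto."""
    return sorted(n for n, scheme in report.items() if scheme == "zipcrypto")


def build_sample():
    """Constructed sample: zipfile cannot write encrypted entries, so the
    'encrypted' flag of the first central-directory entry is patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("song1.mp3", b"constructed payload")
        zf.writestr("notes.txt", b"constructed payload")
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record (last 22 bytes) holds the offset
    pos = struct.unpack_from("<I", raw, len(raw) - 6)[0]
    raw[pos + 8] |= ENCRYPTED_FLAG  # low byte of the flag field
    return io.BytesIO(bytes(raw))


if __name__ == "__main__":
    for name, scheme in audit_archive(build_sample()).items():
        print(f"{name}: {scheme}")
```

For a member reported as aes, the loop above can never succeed, because zipfile does not implement that scheme and every attempt raises an exception.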

Implementation

Okay, here is the documentation of the attack scenario that we built before.

Well, yeah, the password is password, like we declared before. If you want a challenge, try to find this ZIP file’s password and tell me the answer.

Conclusion

In this article, I shared how to make a simple brute force attack on a ZIP file by using the tqdm and zipfile modules. Please use this tutorial wisely.

That’s all from me, thanks for reading. ✌

Handhika Yanuar Pratama
