7zip archives under attack!

#7zip #attack #dictionary #shell

Notice! This article is for folks who are familiar with BASH-console a bit.
If you feel you do not realize how it works let me know in comments please!

I think that one from my mind is correct, I just need to try all those two hundred ones!

Does that remember you anything?

Sometime people face situation they do not remember the password on an archive, but at the same time they remember that is sort of simple one.

Sometime we know that the password is one of those couples in our mind, but we do not remember which exactly!
For such cases it would be good to have some mechanism or practice to find out the correct one, so that means we need to think about it and produce a solution!

In this article I will show you how an archive could be attacked using 7zip command-line interface without many efforts.

The first thing we need to think about is how many passwords we remember.
Let us say we remember ten of those, that means we need to arrange a list of those.

password
makemoneymonkey
...

Okay, let us say we have needed file and it already contains all needed passwords you could remember.
Then we have to use this file in conjunction with 7zip command-line interface.

All what we got to do in this case is just running the following script from a folder you have an archive that is going to be attacked using that dictionary.
Okay, let us see how it works in real life!

I have already prepared a script that allows us to run 7zip command-line interface against each password, check it out here:

#!/bin/bash

passwords_list="passwords-list"
archive=$1

echo "Starting attacking"

while IFS='' read -r line_data; do
    result=$(7z t $archive -p"$line_data" 2> /dev/null | grep -o "is Ok")

    if [[ $result ]]; then
        echo "Excellent! Password is $line_data"
        exit
    fi
done < $passwords_list

echo "Sorry we didn't find any appropriate password :-("

Please let me know whether this article has been helpful or not

Top comments (3)

Martin Schwarzer • Sep 4 '18

It would probably be best to use some other encryption, where you don't have to store away passwords (plural!) in your brain attic. For example, gpg should come to mind naturally, if you're at all concerned with protecting data. And I'd assume you won't forget the password for your key.

If you're using the route with the bash script, you should store the passes to test in an array, as your script breaks passwords with spaces. You also can use the exit status of 7z directly and don't have to subshell any of the processes. I'd imagine something like that:

#!/bin/bash

passwords=('My')
passwords+=('passwords')
passwords+=('may')
passwords+=('contain')
passwords+=('some spaces,')
passwords+=('and')
passwords+=('+~#')
passwords+=('stuff')

archive="$1"

printf '%s' "Start attacking . . ."

for testpass in "${passwords[@]}" ; do
  if 7z t "$archive" -p"$testpass" &> /dev/null ; then
    printf ' .\nPassword is: "%s" \(°^°)/\n' "$testpass"
    exit 0
  else
    printf ' .'
  fi
done
printf ' ( -- ____ -- )\n%s\n' "Sorry, didn't find any appropriate password."
exit 1

Or a bit more universal:

#!/bin/bash
archive="$1"
printf 'Abort with Ctrl-C.\nTesting next: '
read -r testpass
until 7z t "$archive" -p"$testpass" &> /dev/null ; do
  printf 'Testing next: '
  read -r testpass
done
printf "That's it! '%s' \\(°^°)/\\n" "$testpass"

Dmitry • Sep 4 '18

That's a point! Thanks for the idea, I think it's good one!
But you know sometimes when that already happened we just have to find a solution!

So for that case it was a solution, but yours is also fine, I will keep that in mind!

DEV Community

7zip archives under attack!

Top comments (3)

Read next

💻 My MacOS Shell Setup = Zsh + OhMyZsh + PowerLevel10k + tmux + nvim 🤓😎

Self-host - Part 3 - MySQL and PostgreSQL Database Backup to Local Drive

Advanced Shell Techniques

Concurrency & Fault-tolerant In Distributed Systems