Man Linux: Main Page and Category List


       fcrackzip - a Free/Fast Zip Password Cracker


       fcrackzip  [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark]
       [--charset    characterset]    [--help]    [--validate]     [--verbose]
       [--init-password    string/path]   [--length   min-max]   [--use-unzip]
       [--method name] [--modulo r/m] file...


       fcrackzip searches each zipfile given for encrypted files and tries  to
       guess the password. All files must be encrypted with the same password,
       the more files you provide, the better.

       -h, --help
              Prints the version number and (hopefully) some helpful insights.

       -v, --verbose
              Each -v makes the program more verbose.

       -b, --brute-force
              Select brute force mode. This tries all possible combinations of
              the letters you specify.

       -D, --dictionary
              Select dictionary  mode.  In  this  mode,  fcrackzip  will  read
              passwords  from a file, which must contain one password per line
              and should be alphabetically sorted (e.g. using sort(1)).

       -c, --charset characterset-specification
              Select the characters to use in brute-force  cracking.  Must  be
              one of

                a   include all lowercase characters [a-z]
                A   include all uppercase characters [A-Z]
                1   include the digits [0-9]
                !   include [!:$%&/()=?{[]}+*~#]
                :   the following characters upto the end of the spe-
                    cification string are included in the character set.
                    This way you can include any character except binary
                    null (at least under unix).

              For  example, a1:$% selects lowercase characters, digits and the
              dollar and percent signs.

       -p, --init-password string
              Set initial (starting) password  for  brute-force  searching  to
              string, or use the file with the name string to supply passwords
              for dictionary searching.

       -l, --length min[-max]
              Use an initial password of length min, and check  all  passwords
              upto  passwords  of length max (including). You can omit the max

       -u, --use-unzip
              Try to decompress the first  file  by  calling  unzip  with  the
              guessed password. This weeds out false positives when not enough
              files have been given.

       -m, --method name
              Use method number "name" instead of the default cracking method.
              The  switch  --help  will print a list of available methods. Use
              --benchmark to see  which  method  does  perform  best  on  your
              machine. The name can also be the number of the method to use.

       -2, --modulo r/m
              Calculate only r/m of the password. Not yet supported.

       -B, --benchmark
              Make a small benchmark, the output is nearly meaningless.

       -V, --validate
              Make some basic checks wether the cracker works.


       Have you ever mis-typed a password for unzip? Unzip reacted pretty fast
       with ´incorrect password´, without decrypting the whole file. While the
       encryption algorithm used by zip is relatively secure, PK made cracking
       easy by providing hooks for very fast  password-checking,  directly  in
       the zip file. Understanding these is crucial to zip password cracking:

       For each password that is tried, the first twelve bytes of the file are
       decrypted. Depending on the version of zip used  to  encrypt  the  file
       (more  on  that  later),  the  first  ten  or  eleven bytes are random,
       followed by one or two bytes whose values are stored elsewhere  in  the
       zip file, i.e. are known beforehand. If these last bytes don’t have the
       correct (known) value, the password is definitely wrong. If  the  bytes
       are correct, the password might be correct, but the only method to find
       out is to unzip the file and compare the uncompressed length and crc´s.

       Earlier  versions  of  pkzip (1.xx) (and, incidentally, many zip clones
       for other operating systems!) stored two known bytes.  Thus  the  error
       rate  was  roughly  1/2^16 = 0.01%. PKWARE ´improved´ (interesting what
       industry calls improved) the security of their format by only including
       one  byte, so the possibility of false passwords is now raised to 0.4%.
       Unfortunately, there is no real way to distinguish one  byte  from  two
       byte formats, so we have to be conservative.


       By  default,  brute  force  starts  at the given starting password, and
       successively tries all combinations until they are exhausted,  printing
       all  passwords  that  it  detects,  together  with  a rough correctness

       The starting password given by the -p  switch  determines  the  length.
       fcrackzip   will   not   currently   increase   the   password   length
       automatically, unless the -l switch is used.


       This mode is similar to brute force mode,  but  instead  of  generating
       passwords  using  a given set of characters and a length, the passwords
       will be read from a file that you have to specify using the -p  switch.


       A  CP  mask  is  a  method to obscure images or parts of images using a
       password.  These obscured images can be restored  even  when  saved  as
       JPEG  files. In most of these files the password is actually hidden and
       can be decoded easily (using one  of  the  many  available  viewer  and
       masking  programs,  e.g.  xv).  If  you convert the image the password,
       however, is lost. The cpmask crack method can be  used  to  brute-force
       these  images.  Instead of a zip file you supply the obscured part (and
       nothing else) of the image  in  the  PPM-Image  Format  (xv  and  other
       viewers can easily do this).

       The  cpmask  method  can  only cope with password composed of uppercase
       letters, so be sure to supply the --charset  A  or  equivalent  option,
       together with a suitable initialization password.


       fcrackzip -c a -p aaaaaa
              checks  the  encrypted  files  in for all lowercase 6
              character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).

       fcrackzip --method cpmask --charset A --init AAAA test.ppm
              checks the  obscured  image  test.ppm  for  all  four  character

       fcrackzip -D -p passwords.txt
              check for every password listed in the file passwords.txt.


       fzc,  which  seems to be widely used as a fast password cracker, claims
       to make 204570 checks per second on my machine  (measured  under  plain
       dos w/o memory manager).

       fcrackzip,  being  written  in  C  and  not  in assembler, naturally is
       slower. Measured on a slightly loaded  unix  (same  machine),  it´s  12
       percent     slower     (the    compiler    used    was    pgcc,    from

       To remedy this a bit, I converted small parts of the encryption core to
       x86 assembler (it will still compile on non x86 machines), and now it´s
       about 4-12 percent faster than fzc (again,  the  fcrackzip  performance
       was  measured  under  a  multitasking  os, so there are inevitably some
       meaurement errors), so there shouldn’t be a tempting reason  to  switch
       to other programs.

       Further  improvements  are definitely possible: fzc took 4 years to get
       into shape, while fcrackzip was hacked together in under 10 hours.  And
       not  to  forget  you  have the source, while other programs (like fzc),
       even come as an encrypted .exe file (maybe  because  their  programmers
       are  afraid  of  other  people  could  having  a  look at their lack of
       programming skills?  nobody knows...)


       The reason I wrote fcrackzip was NOT to have the  fastest  zip  cracker
       available, but to provide a portable, free (thus extensible), but still
       fast zip password cracker. I was  really  pissed  of  with  that  dumb,
       nonextendable  zipcrackers  that were either slow, were too limited, or
       wouldn’t run in the background (say, under unix). (And  you  can’t  run
       them on your superfast 600Mhz Alpha).


       No automatic unzip checking.

       Stop/resume facility is missing.

       Should  be  able  to distinguish between files with 16 bit stored CRC´s
       and 8 bit stored CRC´s.

       The benchmark does not work on all systems.

       It’s still early alpha.

       Method "cpmask" only accepts ppms.

       Could be faster.


       fcrackzip  was  written  by  Marc  Lehmann  <>.  The   main
       fcrackzip page is at

                        Free/Fast Zip Password Cracker