LinuxCommandLibrary

zip2john

Extract password hashes from ZIP archives

TLDR

Extract the password hash from an archive, listing all files in the archive

$ zip2john [path/to/file.zip]

Extract the password hash using [o]nly a specific compressed file
$ zip2john -o [path/to/compressed_file] [path/to/file.zip]

Extract the password hash from a compressed file to a specific file (for use with John the Ripper)
$ zip2john -o [path/to/compressed_file] [path/to/file.zip] > [file.hash]

SYNOPSIS

zip2john [options] <zip_file(s)> [> output_file]

PARAMETERS

<zip_file(s)>
    One or more paths to the password-protected ZIP archive files from which to extract hashes. This is a mandatory argument.

-o <file>
    Uses only the named compressed file inside the ZIP archive when extracting the hash, as in the TLDR examples above. To save the hash to a file, redirect standard output (stdout) with >.

-m <mode>, --mode=<mode>
    Specifies the encryption mode for hash extraction. Useful if auto-detection fails or for specific analysis. Common modes include pkzip (traditional) and zip-aes.

--keep-data
    Instructs zip2john to also include the encrypted data (ciphertext) in the hash output. While this makes the hash string longer, it can sometimes provide more context for faster cracking with certain JtR attack modes.

--single-file-mode=<file_in_zip>
    Extracts the hash specifically for a single file located inside the ZIP archive, rather than the entire archive's password. This is useful for large archives where only a particular component is of interest.

--stdout
    Forces output to standard output, even if a specific output file is generally expected or an internal redirection is considered.

DESCRIPTION


zip2john is a utility from the John the Ripper (JtR) password cracking suite. It processes password-protected ZIP archives and extracts the encryption hash in a format compatible with John the Ripper. JtR can then use the extracted hash to run dictionary attacks, brute-force attacks, or other cracking techniques to recover the original password.

The tool supports several ZIP encryption methods, including traditional PKZIP encryption (which is known to be weaker) and the more robust AES encryption. By converting the ZIP encryption data into a standardized hash format, zip2john connects encrypted archives to password auditing tools, which makes it useful to security professionals, penetration testers, and system administrators who audit password strength or recover lost access to archived data.

CAVEATS

  • zip2john only extracts the hash; it does not crack the password itself. A separate tool like John the Ripper is required for password cracking.
  • The effectiveness of cracking depends heavily on the complexity of the password and the resources (CPU, GPU, wordlists) available. AES-encrypted ZIP files are significantly harder to crack than traditional PKZIP encrypted ones.
  • The ZIP archive must be password-protected for zip2john to extract a meaningful hash.
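
Because the strength gap between traditional PKZIP and AES encryption decides how exposed an archive is, it helps to check which scheme each entry uses before auditing. The following is an added example (not from the original page or the John the Ripper project) that reads the central directory with Python's zipfile module; the function names are hypothetical, and the sample archive is constructed in memory with its header fields patched to simulate encrypted entries.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG_ENC = 0x0040  # general-purpose flag bit 6: PKWARE strong encryption
AES_METHOD = 99      # compression-method value used by WinZip AES (AE-x)

def classify(info: zipfile.ZipInfo) -> str:
    """Name the encryption scheme recorded for one archive entry."""
    if not info.flag_bits & ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & STRONG_ENC:
        return "pkware-strong"
    return "pkzip-traditional"

def audit(archive: bytes) -> dict:
    """Map each entry name to its scheme using only the central directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}

def weak_entries(archive: bytes) -> list:
    """Entries protected only by traditional PKZIP encryption."""
    return sorted(n for n, s in audit(archive).items() if s == "pkzip-traditional")

def build_sample() -> bytes:
    """Constructed sample: three stored entries, central directory patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("readme.txt", "legacy.csv", "report.docx"):
            info = zipfile.ZipInfo(name, (2024, 1, 1, 0, 0, 0))
            zf.writestr(info, "constructed sample data")
    data = bytearray(buf.getvalue())
    pos = 0
    # Patch flags (offset 8) and method (offset 10) of each central record.
    for flags, method in [(0, 0), (ENCRYPTED, 0), (ENCRYPTED, AES_METHOD)]:
        pos = data.index(b"PK\x01\x02", pos)
        struct.pack_into("<HH", data, pos + 8, flags, method)
        pos += 4
    return bytes(data)

if __name__ == "__main__":
    for name, scheme in audit(build_sample()).items():
        print(f"{name}: {scheme}")
```

Entries reported as pkzip-traditional are the ones to re-encrypt with AES or move out of the archive.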

TYPICAL USAGE

The most common usage involves redirecting the output to a file that John the Ripper can then use:

$ zip2john my_encrypted.zip > zip_hash.txt

Then, you would use John the Ripper to attempt to crack the password:

$ john zip_hash.txt

OUTPUT FORMAT

The hash output by zip2john is typically a long string designed specifically for JtR. It includes metadata about the encryption type, checksums, and encrypted data chunks. For example, a traditional PKZIP hash might look like:

my_encrypted.zip:$pkzip$1*1*2*0*1*f71*...

An AES-encrypted hash would instead look like:

my_encrypted.zip:$zip2john$1*1*1*0*1*...

HISTORY

zip2john is an integral part of the John the Ripper (JtR) password cracker suite, which was initially developed by Solar Designer in the mid-1990s. As encrypted ZIP archives became a common method for data protection, zip2john was developed to extend JtR's capabilities to these files. Over time, it has evolved to support newer and stronger encryption methods used in ZIP files, such as AES, ensuring JtR remains a versatile tool for password auditing and recovery across various file formats.

SEE ALSO

john(1), unzip(1), zip(1), rar2john(1), pdf2john(1), office2john(1)
