An Idiot's Guide to Bruteforcing

The other day I found a password-protected zip file on an old hard drive. Seeing that it had an intruiging name, and that I didn't know the password, I told myself that this would be a good challenge to learn bruteforcing.

Bruteforcing: The act of systematically checking every possible password until the correct one is found - see Wikipedia for more.

The Math Behind It

I know, now you will start to hate me. It seems that the definition of bruteforcing requires you not to worry about math. If anything, bruteforcers want to get away from math. But once you get started with it, it's not possible to evade it.

So I told myself I needed to learn it, at least, to be able to know how long cracking this file would work.

Bruteforcing is pure math, and I didn't understand that in the beginning. Which is why I ended up frustrated after trying to crack one password 24/7 for 30 consecutive days with no results.

The math behind it is simple. Let's define its two components and then their relationship:

1. Character set
2. Password length

Character Set

The character set is a list of characters the password, you are trying to bruteforce, contains.

Typically it's made up of a combination of the following types:

• lowercase alphabet [a-z]
• uppercase alphabet [A-Z]
• numbers [0-9]
• extra characters [.-!]

Let's use a practical example. In the case of the file I wanted to crack, I used the following command to bruteforce it.

$ fcrackzip -b -c aA1! -u -l 4-10 newfile.zip > result.txt

In fcrackzip the  -c aA1! parameter defines the character set. In this case it means that we are going to use lowercase and uppercase alphabet, numbers and extra characters.

Character set 	= a-z + A-Z + 0-9 + .-!
# of characters = 26 + 26 + 10 + 33 = 95

If you add all these characters, you will end up with a total of 95.

Let's go look at password length.

Password Length

It defines how many characters the password, we are trying to crack, has.

When bruteforcing, the password length tends to be an educated guess. It's rare to exactly know how long the password is. More often we know a minimal and maximum password length.

If we look at the command from above again, we can see that I, too, made an educated guess concerning the password length.

$ fcrackzip -b -c aA1! -u -l 4-10 newfile.zip > result.txt

I estimated it to be between 4 and 10 characters.

The Relationship

Now that we have the basic information straightened out, let's see how this helps us. Let us calculate the total number of possible combinations.

So far, we have established the following:

Minimum password length: 4
Maximum password length: 10
Size of character set: 95

The relationship between the two is described by this equation:

For each character in the password you have 95 possibilities.

95⁴ = 95 x 95 x 95 x 95 = 81,450,625 possible combinations

That means for a 4 character password, you have 81 million possible combinations. For a password with 5 characters the total number of combinations is:

95⁵ = 95 x 95 x 95 x 95 x 95 = 7,737,809,375 possible combinations

We can obviously also calculate the number of combinations for a 6, 7, 8, 9 or 10 character password - if it interests you, do go ahead and calculate it.

Now, let's get going with our bruteforce setup.

Bruteforce Setup on Ubuntu

I don't like to run cracking programs on my computer as they drain the CPU, slow down other programs and require me to keep my computer running all day.

There are finer options, nowadays. Spinning up a server on DigitalOcean is one of them.

The idea being I can connect to the server, start the program, let it run for as long as I need to, get the password and be done with it.

Steps to Set up

The following are the steps required to get started on an Ubuntu server.

1. Create a droplet (& add your SSH key).
2. Secure it, by running this setup script (or following the steps manually).
3. Install fcrackzip.
4. Upload the zip that needs to be cracked.
5. Run fcrackzip.

So let's go.

1. Create a Droplet

For the purpose of this experiment, spin up a small droplet on DigitalOcean containing the latest Ubuntu version.

As you scroll down when creating the server, make sure that you add your SSH key to the new machine.

2. Securing the Droplet

Once the droplet is up and running, connect to the root account.

$ ssh root@206.189.68.13

Before I can set it up, I need to copy my secure script to the server. This is done using scp:

$ scp digitalocean-server-setup.sh root@206.189.68.13:/root

Next, I assign execution permissions to the script and run it.

$ sudo chmod +x digitalocean-server-setup.sh
$ ./digitalocean-server-setup.sh

The script by itself creates a new user profile, sets up the firewall and activates it. This is essential in order to protect the server. However, this can also be done manually. For now, we should be set up.

3. Install fcrackzip

fcrackzip is one of the bruteforcing programs that is available for zip files. There are others, such as John the Ripper. But for our purpose, this program is good enough. On Ubuntu, we can simply use apt-get to install fcrackzip.

$ sudo apt-get update
$ sudo apt-get install fcrackzip

The program is now installed.

4. Upload the zip archive

Then, I need to upload the zip file that needs to be cracked.

$ scp archive.zip root@206.189.68.13:/root

scp copies the archive.zip file from the current local directory to the server on the root directory.

5. Run fcrackzip

At the beginning, I showed you what the command to crack the file would be. It is this:

$ fcrackzip -b -c aA1! -u -l 4-10 archive.zip > result.txt

Now, let's understand what it does.

• -b: use the bruteforcing mode.
• -c aA1!: use the whole character set: lowercase and uppercase alphabet, numbers and special characters.
• -u: use unzip to weed out false positives.
• -l 4-10: set the password length between 4-10 characters.
• > result.txt: redirect the program's output to result.txt.

I then confirmed the command hoping that I would have a result within the next couple of days. As some of you might imagine, this didn't work out.

By day 7th, I was quite confused. Was the program still running? Thus, I examined the running processes.

$ ps aux | grep fcrack
root     10391  5.6  0.1   4412  1612 ?        S    Jan14 1058:46 fcrackzip -b -c aA1! -u -l 4-10 archive.zip

The program was still clearly running on the server, but I had the feeling that something wasn't right. I thought it should have, by now, figured out the password. Thus, I went back to the drawing board and systematically checked what could have gone wrong. The first stop?

Checking for the Correct Setup

Lesson #1: Check for the correct setup, before you let your server run 24/7 for the next 30 days.

To test my setup, I need to create another zip file with an easy to break password. In order to generate such an archive, I first needed to install zip.

$ sudo apt-get install zip

The next step was to create the password-protected archive. In order to do that, you first need a file you can add to the archive. Which is why I quickly created one:

$ dd bs=1024 count=2 </dev/urandom >newfile.txt
# This creates a 2mb file, named newfile.txt, containing random data 

It then goes on to create the actual password-protected zip file:

$ zip -P 1234 newfile.zip newfile.txt 
# '1234' being the weak password

Next, I ran fcrackzip against it, with the same parameters as before.

$ fcrackzip -b -c aA1! -u -l 4-10 newfile.zip > result.txt

Within 4 seconds, fcrackzip had cracked the password.

PASSWORD FOUND!!!!: pw == 1234

The program was, thus, running correctly. Still, I had one more potential issue to pursue.

Check the Process is Running When You Are Logged Out

Lesson #2: Check that the process continues to run even when you are logged out.

I didn't know this, until I learned about it here: But often times processes stop when you log out via SSH.

The only way I, for now, have figured out how to control this, is by logging into DigitalOcean and looking at the CPU usage details for the droplet. Refresh the site after you've disconnected from the server, as it doesn't show live data.

If you continually see the CPU usage at 100%, you can be pretty sure that the bruteforce program is still running.

If the CPU usage drops after you log out, check out this thread to learn why it happens. The following command makes it possible for the program to run even after you're logged out.

$ nohup fcrackzip -b -c aA1! -u -l 4-10 zahlungsdaten.zip > result.txt &

nohup will make sure that no interrupt signal, that is being sent on log out, will stop the process from running. The & sends the process to the background.

After all this, I still had another path to follow:

Understand How Long it Will Take to Crack a Password

Lesson #3: Benchmark to understand how long the cracking will take.

I wanted to crack a password with up to 10 characters. With some basic math, we can quickly figure out how long it should take us. But first, let us benchmark fcrackzip:

fcrackzip -B -u archive.zip
 cpmask: (skipped)
 zip1: cracks/s = 9368401
*zip2, USE_MULT_TAB: cracks/s = 9954904

It can crack between 9.3 and 9.9 million combinations per second, depending on the zip version. To get a better estimate, let's find out which zip version our archive is using.

$ file archive.zip
archive.zip: Zip archive data, at least v2.0 to extract

It seems, that it's using the newer zip version, which makes it possible to crack almost 10 millions combinations per second.

From above, we know that a 4 character password has 81 million combinations. Using our benchmark rate, we can calculate how long it should take to try out every possible combination.

81,450,625/9,954,904 = 8.18 seconds

It takes a little over 8 seconds. That's pretty fast.

For the sake of clarity, I've calculated how long it would take different password lengths, all using the maximum character set.

Once you calculate these numbers, you quickly realize that pure math gets in the way of cracking longer passwords. In order to crack an 8 letter password, I would already need 214 years.

That explains also why I hadn't seen any output from the program running. It was still calculating all possible passwords and hadn't yet found the correct one.

I guess next time I need to optimize the whole process.

Which is why I will go more in-depth into how to bruteforce more intelligently. Using masks and the like, but also use approaches that reduce the number of possibilities and increase the likelihood, that you will find what you are looking for. See you next time!