How to Crack a ZIP File Password with John the Ripper

 How to Crack a ZIP File Password with John the Ripper


If you've ever run into a password-protected ZIP file during a pentest, a CTF challenge, or while recovering your own archive, John the Ripper is one of the fastest ways to get in. In this walkthrough I'll show you the complete flow — from extracting the hash to cracking it to verifying the result — in just three commands.


Prefer video? I walk through this end-to-end in [the tutorial on my YouTube channel](https://www.youtube.com/@guskhawaja).



What You'll Need

  • Kali Linux (or any distro with the `john` package installed)
  • The `rockyou.txt` wordlist — ships with Kali at `/usr/share/wordlists/rockyou.txt`. If it's gzipped, unpack it first with `gunzip /usr/share/wordlists/rockyou.txt.gz`.
  • Basic terminal familiarity


That's it. John the Ripper is already installed on Kali by default, along with its companion utility `zip2john`.


Why John the Ripper (and Not Just `unzip`)?

When a ZIP file is encrypted, the password isn't stored anywhere — what's stored is a hash derived from the password. `unzip` can't "try" passwords quickly; it's designed for interactive use. John the Ripper, on the other hand, is built for exactly this: loading a hash, running millions of password candidates against it per second, and stopping when it finds a match.


The catch is that John doesn't speak ZIP directly. It needs the hash in its own format. That's where `zip2john` comes in — a small utility that reads the ZIP header and dumps the hash in the format John expects.


Step 1 — Create a Test ZIP File (Optional)

If you want to follow along with a safe target, create your own encrypted archive:

echo "secret data" > note.txt

zip -e locked.zip note.txt


The `-e` flag tells `zip` to encrypt. You'll be prompted for a password. For demonstration I'll use `dragon` — it's in the rockyou wordlist, so John will find it almost instantly.


After this you'll have a `locked.zip` file that can't be opened without the password.


Step 2 — Extract the Hash with zip2john

This is the key step. We use `zip2john` to pull the password hash out of the archive and redirect it into a file John can work with:

zip2john locked.zip > hash.txt


Take a quick look at what came out:

cat hash.txt


You'll see something like this:

locked.zip/note.txt:$pkzip$1*1*2*0*18*c*a3f7*fce5*...*$/pkzip$


The `$pkzip$` prefix is the important part — it tells John which hash algorithm is in use. John supports a long list of zip-style formats (`pkzip`, `winzip`, etc.), and this prefix tells it to grab the right one automatically.


Step 3 — Crack the Hash with John


Now the main event. Point John at the hash file and give it a wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt


What's happening under the hood:

1. John reads the hash from `hash.txt` and auto-detects it as a PKZIP hash.

2. It opens the wordlist and starts iterating through candidate passwords.

3. For each candidate, it hashes the word with the same algorithm and compares against the target hash.

4. The first match wins. John prints the cracked password and exits.


On a modern laptop, `dragon` is found in well under a second because it's near the top of the rockyou wordlist. Stronger passwords obviously take longer — but the point stands: if the password is in your wordlist, John will find it.


Display the Result Cleanly

Once John finds a password, it saves it to its internal pot file (`~/.john/john.pot`). To print it cleanly, run:

john --show hash.txt


Output:

locked.zip/note.txt:dragon

1 password hash cracked, 0 left

That's your password: `dragon`


Step 4 — Verify by Unzipping

Prove it works by opening the archive with the recovered password:

unzip locked.zip


Enter `dragon` when prompted, and the file extracts:

Archive:  locked.zip

[locked.zip] note.txt password:

  inflating: note.txt


Open the file contents:

cat note.txt


Done. Three commands, one cracked password, one unlocked archive.


Troubleshooting

`rockyou.txt` is missing? On recent Kali installs the wordlist is gzipped. Run:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

John says "No password hashes loaded"? Open `hash.txt` and make sure the `$pkzip$` (or similar) prefix is present. If it's empty, `zip2john` couldn't parse the file — double-check the ZIP isn't corrupted.

Password not in rockyou? Try a larger wordlist (SecLists has several), or combine wordlists with rule-based mangling: `john --wordlist=rockyou.txt --rules hash.txt`. For truly strong passwords you'd move to incremental / brute-force mode — but at that point, the attack surface is very different.

Using a different hash prefix? Some zip formats produce `$zip2$` or `$pkzip2$` instead of `$pkzip$`. John handles them all — the prefix just tells it which format module to load.


When This Matters

In a real pentest, password-protected archives show up in a lot of places: email attachments, old backup drives, pivot points where someone stashed credentials in a zip, CTF flags hidden behind weak passwords. Knowing how to crack them quickly is a core skill.

Legal reminder: run this against your own files or files you have explicit written authorization to test. Cracking passwords on other people's archives is illegal in most jurisdictions, full stop.


What's Next

The same John the Ripper workflow works on dozens of formats beyond ZIP — RAR, 7z, SSH keys, PDF passwords, KeePass databases, shadow files. You swap `zip2john` for the matching converter (`rar2john`, `ssh2john`, `pdf2john`, etc.), and the rest of the flow is identical.


Written by Gus Khawaja (https://guskhawaja.me)


Comments

Post a Comment

Popular posts from this blog

How to Install a Printer on Kali Linux

Image
 Installing a printer on Kali Linux involves several steps. Before we start, ensure you have administrative privileges, as you'll need to run some commands as a superuser.   Prerequisites   1. Physical Connection : Make sure the printer is physically connected to the machine and turned on. 2. Driver : Check if your printer manufacturer provides a Linux driver. If not, you may still be able to use generic drivers. 3. Update Repositories : Make sure your package manager repositories are updated by running `sudo apt update`.   Step 1: Install CUPS (Common UNIX Printing System)   CUPS is a modular printing system that enables a computer to act as a print server. It's the most commonly used system for printing on Unix-based operating systems.   To install CUPS, open a terminal and run: sudo apt install cups   Step 2: Start and Enable CUPS Service   Once CUPS is installed, you'll need to start its service and enable i...
Read more

Sharing a Folder on Kali Linux

Image
  Sharing a folder over a network on Kali Linux can be efficiently accomplished using Samba, a re-implementation of the SMB/CIFS networking protocol. This guide will take you through the steps to set up a Samba share. Prerequisites 1. Administrative Privileges : You'll need to run commands as a superuser. 2. Folder to Share : Have a folder ready that you wish to share. If not, create one. 3. Network Access : Ensure that the Kali Linux machine is connected to the network where you want to share the folder. Step 1: Update Package Repositories Before installing any package, it's a good practice to update your package repositories: sudo apt update Step 2: Install Samba To install Samba, execute the following command: sudo apt install samba Step 3: Configure Samba The main configuration file for Samba is /etc/samba/smb.conf . You can edit this file to define your shares. First, backup the original configuration file: sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak Now, edit ...
Read more

Listing Files and Folders in Kali Linux

Image
In the intricate world of ethical hacking, the computer is an indispensable ally. The ability to swiftly navigate through files and folders is a foundational skill that every hacker must master. The Kali Linux terminal, with its array of commands, offers the tools needed to achieve this mastery. Key Insights: The "ls" Command : One of the most frequently used commands in Kali Linux, the ls command allows users to list the files and folders in the current directory. When executed without any parameters, it displays items in the current directory, with folders appearing in blue and files in green. Discovering the Current Directory with the "pwd" Command : If you ever find yourself lost amidst the myriad of directories, the pwd command is your compass. It reveals the current directory you're in, ensuring you always know your location in the filesystem. Diving Deeper with the "ls -l" Option : For those w...
Read more