Disclaimer: This blog post is intended solely for educational purposes in controlled lab environments. Do not attempt to access ZIP files you do not own or have explicit permission to test.
Introduction
ZIP files are a ubiquitous method for compressing and sharing files. Many users protect ZIPs with passwords, assuming the data is secure. In reality, ZIP passwords can often be guessed or cracked offline if they are weak, making this a useful exercise for security training, awareness, and defensive education.
If you set a password on an archive, remember it. More often than not you won't, and that is where password auditing toolsets can become your key to access.
Lab Setup
Requirements
- Windows or any OS to create a ZIP file
- Kali Linux to run John the Ripper
- Optional: A shared folder or SCP method to move files between systems
Objective
- Learn how offline password auditing works
- Understand why ZIP passwords fail when weak
- Derive defensive insights to protect ZIPs and other encrypted archives
Step 1: Obtain John the Ripper Jumbo
The Jumbo edition of John the Ripper includes advanced features and support for formats such as ZIP/AES, which are not included in the base version.
1.1 Installing on Kali Linux
- Open a terminal in Kali.
- Update package lists: sudo apt update
- Install the Jumbo version of John: sudo apt install john
- Verify the installation and confirm it is Jumbo: john
Expected output:
John the Ripper 1.9.0-jumbo-1+bleeding-aec1328d6c
Note: “Jumbo” indicates support for ZIP2, bcrypt, and other advanced hash types required for modern lab exercises.
Step 2: Create a Test ZIP Archive
- On any OS, create a folder or file
- Compress the folder as a ZIP.
- Enable password protection (AES-256 preferred).
- Use a deliberately weak password for demonstration; in this case, "celines15".
- The content of the ZIP is irrelevant. John the Ripper attacks the password metadata, not the files themselves.
Step 3: Move the ZIP File to Kali
Move the ZIP file to Kali. I do not recommend attempting these operations on Windows: Defender will almost certainly quarantine John the Ripper as malicious, and I also do not recommend disabling antivirus to follow this guide.
I chose to copy the file to the following location using WinSCP:
Absolute Path > /home/mooney/lab/LabData.zip
Step 4: Extract the ZIP Hash
John cannot attack the ZIP directly. Instead, extract a hash of the password metadata:
Command: zip2john LabData.zip > zip.hash
Verify the hash:
cat zip.hash
You should see a line beginning with:
LabData.zip:$zip2$...
This is the data John will use for password auditing.
Step 5: Run the Password Audit
Use a wordlist-based attack:
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt --rules
Check progress:
john --status
Once John recovers a password:
john --show zip.hash
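Steps 4 and 5 are three commands, but each has a check worth automating: that zip2john actually produced a line beginning with $zip2$, and that the password John reports is read from the right field of `john --show`. The script below is an added example for this post, not part of John the Ripper; it assumes zip2john and john (Jumbo) are on PATH after `sudo apt install john`, reuses the paths from the post, and includes a constructed sample of `john --show` output whose field layout (name, password, then the trailing zip2john fields) is an assumption.

```python
"""Automate the hash-extraction and audit steps of this lab with sanity checks.
Added example for this post; it is not part of John the Ripper. It assumes
zip2john and john (Jumbo) are on PATH, as after `sudo apt install john` on Kali.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Hash prefixes zip2john emits: $zip2$ for AES (WinZip-style) archives, as shown
# in the post; $pkzip2$/$pkzip$ for legacy ZipCrypto archives.
HASH_PREFIXES = ("$zip2$", "$pkzip2$", "$pkzip$")
SUMMARY_RE = re.compile(r"^\d+ password hash(es)? cracked, \d+ left")


def tools_available() -> bool:
    """True when both zip2john and john can be found on PATH."""
    return all(shutil.which(t) is not None for t in ("zip2john", "john"))


def is_zip_hash(line: str) -> bool:
    """Check that a line has the '<name>:$zip2$...' shape the post tells you to
    look for with `cat zip.hash`; guards against stray text in the hash file."""
    name, sep, rest = line.partition(":")
    return bool(name) and sep == ":" and rest.startswith(HASH_PREFIXES)


def extract_hash(zip_path: Path, hash_path: Path) -> int:
    """Equivalent of `zip2john <zip> > <hash file>`, keeping only well-formed
    hash lines. Returns the number of hash lines written."""
    result = subprocess.run(["zip2john", str(zip_path)],
                            capture_output=True, text=True, check=True)
    lines = [ln for ln in result.stdout.splitlines() if is_zip_hash(ln)]
    hash_path.write_text("".join(ln + "\n" for ln in lines))
    return len(lines)


def run_audit(hash_path: Path, wordlist: Path) -> None:
    """`john <hash file> --wordlist=<list> --rules`; john keeps its own session
    state, so `john --status` works from another terminal while this runs."""
    subprocess.run(["john", str(hash_path), f"--wordlist={wordlist}", "--rules"],
                   check=False)


def parse_show_output(text: str) -> dict[str, str]:
    """Map entry name -> recovered password from `john --show` output.
    john --show prints '<name>:<password>:<rest of the original hash line>',
    then a summary such as '1 password hash cracked, 0 left'. A password that
    itself contains ':' would be ambiguous in this layout."""
    found: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or SUMMARY_RE.match(line):
            continue
        name, _, rest = line.partition(":")
        found[name] = rest.split(":", 1)[0]
    return found


def recovered_passwords(hash_path: Path) -> dict[str, str]:
    """Run `john --show <hash file>` and parse its output."""
    result = subprocess.run(["john", "--show", str(hash_path)],
                            capture_output=True, text=True, check=False)
    return parse_show_output(result.stdout)


# Constructed sample of `john --show` output for the lab archive; the field
# layout (name, password, trailing zip2john fields) is an assumption.
SAMPLE_SHOW_OUTPUT = """\
LabData.zip/notes.txt:celines15:notes.txt:LabData.zip::LabData.zip

1 password hash cracked, 0 left
"""

if __name__ == "__main__":
    zip_file = Path("/home/mooney/lab/LabData.zip")   # path from the post
    hash_file = zip_file.with_name("zip.hash")
    wordlist = Path("/usr/share/wordlists/rockyou.txt")
    if tools_available() and zip_file.exists():
        print(f"{extract_hash(zip_file, hash_file)} hash line(s) written to {hash_file}")
        run_audit(hash_file, wordlist)
        print(recovered_passwords(hash_file))
    else:
        print("john/zip2john or the archive not found; parsing the sample instead:")
        print(parse_show_output(SAMPLE_SHOW_OUTPUT))
```

Run it on Kali after Step 3 and it performs Steps 4 and 5 end to end; on a machine without John it only parses the embedded sample, which is enough to see which field the recovered password is read from.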
Step 6: Defensive Views
| Observation | Defensive Recommendation |
|---|---|
| Short, dictionary-based passwords | Use long, random passphrases (16+ chars) |
| ZIP passwords allow offline guessing | Treat ZIP passwords as convenience, not strong protection |
| AES-256 ZIP is still vulnerable to weak passwords | Use encrypted containers (VeraCrypt) or OS-level encryption |
| Predictable patterns | Avoid common words, patterns, and personal references |
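The first and last rows of the table describe one failure mode from two angles: a word from a list plus a predictable suffix, which is exactly what the --rules option in Step 5 exploits. The script below, added for this post and not part of the original or of John the Ripper, replays a tiny wordlist-plus-rules audit against "celines15" (the six-word list and four rules are constructed stand-ins for rockyou.txt and John's rule syntax), applies the table's 16-character and not-guessable checks, and contrasts the result with a CSPRNG-generated 20-character password.

```python
"""Show why a password like "celines15" falls to a wordlist-plus-rules audit and
what the table's recommendations buy you. Added example for this post; the
wordlist and rules are constructed stand-ins, not John the Ripper's own."""
import math
import secrets
import string
from typing import Callable, Iterator, Optional, Tuple

# Constructed stand-in for rockyou.txt (which has roughly 14 million entries).
WORDLIST = ["password", "celine", "celines", "summer", "letmein", "dragon"]

Rule = Callable[[str], Iterator[str]]


def rule_identity(word: str) -> Iterator[str]:
    yield word


def rule_capitalize(word: str) -> Iterator[str]:
    yield word.capitalize()


def rule_append_digits(word: str) -> Iterator[str]:
    """word + 0..99, the classic "name plus a number" pattern."""
    for n in range(100):
        yield word + str(n)


def rule_append_year(word: str) -> Iterator[str]:
    for year in range(1990, 2031):
        yield word + str(year)


# Rules in the order they are applied; in the spirit of John's --rules, but
# written as plain Python rather than John's rule syntax.
RULES: dict[str, Rule] = {
    "identity": rule_identity,
    "capitalize": rule_capitalize,
    "append_digits": rule_append_digits,
    "append_year": rule_append_year,
}


def candidates(wordlist, rules):
    """Yield (guess, base word, rule name) in audit order."""
    for rule_name, rule in rules.items():
        for word in wordlist:
            for guess in rule(word):
                yield guess, word, rule_name


def audit(password: str, wordlist=WORDLIST, rules=RULES) -> Optional[Tuple[int, str, str]]:
    """Return (guess number, base word, rule) if the password is recovered, else None.
    A real audit compares each guess against the hash in zip.hash; the plaintext
    comparison here is fine because we are checking our own candidate password."""
    for n, (guess, word, rule_name) in enumerate(candidates(wordlist, rules), 1):
        if guess == password:
            return n, word, rule_name
    return None


def check_policy(password: str, wordlist=WORDLIST, rules=RULES) -> list[str]:
    """Apply the table's recommendations: 16+ characters and not guessable."""
    findings = []
    if len(password) < 16:
        findings.append("shorter than 16 characters")
    hit = audit(password, wordlist, rules)
    if hit is not None:
        n, word, rule_name = hit
        findings.append(f"recovered as guess #{n}: '{word}' + rule '{rule_name}'")
    return findings


ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 20) -> str:
    """Random password from a CSPRNG; what the table means by 'random'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses needed to find a uniformly random secret of `bits` bits."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    for pw in ["celines15", random_password()]:
        print(pw, "->", check_policy(pw) or "passes")
    bits = entropy_bits(20)
    print(f"20 random chars: {bits:.1f} bits, ~{expected_guesses(bits):.2e} expected guesses")
```

With only six words and four rules, "celines15" is the 228th guess; rockyou.txt plus John's default rules covers the same pattern at scale, which is why the table treats the archive password as a convenience rather than a control. The 20-character random password never appears in any such list and, at about 119 bits, would need on the order of 2^118 guesses on average.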
Step 7: Key Takeaways
- Password cracking targets authentication metadata, not file contents.
- ZIP encryption is only as strong as the password chosen.
- Controlled lab exercises reinforce security awareness and good password hygiene.
Conclusion
This lab demonstrates in a safe, controlled environment why weak ZIP passwords fail. Learners gain practical insight into password auditing, defensive best practices, and the limitations of ZIP encryption.
Using John the Ripper Jumbo, students can simulate real-world offline attacks without touching unauthorized data, making it an excellent tool for education and security awareness.