Today I received my monthly invoice from my internet provider and something struck me as weird.
The invoice, contained in the mail was in a ZIP file with a password.
Not to say how strange it was to receive an attachment as a ZIP file in these days and times (spam, malware, phishing, etc.), the password they chose struck me as very weak.
It’s the account holder birthday in the format YYMMDD.
I ran a very crude calculation in my mind while at the gym and it came out as very few possible combinations. After using an online tool to calculate how many days have passed (since not all combinations would result in a valid date) since 1900-01-01, turns out the combinations are just 44,075 (until 2020-09-14).
Knowing that optimized tools that use GPU power to crack hashes can make guesses in the millions per second, I wanted to see how quickly the password can be guessed without using them and using just the Linux/macOS CLI (as I only had access to a VPS in the gym).
I came up with the following code that works on macOS:
echo {1..44000} | xargs -P 16 -n 1 -I{} date -v "-{}d" +"%y%m%d" | xargs -P 16 -I{} sh -c 'unzip -qqoP "{}" 0417160508.zip && echo "{}" && exit 255'
The command is pretty simple in it’s workings, even though it seems complicated.
echo {1..44000} generates the numbers from 1 to 44,000 and passes them on to the next step.
xargs -P 16 -n 1 -I{} date -v "-{}d" +"%y%m%d" – takes the input from the first step and generates dates in the format YYMMDD by leveraging date‘s functionality to “augment” a date with specific amount. In this case it would take out X days from the current date. Where X is the number generated in the first step. This way we can generate dates from today back to 1900s.
The third step is the more interesting, so I’m going to split it in two parts:
xargs -P 16 -I{} sh -c '...'
This takes the generated dates from step 2 and runs a command on each of those dates. -P 16 here means that it’s going to run this in 16 parallel processes, to make sifting through the data faster. The same trick is applied to step 2 to speed up the date generation.
The second part is where the guesses happen:
unzip -qqoP "{}" 0417160508.zip && echo "{}" && exit 255
What this does is it first tries to decompress the zip file using the password generated in step 2. If it’s successful it would print out (echo) the guessed password and then exit 255 forces xargs to stop running. We don’t want to continue guessing if the password was found.
All in all, it was pretty bad decision to choose this as the password for the file, because running the above command takes only about 10 seconds to guess the correct password for my invoice. Not much more for anyone else.
Bisko's Tech Blog 