Cracking a Password-Protected ZIP File with John the Ripper — A Hands-On Guide


Randi Adhityas Saputra

Image generated using ChatGPT

Disclaimer:

This guide is intended for educational purposes only. All demonstrations and techniques discussed here should only be performed on systems you own or have explicit permission to test. Unauthorized hacking is illegal and unethical.

Please use this knowledge responsibly — become a better defender, ethical hacker, or bug bounty hunter.

John the Ripper (often called “John” or JtR) is a powerful, flexible password-cracking tool used by security professionals, CTF players, and bug bounty hunters alike.

Originally designed to crack Unix password hashes, it has evolved into a multi-format beast capable of cracking:

- ZIP file passwords
- Hashes from /etc/shadow
- .htpasswd hashes
- MySQL, bcrypt, NTLM, MD5, SHA1, and more

John works using dictionary attacks, brute-force, or rule-based attacks.

You’ve found a password-protected file, backup.zip, while exploring a target during a bug bounty recon phase. Time to crack it and see what’s inside.

Let’s walk through the process together.

Here’s the quick flow we’ll follow:

1. Extract the password hash using zip2john
2. Crack the password using john and a wordlist
3. Unzip the file using the recovered password

Start by converting the ZIP file into a hash that John understands:

zip2john backup.zip > hash.txt

This creates a hash.txt file with a special hash format for John to work with.

Now give that hash to John, along with a wordlist like the good ol’ rockyou.txt:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

John will hash each candidate password from your wordlist and compare the result against the hash extracted from the ZIP.

📣 You’ll see output like:

Loaded 1 password hash (PKZIP [32/64])

Let it do its thing. If the password is in the wordlist, it’ll be cracked quickly.

Once it’s done (or instantly cracked), display the password:

john --show hash.txt

Output might look like this:

backup.zip:mysecretpassword

✔️ And there it is — you’ve got the key.

Now you can extract the contents:

unzip -P mysecretpassword backup.zip

That’s it — you’re in!

If you want to streamline it, you can automatically pull the password from the crack output like this:

PASSWORD=$(john --show hash.txt | head -n 1 | cut -d':' -f2)   # first cracked line only; skips the trailing "1 password hash cracked, 0 left" summary
unzip -P "$PASSWORD" backup.zip

Handy for scripting or chaining this into a workflow.
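As an added example (my own bash, not code from the original post or from the John the Ripper project), here is the three-step flow wrapped into functions, with the `john --show` parsing done robustly: it ignores the summary line, copes with the longer per-entry line format zip2john actually produces, and fails cleanly when nothing was cracked. It assumes zip2john, john and unzip are on PATH; the function names are my own.

```bash
#!/usr/bin/env bash
# Added wrapper around the zip2john -> john -> unzip flow described above.
# Assumes zip2john, john and unzip are on PATH (only crack_and_unzip calls them;
# password_from_show is pure text parsing). Function names are my own, not JtR's.

# Print the recovered password given the text printed by `john --show`.
# Returns 1 when nothing was cracked.
password_from_show() {
    local show_output="$1" line
    # Cracked entries look like "name:password[:extra fields]".
    # The trailing summary ("1 password hash cracked, 0 left") has no ':',
    # so keep only lines containing a colon and take the first cracked entry.
    line=$(printf '%s\n' "$show_output" | grep ':' | head -n 1)
    [ -n "$line" ] || return 1
    # Field 2 is the password. This matches both the post's short form
    # ("backup.zip:mysecretpassword") and zip2john's longer per-entry form
    # ("backup.zip/file.txt:pw:file.txt:backup.zip::backup.zip").
    printf '%s\n' "$line" | cut -d':' -f2
}

# Full flow: extract the hash, run the wordlist attack, unzip with the result.
# Usage: crack_and_unzip backup.zip /usr/share/wordlists/rockyou.txt
crack_and_unzip() {
    local zip="$1" wordlist="$2" hashfile password
    hashfile=$(mktemp) || return 1
    zip2john "$zip" > "$hashfile" || { rm -f "$hashfile"; return 1; }
    # Returns once the wordlist is exhausted or every hash is cracked.
    john --wordlist="$wordlist" "$hashfile"
    if ! password=$(password_from_show "$(john --show "$hashfile")"); then
        echo "no password recovered for $zip (try --rules or a larger wordlist)" >&2
        rm -f "$hashfile"
        return 1
    fi
    rm -f "$hashfile"
    unzip -P "$password" "$zip"
}
```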

Let’s say you’re browsing a misconfigured open directory or subdomain. You spot a backup.zip, download it, and it’s password-protected.

You run this cracking flow and inside you find:

- Config files
- Hardcoded credentials
- Internal APIs
- Sensitive PII

You now have a high-impact finding to report — sensitive data exposure due to weak password protection. Even better if the same password works elsewhere (login portals, admin panels, etc.).

- zip2john, rar2john, 7z2john, pdf2john — all work the same way
- Try fcrackzip for simple ZIPs (faster, though limited format support)
- Build target-specific wordlists using tools like cewl
- Use john --rules to get more aggressive and intelligent with cracking

- John the Ripper is a powerful ally in your bug bounty toolkit.
- Cracking ZIPs is quick, easy, and often overlooked.
- Always try cracking passwords when you find ZIPs or hash dumps.
- Respect legal boundaries — always test ethically and with permission.