Skip to content

ScanEncryptedZip

Extracts passwords from encrypted ZIP archives.

Attributes:

Name Type Description
passwords

List of passwords to use when bruteforcing encrypted files.
Options

limit: Maximum number of files to extract. Defaults to 1000. password_file: Location of passwords file for zip archives. Defaults to /etc/strelka/passwords.dat.

Source code in strelka/src/python/strelka/scanners/scan_encrypted_zip.py 
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
class ScanEncryptedZip(strelka.Scanner):
    """Extracts passwords from encrypted ZIP archives.

    Attributes:
                    passwords: List of passwords to use when bruteforcing encrypted files.

    Options:
                    limit: Maximum number of files to extract.
                                    Defaults to 1000.
                    password_file: Location of passwords file for zip archives.
                                    Defaults to /etc/strelka/passwords.dat.
    """

    def scan(self, data, file, options, expire_at):
        jtr_path = options.get("jtr_path", "/jtr/")
        tmp_directory = options.get("tmp_file_directory", "/tmp/")
        file_limit = options.get("limit", 1000)
        password_file = options.get("password_file", "/etc/strelka/passwords.dat")
        log_extracted_pws = options.get("log_pws", False)
        scanner_timeout = options.get("scanner_timeout", 150)
        brute = options.get("brute_force", False)
        max_length = options.get("max_length", 5)

        self.event["total"] = {"files": 0, "extracted": 0}

        with io.BytesIO(data) as zip_io:
            try:
                is_aes = False
                with pyzipper.ZipFile(zip_io) as zip_obj:
                    file_list = zip_obj.filelist  # .filelist
                    for file_list_item in file_list:
                        if not file_list_item.is_dir():
                            # Check for the AES compression type
                            if file_list_item.compress_type == 99:
                                is_aes = True
                                break

                with (
                    pyzipper.AESZipFile(zip_io) if is_aes else pyzipper.ZipFile(zip_io)
                ) as zip_obj:
                    file_list = zip_obj.filelist  # .filelist
                    for file_list_item in file_list:
                        if not file_list_item.is_dir():
                            self.event["total"]["files"] += 1

                    extracted_pw = crack_zip(
                        self,
                        data,
                        jtr_path,
                        tmp_directory,
                        brute=brute,
                        scanner_timeout=scanner_timeout,
                        max_length=max_length,
                        password_file=password_file,
                    )

                    if not extracted_pw:
                        self.flags.append("Could not extract password")
                        return

                    if log_extracted_pws:
                        self.event["cracked_password"] = extracted_pw

                    for file_item in file_list:
                        if not file_item.is_dir():
                            if self.event["total"]["extracted"] >= file_limit:
                                break

                            try:
                                extract_data = zip_obj.read(
                                    file_item.filename, pwd=extracted_pw
                                )

                                if extract_data:
                                    # Send extracted file back to Strelka
                                    self.emit_file(
                                        extract_data, name=file_item.filename
                                    )

                                    self.event["total"]["extracted"] += 1

                            except NotImplementedError:
                                self.flags.append("unsupported_compression")
                            except RuntimeError:
                                self.flags.append("runtime_error")
                            except ValueError:
                                self.flags.append("value_error")
                            except zlib.error:
                                self.flags.append("zlib_error")

            except pyzipper.BadZipFile:
                self.flags.append("bad_zip")

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
encrypted_zip

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name
Field Type
elapsed
str
flags
list
total
dict
total.extracted
int
total.files
int

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "elapsed": 0.001,
        "flags": ["cracked_by_wordlist"],
        "total": {"files": 4, "extracted": 4},
    }