Provided by: yazc_0.4.3-1_amd64 
NAME
yazc - yet another zip cracker
SYNOPSIS
yazc [-h] [-V]
yazc COMMAND OPTIONS... FILE
DESCRIPTION
yazc cracks password protected zip files. Three attack methods are supported: bruteforce,
dictionary and plaintext.
Note: Only files encrypted using the legacy Pkware encryption method are supported.
BRUTEFORCE
The bruteforce command tries every possible character combination. A general rule of thumb
is to use this command when you suspect the password to be 8 characters or less.
-c, --charset=CHARSET
Set the character set to CHARSET.
-i, --initial=STRING
Set the initial password to STRING.
-l, --length=NUM
Set the maximum password length to LENGTH characters.
-a, --alpha
Use characters [a-z].
-A, --alpha-caps
Use characters [A-Z].
-n, --numeric
Use characters [0-9].
-s, --special
Use special characters "!:$%&/()=?{[]}+-*~#@|;".
-t, --threads=NUM
Distribute load to NUM threads. For maximum performance, this should be set to the
number of logical processors available.
-h, --help
Display help and exit.
DICTIONARY
The dictionary command reads passwords from a text file (or stdin if no file argument is
provided). It is assumed that each password is separated by a newline.
-d, --dictionary=FILE
Read passwords from FILE.
-h, --help
Display help and exit.
PLAINTEXT
The plaintext command uses a known vulnerability in the pkzip stream cipher to find the
internal representation of the encryption key. To use this attack type, you need at least
13 known plaintext bytes from any file in the archive. Generally, this means that you need
to obtain at least 13 bytes of the compressed stream before it was encrypted.
The plaintext command can be used either with the raw byte offsets (-o option) or by using
the zip file entry name.
-o, --offset
Use raw byte offsets instead of entry names.
-t, --threads=NUM
Distribute load to NUM threads.
-h, --help
Display help and exit.
INFO
The info command lists the filenames, offsets and the encryption header for each file in
the archive. This is useful to determine what configuration to pass to the plaintext
command.
EXAMPLES
Use a bruteforce attack on file archive.zip using only lower case letters and distribute
the load to 8 threads:
yazc bruteforce -a -t8 archive.zip
Use a dictionary attack on file archive.zip and use passwords from rockyou.txt:
cat rockyou.txt | yazc dictionary archive.zip
Use a plaintext attack on archive.zip. Take plaintext bytes 100 to 650 and map them to
ciphertext bytes 112 to 662. Use these bytes to reduce the number of keys and perform the
attack. Once the intermediate key is found, decrypt the rest of the cipher (begins at
offset 64) to get the internal representation (the encryption key derived from the
password). If possible the actual (or equivalent) password will also be recovered and
printed.
yazc plaintext -o plain.bin 100 650 archive.zip 112 662 64
AUTHOR
Marc Ferland <marc.ferland at gmail dot com>
Part of this software was inspired by fcrackzip by Marc Lehmann and pkcrack by Peter
Conrad. The original plaintext algorithm was developed by Eli Biham and Paul C. Kocher.
YAZC(1)