Cracking a password protected RAR

Hi guys!

I know that this is more of an application/presentation layer question, but I’m sure there’s some experts here that could help me with this.

A medical institution in our country is sending patients' exam reports to them using password-protected .rar files, and the passwords are then sent to them via mobile text messaging. The EU legislation requires full encryption when sending this type of data, and in our company we use Nextcloud to send end-to-end encrypted, password-protected links for that purpose, with way less sensitive data.

I was always wondering: what's with these password-protected .rar/.zip files?
Are they really encrypted, or do they use quasi-.pdf protection that can be broken with $20 brute-force software? I've noticed in recent years that Google also acts weird if I try to send a password-protected .exe as an attachment. In theory it should not allow sending encrypted files (let alone an .exe one), but if I remove the .exe extension and encrypt it using 7-Zip, the .zip file can be sent as an attachment. I can't seem to send the bare, extension-stripped file (without password protection). To be honest, I'm not quite sure that Google is unable to read those password-protected files…

Is there any difference between WinRAR and 7-Zip password protection? I don't think either of them encrypts filenames… and since those files are usually clients' names, that's really… well, not so ideal a solution. I mean, it could work in a private setting, but in a professional one like that…
Does any of that password removal software work? Because if it does, that's borderline malpractice…

If there's anyone here from IT security who would be so kind as to explain this to me, I would really appreciate it.

Maybe an idea for a youtube test video :slight_smile:

I can’t speak to RAR, since I do not create archives using that format.

For 7-Zip specifically, it can create encrypted .7z files with AES-256 encryption, and encrypted .zip files with AES-256 or ZipCrypto. With the 7z format, you have the option to encrypt file names as well as the actual files. With zip, the names are not encrypted. The AES-256 encryption itself is secure, but the password also has to be decent or it may be vulnerable to brute forcing. So, it is really encrypted, but may still be brute-forced with a weak password (say, if the password was 1234 or something).

1 Like
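As an added example (not code from anyone in this thread), here is a small Python audit script for the .zip case described above: it reads an archive's central directory and reports, per entry, the file name and whether the entry is unprotected, legacy ZipCrypto, or WinZip/7-Zip AES. It shows why the names are readable without the password, and lets you reject archives with ZipCrypto entries before they go out. The sample archive and its patient-report names are constructed inside the script.

```python
import struct

AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def build_zip(entries):
    # Constructed sample builder: (name, flags, method, extra) tuples, dummy bodies.
    local, central = b"", b""
    for name, flags, method, extra in entries:
        body, off = b"\x00" * 8, len(local)
        local += struct.pack("<4s5HL2L2H", b"PK\x03\x04", 20, flags, method, 0, 0, 0,
                             len(body), len(body), len(name), len(extra)) + name + extra + body
        central += struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 3, 20, 0, flags,
                               method, 0, 0, 0, len(body), len(body), len(name),
                               len(extra), 0, 0, 0, 0, off) + name + extra
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd

def classify(flags, method, extra):
    # Bit 0 of the flags marks an encrypted entry; method 99 plus a 0x9901 extra
    # field means WinZip/7-Zip AES, anything else encrypted is legacy ZipCrypto.
    if not flags & 0x1:
        return "none"
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<2H", extra, pos)
        if hid == 0x9901 and method == 99 and size >= 7:
            return AES_STRENGTH.get(extra[pos + 8], "AES-?")  # strength byte of AE-x
        pos += 4 + size
    return "ZipCrypto (legacy, breakable)"

def audit_zip(data):
    # Walk the central directory: file names sit there in the clear whatever the
    # encryption, so a reviewer can list them and see which protection each uses.
    eocd = data.rfind(b"PK\x05\x06")
    count, cd_off = struct.unpack_from("<4s4H2LH", data, eocd)[4:7:2]
    report, pos = [], cd_off
    for _ in range(count):
        f = struct.unpack_from("<4s4B4HL2L5H2L", data, pos)
        flags, method, fnlen, extralen, clen = f[5], f[6], f[12], f[13], f[14]
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        extra = data[pos + 46 + fnlen:pos + 46 + fnlen + extralen]
        report.append({"name": name, "protection": classify(flags, method, extra)})
        pos += 46 + fnlen + extralen + clen
    return report

# Constructed sample: one AES-256 entry, one ZipCrypto entry, one unprotected entry.
AES256_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
SAMPLE = build_zip([(b"report-patient-a.pdf", 0x1, 99, AES256_EXTRA),
                    (b"report-patient-b.pdf", 0x1, 8, b""), (b"readme.txt", 0x0, 8, b"")])
```

Run `audit_zip(open("archive.zip", "rb").read())` on a real archive; any entry reported as ZipCrypto or "none" is one to re-pack with AES before sending.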

It is pretty well protected.

However (for ZIP in Linux):

zip2john filename.zip > hash.txt
john --format=zip hash.txt filename.zip

And that is the password.

2 Likes

We hardly hear about vulnerabilities in the implementation of encryption in RAR and 7z.
Whether they are 100% effective… only an in-depth code audit will tell you.
Everything is focused on a very strong password. The problem is that such a file upload either has a weak password or a copied/pasted, more complicated one.

A more likely attack vector is a weak password or password hijacking than a poor encryption implementation in RAR / 7z.
Both solutions probably have additional options to hide / encrypt file names, i.e. the contents of the archive.

Personally, if there were such an option, I would think about implementing something more sophisticated, starting with PGP with RSA-4096 and ending with VeraCrypt containers secured with cascaded algorithms (AES-256 + Twofish + Serpent) with a strong password and a key file.

2 Likes