What is fcrackzip?
fcrackzip is a lightweight, fast password cracker specifically designed for ZIP archives. It supports two attack modes — dictionary (wordlist) and brute-force — and uses the unzip utility to verify candidate passwords. It is commonly encountered in CTF forensics and password attack challenges where a protected ZIP file must be cracked to access its contents.
⚠ Legal Notice
Only use on files you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
# Update packages
sudo apt update

# Install fcrackzip and unzip (unzip is needed to verify passwords)
sudo apt install fcrackzip unzip -y

# Verify installation
fcrackzip --version
Basic Usage
# Dictionary attack using rockyou.txt (most common CTF approach)
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt protected.zip

# Brute-force attack: lowercase letters, length 1 to 6
fcrackzip -u -b -c a -l 1-6 protected.zip

# Brute-force: alphanumeric (lowercase + uppercase + digits), length 4 to 8
fcrackzip -u -b -c aA1 -l 4-8 protected.zip

# Brute-force: special characters plus lowercase letters, length 1 to 5
fcrackzip -u -b -c '!a' -l 1-5 protected.zip

# Verbose output (show each attempt)
fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt protected.zip
Key Flags
- -u: Use unzip to verify the correct password (always include this)
- -D: Dictionary attack mode
- -p: Path to the wordlist file
- -b: Brute-force attack mode
- -c: Charset: a = lowercase, A = uppercase, 1 = digits, ! = special chars
- -l: Password length range (e.g. -l 4-8)
- -v: Verbose mode, show each candidate tried
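The -c and -l flags together define how many candidates a brute-force run has to cover, which is also a direct measure of how well a given ZIP password policy holds up. The following is an added example, not part of fcrackzip or the original page, that expands a charset specification and a min-max length range into a candidate count. The function names are hypothetical, and the exact contents of the "!" special-character set are an assumption to check against the man page of your installed version.

```python
import string

# Character classes selected by the -c specification.
CLASSES = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
    # Assumed contents of the '!' class; verify with `man fcrackzip`.
    "!": "!:$%&/()=?{[]}+*~#",
}

def charset(spec):
    """Expand a -c specification into the set of characters it selects."""
    chars = set()
    for i, flag in enumerate(spec):
        if flag == ":":  # everything after ':' is included literally
            chars.update(spec[i + 1:])
            break
        if flag not in CLASSES:
            raise ValueError(f"unknown charset flag {flag!r}")
        chars.update(CLASSES[flag])
    return chars

def length_range(spec):
    """Parse a -l 'min-max' value into an inclusive (min, max) pair."""
    lo, sep, hi = spec.partition("-")
    if not sep:
        raise ValueError("expected min-max, e.g. 4-8")
    lo, hi = int(lo), int(hi)
    if lo < 1 or hi < lo:
        raise ValueError(f"bad length range {spec!r}")
    return lo, hi

def keyspace(cspec, lspec):
    """Number of candidate passwords covered by a -c/-l pair."""
    n = len(charset(cspec))
    lo, hi = length_range(lspec)
    return sum(n ** k for k in range(lo, hi + 1))

if __name__ == "__main__":
    # The three brute-force specs from this page, plus a 12-character
    # mixed-case alphanumeric password for comparison.
    for cspec, lspec in [("a", "1-6"), ("aA1", "4-8"), ("!a", "1-5"), ("aA1", "12-12")]:
        print(f"-c {cspec:<4} -l {lspec:<6} {keyspace(cspec, lspec):>28,} candidates")
```

Each extra character of length multiplies the count by the charset size, so length does more for resistance than adding a character class.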
Common Use Cases
- CTF (Capture The Flag) forensics and password attack challenges
- Recovering passwords from ZIP files you own
- Authorized penetration testing engagements
- Internal security audits involving archived data
Further Reading
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using the tool in a live engagement.