Add AES Support to ScanZip/ScanEncryptedZip
ryanohoro opened this issue · 0 comments
ryanohoro commented
Is your feature request related to a problem? Please describe.
ScanZip/ScanEncryptedZip should support AES-encrypted zip files. Scanning an AES-encrypted ZIP file currently returns "unsupported_compression".
7zz -slt l f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip
7-Zip (z) 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15
64-bit locale=en_US.UTF-8 Threads:128
Scanning the drive for archives:
1 file, 158394 bytes (155 KiB)
Listing archive: f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip
--
Path = f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip
Type = zip
Physical Size = 158394
----------
Path = f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.pdf
Folder = -
Size = 186622
Packed Size = 158138
Modified = 2022-12-23 16:03:28
Created =
Accessed =
Attributes = -rw-r--r--
Encrypted = +
Comment =
CRC =
Method = AES-128 Deflate:Maximum
Characteristics = WzAES : Encrypt
Host OS = Unix
Version = 51
Volume Index = 0
Offset = 0
./strelka-oneshot -f f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip
cat strelka-oneshot.log | jq
"scan": {
  "encrypted_zip": {
    "cracked_password": "infected",
    "elapsed": 0.056146,
    "flags": ["unsupported_compression"],
    "total": {
      "extracted": 0,
      "files": 1
    }
  },
Describe the solution you'd like
Use 7zip or pyzipper instead of zipfile to extract zip files.
Describe alternatives you've considered
Additional context
AES encryption is widely supported, though not the default for most applications.
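The following is an added example, not code from this issue or from Strelka, showing why zipfile alone produces the result reported above and what a scanner can check before handing an archive off. WinZip AES entries advertise compression method 99 and carry a 0x9901 extra-field record that holds the AES strength and the real compressor (here Deflate); CPython's zipfile lists such entries but cannot decrypt them. The example parses that record with the standard library only, routes AES entries to pyzipper and everything else to zipfile, and hand-builds a one-entry archive whose headers mirror the 7z listing above (the encrypted body is constructed junk, so nothing is decrypted). The names inspect_zip, build_sample_aes_zip and the routing labels are this example's own; the optional pyzipper helper assumes the pyzipper.AESZipFile API.

```python
"""Detect WinZip AES (AE-1/AE-2) entries, which CPython's zipfile lists but
cannot decrypt, so a scanner can route them to pyzipper or 7z instead of
emitting unsupported_compression. Added example; not Strelka code."""
import io
import struct
import zipfile

WZ_AES_METHOD = 99        # compress_type that WinZip AES entries advertise
WZ_AES_EXTRA_ID = 0x9901  # extra-field ID of the WinZip AES record
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_aes_extra(extra: bytes):
    """Walk the extra field's (id, size, body) records and return the
    0x9901 record as a dict, or None when the entry is not WinZip-AES."""
    off = 0
    while off + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4:off + 4 + size]
        if hid == WZ_AES_EXTRA_ID and len(body) >= 7:
            ae_version, vendor, strength, method = struct.unpack_from("<H2sBH", body)
            return {
                "ae_version": ae_version,   # 1 = AE-1 (CRC kept), 2 = AE-2 (CRC zeroed)
                "vendor": vendor.decode("ascii", "replace"),
                "strength": AES_STRENGTH.get(strength, "unknown(%d)" % strength),
                "actual_method": method,    # real compressor, e.g. 8 = Deflate
            }
        off += 4 + size
    return None


def inspect_zip(data: bytes):
    """List every entry with its encryption type and the extractor a scanner
    should hand it to. Only headers are read; nothing is decrypted."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            aes = None
            if info.compress_type == WZ_AES_METHOD:
                aes = parse_aes_extra(info.extra)
            results.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),
                "aes": aes,
                # zipfile handles Stored/Deflate and legacy ZipCrypto; AE-x needs
                # pyzipper (or 7z). The routing labels are this example's choice.
                "route": "pyzipper" if aes else "zipfile",
            })
    return results


def build_sample_aes_zip(name=b"sample.pdf", payload=b"\x00" * 32):
    """Hand-assemble a one-entry zip marked AES-128 over Deflate (AE-2),
    mirroring the 7z listing in the issue. Constructed test data: the body
    is junk, so only the headers are meaningful."""
    aes_extra = struct.pack("<HHH2sBH", WZ_AES_EXTRA_ID, 7, 2, b"AE", 1, 8)
    flags, crc = 0x0001, 0                 # bit 0 = encrypted; AE-2 stores CRC 0
    dos_time, dos_date = 32878, 21911      # 16:03:28, 2022-12-23
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, WZ_AES_METHOD,
                        dos_time, dos_date, crc, len(payload), len(payload),
                        len(name), len(aes_extra)) + name + aes_extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags,
                          WZ_AES_METHOD, dos_time, dos_date, crc, len(payload),
                          len(payload), len(name), len(aes_extra),
                          0, 0, 0, 0, 0) + name + aes_extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def build_sample_plain_zip():
    """Control case: an ordinary unencrypted entry written by zipfile itself."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plain.txt", b"not encrypted")
    return buf.getvalue()


def extract_with_pyzipper(data: bytes, password: bytes):
    """Optional: decrypt AE-x entries with pyzipper when it is installed
    (assumed API: pyzipper.AESZipFile, a zipfile-compatible class).
    Returns {name: bytes}, or None when pyzipper is unavailable."""
    try:
        import pyzipper
    except ImportError:
        return None
    with pyzipper.AESZipFile(io.BytesIO(data)) as zf:
        zf.setpassword(password)
        return {i.filename: zf.read(i) for i in zf.infolist()}


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_aes_zip()) + inspect_zip(build_sample_plain_zip()):
        print(entry)
```

Running the block prints one AES-128/Deflate entry routed to pyzipper and one plain entry routed to zipfile. A scanner that performs this check up front can attempt the AES path (pyzipper or a 7z subprocess) with the cracked password instead of flagging unsupported_compression, and can still report the AE version and key strength in its output.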