PKZIP Classic ZipCrypto — Hashcat Mode 17200
TL;DR — PKZIP's original encryption — informally called 'ZipCrypto' or 'ZIP 2.0 encryption' — is a stream cipher designed in 1989. Documented academic attacks reduce its effective security far below the nominal 96-bit key, making recovery feasible in most practical cases. Hashcat mode 17200 covers the standard ZipCrypto with full CRC verification.
What ZipCrypto actually is
PKZIP's original encryption was published in PKWARE's APPNOTE.TXT (the ZIP format specification) and remains the default for many archive utilities producing 'classic' password-protected ZIPs. It uses three 32-bit linear-feedback registers seeded by the password and updated per byte — a custom stream cipher, not a standard one.
The cipher's nominal security level is 96 bits. In practice, academic cryptanalysis (Eli Biham and Paul Kocher, 1994; later refinements by Stay, Lewerentz, and others) has demonstrated key-recovery attacks that reduce the effective complexity by many orders of magnitude under specific conditions — particularly when an attacker has known plaintext (e.g., a known file in the archive or a recognisable file format header).
From a recovery perspective, mode 17200 ZipCrypto archives are typically the most favourable case among encrypted archive formats. The cipher's structural weakness means recovery often succeeds even without strong password hints.
- Hashcat mode: 17200 (standard ZipCrypto)
- Nominal cipher: 96-bit stream cipher
- Known cryptanalytic weaknesses with plaintext
- Default for legacy 'classic' password-protected ZIPs
- Distinguished from 17210/17220/17225/17230 by CRC handling
Why classic ZipCrypto is weak
The cipher's three 32-bit registers form a small internal state. After processing the first 12 bytes (a header that includes a known 1-byte CRC check), the state is fully determined by the password. Attacks exploit relationships between observed cipher output and the small state space.
When the archive contains files with predictable starting bytes (most file formats do — JPEG starts with FF D8, PDF starts with %PDF-, ZIP-within-ZIP starts with PK\x03\x04), known-plaintext attacks reduce the effective password search dramatically. This is sometimes informally called the 'Biham-Kocher' attack.
Modern recovery tooling implements these attacks routinely. The combination of cipher weakness and predictable file formats means most ZipCrypto archives are recoverable on tractable timescales.
Identifying mode 17200
ZipCrypto is identified by the general-purpose flag in the local file header. Bit 0 indicates encryption; bits 1-2 indicate compression options. The encryption method byte indicates ZipCrypto (vs WinZip AES, which uses extra fields).
Tools like 7-Zip, unzip -v, or zipinfo print whether each entry uses 'ZipCrypto' or 'AES-256'. The mode-17200 hash format starts with `$pkzip2$1*1*` (or 2*, 3* for variants) followed by per-file metadata.
In multi-file ZIP archives each file is encrypted separately, so each file produces its own hash, which Hashcat can target independently or jointly through the mode variants 17210-17230.
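An added example, not taken from the page or from Hashcat: a small Python audit helper that walks the local file headers of a ZIP and reports, per entry, whether it is unencrypted, ZipCrypto (general-purpose flag bit 0 set, ordinary compression method) or WinZip AES (method 99 plus the 0x9901 extra field, which carries the AE-1/AE-2 vendor version and key strength). The sample archive is constructed inline with placeholder CRCs and payloads; the walker assumes no entry uses a data descriptor (bit 3), so for real archives with bit 3 set the sizes must come from the central directory instead.

```python
import struct

LFH = struct.Struct("<4sHHHHHIIIHH")  # local file header, fixed 30-byte part
AES_EXTRA_ID = 0x9901                 # WinZip AES extra field id
AES_BITS = {1: 128, 2: 192, 3: 256}   # strength byte -> key size

def classify_entries(data: bytes):
    """Return (name, scheme) for each local file header in `data`.
    scheme is 'none', 'ZipCrypto' or 'AES-<bits> (AE-<n>)'.
    Assumes no data descriptors (flag bit 3), so compressed sizes are in the header."""
    out, pos = [], 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        (_, _, flags, method, _, _, _, csize, _, nlen, xlen) = LFH.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("cp437")
        extra = data[pos + 30 + nlen:pos + 30 + nlen + xlen]
        if not flags & 0x0001:            # bit 0 = entry is encrypted
            scheme = "none"
        elif method == 99:                # AES entries use method 99 + extra 0x9901
            scheme = "AES-unknown"
            i = 0
            while i + 4 <= len(extra):    # walk the extra-field records
                eid, esz = struct.unpack_from("<HH", extra, i)
                if eid == AES_EXTRA_ID and esz >= 7:
                    vendor_ver, _, strength = struct.unpack_from("<HHB", extra, i + 4)
                    scheme = f"AES-{AES_BITS.get(strength, '?')} (AE-{vendor_ver})"
                i += 4 + esz
        else:                             # any other method with bit 0 set = classic ZipCrypto
            scheme = "ZipCrypto"
        out.append((name, scheme))
        pos += 30 + nlen + xlen + csize   # skip the entry data to the next header
    return out

def zipcrypto_entries(data: bytes):
    """Names of entries still protected only by ZipCrypto (the weak scheme to flag in an audit)."""
    return [n for n, s in classify_entries(data) if s == "ZipCrypto"]

def _lfh(name: bytes, flags: int, method: int, payload: bytes, extra: bytes = b"") -> bytes:
    # Constructed header for the sample; CRC and timestamps are zero placeholders.
    hdr = LFH.pack(b"PK\x03\x04", 20, flags, method, 0, 0, 0,
                   len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload

# Constructed sample archive: AE-2 record = id, size 7, vendor version 2, 'AE', strength 3, inner method 8
AES_EXTRA = struct.pack("<HHHHBH", AES_EXTRA_ID, 7, 2, 0x4541, 3, 8)
SAMPLE_ZIP = (_lfh(b"report.pdf", 0x0001, 8, b"\x00" * 16)              # ZipCrypto, deflated
              + _lfh(b"ledger.xlsx", 0x0001, 99, b"\x00" * 16, AES_EXTRA)  # WinZip AES-256
              + _lfh(b"readme.txt", 0x0000, 0, b"hello"))                  # not encrypted

if __name__ == "__main__":
    for name, scheme in classify_entries(SAMPLE_ZIP):
        print(f"{name:12s} {scheme}")
```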
Mode 17200 vs WinZip AES (mode 13600)
WinZip introduced AES-256 encryption for ZIP archives in WinZip 9.0 (2003). This is mode 13600 in Hashcat — categorically harder than 17200. AES-256 has no known practical attacks, so recovery feasibility for mode 13600 reduces to password complexity (similar to modern Office or PDF).
If your archive uses 'AE-2' encryption (the standard for WinZip AES), it's mode 13600. If it uses 'classic' ZipCrypto, it's mode 17200. The ZIP file format accommodates both; many tools default to ZipCrypto for compatibility with older readers.
Recovery realism for mode 17200
The combination of cipher structural weakness and typical archive content (predictable file headers in JPEGs, PDFs, Office docs) makes most mode 17200 archives recoverable. Even without specific hints, known-plaintext attacks succeed on most files.
Multi-file archives are particularly favourable: each additional file provides further known-plaintext opportunities. A 10-file archive of typical office documents usually yields the cipher key within minutes on modern hardware.
Specific recovery duration varies and we don't publish numbers, but mode 17200 sits comfortably on the 'practically recoverable' side of the line in almost all cases.
Files commonly using ZipCrypto
Default ZIP creation in Windows Explorer (built-in send-to compressed folder) uses ZipCrypto when password-protected. Many corporate document distribution systems default to ZipCrypto for compatibility with older recipients.
Common sources in 2026: legal disclosure bundles from older case management systems, software distribution archives, accountant deliverables, contractor work products, and any password-protected ZIP from Windows-default tooling without WinZip explicitly installed.
Frequently Asked Questions
Is mode 17200 always recoverable?
How is this different from WinZip AES?
Can I tell from the .zip extension which mode I have?
Are recovered files guaranteed unmodified?
What about ZIP archives created by macOS?
Does archive size affect recovery?
What if my archive only has one file?
