PKZIP Multi-File Compressed — Hashcat Mode 17220
TL;DR — Mode 17220 targets ZipCrypto archives with multiple compressed files. The presence of multiple files significantly improves recovery prospects because each file provides additional plaintext attack opportunities — known file format headers, deflate stream structure, and cross-file consistency checks.
Why multi-file is favourable
Each file in a ZipCrypto archive uses the same encryption key derived from the password. Each file therefore provides an independent piece of evidence for the same key. With multiple files, attackers can cross-reference the key state across files — increasing certainty and reducing false positives.
If the archive contains files with predictable starting bytes (most do), each contributes plaintext anchor points. JPEGs, PDFs, Office documents, ZIP-within-ZIP — all have well-known signature bytes that combine to make recovery faster and more reliable.
Recovery characteristics
Multi-file ZipCrypto archives are typically the most favourable mode 17xxx case. Recovery often succeeds in minutes rather than hours, even without strong hints.
False-positive rates are very low because cross-file verification confirms candidate keys.
Common sources
Document distribution bundles (legal, accounting, real estate), software installers, photo collections, project deliverables. Anything that's a logical bundle of related files distributed as a ZIP.
Frequently Asked Questions
Why does multi-file matter?
How many files is enough?
Do all files need the same password?
Related references
Have a file in this category?
Start with a free analysis. The encryption type is detected automatically; a free check runs through fast techniques before any paid attempt. You only pay if recovery actually works.
Run a free analysis