npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

archive-decrypt

v1.0.0

Published

A Node.js package for brute force and dictionary attacks on encrypted archive files

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

heyauriheyauri

Keywords

ziprardecryptbrute-forcedictionary-attack

Readme

ArchiveDecrypt

A Node.js package for brute force and dictionary attacks on encrypted archive files (ZIP and RAR).

Features

  • Dictionary Attack: Try passwords from a wordlist
  • Brute Force Attack: Generate and try all possible password combinations
  • Hybrid Attack: Combine dictionary and brute force attacks
  • Programmatic API: Use in your Node.js applications
  • Command Line Interface: Use from your terminal
  • Support for Multiple Formats: Works with both ZIP and RAR files
  • Target File Selection: Specify a specific file to verify password (faster)
  • Character Set Presets: Use predefined character sets like lowercase, numbers, etc.
  • Progress Display: Shows speed, ETA, and progress
  • Statistics: Shows elapsed time, speed, and total attempts
  • Automatic Smallest File Selection: When no target file specified, automatically uses the smallest file for faster verification
  • Smart Error Handling: Handles various zlib and checksum errors that occur with wrong passwords

Table of Contents

Installation

npm install archive-decrypt

Or using yarn:

yarn add archive-decrypt

Quick Start

CLI Quick Start

# Dictionary attack
archive-decrypt dictionary encrypted.zip passwords.txt

# Brute force attack with numbers
archive-decrypt brute-force encrypted.zip --charset numbers --min-length 4 --max-length 6

# Hybrid attack
archive-decrypt hybrid encrypted.zip passwords.txt --charset lowercase --min-length 3 --max-length 5

API Quick Start

const ArchiveDecrypt = require('archive-decrypt');

(async () => {
  const archiveDecrypt = new ArchiveDecrypt('encrypted.zip');

  const result = await archiveDecrypt.bruteForceAttack({
    charset: 'numbers',
    minLength: 4,
    maxLength: 6,
    onSuccess: (password) => {
      console.log(`Found password: ${password}`);
    }
  });
})();

Usage

Command Line Interface

Dictionary Attack

# Basic usage
archive-decrypt dictionary encrypted.zip passwords.txt

# With options
archive-decrypt dictionary encrypted.zip passwords.txt \
  --target-file "path/to/file.jpg" \
  --max-attempts 10000 \
  --delay 10 \
  --quiet

Brute Force Attack

# Basic usage with default character set
archive-decrypt brute-force encrypted.zip

# With options
archive-decrypt brute-force encrypted.zip \
  --charset numbers \
  --min-length 4 \
  --max-length 6 \
  --target-file "path/to/file.jpg" \
  --max-attempts 10000

# Use custom character set
archive-decrypt brute-force encrypted.zip --charset "abc123!@#"

Hybrid Attack

# Basic usage
archive-decrypt hybrid encrypted.zip passwords.txt

# With options
archive-decrypt hybrid encrypted.zip passwords.txt \
  --charset lowercase \
  --min-length 3 \
  --max-length 5 \
  --target-file "path/to/file.jpg"

Character Set Presets

The following character set presets are available:

  • lowercase: abcdefghijklmnopqrstuvwxyz
  • uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • numbers: 0123456789
  • symbols: !@#$%^&*()_+-=[]{}|;:'",./<>?
  • all: All of the above combined
  • alphanumeric: Lowercase, uppercase, and numbers (default)

Programmatic API

Dictionary Attack

const ArchiveDecrypt = require('archive-decrypt');

const archiveDecrypt = new ArchiveDecrypt('encrypted.archive'); // Can be .zip or .rar

const dictionary = ['password', '1234', 'qwerty'];

(async () => {
  const result = await archiveDecrypt.dictionaryAttack({
    dictionary: dictionary,
    targetFileName: 'path/to/file.jpg', // Optional: Verify password by extracting this specific file
    onAttempt: (password, attempts, info) => {
      if (attempts % 1000 === 0) {
        console.log(`Attempt ${attempts} (${info.speed}/s) - ETA: ${info.eta}`);
      }
    },
    onSuccess: (password, attempts, info) => {
      console.log(`Success! Password found: ${password}`);
      console.log(`Attempts: ${attempts}`);
      console.log(`Elapsed: ${info.elapsed.toFixed(1)}s`);
      console.log(`Speed: ${info.speed}/s`);
    },
    onFailure: (info) => {
      console.log('Password not found in dictionary');
      console.log(`Attempts: ${info.attempts}`);
      console.log(`Elapsed: ${info.elapsed.toFixed(1)}s`);
    }
  });
})();

Brute Force Attack

const ArchiveDecrypt = require('archive-decrypt');

const archiveDecrypt = new ArchiveDecrypt('encrypted.archive'); // Can be .zip or .rar

(async () => {
  const result = await archiveDecrypt.bruteForceAttack({
    charset: 'numbers', // or custom charset like '0123456789'
    minLength: 4,
    maxLength: 6,
    targetFileName: 'path/to/file.jpg', // Optional: Verify password by extracting this specific file
    onAttempt: (password, attempts, info) => {
      if (attempts % 1000 === 0) {
        console.log(`Attempt ${attempts} (${info.speed}/s) - ETA: ${info.eta}`);
      }
    },
    onSuccess: (password, attempts, info) => {
      console.log(`Success! Password found: ${password}`);
    },
    onFailure: (info) => {
      console.log('Password not found');
    }
  });
})();

Hybrid Attack

const ArchiveDecrypt = require('archive-decrypt');

const archiveDecrypt = new ArchiveDecrypt('encrypted.archive'); // Can be .zip or .rar

const dictionary = ['password', '1234', 'qwerty'];

(async () => {
  const result = await archiveDecrypt.hybridAttack({
    dictionary: dictionary,
    charset: 'lowercase',
    minLength: 3,
    maxLength: 5,
    targetFileName: 'path/to/file.jpg', // Optional: Verify password by extracting this specific file
    onAttempt: (password, attempts, info) => {
      if (attempts % 1000 === 0) {
        console.log(`Attempt ${attempts} (${info.speed}/s) - ETA: ${info.eta}`);
      }
    },
    onSuccess: (password, attempts, info) => {
      console.log(`Success! Password found: ${password}`);
    },
    onFailure: (info) => {
      console.log('Password not found');
    }
  });
})();

Options

Common Options

All attack methods support these options:

  • targetFileName: Optional. Verify password by extracting this specific file. If the file doesn't exist in the archive, the attack will terminate immediately. If not specified, the smallest file will be automatically selected for faster verification.
  • maxAttempts: Maximum number of attempts (default: Infinity)
  • delay: Delay between attempts in milliseconds (default: 0)
  • ignoreUnexpectedError: Ignore unexpected errors and continue trying (default: true). This helps with zlib errors (Z_DATA_ERROR, CRC32 checksum failed, etc.) that can occur when trying wrong passwords.
  • onAttempt: Callback function called for each attempt. Receives parameters: (password, attempts, { speed, eta, total })
  • onSuccess: Callback function called when password is found. Receives parameters: (password, attempts, { elapsed, speed })
  • onFailure: Callback function called when password is not found. Receives parameters: ({ elapsed, speed, attempts })

Dictionary Attack Options

  • dictionary: Array of passwords to try

Brute Force Attack Options

  • charset: Characters to use for password generation, or a preset (lowercase, uppercase, numbers, symbols, all, alphanumeric) (default: alphanumeric)
  • minLength: Minimum password length (default: 1)
  • maxLength: Maximum password length (default: 10)

Performance Considerations

  • Dictionary Attack: Fastest option, especially with a good wordlist
  • Brute Force Attack: Can be very slow for long passwords or large character sets
  • Hybrid Attack: Balances speed and coverage by trying dictionary first, then brute force
  • Target File: Using targetFileName can significantly improve performance by only verifying a specific file (preferably small). If not specified, the smallest file in the archive will be automatically selected.
  • File Size Matters: Larger files take longer to decrypt and verify. Always prefer using the smallest file possible for password verification.
  • RAR vs ZIP: ZIP files are generally faster to verify than RAR files
  • Character Set Size: Smaller character sets will result in faster brute force attacks
  • Password Length: The number of combinations grows exponentially with password length

Security Note

⚠️ Important: This tool is intended for educational purposes only. Always obtain proper authorization before attempting to decrypt any encrypted files. Unauthorized access to encrypted content may be illegal in your jurisdiction.

Limitations

  • For RAR files, requires node-unrar-js for password verification
  • For ZIP files, uses adm-zip for password verification
  • Large character sets and long passwords can result in very slow brute force attacks
  • Target file name must match exactly, including path and case sensitivity
  • Does not support all compression methods or encryption algorithms

FAQ

Q: How do I speed up the brute force attack?

A: Use the smallest file in the archive for verification, use smaller character sets, and reduce the password length range.

Q: What if I don't know the target file name?

A: The tool will automatically select the smallest encrypted file in the archive.

Q: Why am I seeing zlib errors?

A: These are normal when trying wrong passwords. The tool handles them by default with ignoreUnexpectedError: true.

Q: Can I pause and resume attacks?

A: Not currently, but it's a planned feature for future versions.

License

MIT

Disclaimer: This tool is provided for educational and legitimate password recovery purposes only. Always respect the law and other people's privacy.