Support for WinZip AES in ScanZip / ScanEncryptedZip

[ryanohoro]

Describe the change

Adds a check for compression_type == 99 which indicates a ZIP file encrypted using the WinZip AES type. It uses pyzipper, a fork of zipfile to decrypt and is largely API-compatible.

Adds new tests to test_scan_zip and test_scan_encrypted_zip that use an AES256 encrypted test fixture.

This change adds a new python dependency pyzipper, removes zipfile from ScanZip and ScanEncryptedZip. zipfile is still used in the project in ScanDocx and ScanOle (oletools).

Closes #258

Describe testing procedures

docker-compose -f build/docker-compose.yaml build backend

============================= test session starts ==============================
platform linux -- Python 3.10.6, pytest-7.2.0, pluggy-1.0.0
rootdir: /strelka
plugins: mock-3.10.0, unordered-0.5.2
collected 55 items

tests/test_required_for_scanner.py .
tests/test_scan_base64.py .
tests/test_scan_base64_pe.py .
tests/test_scan_batch.py .
tests/test_scan_bmp_eof.py .
tests/test_scan_bzip2.py .
tests/test_scan_docx.py .
tests/test_scan_elf.py .
tests/test_scan_email.py .
tests/test_scan_encrypted_doc.py ....
tests/test_scan_encrypted_zip.py ..
tests/test_scan_entropy.py .
tests/test_scan_exiftool.py ..
tests/test_scan_footer.py .
tests/test_scan_gif.py .
tests/test_scan_gzip.py .
tests/test_scan_hash.py .
tests/test_scan_header.py .
tests/test_scan_html.py .
tests/test_scan_ini.py .
tests/test_scan_iso.py .
tests/test_scan_javascript.py .
tests/test_scan_jpeg.py ..
tests/test_scan_json.py .
tests/test_scan_lnk.py .
tests/test_scan_lzma.py .
tests/test_scan_macho.py .
tests/test_scan_manifest.py .
tests/test_scan_msi.py .
tests/test_scan_ocr.py .
tests/test_scan_pdf.py .
tests/test_scan_pe.py .
tests/test_scan_png_eof.py .
tests/test_scan_qr.py .
tests/test_scan_rar.py .
tests/test_scan_strings.py .
tests/test_scan_tar.py .
tests/test_scan_url.py .....
tests/test_scan_vhd.py ..
tests/test_scan_x509.py ..
tests/test_scan_yara.py .
tests/test_scan_zip.py ..

=============================== warnings summary ===============================

...

======================= 55 passed, 30 warnings in 7.97s ========================

./strelka-oneshot -f ../../../../samples/f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip 
cat strelka-oneshot.log | jq

{
  "file": {
    "depth": 0,
    "flavors": {
      "mime": [
        "application/zip"
      ],
      "yara": [
        "encrypted_zip",
        "zip_file"
      ]
    },
    "scanners": [
      "ScanEncryptedZip",
      "ScanEntropy",
      "ScanFooter",
      "ScanHash",
      "ScanHeader",
      "ScanYara",
      "ScanZip"
    ],
    "size": 158394,
    "tree": {
      "node": "54f3ce15-d277-4b14-8442-dc74f564b4ec",
      "root": "54f3ce15-d277-4b14-8442-dc74f564b4ec"
    }
  },
  "request": {
    "attributes": {
      "filename": "../../../../samples/f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab.zip"
    },
    "client": "go-oneshot",
    "id": "54f3ce15-d277-4b14-8442-dc74f564b4ec",
    "source": "ubuntu",
    "time": 1671830301
  },
  "scan": {
    "encrypted_zip": {
      "cracked_password": "infected",
      "elapsed": 0.546169,
      "flags": [
        "cracked_by_wordlist"
      ],
      "total": {
        "extracted": 1,
        "files": 1
      }
    },

Sample output

No changes to Strelka output

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of and tested my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings

[phutelmyer]

Good find @ryanohoro + good add!

[phutelmyer]

Looks good...testing...