.PDF Password Cracking

In my honest opinion, I rarely come across password-protected .pdf files. Most .pdf files I have ever read don't really have anything in them that would be worth password-protection anyway. Still, to me it represents the concept of good security and privacy, both of which should be important to anybody using a computer. However, where you can make it, you can somehow break it. So fire up a Terminal (or a Shell Konsole) and let me show you how.

First of all, we need a .pdf file. Download any .pdf file online, or make a file and save it in a .pdf format. Let me just say you should be using a Linux distribution, preferably BackTrack 5. If you do not have Linux, go make friends with Google and do some research on it. Now then, the tool we will be using to password-protect the file is pdftk, and the tool to crack the password is called pdfcrack. It's a nifty little tool that cracks both user and owner passwords applied to .pdf files. To download the tools, make sure you are root (unless you are using BackTrack, in which case you already are), and type in-

apt-get install pdftk

Then-

apt-get install pdfcrack

Once you have both tools installed, we need to password protect our file. Go to your terminal and type-

pdftk unprotected_file.pdf output protected_file.pdf user_pw PROMPT

-where "unprotected_file.pdf" is your original .pdf file that you want to protect with a password, and "protected_file" is the new file that will be password protected (you can name this file anything you want). You will then be asked for a password as input, which will be the password that is used to protect your new .pdf file. I suggest using password as your password, just as a proof of concept for the tool, and also to test it (You can benchmark to do this, but where is the fun in that?). Once you enter it and hit your Return key (your Enter key), you now have two .pdf files- the original one without a password, and the new one that you created with pdftk.

Now you are ready to crack your password-protected .pdf file. Just go to your Terminal and type-

pdfcrack

After you type in this command, you will see plenty of options-


root@bt:~# pdfcrack
Usage: pdfcrack -f filename [OPTIONS]
OPTIONS:
-b, --bench perform benchmark and exit
-c, --charset=STRING Use the characters in STRING as charset
-w, --wordlist=FILE Use FILE as source of passwords to try
-n, --minpw=INTEGER Skip trying passwords shorter than this
-m, --maxpw=INTEGER Stop when reaching this passwordlength
-l, --loadState=FILE Continue from the state saved in FILENAME
-o, --owner Work with the ownerpassword
-u, --user Work with the userpassword (default)
-p, --password=STRING Give userpassword to speed up breaking
ownerpassword (implies -o)
-q, --quiet Run quietly
-s, --permutate Try permutating the passwords (currently only
supports switching first character to uppercase)
-v, --version Print version and exit

For this guide, I will show you two methods of cracking- a Dictionary Attack, and a Bruteforce Attack. The first method we will use is a dictionary attack. This will read every line of a wordlist until a match to the .pdf file's password is found. I specified above that you should have used password as your password for your .pdf file. Make sure you are in the same directory as your password-protected .pdf file, then type this in your Terminal-

pdfcrack -f [password-protected pdf file] --wordlist=[path to wordlist]

I named my .pdf file "crackme.pdf", so in BackTrack 5 my command would look like this-

pdfcrack -f crackme.pdf --wordlist=/pentest/passwords/wordlists/darkc0de.lst

Here is the output from my command-

root@bt:~/Hacking/Tutorials# pdfcrack -f crackme.pdf --wordlist=/pentest/passwords/wordlists/darkc0de.lst
PDF version 1.3
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: b1de5d9d3ca2f5ec1dc4514f2a583907
U: 1f10ccc1e8a59d7083f9bbc1acf9c70900000000000000000000000000000000
O: 43710afb9adf32376fad13575c2ae401b12dd0cd7b6cde9fca684132393c6604
Average Speed: 14601.4 w/s. Current Word: 'J Arthur Moore'
Average Speed: 14024.8 w/s. Current Word: 'avvizzimento'
Average Speed: 13901.1 w/s. Current Word: 'ferebamque'
Average Speed: 14160.5 w/s. Current Word: 'mescoleremo'
found user-password: 'password'

As you can see, pdfcrack cracked the password, specified by this line of output-

found user-password: 'password'

Yes, password was the password I chose.


The command for brute-forcing, however, will look like this-

pdfcrack -f crackme.pdf --charset=abcdefghijklmnopqrstuvwxyz -n 6

The output for this command will be similar to the Dictionary Attack output. However, this method will take longer, because it has to use the character set (charset) we specified to find the password, instead of using a dictionary file.

HAPPY HACKING!