66.15 PDF Password Recovery

20230122

Have you forgotten the password to a critical PDF document that you password protected? There is some hope, with a couple of useful tools for password recovery. One is hashcat, which can be installed with wajig install hashcat. Another I’ve tried out is John the Ripper. Both are open source and freely available.

John the Ripper is a password recovery application that takes a brute force approach to password recovery, trying candidate passwords from a dictionary.

snap install john-the-ripper
wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
unzip bleeding-jumbo.zip
perl john-bleeding-jumbo/run/pdf2john.pl myenc.pdf > myenc.hash
john myenc.hash

Breaking this down step by step.

John the Ripper is available as a snap and so can be easily installed:

snap install john-the-ripper

For a PDF document the encryption hash needs to be extracted as a separate step using a Perl script called pdf2john. Obtain the script from the GitHub zip file and unzip it locally:

wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
unzip bleeding-jumbo.zip

You can then run the pdf2john script to extract the hash:

perl john-bleeding-jumbo/run/pdf2john.pl myenc.pdf > myenc.hash

The hash file looks like this (though I have truncated the very long line of some 230 characters in this instance):

myenc.pdf:$pdf$4*4*128*-1084*1*16*4562af96fd15a323045f285f2eaa698a*32*f3859708f9d3f...

This format can be used directly by John the Ripper, but for hashcat the filename and the colon need to be removed.
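The conversion just described, as an added example rather than code from this page or from the john or hashcat projects: it strips the filename and colon and rejects lines that look truncated or edited. The function names and the sample line are constructed for illustration, and the field layout (version, revision, key bits, permissions, metadata flag, id length, id) is an assumption read off the hash shown above.

```shell
#!/bin/sh
# Added example (not from the original page): turn pdf2john output into the
# bare "$pdf$..." form and sanity-check its leading fields.

# Constructed sample line; the hex values are made up, not a real document.
SAMPLE='myenc.pdf:$pdf$4*4*128*-1084*1*16*00112233445566778899aabbccddeeff*32*0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef*32*fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

# pdf_hash_strip LINE: print the bare hash, or return 1 if LINE has none.
# Anchoring on ":$pdf$" instead of the first colon keeps file names that
# contain a colon intact; any colon-separated trailing fields are dropped.
pdf_hash_strip() {
    case $1 in
        *':$pdf$'*) hash='$pdf$'${1#*':$pdf$'} ;;
        '$pdf$'*)   hash=$1 ;;
        *)          return 1 ;;
    esac
    printf '%s\n' "${hash%%:*}"
}

# pdf_hash_revision HASH: print the revision (assumed to be the second field).
# Returns 1 when the assumed V*R*bits*P*flag*idlen*id layout is malformed or
# the document id is not idlen bytes of hex (a truncated or edited line).
pdf_hash_revision() {
    body=${1#'$pdf$'}
    [ "$body" != "$1" ] || return 1
    old_ifs=$IFS; IFS='*'
    set -f; set -- $body; set +f
    IFS=$old_ifs
    [ $# -ge 7 ] || return 1
    for f in "$1" "$2" "$3" "$6"; do
        case $f in ''|*[!0-9]*|0?*) return 1 ;; esac
    done
    case $7 in *[!0-9a-fA-F]*) return 1 ;; esac
    [ ${#7} -eq $(( $6 * 2 )) ] || return 1
    printf '%s\n' "$2"
}

# pdf_hash_convert: filter pdf2john output on stdin to bare hashes on stdout,
# reporting every rejected line on stderr.
pdf_hash_convert() {
    while IFS= read -r line || [ -n "$line" ]; do
        if h=$(pdf_hash_strip "$line") && pdf_hash_revision "$h" >/dev/null; then
            printf '%s\n' "$h"
        else
            printf 'skipped: %s\n' "$line" >&2
        fi
    done
}
```

After sourcing the file, pdf_hash_convert reads myenc.hash on standard input and writes the bare hash lines to standard output.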

Running the password recovery program is then a matter of calling john with the file containing the hash. This will now utilise all cores on your computer and run time can be 6 hours or more.

john myenc.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-01-22 10:55) 0g/s 152943p/s 152943c/s 152943C/s Enab1900..Pdf1900
Proceeding with wordlist:/snap/john-the-ripper/current/run/password.lst
Enabling duplicate candidate password suppressor

You can get a status at any time with s:

0g 0:00:25:37 3.75% 2/3 (ETA: 22:18:58) 0g/s 111340p/s 111340c/s 111340C/s 26316082..rockers1782
Remaining hashes    1 (0 removed)
Remaining salts     1 (0 removed)
Time in seconds     1537 (1537.00 new)
Successful guesses  0 (0 new, 0 g/s)
Passwords tested    171130171 (171130171 new, 111340 p/s)
 dupe suppressor    is enabled since accepted candidate 45884
 and it accepted    171084544 (90.62%, 111310 p/s)
        rejected    17710356 (9.38%, 11522 p/s)
    out of total    188794900 (122833 p/s)
Hash computations   171130171 (171130171 new, 111340 c/s)
Hash combinations   171130171 (171130171 new, 111340 C/s)


Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0