Forgot your PDF password?

So you forgot the password of a PDF you received, or, like me, you encrypted your own PDF file a while back and no longer remember the password for it.
That is exactly what happened to me, and I started wondering how I could recover it.
pdfcrack is one of the best-known Linux tools that does the

sudo apt-get install pdfcrack

It was simple, right? The following is the help output of the stock pdfcrack package that ships in the repositories.

beyond@beyond-GL552VW /tmp/pdfcrack $ pdfcrack
Usage: pdfcrack -f filename [OPTIONS]
OPTIONS:
-b, --bench              perform benchmark and exit
-c, --charset=STRING     Use the characters in STRING as charset
-w, --wordlist=FILE      Use FILE as source of passwords to try
-n, --minpw=INTEGER      Skip trying passwords shorter than this
-m, --maxpw=INTEGER      Stop when reaching this passwordlength
-l, --loadState=FILE     Continue from the state saved in FILENAME
-o, --owner              Work with the ownerpassword
-u, --user               Work with the userpassword (default)
-p, --password=STRING    Give userpassword to speed up breaking ownerpassword (implies -o)
-q, --quiet              Run quietly
-s, --permutate          Try permutating the passwords (currently only supports switching first character to uppercase)
-v, --version            Print version and exit

An example of a dictionary attack against the user password (-s additionally tries each word with its first letter upper-cased):

pdfcrack -f /path/to/secure/file.pdf -w /my/path/for/rockyou.txt -s

The problem is that this version of pdfcrack is single-threaded. Yes, that's right: it will take ages to crack even a simple password from a dictionary
file like rockyou.txt. What we want is something like hashcat, which uses GPU power to speed up the process.

So, to start, I looked around and found a few articles on the web, and a number of enthusiastic people who have ported the original pdfcrack code to a multicore, multithreaded version:
https://sourceforge.net/p/pdfcrack/discussion/575585/thread/94dbe77e/
http://andi.flowrider.ch/research/pdfcrack.html

Dr. Andreas Meier has contributed significantly to this; you can download the new source code from his page. This version supports
threading.
Follow these steps to get it built:

1. Download the source code.
2. Go through the README and the Makefile.
3. Run 'make' (with -j and however many threads your system supports).
4. If it fails, check for the Makefile error that I got. It is caused by the way the pthread library is linked: '-lpthread' only adds the library at link time, whereas '-pthread' tells gcc to compile and link with POSIX threads support.
5. Update the LIBS line in the Makefile as follows:
#LIBS = -lpthread
LIBS = -pthread
6. Do a 'make clean' and a '

This version of pdfcrack gives the following options:

beyond@beyond-GL552VW /tmp/pdfcrack $ ./pdfcrack
Usage: ./pdfcrack -f filename [OPTIONS]
OPTIONS:
-b, --bench              perform benchmark and exit
-c, --charset=STRING     Use the characters in STRING as charset
-w, --wordlist=FILE      Use FILE as source of passwords to try
-n, --minpw=INTEGER      Skip trying passwords shorter than this
-m, --maxpw=INTEGER      Stop when reaching this passwordlength
-t, --threads=INTEGER    Set number of threads used (default 0), recommended for multi-core systems
-l, --loadState=FILE     Continue from the state saved in FILENAME
-o, --owner              Work with the ownerpassword
-u, --user               Work with the userpassword (default)
-p, --password=STRING    Give userpassword to speed up breaking ownerpassword (implies -o)
-q, --quiet              Run quietly
-s, --permutate          Try permutating the passwords (currently only supports switching first character to uppercase)
-v, --version            Print version and exit
-z, --zone=INT1/INT2     Run program on multiple hosts (split search space) e.g. -z 3/8 (run on host 3 out of 8)

Now we have the threading option (-t) to explore, and -z to split the search space across hosts. Let's put it to work.

beyond@beyond-GL552VW /tmp/pdfcrack $ ./pdfcrack /tmp/157046967-20171011.pdf -w /home/beyond/rockyou.txt -t 8
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -1852
Length: 128
Encrypted Metadata: True
FileID: 1dea253ce3631c21149a619ad9b5ea25
U: a3f0257d99da4a218365ea312734ccac00000000000000000000000000000000
O: 246a2584f4a746812f449e0e189fd0ebbc728bc733b671af6bbfd8dc143c3279
thread 0 started
thread 1 started
thread 2 started
thread 3 started
thread 4 started
thread 5 started
thread 6 started
thread 7 started
Average Speed: 431608.6 w/s. Current Word: ‘9389265’
Average Speed: 430808.6 w/s. Current Word: ‘rbk10junio’
Average Speed: 431734.6 w/s. Current Word: ‘kjcool’
Thread 5 found password: ‘********’
joined thread 0
joined thread 1
joined thread 2
joined thread 3
joined thread 4
joined thread 5
joined thread 6
joined thread 7
found user-password: ‘********’

Bingo! Just to verify that it really used multiple threads (you can already guess it from the time it took to get through the whole rockyou.txt file), I had htop running in the
background. Here are the stats while pdfcrack was running.

[htop screenshot while pdfcrack was running]
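The header pdfcrack prints above (Security Handler: Standard, V 2, R 3, Length 128) tells you exactly what it has to compute for every candidate word: the standard security handler's RC4-128 key derivation and user-password check from the PDF 1.4 specification (Algorithms 3.2 and 3.5). The following is an added example, not pdfcrack's own code, that implements that check in Python and runs a small dictionary attack with the same "first letter upper-cased" permutation as the -s flag. It reuses the P, FileID and O values from the run above; because the post redacts the real password, the U entry is regenerated for a constructed password rather than taken from the output. Passwords are encoded as Latin-1 as an approximation of PDFDocEncoding (an assumption; it is exact for ASCII). Per candidate the check costs 51 MD5 hashes plus 20 RC4 passes, which is why a CPU tops out in the hundreds of thousands of words per second and why the work parallelizes so well. Revision 5/6 (AES-256) documents use a different, SHA-256 based scheme and are not covered here.

```python
"""PDF standard security handler (R2/R3, RC4) user-password check and a
small dictionary attack.  Added example; not code from pdfcrack."""
import hashlib
from dataclasses import dataclass

# Fixed 32-byte padding string from the PDF specification (Algorithm 3.2).
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by the keystream XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


@dataclass
class EncryptDict:
    """The /Encrypt entries a cracker needs, as pdfcrack prints them."""
    R: int
    length_bits: int
    P: int
    O: bytes
    U: bytes
    file_id: bytes           # first element of the trailer's /ID array
    encrypt_metadata: bool = True


def compute_key(doc: EncryptDict, password: bytes) -> bytes:
    """Algorithm 3.2: derive the RC4 file key from a candidate password."""
    h = hashlib.md5()
    h.update((password + PAD)[:32])                    # pad/truncate to 32
    h.update(doc.O)
    h.update(doc.P.to_bytes(4, "little", signed=True))  # P as 4-byte LE
    h.update(doc.file_id)
    if doc.R >= 4 and not doc.encrypt_metadata:
        h.update(b"\xff\xff\xff\xff")
    digest = h.digest()
    n = doc.length_bits // 8 if doc.R >= 3 else 5
    if doc.R >= 3:
        for _ in range(50):                             # 50 extra rounds
            digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]


def compute_u(doc: EncryptDict, password: bytes) -> bytes:
    """Algorithms 3.4 (R2) and 3.5 (R3+): the expected /U entry."""
    key = compute_key(doc, password)
    if doc.R == 2:
        return rc4(key, PAD)
    x = rc4(key, hashlib.md5(PAD + doc.file_id).digest())
    for i in range(1, 20):                              # 19 re-keyed passes
        x = rc4(bytes(b ^ i for b in key), x)
    return x + b"\x00" * 16      # 16 bytes of arbitrary padding (zeros here)


def check_user_password(doc: EncryptDict, password: bytes) -> bool:
    """Algorithm 3.6: R3+ compares only the first 16 bytes of /U."""
    u = compute_u(doc, password)
    return u[:16] == doc.U[:16] if doc.R >= 3 else u == doc.U


def candidates(words, permutate=False):
    """Yield each word, plus its first-letter-upper-cased form like -s."""
    for w in words:
        yield w
        if permutate and w[:1].isalpha() and not w[0].isupper():
            yield w[0].upper() + w[1:]


def crack(doc: EncryptDict, words, permutate=False):
    """Dictionary attack: return the first word that authenticates, else None."""
    for w in candidates(words, permutate):
        if check_user_password(doc, w.encode("latin-1")):
            return w
    return None


# Values copied from the pdfcrack output above (V 2, R 3, Length 128).
_P = -1852
_ID = bytes.fromhex("1dea253ce3631c21149a619ad9b5ea25")
_O = bytes.fromhex("246a2584f4a746812f449e0e189fd0eb"
                   "bc728bc733b671af6bbfd8dc143c3279")


def make_doc(password: bytes) -> EncryptDict:
    """Constructed target: real header values, /U regenerated for `password`
    because the post redacts the actual password."""
    doc = EncryptDict(R=3, length_bits=128, P=_P, O=_O, U=b"", file_id=_ID)
    doc.U = compute_u(doc, password)
    return doc


if __name__ == "__main__":
    target = make_doc(b"Hunter2")
    print("found:", crack(target, ["123456", "hunter2"], permutate=True))
```

Note that the printed U above ends in 32 zero hex digits: that is the 16 bytes of arbitrary padding the R3 algorithm appends, which is exactly why only the first 16 bytes are compared. The owner password (-o) goes through a different derivation that uses the O entry, which is why pdfcrack offers -p to feed a known user password into that search.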

In the next post I will explain why even this build of pdfcrack is still not very effective, mainly because it does not use the GPU, and what the alternatives are.
The real problem shows up when you brute-force blindly, i.e. with no prior information about the password at all.
Unlike a dictionary attack, where you try a predetermined list of candidates against the PDF, a brute-force attack enumerates every combination of the character set
you include, so it is much, much slower. With the full printable ASCII set:
Lower case: 26
Upper case: 26
Numbers: 10
Special chars: 33
Total: 95
You can use the '-n' and '-m' flags to bound the minimum and maximum password length, but the time taken is still so large that it makes no
sense.
For example:
For an 8-character password alone the number of combinations is 95^8, about 6.63 x 10^15.
At the roughly 431,600 passwords/sec I was getting with 8 threads, as seen above,
that works out to about 1.54 x 10^10 seconds => around 4.3 million hours => roughly 487 years for the full keyspace (on average the password turns up halfway through, which still leaves a couple of centuries).
Obviously this is not something anybody would do. Dictionary attacks, their permutations, or hybrid attacks are the more plausible options.
Reducing the character set also cuts the time considerably.
That leaves two ways to make this faster:
either increase the system's capability to test more passwords per second (which is where the GPU comes in),
or reduce the search space, i.e. a smaller character set or tighter length bounds.
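To make the arithmetic above reusable, here is an added example (not part of the original post) that computes the pdfcrack search space for a charset and a -n/-m length range and the resulting wall-clock time at a given rate. It goes beyond the single 95^8 case in the text: with -n and -m the keyspace is the sum over every length in the range, not one power, and the comparison table also shows a reduced charset (lower case plus digits) and an assumed 100x higher rate standing in for a GPU cracker. The 431,608.6 words/sec figure is the one observed above; the 100x multiplier is an assumption for illustration only.

```python
"""Brute-force cost estimate for pdfcrack's -c / -n / -m search space.
Added example, not from the original post."""

# Character classes listed in the post; the full printable-ASCII set is 95.
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "special": 33}
FULL_PRINTABLE = sum(CHARSETS.values())  # 95

# Throughput observed in the post's run (8 threads).
OBSERVED_RATE = 431608.6

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates pdfcrack must try for lengths min_len..max_len inclusive.

    -c bounds the charset, -n/-m bound the length; the total is the sum
    over every length in the range, not just charset_size ** max_len.
    """
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def crack_time(candidates: int, rate: float = OBSERVED_RATE) -> dict:
    """Worst-case and average-case wall-clock time at `rate` candidates/s."""
    worst = candidates / rate
    return {
        "candidates": candidates,
        "worst_seconds": worst,
        "worst_hours": worst / 3600,
        "worst_years": worst / SECONDS_PER_YEAR,
        # On average the password sits halfway through the search space.
        "average_years": worst / 2 / SECONDS_PER_YEAR,
    }


def compare(rate: float = OBSERVED_RATE) -> dict:
    """The post's 8-char full-charset case next to the cheaper options."""
    return {
        "full95_len8": crack_time(keyspace(FULL_PRINTABLE, 8, 8), rate),
        "full95_len1to8": crack_time(keyspace(FULL_PRINTABLE, 1, 8), rate),
        # Reduced charset: lower case + digits (36 symbols), same length.
        "lower_digits_len8": crack_time(keyspace(36, 8, 8), rate),
        # Same keyspace at an assumed 100x rate (GPU-class; illustrative).
        "full95_len8_rate100x": crack_time(keyspace(FULL_PRINTABLE, 8, 8),
                                           rate * 100),
    }


if __name__ == "__main__":
    for name, est in compare().items():
        print(f"{name:22s} {est['candidates']:>22,d} candidates  "
              f"~{est['worst_years']:,.2f} years worst case")
```

Running it shows the point of the paragraph above: dropping from 95 to 36 symbols turns 8-character brute force from centuries into a few months at the same rate, while a 100x faster cracker on the full charset still needs years.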
In the next post I will cover hashcat and how it differs from pdfcrack in terms of speed and efficiency.
