Bruteforce password protected PDF


in this new post, I just will explain how to bruteforce simple password used to protected a PDF. There are a lot of free tools on Windows or Linux to do that but I chose pdfcrack. I made this demonstration on a Linux Mint 18.1 Serena. To install the tool, simply use standard apt command.

fl0at0xff@bl00b ~ $ sudo apt-get install pdfcrack

I you have not a protected PDF, you can easily create one using the tool named pdftk. This tool allows you to set a password on a PDF file.

fl0at0xff@bl00b ~ $ sudo apt-get install pdftk

I assume that you have a PDF named demo.pdf. Use this command to set the adm1n password.

fl0at0xff@bl00b ~ $ pdftk demo.pdf output demoprotected.pdf userpw adm1n

The output file is renamed to demoprotected.pdf

Now, to crack it you can simply run the following command:

fl0at0xff@bl00b ~ $ pdfcrack -f demoprotected.pdf

Password cracking using bruteforce technique is a long and tedious process. Like you know, this tool will try to guess the password with a serie of words which can take a long time, especially since it appears to be a single threaded tool utilizing only one CPU core regardless of you hardware. You can verify this information using htop command. 

To speed up the process, you can set some options. A very useful one is the minimum and maximum password lenght. Indeed, it is very rare for a password to be less than 4 characters. It is therefore not necessary to test all possible passwords from 1 to 3 characters. If you think the maximum size is 8 characters, you can also specify it.

fl0at0xff@bl00b ~ $ pdfcrack -f demoprotected.pdf -n 4 -m 8

In addition to this, it is possible to define the charset to use. Indeed, if you think that the password only contains lower cases and numbers, you can define it like this:

fl0at0xff@bl00b ~ $ pdfcrack -f demoprotected.pdf -n 4 -m 8 -c abdcefghijklmnopqrstuvwxyz0123456789

For this example, the password is 5 characters length and just contains lower cases and a number.

fl0at0xff@bl00b ~ $ pdfcrack -f demoprotected.pdf -n 5 -m 5 -c abdcefghijklmnopqrstuvwxyz0123456789

PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: 7539d0c14667edc186fae6b2e48acc4b
U: e20cdb90a4e8554a71ed1188bfc70f9f00000000000000000000000000000000
O: 5628859c2538b44356cb08cbd32e30780fad48eb4ef92da774789070d8bb1572
Average Speed: 30897.0 w/s. Current Word: '82ina'
Average Speed: 31659.5 w/s. Current Word: 'vn30a'
Average Speed: 21563.2 w/s. Current Word: 'ffcab'
Average Speed: 27206.5 w/s. Current Word: '49zlb'
Average Speed: 31744.7 w/s. Current Word: '15lzb'
found user-password: 'adm1n'

That’s it ! 

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.