66.15 PDF Password Recovery

20230122

Have you forgotten a password to a critical PDF document that you password protected? There could be some hope with a couple of useful tools for password recovery. One is hashcat which can be installed with wajig install hashcat.

Another is John the Ripper, a password recovery app that tries a brute force approach to password recovery through dictionary lookup. John the Ripper is available as a snap and so can be easily installed:

snap install john-the-ripper

For a PDF document the encryption hash needs to be extracted as a separate step using a Perl script called pdf2john. Obtain the script from the GitHub zip file and unzip it locally:

wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
unzip bleeding-jumbo.zip

You can then run the pdf2john script to extract the hash:

perl john-bleeding-jumbo/run/pdf2john.pl myenc.pdf > myenc.hash

The hash file looks like this (truncating the very long line of some 230 characters in this instance):

myenc.pdf:$pdf$4*4*128*-1084*1*16*4562af96fd15a323045f285f2eaa698a*32*f3859708f9d3f...

This format can be used directly by John the Ripper but for hashcat the filename and the colon need to be removed.
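
The conversion for hashcat can be scripted. The following is an added example, not part of the original text or of either tool: the function names are hypothetical, the sample line is constructed with zero-filled placeholder fields, and the mode numbers come from hashcat's own list of PDF hash modes rather than from this page.

```shell
#!/bin/sh
# Added example (not from the original page): turn pdf2john output into the
# bare hash that hashcat reads, and report the matching hashcat mode.

# Keep only the token that starts at "$pdf$" and runs to the next colon.
# Anchoring on the marker instead of the first colon copes with file names
# that contain colons and with any trailing colon-separated fields.
strip_john_prefix() {
    sed -n 's/^.*\(\$pdf\$[^:]*\).*$/\1/p'
}

# The second '*'-separated field is the security handler revision,
# the value john reports as "Cost 1 (revision)".
pdf_revision() {
    printf '%s\n' "$1" | cut -d'*' -f2
}

# Map the revision to hashcat's PDF hash modes (taken from hashcat's mode
# list; an assumption here, since the page itself names no mode).
hashcat_mode() {
    case "$1" in
        2)   echo 10400 ;;   # PDF 1.1 - 1.3 (Acrobat 2 - 4)
        3|4) echo 10500 ;;   # PDF 1.4 - 1.6 (Acrobat 5 - 8)
        5)   echo 10600 ;;   # PDF 1.7 Level 3 (Acrobat 9)
        6)   echo 10700 ;;   # PDF 1.7 Level 8 (Acrobat 10 - 11)
        *)   echo "unsupported revision: $1" >&2; return 1 ;;
    esac
}

# Constructed sample line (all hex fields are zero-filled placeholders);
# the file name deliberately contains a colon.
ZEROS=$(printf '%064d' 0)
SAMPLE="my:enc.pdf:\$pdf\$4*4*128*-1084*1*16*$(printf '%032d' 0)*32*$ZEROS*32*$ZEROS"

# Demo: the bare hash is what you would redirect into a file for hashcat.
bare=$(printf '%s\n' "$SAMPLE" | strip_john_prefix)
rev=$(pdf_revision "$bare")
echo "hash: $bare"
echo "revision $rev -> hashcat mode $(hashcat_mode "$rev")"
```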

Running the password recovery program is then a matter of calling john with the file containing the hash. This will now utilise all cores on your computer. The run time can be 6 hours or more and there is of course no guarantee of success.

john myenc.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-01-22 10:55) 0g/s 152943p/s 152943c/s 152943C/s Enab1900..Pdf1900
Proceeding with wordlist:/snap/john-the-ripper/current/run/password.lst
Enabling duplicate candidate password suppressor

You can get a status at any time by pressing a key, as the startup output above indicates:

0g 0:00:25:37 3.75% 2/3 (ETA: 22:18:58) 0g/s 111340p/s 111340c/s 111340C/s 26316082..rockers1782
Remaining hashes    1 (0 removed)
Remaining salts     1 (0 removed)
Time in seconds     1537 (1537.00 new)
Successful guesses  0 (0 new, 0 g/s)
Passwords tested    171130171 (171130171 new, 111340 p/s)
 dupe suppressor    is enabled since accepted candidate 45884
 and it accepted    171084544 (90.62%, 111310 p/s)
        rejected    17710356 (9.38%, 11522 p/s)
    out of total    188794900 (122833 p/s)
Hash computations   171130171 (171130171 new, 111340 c/s)
Hash combinations   171130171 (171130171 new, 111340 C/s)


Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0