65.15 PDF Password Recovery


Have you forgotten a password to a critical PDF document that you password protected? There could be some hope with a couple of useful tools for password recovery. One is hashcat which can be installed with wajig install hascat. Another I’ve tried out is john the ripper. Both are open source and freely available.

John the ripper is a password recovery app that tries a brute force approach to password recovery through dictionary lookup.

snap install john-the-ripper
wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
unzip bleeding-jumbo.zip
perl john-bleeding-jumbo/run/pdf2john.pl myenc.pdf > myenc.hash
john myenc.hash

Breaking this down to each step.

John the ripper is available as a snap and so can be easily installed:

snap install john-the-ripper

For a pdf document the encryption hash needs to be extracted as a separate step using a perl script called pdf2john. Obtain the script from the github zip file and unzip it locally:

wget https://github.com/magnumripper/JohnTheRipper/archive/bleeding-jumbo.zip
unzip bleeding-jumbo.zip

You can then run the pdf2john script to extract the hash:

perl john-bleeding-jumbo/run/pdf2john.pl myenc.pdf > myenc.hash

The hash file looks like this (though I have truncated the very long line of some 230 characters in this instance.


This format can be used directly by jack the ripper but for hashcat the filename and the colon need to be removed.

Running the password recovery program is then a matter of calling john with the file containing the hash. This will now utilise all cores on your computer and run time can be 6 hours or more.

john myenc.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-01-22 10:55) 0g/s 152943p/s 152943c/s 152943C/s Enab1900..Pdf1900
Proceeding with wordlist:/snap/john-the-ripper/current/run/password.lst
Enabling duplicate candidate password suppressor

You can get a status at any time with s:

0g 0:00:25:37 3.75% 2/3 (ETA: 22:18:58) 0g/s 111340p/s 111340c/s 111340C/s 26316082..rockers1782
Remaining hashes    1 (0 removed)
Remaining salts     1 (0 removed)
Time in seconds     1537 (1537.00 new)
Successful guesses  0 (0 new, 0 g/s)
Passwords tested    171130171 (171130171 new, 111340 p/s)
 dupe suppressor    is enabled since accepted candidate 45884
 and it accepted    171084544 (90.62%, 111310 p/s)
        rejected    17710356 (9.38%, 11522 p/s)
    out of total    188794900 (122833 p/s)
Hash computations   171130171 (171130171 new, 111340 c/s)
Hash combinations   171130171 (171130171 new, 111340 C/s)

Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0