Securing your PDF documents is a good way to ensure that your PDF is safe and your privacy is retained. However, when using a weak or predictable password, you can easily be in the danger.
Before we dive into cracking PDF passwords, I’m going to encrypt a random PDF file that I found on my computer. For that matter, I’m going to use the pdftk tool to add a password to this PDF document:
$ pdftk 1710.05006.pdf output encrypted.pdf user_pw password123
encrypted.pdf file is an encrypted PDF document with the password
Note: If you want to follow along, make sure to install
pdftk tool using
snap install pdftk command.
Method 1: John the Ripper
John the Ripper is a fast password cracker pretty much for everything that can be cracked offline, it is currently available in Linux, macOS, Windows, and many other environments.
Before we get started, we need to install the tool. First, make sure you make a folder in your system. I’m creating a
$ mkdir crack-pdf $ cd crack-pdf
Second, let’s clone the GitHub repository:
$ git clone https://github.com/openwall/john
This will take a few seconds to a few minutes depending on your Internet speed. Next, let’s change the current directory to the
src folder in
JohnTheRipper parent directory:
$ cd JohnTheRipper/src
Finally, we update our repository, install the
libssl dependency and install John the Ripper tool:
$ sudo apt update $ sudo apt install libssl-dev $ ./configure && make
Again, this will take a few minutes depending on your network and CPU conditions. Give it some time and you’ll be ready to go. When it’s finished, get back to your original folder (
crack-pdf in my case):
$ cd .. $ cd ..
Now that we have installed our tool, let’s dive into cracking our previously created PDF document.
First, we need to extract the hash from the PDF file so we can compare the hash of the trial password with the hash of the real password. Luckily, the tool we just installed has the
pdf2john.pl script that does just that:
$ JohnTheRipper/run/pdf2john.pl encrypted.pdf > encrypted.hash
pdf2john.pl Perl script file along with other very useful scripts are located in the
run folder after you’ve successfully built and installed JohnTheRipper as shown previously.
As you can see, we have created another file named
encrypted.hash that contains the hash of the target password of the
Let’s crack the hash now:
$ JohnTheRipper/run/john encrypted.hash
john tool will first try the default
password.lst file located in the
run folder. If it can’t find any matched passwords, it’ll go for incremental (brute-force attack) which takes a lot of time.
You can press any button besides
CTRL+C (which stops the cracking) to show the progress. In my case, it is performing about 32k passwords per second.
$ wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt $ JohnTheRipper/run/john --wordlist=rockyou.txt encrypted.hash
As you can see, the password was found and highlighted in yellow! and it is
password123. The second time you run the same command will not show anything as it’s cached in the
run/john.pot file. You can remove the
--wordlist argument and use
--show --format=PDF to show the password again after it’s successfully cracked.
Alright! You have successfully cracked the password of a PDF document using John the Ripper tool! In the next section, you will learn how to do that using
Method 2: pdfcrack
PDFCrack is a simpler tool compared to John for recovering passwords from PDF documents, it should be able to handle all PDF files that are encrypted with a password. In this section, we’ll be using the same file we created earlier for cracking the password.
pdfcrack is pretty straightforward:
$ apt install pdfcrack
After that, you can use the tool right away. Writing the tool name as is will give us some help on how to use it:
You can also type
man pdfcrack for detailed information about the usage. Let’s crack the password of
encrypted.pdf with the
$ pdfcrack -f encrypted.pdf --wordlist=rockyou.txt
The password was found immediately after pressing Enter! By default, the tool uses brute-forcing, which means it tries all possible combinations of lowercased and uppercased ASCII characters along with numbers. Again, you can use crunch for advanced wordlist creation, or use the parameters of this tool such as
--maxpw to crack with a customized wordlist.
One of the cool features of
pdfcrack is that you can resume a stopped job. If you CTRL+C to stop the cracking, a new file called
savedstate.sav will be created in the current working directory for resuming purposes, if you run the command again, the tool will automatically continue where it left off last time.
Alright, that’s it for you! This guide shows the best two methods of cracking PDF documents in your Linux machine, make sure to pick the one that suits you best!
Learn also: How to Brute-Force SSH in Linux