Cracking the Code: Unlocking Password-Protected PDFs with Masked Brute Force

Nayan Pahuja - Oct 1 '23 - - Dev Community

Hey guys! This article is something I am not used to writing, so if I miss any spots, please feel free to correct me in the comments. I am looking forward to constructive feedback.

With that in mind, let's start the article.

We will be using the following resources for this article; I will be linking them with their explanations in case anyone wants to follow along.


Introduction:

John the Ripper is an incredible open-source tool designed for recovering lost or forgotten passwords through various password-cracking techniques. It is highly versatile and can crack a wide range of password types, including those stored in many cryptographic formats and hash algorithms.

We are going to work with the Jumbo version of John the Ripper. This is the community-enhanced "jumbo" build, with a lot of code, documentation, and data contributed by the user community. It is not "official" John the Ripper code.

Hashcat is another incredible open-source password-cracking tool that is widely used by security professionals, penetration testers, and researchers to recover passwords from various types of hashed data.
It is known for its wide support for many hash algorithms and its speed.


Setup the environment:

Fun story: I am writing this article because I needed to crack a password today for a document that was emailed to me, but I couldn't open it.

John The Ripper:

[Link: John]

  • Download the Windows binaries of the Jumbo version and place them in your user directory.

Install Perl

We also need to install the Perl programming language, because the JtR helper script we will use (pdf2john.pl) is written in Perl.
Download the Strawberry Perl distribution; the link can be found here: Perl

Download the installer that matches your desktop/laptop (32-bit or 64-bit).

Note: Remember to restart your laptop after installing Perl.

[Screenshot: Perl]

Download Hashcat:

Download the Hashcat binaries and place them in a directory. For convenience I am going to place them in the user directory as well.

[Link: Hashcat]


Cracking the password:

  • Make sure to unzip everything we have downloaded.

Now let's get to the magic part.

  • Go to the directory where you placed John the Ripper.

[Screenshot: JtR1]

Change into the run subdirectory with cd run.

You can follow the commands as I did above to get to the directory.

If you run dir in the Windows cmd (ls on UNIX), you can see all the tools that John the Ripper ships with.

[Screenshot: JtR2]

  • Out of these we need pdf2john.

John the Ripper is focused on password cracking and hash-related tasks; it does not read PDF files directly. To work with a password-protected PDF in John the Ripper, you first create a hash file with the pdf2john.pl script, which lives in the run directory (it is also there after compiling John the Ripper from source). This Perl script extracts the hash (the PDF's encryption metadata) from the file and saves it to a new file using the following command:

  • I have a test PDF named pdf here, which is protected by the password 2020!.

  • You must place your PDF inside John the Ripper's run directory for convenience, or specify its path in the command. I am going to do the former here.

[Screenshot: JtR3]

  • If you check the run directory in your file explorer, you will see something like this in it:

[Screenshot: Notepad1]

  • We only need the hash, not the file name that precedes it, so I am going to remove the file name from the hash and place key.txt in the hashcat directory.
  • We are done with John the Ripper now and can proceed with Hashcat for the rest of the process.
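Before handing the hash to hashcat it helps to know what pdf2john actually pulled out of the file and why the article later uses -m 10500. The script below is an added illustration (my own code, not pdf2john or anything from the article) that reads the standard security handler's /Encrypt dictionary with regular expressions, reports the protection level to the document's owner, picks the matching hashcat mode, and lays the fields out in the $pdf$ form that pdf2john emits. It assumes the plain, uncompressed PDF layout (no object streams) and runs on a constructed fragment with made-up /O, /U and /ID bytes, so it is not a real or openable PDF.

```python
"""Inspect the standard security handler's /Encrypt dictionary in a PDF,
report what it means for the document's owner, and lay the fields out as a
pdf2john-style "$pdf$" line. Added illustration, not pdf2john or hashcat code;
it uses regular expressions and only handles the plain, uncompressed layout."""
import re

# Constructed sample: made-up /O, /U and /ID bytes and only the objects this
# script reads, so it is NOT a complete, openable PDF. V=2/R=3 with a 128-bit
# key is the "Acrobat 5-8" family that hashcat mode 10500 covers.
_O, _U = "0123456789abcdef" * 4, "fedcba9876543210" * 4
_ID = "00112233445566778899aabbccddeeff"
SAMPLE_PDF = (
    "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    "5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1028\n"
    f"   /O <{_O}>\n   /U <{_U}> >>\nendobj\n"
    f"trailer\n<< /Root 1 0 R /Encrypt 5 0 R /ID [<{_ID}> <{_ID}>] >>\n%%EOF\n"
).encode("latin-1")

_ESC = {b"n": 10, b"r": 13, b"t": 9, b"b": 8, b"f": 12, b"(": 40, b")": 41, b"\\": 92}
_STR = rb"(<[0-9A-Fa-f\s]*>|\((?:\\.|[^\\)])*\))"  # hex string or literal string


def pdf_string(tok):
    """Decode a PDF string token: <hex...> or (literal with common backslash escapes)."""
    tok = tok.strip()
    if tok.startswith(b"<"):
        return bytes.fromhex(re.sub(rb"\s", b"", tok[1:-1]).decode("ascii"))
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        if body[i:i + 1] != b"\\":
            out.append(body[i])
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
        if nxt in _ESC:
            out.append(_ESC[nxt])
            i += 2
        elif octal:
            out.append(int(octal.group(), 8) & 0xFF)
            i += 1 + len(octal.group())
        else:
            i += 1  # a backslash before any other byte is simply dropped
    return bytes(out)


def inspect_pdf_encryption(data):
    """Return the /Encrypt fields as a dict, or None when the file is not encrypted."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return None
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj",
                    data, re.S)
    if not obj:
        raise ValueError("/Encrypt object not found (object streams are not parsed here)")
    body = obj.group(1)

    def num(name, default):
        m = re.search(rb"/" + name + rb"\s+(-?\d+)", body)
        return int(m.group(1)) if m else default

    def string(name):
        m = re.search(rb"/" + name + rb"\s*" + _STR, body, re.S)
        return pdf_string(m.group(1)) if m else b""

    doc_id = re.search(rb"/ID\s*\[\s*" + _STR, data, re.S)
    return {"V": num(b"V", 0), "R": num(b"R", 2), "Length": num(b"Length", 40),
            "P": num(b"P", -1),
            "EncryptMetadata": int(re.search(rb"/EncryptMetadata\s+false", body) is None),
            "O": string(b"O"), "U": string(b"U"),
            "ID": pdf_string(doc_id.group(1)) if doc_id else b""}


def hashcat_mode(info):
    """hashcat -m value by handler revision: 10400 (R2), 10500 (R3/R4), 10600 (R5), 10700 (R6)."""
    return {2: 10400, 3: 10500, 4: 10500, 5: 10600, 6: 10700}[info["R"]]


def describe(info):
    """Protection level from the document owner's point of view."""
    r = info["R"]
    if r == 2:
        return "R2: RC4 with a 40-bit key, weak regardless of the password chosen"
    if r in (3, 4):
        return "R%d: RC4/AES with a %d-bit key; the password's strength decides" % (r, info["Length"])
    return "R%d: AES-256; the password's strength decides" % r


def format_pdf_hash(info):
    """V*R*Length*P*EncryptMetadata, then byte-length/hex pairs for /ID, /U and /O."""
    i, u, o = info["ID"], info["U"], info["O"]
    return "$pdf$%d*%d*%d*%d*%d*%d*%s*%d*%s*%d*%s" % (
        info["V"], info["R"], info["Length"], info["P"], info["EncryptMetadata"],
        len(i), i.hex(), len(u), u.hex(), len(o), o.hex())


if __name__ == "__main__":
    info = inspect_pdf_encryption(SAMPLE_PDF)
    print(describe(info), "-> hashcat -m", hashcat_mode(info))
    print(format_pdf_hash(info))
```

The point for a defender is visible in the output: everything hashcat needs is the /O and /U entries plus the document ID, which any recipient of the file already has, so the only thing standing between a reader and the content is the password itself (and, for R2 files, not even that, since the 40-bit key is small enough to search directly).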

Hashcat:

We are going to use the mask attack for this; its documentation can be found here:

You can open another terminal for this, or use the same one and change your working directory to the hashcat directory.

Run the command:

hashcat.exe -h

to see the various options you can select in hashcat.

You might see something like this:

[Screenshot: HashCat]

Let's first get a basic understanding of what brute force is.

Imagine that to open a door you need a key, and you have 1000 keys and no further information. You would have to try every key, possibly hitting the right one only at the very end, because all you know is that one of these keys unlocks the door.

The same goes for a 3-digit lock: you can go through all the combinations from 000 to 999.

But if we increase the number of digits, and possibly include letters and symbols, this becomes very hard.

So any information, even very little, such as the number of characters and their types (lowercase, uppercase, digits, etc.), can bring the number of possibilities down from billions to millions.

  • So I am going to take this hint here that I know the password will be of length 5 with 4 numerical digits and 1 special character.

The hashcat command we need here is:

hashcat.exe -a 3 -m 10500 key.txt ?d?d?d?d?s

[Screenshot: HashCat0]

Here is a breakdown:

  • -a means attack mode; 3 is brute force (mask attack) in this case.
  • -m means hash type; 10500 is the type of our PDF hash.
  • key.txt is our hash file.
  • ?d?d?d?d?s means that the first four characters are digits and the last one is a special character.
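To put numbers on the "billions to millions" claim above, here is an added example (my own code, not hashcat's or the article's) that works out how many candidates a mask generates. The built-in charset sizes follow hashcat's mask-attack documentation (?s is space plus the 32 ASCII punctuation characters, ?a is the union of ?l ?u ?d ?s), and the -1..-4 custom-charset syntax is modelled by the `custom` argument, which is my own name for it. It also goes a step beyond the article's mask by showing the in-between case where you know the character classes but not their order.

```python
"""Size of the candidate space a hashcat mask generates, next to the space of
trying every printable character. Added example, not hashcat's own code; the
built-in charset sizes (?l ?u ?d ?s ?h ?H ?a) follow hashcat's mask-attack
documentation, and the -1..-4 custom-charset syntax is modelled by `custom`."""
import string

# hashcat's built-in charsets: ?s is space plus the 32 ASCII punctuation
# characters (33 total), ?a is the union of ?l ?u ?d ?s (95 characters).
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation,
           "h": string.digits + "abcdef", "H": string.digits + "ABCDEF"}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def charset(spec, custom=None):
    """Expand a charset spec such as '?d?s' or 'abc?d' (what you pass to -1..-4)
    into its distinct characters. '??' stands for a literal question mark."""
    custom = custom or {}
    chars, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.append("?")
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(charset(custom[key], custom))
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            chars.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(chars))  # de-duplicate, keep order


def positions(mask, custom=None):
    """One character set per output position of the mask."""
    out, i = [], 0
    while i < len(mask):
        width = 2 if mask[i] == "?" else 1
        out.append(charset(mask[i:i + width], custom))
        i += width
    return out


def keyspace(mask, custom=None):
    """Number of candidates the mask generates (product of per-position sizes)."""
    n = 1
    for p in positions(mask, custom):
        n *= len(p)
    return n


def seconds_to_exhaust(mask, guesses_per_second, custom=None):
    """Worst-case time to try every candidate at a given rate (assumed, not measured)."""
    return keyspace(mask, custom) / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # hypothetical guesses/second; measure yours with hashcat -b
    for label, mask, custom in [
        ("everything printable, 5 chars", "?a?a?a?a?a", None),
        ("digits and specials, order unknown", "?1?1?1?1?1", {"1": "?d?s"}),
        ("article's hint: 4 digits then 1 special", "?d?d?d?d?s", None),
    ]:
        print("%-42s %-12s %15d candidates, %10.1f s" % (
            label, mask, keyspace(mask, custom),
            seconds_to_exhaust(mask, ASSUMED_RATE, custom)))
```

The three rows make the article's point concrete: five unknown printable characters are 95^5, about 7.7 billion candidates; knowing only "digits and one symbol" with -1 ?d?s brings that to 43^5, about 147 million; knowing the order as well, as the article does, leaves 10^4 * 33 = 330,000. Password policies that mandate a fixed structure ("four digits and a symbol") hand an attacker exactly this reduction, which is why length and unpredictability matter more than rigid composition rules.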

The result might be something like this.

[Screenshot: HashCat2]

In case you are trying it on some other PDF file, the run may take longer accordingly.


Retrieving the password:

  • Now for the final step. Open the potfile in Notepad and you will see something like this:

What is a potfile?

  • The potfile is only created after at least one hash has been cracked successfully; if the hashcat directory exists but there is no potfile in it, nothing has been cracked yet. Hashcat records every cracked hash there (some users have accumulated over a million) and skips hashes that are already in the potfile on later runs.

[Screenshot: Result]

2020! is our password!

Yay! We have successfully cracked a password.
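Reading the potfile in Notepad works for one hash, but the format is worth knowing when you have several. The following is an added example (my own code, not hashcat's or the article's) that strips the file-name prefix from a pdf2john line, as the article does by hand, and looks the hash up in potfile text. The potfile layout (hash:plaintext per line) and the $HEX[...] wrapping hashcat applies to plaintexts containing its separator or non-printable bytes are hashcat's documented behaviour; the hash values and the potfile contents here are constructed placeholders.

```python
"""Take the line pdf2john writes (filename:$pdf$...), strip the file name as
the article does, and look the hash up in hashcat's potfile. Added example,
not hashcat's own code; the potfile layout (hash:plaintext per line) and the
$HEX[...] encoding hashcat uses for plaintexts with ':' or non-printable
bytes are hashcat's documented behaviour. Hash values are constructed."""

# Constructed pdf2john output: "<file name>:<hash>". The hash fields are
# placeholders, not real /O, /U or /ID values.
PDF2JOHN_LINE = "pdf:$pdf$2*3*128*-1028*1*16*aaaa*32*bbbb*32*cccc"

# Constructed hashcat.potfile contents; the second plaintext is hex-encoded
# because it contains a non-ASCII byte sequence (UTF-8 for "ä").
POTFILE = """$pdf$2*3*128*-1028*1*16*aaaa*32*bbbb*32*cccc:2020!
$pdf$2*3*128*-1028*1*16*dddd*32*eeee*32*ffff:$HEX[70c3a47373776f7264]
"""


def strip_filename(line):
    """pdf2john prefixes the hash with the file name; hashcat wants only the hash."""
    return line[line.index("$pdf$"):]  # ValueError if the line is not pdf2john output


def decode_plain(plain):
    """Undo hashcat's $HEX[...] wrapping; other plaintexts are returned as-is."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def parse_potfile(text):
    """Map each cracked hash to its plaintext. The split is on the LAST ':'
    because hashcat hex-encodes any plaintext that itself contains a colon."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, _, plain = line.rpartition(":")
        cracked[h] = decode_plain(plain)
    return cracked


def lookup(pdf2john_line, potfile_text):
    """Plaintext for the hash in a pdf2john line, or None if it is not cracked yet."""
    return parse_potfile(potfile_text).get(strip_filename(pdf2john_line))


if __name__ == "__main__":
    print(lookup(PDF2JOHN_LINE, POTFILE))  # 2020!
```

Because hashcat consults the potfile before starting a run, a hash that is already in it is reported as cracked immediately; keep that in mind if a second run of the same file seems to finish instantly.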


Conclusion:

In the digital age, password security is of utmost importance, and sometimes, it becomes necessary to recover lost or forgotten passwords. In this article, we explored two powerful open-source tools, John the Ripper and Hashcat, which are invaluable resources for security professionals, penetration testers, and researchers.

This is it for this article! Thanks for reaching the end. Please feel free to drop comments below; I'll be sure to reply!
