Security through obscurity – removing PDF passwords

Initially I was not planning on writing about how to crack pdf passwords.  After all, that would be irresponsible much in the way giving a knife to a small child is irresponsible – right?

Well, simply type the following three words into your search engine.

pdf password recovery

This search will return quite a few entries that can be purchased or downloaded for free.  This blog posting will help you most with PDFs you created with a password that wasn’t overly strong.  If you are dealing with strong passwords, it might take months or centuries to crack your password.

I received a pdf file that was protected with a password.  Apparently there was a slight miscommunication of what the password was and so I couldn’t open the file that was intended for me.

Guessing passwords is foolish, especially if you have no idea about the length or how secure the password is.  Despite how fast computers are today, they are not fast enough to break an arbitrarily long and complex password.

A four character password can actually be broken by brute force without any real effort in less than 2 minutes.

>echo 23:31:42,30
23:31:42,30

>..\pdfcrack file-4char.pdf
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: ee806bec8c858dd1bdd1575322c0202b
U: 5a1e5f56878012e4b920c42d2616f85900000000000000000000000000000000
O: 18512d0db798a3154a508336074c85f9171b9147980a8a2a48009fc1a1cf91aa
Average Speed: 42185.4 w/s. Current Word: 'lDGc'
Average Speed: 42201.3 w/s. Current Word: 'Gceg'
Average Speed: 42447.3 w/s. Current Word: 'm3Mj'
Average Speed: 42391.4 w/s. Current Word: '1Bln'
Average Speed: 42208.1 w/s. Current Word: 'xdTq'
found user-password: 'Pass'

>echo 23:33:31,21
23:33:31,21

If you can narrow down the composition of the password, it is even faster, at about a minute.

>echo 22:56:23,41
22:56:23,41

>..\pdfcrack file-4char.pdf -c abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -n 4
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: ee806bec8c858dd1bdd1575322c0202b
U: 5a1e5f56878012e4b920c42d2616f85900000000000000000000000000000000
O: 18512d0db798a3154a508336074c85f9171b9147980a8a2a48009fc1a1cf91aa
Average Speed: 42185.2 w/s. Current Word: 'ebag'
Average Speed: 42079.4 w/s. Current Word: 'znZl'
Average Speed: 42294.0 w/s. Current Word: 'veas'
found user-password: 'Pass'

>echo 22:57:24,61
22:57:24,61

Just extending the password by one more character moves the task from minutes to hours.
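
The growth per extra character can be worked out from the speeds pdfcrack reported above. The following is an added example, not part of the original post or of pdfcrack: it computes worst-case (full search) times, whereas a real run stops as soon as the password is found, and it assumes the default run tries 62 symbols (letters and digits).

```python
import string

# Rates copied from the pdfcrack output on this page (words per second).
RATE_1_THREAD = 42185.4
RATE_4_THREADS = 161666.2

# Assumption: the default run tries letters and digits (62 symbols), as the
# "Current Word" samples suggest; the -c run above used the 52 letters.
ALNUM = len(string.ascii_letters + string.digits)
LETTERS = len(string.ascii_letters)
PRINTABLE = 95  # printable ASCII including space


def keyspace(charset_size, length, min_length=1):
    """Candidates an incremental search tries up to and including `length`."""
    return sum(charset_size ** n for n in range(min_length, length + 1))


def worst_case_seconds(charset_size, length, rate, min_length=1):
    """Time to exhaust every candidate at `rate` words per second."""
    return keyspace(charset_size, length, min_length) / rate


def min_length_to_resist(charset_size, rate, seconds):
    """Shortest length whose exhaustive search lasts at least `seconds`."""
    length = 1
    while worst_case_seconds(charset_size, length, rate) < seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    print("len  62 sym/1 thread  62 sym/4 threads  95 sym/4 threads")
    for n in range(4, 11):
        print(f"{n:>3}  "
              f"{human(worst_case_seconds(ALNUM, n, RATE_1_THREAD)):>15}  "
              f"{human(worst_case_seconds(ALNUM, n, RATE_4_THREADS)):>16}  "
              f"{human(worst_case_seconds(PRINTABLE, n, RATE_4_THREADS)):>16}")
```

Each added character multiplies the search by the size of the character set, so `min_length_to_resist` is the number to look at when choosing a password for a file you want to stay closed.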

I was lucky because the document wasn’t that important and the password was all lowercase letters (and not too long).

Had the task been a bit more complex I never could have managed to crack the code that fast.  Had it taken longer, the time from that timezone would have changed and I would have been able to pick up the phone and get a new file.

The pdfcrack utility doesn’t take full advantage of multi threading on modern computers.  This is actually the only serious drawback for this program.  The task of brute forcing passwords while using it is less of a slam dunk with one thread versus four or more.

pdfcrack -t 4 receipe128.pdf

1:13:24,60
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -1852
Length: 128
Encrypted Metadata: True
FileID: 2625660821a90493e6068fab2aae37c8
U: 4e25fb3aea8995c47eed5bcafb67bc0300000000000000000000000000000000
O: 793706a064e35128a24bb79929a29805a1b0e20163d8edcf431da912648bdcae
thread 0 started
thread 1 started
thread 2 started
thread 3 started
Average Speed: 161666.2 w/s. Current Word: '3Jxc'
Average Speed: 161633.8 w/s. Current Word: '7iWf'
Average Speed: 162077.2 w/s. Current Word: 'zslj'
Average Speed: 162074.8 w/s. Current Word: '5DKm'
Thread 3 found password: 'Pass'
joined thread 0
joined thread 1
joined thread 2
joined thread 3
found user-password: 'Pass'
1:13:53,10

The changes to support multi threading don’t appear to be in the base build of the pdfcrack tool, but it is possible to get a copy that has them from the following site.

http://andi.flowrider.ch/research/pdfcrack.html

Source code

http://andi.flowrider.ch/research/public/pdfcrack/pdfcrack.tar

Windows binary

http://andi.flowrider.ch/research/public/pdfcrack/pdfcrack_windows.zip

During my testing I had a chance to experiment more with PDFs.  It is a lot easier during testing if you can easily add and remove passwords.

The PDFTK tool offers a number of ways to manipulate pdf files, including both adding and removing passwords.

Secure PDF with password

The entire reason I became familiar with the PDFTK tool was because it was a command line program that could be used to encrypt pdf files.  It is much easier to quickly type up the following command to “lock up” your pdf.

pdftk <source pdf> output <encrypted pdf> owner_pw <owner pass> user_pw <user pass> allow printing

pdftk receipe.pdf output receipe-encr128.pdf owner_pw secretpw user_pw pass6

The owner password is required for setting or clearing the password that prevents people from reading your document.  The user password is that password: it is the one you are prompted for when opening your encrypted PDF file.

The last two parameters on the command line are very self-explanatory.  When you add “allow printing” you can also print the PDF file once you enter your password.  It is not clear if every open source PDF viewer respects that flag, but Adobe Reader certainly does.

There are a few other permissions you can grant.

  • DegradedPrinting
  • ModifyContents
  • Assembly
  • CopyContents
  • ScreenReaders
  • ModifyAnnotations
  • FillIn
  • AllFeatures

If you want to be able to print out your encrypted file, don’t forget to add “allow printing”.
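
The P value that pdfcrack printed for each file earlier on this page is the permission bitmask that these “allow” keywords set. The following is an added example, not code from the original post or from pdftk, that decodes it; the bit positions are those of the PDF standard security handler, and the pairing of each bit with a pdftk keyword is an assumption of this example.

```python
import re

# Permission bits of the /P entry in the PDF standard security handler
# (bit 1 is the least significant). The pdftk keyword beside each bit is
# this example's assumed correspondence to the list above.
PERMISSION_BITS = {
    3: "Printing",
    4: "ModifyContents",
    5: "CopyContents",
    6: "ModifyAnnotations",
    9: "FillIn",
    10: "ScreenReaders",
    11: "Assembly",
    12: "high-quality printing",
}

# Header fields copied from the two pdfcrack runs shown earlier on this page.
HEADER_FILE_4CHAR = "V: 2\nR: 3\nP: -3904\nLength: 128\n"
HEADER_RECEIPE128 = "V: 2\nR: 3\nP: -1852\nLength: 128\n"


def parse_header(text):
    """Collect the integer 'Name: value' fields of a pdfcrack header."""
    return {k: int(v) for k, v in re.findall(r"^(\w+): (-?\d+)$", text, re.M)}


def granted(p):
    """Return the permissions whose bit is set in the signed 32-bit P value."""
    bits = p & 0xFFFFFFFF  # view the signed value as raw bits
    names = [name for bit, name in PERMISSION_BITS.items()
             if bits & (1 << (bit - 1))]
    # Print bit without the high-quality bit means low-resolution output only.
    if "Printing" in names and "high-quality printing" not in names:
        names[names.index("Printing")] = "DegradedPrinting"
    return [n for n in names if n != "high-quality printing"]


def describe(text):
    """Summarise revision, key length and granted permissions of a header."""
    h = parse_header(text)
    return {"revision": h["R"], "key_bits": h["Length"],
            "permissions": granted(h["P"])}


if __name__ == "__main__":
    for label, hdr in (("file-4char.pdf", HEADER_FILE_4CHAR),
                       ("receipe128.pdf", HEADER_RECEIPE128)):
        print(label, describe(hdr))
```

For the two files above it reports no permissions for file-4char.pdf and Printing for receipe128.pdf. These bits are flags the viewer is expected to honour once the file is open.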

 

Remove PDF password

Removing a password is just as easy as adding it.  Simply pick your file and provide your owner password and it will be removed.

pdftk <source pdf> input_pw <pass> output <destination pdf>

pdftk receipe128.pdf input_pw secretpw output receipe-nopass.pdf

 

Extract a single page

The PDFTK tool can also manipulate the pdf itself, not just deal with the security.

The PDFTK tool works great at extracting one or more pages from a larger pdf to create a smaller pdf.  What’s more, the command makes it pretty clear what it needs and what it is doing.

pdftk <source pdf> cat <page or range> output <destination pdf> 

pdftk main.pdf cat 1 output page1.pdf

pdftk main.pdf cat 1-8 output firsteightpages.pdf

The first example creates a new pdf called page1.pdf which will contain page 1 from our pdf called “main.pdf”.  It isn’t clear why the parameter “cat” wasn’t perhaps “page” or “range” to be a bit more friendly to people less comfortable with the command line.  Yet in general, most commands are a bit arbitrary and you simply need to memorize the name, their parameters and what the command does.

The PDFTK program does the extraction with no output to the screen.  If you want a bit more feedback from the program simply add the parameter “verbose” at the end.  The output doesn’t provide much that is interesting.

It is usually easier to run the command and if you do make a mistake the error will be displayed.

 

Extract all pages

After seeing what is necessary to extract a single page, my mind had already created a shell script to go through the process and extract all pages.

This must be a fairly common desire when manipulating pdfs as there is a parameter for doing this.

pdftk <source pdf> burst

pdftk main.pdf burst

PDFTK will create as many pg_####.pdf  files as there are pages.

ls -ltr
total 328
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Videos
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Templates
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Public
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Pictures
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Music
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Downloads
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Documents
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Desktop
-rw-r--r-- 1 cdock cdock 69845 Sep  6 16:01 main.pdf


> pdftk main.pdf burst
> ls -ltr
total 484
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Videos
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Templates
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Public
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Pictures
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Music
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Downloads
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Documents
drwxr-xr-x 2 cdock cdock  4096 Mar 11  2015 Desktop
-rw-r--r-- 1 cdock cdock 69845 Sep  6 16:01 main.pdf
-rw-r--r-- 1 cdock cdock 43184 Sep  6 16:55 pg_0002.pdf
-rw-r--r-- 1 cdock cdock 52053 Sep  6 16:55 pg_0001.pdf
-rw-r--r-- 1 cdock cdock 54452 Sep  6 16:55 pg_0003.pdf
-rw-r--r-- 1 cdock cdock   505 Sep  6 16:55 doc_data.txt

The final file created, doc_data.txt, contains information about the pdf itself.

Assembly of new PDFs

Merging multiple pdf files into a single pdf is also trivial.  Simply list all of them on the command line and they are placed into the final pdf file in the same order they are listed on the command line.

pdftk <source pdf 1> <source pdf 2> ... <source pdf n>  cat output newfile.pdf
pdftk pg_0001.pdf pg_0002.pdf pg_0003.pdf cat output newfile.pdf

Installing Windows software

The good news is that even if you aren’t a Linux person you can download Windows versions of these utilities.

PDFCrack Windows binary

http://andi.flowrider.ch/research/public/pdfcrack/pdfcrack_windows.zip

PDFTK Windows binary

https://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/

Installing Linux software

Installation on Linux may vary depending on your distribution.  On the Debian based distros simply use apt-get to get your own copy of either pdftk or pdfcrack.

Install PDFCrack

> sudo apt-get install pdfcrack
[sudo] password for dock:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
gstreamer1.0-pulseaudio icedtea-netx-common libasn1-8-heimdal libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-rail1.1
libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkrb5-26-heimdal
liblivemedia23 libmpg123-0 libpostproc52 libproxy-tools libroken18-heimdal libusageenvironment1 libwind0-heimdal
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
pdfcrack
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 32.4 kB of archives.
After this operation, 105 kB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian/ jessie/main pdfcrack amd64 0.14-2 [32.4 kB]
Fetched 32.4 kB in 0s (167 kB/s)
Selecting previously unselected package pdfcrack.
(Reading database … 144680 files and directories currently installed.)
Preparing to unpack …/pdfcrack_0.14-2_amd64.deb …
Unpacking pdfcrack (0.14-2) …
Processing triggers for man-db (2.7.0.2-5) …
Setting up pdfcrack (0.14-2) …

Install PDFTK

> sudo apt-get install pdftk
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
gstreamer1.0-pulseaudio icedtea-netx-common libasn1-8-heimdal libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-rail1.1
libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkrb5-26-heimdal
liblivemedia23 libmpg123-0 libpostproc52 libproxy-tools libroken18-heimdal libusageenvironment1 libwind0-heimdal
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
gcj-4.9-jre-lib libgcj-common libgcj15
Suggested packages:
libgcj15-dbg libgcj15-awt
The following NEW packages will be installed:
gcj-4.9-jre-lib libgcj-common libgcj15 pdftk
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.4 MB of archives.
After this operation, 70.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.de.debian.org/debian/ jessie/main libgcj-common all 1:4.9.1-7 [160 kB]
Get:2 http://ftp.de.debian.org/debian/ jessie/main libgcj15 amd64 4.9.2-10 [9,224 kB]
Get:3 http://ftp.de.debian.org/debian/ jessie/main gcj-4.9-jre-lib all 4.9.2-10 [10.3 MB]
Get:4 http://ftp.de.debian.org/debian/ jessie/main pdftk amd64 2.02-2 [678 kB]
Fetched 20.4 MB in 23s (851 kB/s)
Selecting previously unselected package libgcj-common.
(Reading database … 144687 files and directories currently installed.)
Preparing to unpack …/libgcj-common_1%3a4.9.1-7_all.deb …
Unpacking libgcj-common (1:4.9.1-7) …
Selecting previously unselected package libgcj15:amd64.
Preparing to unpack …/libgcj15_4.9.2-10_amd64.deb …
Unpacking libgcj15:amd64 (4.9.2-10) …
Selecting previously unselected package gcj-4.9-jre-lib.
Preparing to unpack …/gcj-4.9-jre-lib_4.9.2-10_all.deb …
Unpacking gcj-4.9-jre-lib (4.9.2-10) …
Selecting previously unselected package pdftk.
Preparing to unpack …/pdftk_2.02-2_amd64.deb …
Unpacking pdftk (2.02-2) …
Processing triggers for man-db (2.7.0.2-5) …
Setting up libgcj-common (1:4.9.1-7) …
Setting up libgcj15:amd64 (4.9.2-10) …
Setting up gcj-4.9-jre-lib (4.9.2-10) …
Setting up pdftk (2.02-2) …
Processing triggers for libc-bin (2.19-18+deb8u4) …
