Suggested improvement for FAQ on PDF hashes
The FAQ How do I extract the hashes from PDF documents? is incomplete. It does not mention module 25400, which cracks owner passwords. It does not forthrightly describe relationship between modules and PDF versions.

The first paragraph currently reads,

Quote:You should use the tool to extract the required information of the .pdf files. The output “hashes” could have different signatures depending on the pdf version. For some example hashes see: example hashes (-m 10400, -m 10500, -m 10600 or -m 10700).

I suggest it be changed to read,

Quote:The protection methods used in PDF have changed over PDF versions, and corresponding Adobe Acrobat software versions. Generally, each protection method is handled by a different hash type. You can see the current list of PDF versions and corresponding type numbers using hashcat --help , and searching the resulting output for "PDF".

Currently the supported PDF versions and hash types ("-m") are:
  • PDF 1.7 ExtensionLevel 8, Acrobat 10 - 11, -m 10700
  • PDF 1.7 ExtensionLevel 3, Acrobat 9, -m 10600
  • PDF 1.4 - 1.6, Acrobat 5 - 8, -m 25400 (recovers owner as well as user password)
  • PDF 1.4 - 1.6, Acrobat 5 - 8, -m 10500
  • PDF 1.1 - 1.3, Acrobat 2 - 4, -m 10400
  • PDF 1.1 - 1.3, Acrobat 2 - 4, -m 10410 (collider #1)
  • PDF 1.1 - 1.3, Acrobat 2 - 4, -m 10420 (collider #2)

Generally, all PDF hash types share a similar hash format, as you can see in the example hashes. Use a tool to read the protection information from a PDF file and create a has. One such tool is this tool (you may need to patch to remove its spurious b'' wrapper).

The second paragraph of that FAQ could perhaps be improved also, but that would be a different post.