Extract PDF hash (edit passwd)
#1
Hello guys, I need to recover "edit password" from a PDF file. How can I extract "edit password" hash? Thank you!
#2
Did you try pdf2john?
https://github.com/magnumripper/JohnTheR...df2john.py
#3
Yes, but I get: «AttributeError: 'str' object has no attribute 'decode'». It works with "read password" only, I need to extract "owner password" hash.
#4
Look up
Click Wiki
Click FAQ
CTRL+F
Type "PDF"
...
Boy that was difficult.
#5
(01-25-2017, 07:08 PM)kiara Wrote: Did you try pdf2john?
https://github.com/magnumripper/JohnTheR...df2john.py

(01-25-2017, 07:46 PM)Xanadrel Wrote: Look up
Click Wiki
Click FAQ
CTRL+F
Type "PDF"
...
Boy that was difficult.
Thanks... I get this:

Code:
$pdf$4*4*128*-1084*1*16*51765003ed0e2944a8991e710ec8aaa1*32*6554d929ab86fdd40a078d4e8cefb0ea2e0000000000000059028800188f3b00*32*34d5f6a6a8766b703d03a9ed1a8e3565f5cd34a85a506332737a70fb429e2bf6

This is empty (this file doesn't have open password). I need to extract the hash of "edit password".
#6
Hashcat only supports cracking encrypted PDFs. Usually when only an edit password is applied, the document is not encrypted. You can use one of many freely-available tools to simply strip out the edit password entirely without cracking it.
#7
(01-25-2017, 09:41 PM)epixoip Wrote: Hashcat only supports cracking encrypted PDFs. Usually when only an edit password is applied, the document is not encrypted. You can use one of many freely-available tools to simply strip out the edit password entirely without cracking it.

Hi epixoip, I know this, but I need to recover the password. Thanks anyway!
#8
Code:
$ ./pdfcrack.exe -f ...

PDF version 1.6
Security Handler: Standard
V: 2
R: 3
P: -1084
Length: 128
Encrypted Metadata: True
FileID: 51765003ed0e2944a8991e710ec8aaa1
U: 6554d929ab86fdd40a078d4e8cefb0ea2e0000000000000059028800188f3b00
O: 34d5f6a6a8766b703d03a9ed1a8e3565f5cd34a85a506332737a70fb429e2bf6

EDIT: Hashcat can't crack this password. Pdfcrack can do it, but much slower...
#9
As I said above, Hashcat only supports encrypted PDFs. It does not support cracking edit passwords.
#10
It seems that the difference between the algorithm used for checking the owner password (editing/permissions) and the one used for the user password (the password to open the file, aka encrypted PDFs), at least for rev 3 (PDF 1.4 - 1.6 (Acrobat 5 - 8)), is very small:
the difference is just the input (length) to the first MD5 and what is used for the RC4 key.
Here is a diff of the -m 10500 kernel (the file is [hashcat_root]/OpenCL/m10500.cl):
Code:
diff --git a/OpenCL/m10500.cl b/OpenCL/m10500.cl
index c4ba5df..67ef4a0 100644
--- a/OpenCL/m10500.cl
+++ b/OpenCL/m10500.cl
@@ -325,29 +325,10 @@ __kernel void m10500_init (__global pw_t *pws, __global const kernel_rule_t *rul
  id_buf[10] = 0;
  id_buf[11] = 0;

-  u32 id_len  = pdf_bufs[salt_pos].id_len;
-  u32 id_len4 = id_len / 4;
-
  u32 rc4data[2];

-  rc4data[0] = pdf_bufs[salt_pos].rc4data[0];
-  rc4data[1] = pdf_bufs[salt_pos].rc4data[1];
-
-  u32 final_length = 68 + id_len;
-
-  u32 w11 = 0x80;
-  u32 w12 = 0;
-
-  if (pdf_bufs[salt_pos].enc_md != 1)
-  {
-    w11 = 0xffffffff;
-    w12 = 0x80;
-
-    final_length += 4;
-  }
-
-  id_buf[id_len4 + 0] = w11;
-  id_buf[id_len4 + 1] = w12;
+  rc4data[0] = padding[0];
+  rc4data[1] = padding[1];

  /**
   * main init
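Review bot: `padding[0]` and `padding[1]` in the added lines are not declared anywhere in this hunk, while the values they replace came from the per-hash salt (`pdf_bufs[salt_pos].rc4data[...]`); the post should say what `padding` is (presumably the kernel's existing constant holding the standard 32-byte PDF pad string) so readers can check the assumption. With the `id_len`, `enc_md` and `final_length` lines removed, the kernel no longer reads the file-ID length or the encrypt-metadata flag at all, which is why the two swapped hashes further down can disagree on the sixth field (`0` in one, `16` in the other) and still work; a one-line comment stating that the ID field is now ignored would avoid that confusion. Finally, because this rewrites `m10500_init` in place instead of adding a mode, applying it breaks normal user-password cracking for -m 10500; a separate hash mode would let both coexist.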
@@ -391,14 +372,14 @@ __kernel void m10500_init (__global pw_t *pws, __global const kernel_rule_t *rul
  w1_t[1] |= w1[1];
  w1_t[2] |= w1[2];
  w1_t[3] |= w1[3];
-  w2_t[0]  = o_buf[0];
-  w2_t[1]  = o_buf[1];
-  w2_t[2]  = o_buf[2];
-  w2_t[3]  = o_buf[3];
-  w3_t[0]  = o_buf[4];
-  w3_t[1]  = o_buf[5];
-  w3_t[2]  = o_buf[6];
-  w3_t[3]  = o_buf[7];
+  w2_t[0] = 0x80;
+  w2_t[1] = 0;
+  w2_t[2] = 0;
+  w2_t[3] = 0;
+  w3_t[0] = 0;
+  w3_t[1] = 0;
+  w3_t[2] = 32 * 8;
+  w3_t[3] = 0;

  u32 digest[4];
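Review bot: `w3_t[2] = 32 * 8` hardcodes the MD5 length field to 256 bits, so the first MD5 block now covers exactly the 32-byte padded password in `w0_t`/`w1_t` followed by the `0x80` terminator in `w2_t[0]`; that is only right because nothing else is appended any more (the eight `o_buf` words that were removed). A comment naming the algorithm being implemented here (hash the padded owner password alone) and a named constant in place of the literal, e.g. `const u32 padded_pw_len = 32;`, would make the intent clear. If `o_buf` is no longer referenced elsewhere in the function after this change, its initialisation should be dropped as well, otherwise the compiler will warn about an unused buffer.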

@@ -409,25 +390,6 @@ __kernel void m10500_init (__global pw_t *pws, __global const kernel_rule_t *rul

  md5_transform (w0_t, w1_t, w2_t, w3_t, digest);

-  w0_t[0] = P;
-  w0_t[1] = id_buf[ 0];
-  w0_t[2] = id_buf[ 1];
-  w0_t[3] = id_buf[ 2];
-  w1_t[0] = id_buf[ 3];
-  w1_t[1] = id_buf[ 4];
-  w1_t[2] = id_buf[ 5];
-  w1_t[3] = id_buf[ 6];
-  w2_t[0] = id_buf[ 7];
-  w2_t[1] = id_buf[ 8];
-  w2_t[2] = id_buf[ 9];
-  w2_t[3] = id_buf[10];
-  w3_t[0] = id_buf[11];
-  w3_t[1] = 0;
-  w3_t[2] = final_length * 8;
-  w3_t[3] = 0;
-
-  md5_transform (w0_t, w1_t, w2_t, w3_t, digest);
-
  tmps[gid].digest[0] = digest[0];
  tmps[gid].digest[1] = digest[1];
  tmps[gid].digest[2] = digest[2];
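Review bot: removing the second `md5_transform` takes `P` and `id_buf` out of the computation, which is the intended difference for the owner-password check, but it leaves `P` and `id_buf` (still zeroed at the top of the first hunk with `id_buf[10] = 0; id_buf[11] = 0;`) as dead values in `m10500_init`; clean those up in the same patch. It also means the permissions value (`-3904` / `-1084` in the hash lines) no longer influences the result, which is worth stating in the usage note, since a reader may expect a wrong P to cause a miss.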

You can play with it by just using "git apply a.patch" and removing the cached kernels (rm -r [hashcat_root]/kernels).

The only change you need to make to the "hash" itself is to swap the user and owner parts (i.e. swap the last 2 fields with the 2 fields before them), e.g.:

Code:
$pdf$2*3*128*-3904*1*16*631ed33746e50fba5caf56bcc39e09c6*32*5f9d0e4f0b39835dace0d306c40cd6b700000000000000000000000000000000*32*842103b0a0dc886db9223b94afe2d7cd63389079b61986a4fcf70095ad630c24
becomes
Code:
$pdf$2*3*128*-3904*1*0*631ed33746e50fba5caf56bcc39e09c6*32*842103b0a0dc886db9223b94afe2d7cd63389079b61986a4fcf70095ad630c24*32*5f9d0e4f0b39835dace0d306c40cd6b700000000000000000000000000000000

or
Code:
$pdf$4*4*128*-1084*1*16*51765003ed0e2944a8991e710ec8aaa1*32*6554d929ab86fdd40a078d4e8cefb0ea2e0000000000000059028800188f3b00*32*34d5f6a6a8766b703d03a9ed1a8e3565f5cd34a85a506332737a70fb429e2bf6
becomes
Code:
$pdf$4*4*128*-1084*1*16*51765003ed0e2944a8991e710ec8aaa1*32*34d5f6a6a8766b703d03a9ed1a8e3565f5cd34a85a506332737a70fb429e2bf6*32*6554d929ab86fdd40a078d4e8cefb0ea2e0000000000000059028800188f3b00

Example run:
Code:
./hashcat -m 10500 '$pdf$2*3*128*-3904*1*16*631ed33746e50fba5caf56bcc39e09c6*32*842103b0a0dc886db9223b94afe2d7cd63389079b61986a4fcf70095ad630c24*32*5f9d0e4f0b39835dace0d306c40cd6b700000000000000000000000000000000' dict.txt

$pdf$2*3*128*-3904*1*16*631ed33746e50fba5caf56bcc39e09c6*32*842103b0a0dc886db9223b94afe2d7cd63389079b61986a4fcf70095ad630c24*32*5f9d0e4f0b39835dace0d306c40cd6b700000000000000000000000000000000:hashcat

I just think that support for this type of password recovery is just not demanded enough. Most users just work around the permissions, without even caring what the password is. But of course for some forensic use cases it could sometimes be nice to get the password that was originally used to produce the PDF file.

The file used for analysis: http://www.filedropper.com/pdfownerpassonly
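The two algorithms atom's patch switches between, written out side by side as an added Python example (not code from this thread, from hashcat or from pdf2john): the owner-password check hashes only the padded owner password and runs RC4 over the padded user password, while the user-password check also feeds O, P and the file ID into the first MD5 and runs RC4 over MD5(PAD + ID). It assumes the Standard Security Handler of the PDF 1.7 spec for revisions 3 and 4 (the hashes in this thread) and the $pdf$ field order pdf2john emits; the hash line and the password "hashcat" used for checking are taken from the example run above.

```python
import hashlib
# Standard security handler padding string (PDF 1.7 spec, Algorithm 3.2 step 1).
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: key schedule, then keystream XOR over data.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_pdf_hash(line: str) -> dict:
    # Field layout as emitted by pdf2john: $pdf$V*R*Length*P*enc_md*id_len*ID*u_len*U*o_len*O
    f = line.split("*")
    return {"R": int(f[1]), "n": int(f[2]) // 8, "P": int(f[3]), "enc_md": int(f[4]),
            "ID": bytes.fromhex(f[6]), "U": bytes.fromhex(f[8]), "O": bytes.fromhex(f[10])}

def derive_key(seed: bytes, n: int) -> bytes:
    # First MD5 over the seed, then the 50 extra MD5 rounds of revision 3+ over the first n bytes.
    key = hashlib.md5(seed).digest()
    for _ in range(50):
        key = hashlib.md5(key[:n]).digest()
    return key[:n]

def rc4_iterated(key: bytes, data: bytes) -> bytes:
    # RC4 once, then 19 more passes with every key byte XORed with the pass number (revision 3+).
    out = rc4(key, data)
    for i in range(1, 20):
        out = rc4(bytes(b ^ i for b in key), out)
    return out

def check_owner_password(h: dict, owner_pw: bytes, user_pw: bytes = b"") -> bool:
    # Algorithm 3.3: MD5 seed is the padded owner password alone; RC4 runs over the padded user password.
    key = derive_key((owner_pw + PAD)[:32], h["n"])
    return rc4_iterated(key, (user_pw + PAD)[:32]) == h["O"]

def check_user_password(h: dict, user_pw: bytes = b"") -> bool:
    # Algorithm 3.2: the MD5 seed also takes O, P (4 bytes, little endian) and the file ID.
    seed = (user_pw + PAD)[:32] + h["O"] + h["P"].to_bytes(4, "little", signed=True) + h["ID"]
    if h["R"] >= 4 and h["enc_md"] == 0:
        seed += b"\xff\xff\xff\xff"
    # Algorithm 3.5: RC4 over MD5(PAD + ID); only the first 16 bytes of U are significant.
    return rc4_iterated(derive_key(seed, h["n"]), hashlib.md5(PAD + h["ID"]).digest()) == h["U"][:16]
```

Because the owner check never touches P or the file ID, those hash fields can be anything without changing its result, which is exactly why the patched kernel could drop them.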