Empty PDF password
#1
Hi there,

I have used hashcat for a long time, but today I was taken by surprise. There is a PDF hash found by pdf2john:
$pdf$2*3*128*-1340*1*16*c9fc2…

The document is free to open, but password protected to make changes in it. Ok, I started hashcat with -m 10500 hashtype. The following message appeared:

INFO: All hashes found during weak hashes check! Use --show to display them.

That’s good. But there is no password in the results file: just a newline character at the end. Looks like the password is empty (could it really be?). I have tried to change the document’s security settings in Acrobat Pro, but unsuccessfully. It refuses to accept an empty password for the document.
Also I’ve tried to start john with this hash, and got the same output – empty password. Looks like the password is really empty, but I can’t use it in Acrobat for some reason.


There is a Linux tool, qpdf, to remove passwords from PDF files. I’ve run it with the command:

qpdf in.pdf out.pdf --decrypt --password=''

and got a decrypted file!
Have you ever seen empty PDF passwords? Is there any way to force Acrobat to accept it?
 
I didn’t post the full PDF hash, in accordance with the forum rules. If anybody wants to check it, please tell me here.
Thanks!
#2
It's possible that the password was added by some tool other than Acrobat.

It sounds like you found a workaround using qpdf?