PDF (Standard V1.3 40-bit RC4) Salt-value exception
#1
Thumbs Up 
I'm trying to crack an encrypted to open pdf (demand a key when opening) with hashcat but it seems there is an issue in the hash.

I got the hash using latest pdf2john.pl (from john git-repo), which works in john. So *after* formatting it, the hash looks like:
Code:
$pdf$1*3*40*-60*1*16*884e1235aa7ee88713d7184e8f203354*32*8bd267f062849e03995f94eff2d47d1f28bf4e5e4e758a4164004e56fffa0108*32*2647bfb697425500f132c2342a8040ae5c6991068eefcaff00fbfc8586b33781

Here is the input and output from hashcat:
Code:
$ hashcat  -m 10400 ../ap.hashcat
hashcat (v5.1.0) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 4083/16335 MB allocatable, 8MCU

./OpenCL/m10400_a0-optimized.cl: Pure OpenCL kernel not found, falling back to optimized OpenCL kernel
Hashfile '../ap.hashcat' on line 1 ($pdf$1...5c6991068eefcaff00fbfc8586b33781): Salt-value exception
No hashes loaded.

Started: Sun Dec 02 22:42:46 2018
Stopped: Sun Dec 02 22:42:46 2018

I tried the format 10400 for PDF 1.1 - 1.3 (Acrobat 2 - 4)[1], but I had tried all PDF formats, the error changes to "Separator unmatched".

The same hash, provided as:
Code:
Ap.pdf:$pdf$1*3*40*-60*1*16*884e1235aa7ee88713d7184e8f203354*32*8bd267f062849e03995f94eff2d47d1f28bf4e5e4e758a4164004e56fffa0108*32*2647bfb697425500f132c2342a8040ae5c6991068eefcaff00fbfc8586b33781

Works in John in last commit, so it's a hashcat issue, right?

I'm already read some posts here in this forum, as https://hashcat.net/forum/thread-4105.html, but they were for past versions. So, there's something I can do?

Thanks \o/

[1] https://hashcat.net/wiki/doku.php?id=example_hashes
#2
I think it should be -m 10400 = PDF 1.1 - 1.3 (Acrobat 2 - 4)
but your hash starts with $pdf$1*3* and only V == 1 and R == 2 is allowd by the parser.

Remember that you should never post hashes on this forum... and only if you are asked by an admin/moderator, you of course need to include the password too (otherwise it's diffucult to troubleshoot anything).

Can you confirm it is a Acrobat 2, Acrobat 3 or Acrobat 4 PDF format ? I think the problem is that hashcat just doesn't allow R = 3
#3
(12-03-2018, 02:17 PM)philsmd Wrote: I think it should be -m 10400 = PDF 1.1 - 1.3 (Acrobat 2 - 4)
but your hash starts with $pdf$1*3* and only V == 1 and R == 2 is allowd by the parser.

Remember that you should never post hashes on this forum... and only if you are asked by an admin/moderator, you of course need to include the password too (otherwise it's diffucult to troubleshoot anything).

Can you confirm it is a Acrobat 2, Acrobat 3 or Acrobat 4 PDF format ? I think the problem is that hashcat just doesn't allow R = 3

Yep you're right, it's PDF v1.4, I was confused with standard v1.3 (encryption). Although I had already tested with -m 10500 (PDF 1.4 - 1.6, Acrobat 5 - 8), which returns "Token length exception".