PDF Mode 10500: RC4 or AES being used?
#1
Hello everyone!



I'm working on a PDF with the following stats (extracted with exiftool v12.80):



Code:
PDF Version: 1.4

Encryption: Standard V2.3 (128-bit)



The generated hash (cropped):



Code:
$pdf$2*3*128*-4*1*16*103f



According to this overview Example Hashes the right mode should be 10500 (PDF 1.4 - 1.6)?

But after some research I found out that v1.6 introduced AES encryption (reference e.g. here), but prior versions used RC4 in 128-bit mode.



So my question would be: is the mode 10500 suitable for both variants?

Because I thought RC4 is much weaker than AES and thus faster to break...

Keep up the good work!
Regards
#2
After extensive searching around, several test exports with OpenOffice, SoftMaker Office and PDFXChange Editor, and more research, I can conclude that PDF versioning is a big mess.

What I have learned so far:
The PDF Version is no indicator whatsoever with regard to the encryption used.
For instance I created several PDF documents with SoftMaker and PDFXChange and selected different encryption standards. But the PDF Version stayed the same.
SoftMaker created V1.4 PDF regardless of 40Bit or 128Bit RC4.
PDFXChange created V1.7 PDF regardless of 40Bit RC4, 128Bit RC4, 128Bit AES, ...

So the only real indicator of which hashcat mode has to be used can only be obtained either with exiftool or by looking at the generated string produced by pdf2hashcat.py.
I assume that if the beginning of the produced hash matches the mode provided on the hashcat wiki examples page, then it is the right one...

Furthermore, I encountered the encryption standard V4.4, which hashcat seems not to support? (128Bit AES and 128Bit RC4 with Acrobat compatibility set to v7+)

Please have a look at the attached image for an overview and more clarity.

.png   pdf overview.png (Size: 55.98 KB / Downloads: 6)
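The thread's observation that the header version does not reveal the cipher can be checked by reading the `/Encrypt` dictionary directly. The following is an added example, not part of the thread and not code from hashcat or pdf2hashcat.py. It assumes the Standard security handler and a plain-text `/Encrypt` dictionary, and the sample dictionaries are constructed for illustration.

```python
import re

def _int(key, data, default=None):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", data)
    return int(m.group(1)) if m else default

def _name(key, data, default=None):
    m = re.search(rb"/" + key + rb"\s*/(\w+)", data)
    return m.group(1).decode() if m else default

def cipher_of(pdf):
    """Return (header_version, V, R, cipher) for a Standard-handler PDF."""
    header = re.match(rb"%PDF-(\d\.\d)", pdf).group(1).decode()
    v, r = _int(b"V", pdf), _int(b"R", pdf)
    if v == 1:
        cipher = "RC4-40"
    elif v == 2:
        # /Length is the key size in bits and defaults to 40 when absent.
        cipher = "RC4-%d" % _int(b"Length", pdf, 40)
    elif v == 4:
        # V=4 uses crypt filters: /StmF names the filter whose /CFM picks the
        # cipher (/V2 = RC4, /AESV2 = AES-128). Simplification: the RC4 key
        # size is read from the top-level /Length.
        flt = _name(b"StmF", pdf, "Identity")
        body = re.search(rb"/" + flt.encode() + rb"\s*<<(.*?)>>", pdf, re.S)
        cfm = _name(b"CFM", body.group(1)) if body else None
        cipher = {"AESV2": "AES-128",
                  "V2": "RC4-%d" % _int(b"Length", pdf, 128)}.get(cfm, "none")
    elif v == 5:
        cipher = "AES-256"
    else:
        cipher = "unknown"
    return header, v, r, cipher

# Constructed samples: the same dictionary under two different header versions.
RC4_128 = b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -4 >>"
AES_128 = (b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1084 "
           b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
           b"/StmF /StdCF /StrF /StdCF >>")
RC4_V4 = AES_128.replace(b"/AESV2", b"/V2")

def sample(header, encrypt):
    return b"%PDF-" + header + b"\n5 0 obj\n" + encrypt + b"\nendobj\n"

if __name__ == "__main__":
    for hdr, enc in ((b"1.4", RC4_128), (b"1.7", RC4_128),
                     (b"1.7", AES_128), (b"1.7", RC4_V4)):
        print(cipher_of(sample(hdr, enc)))
```

The V and R values returned here are the first two fields of the `$pdf$V*R*bits*...` string and the numbers exiftool prints as "Standard V2.3".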