hashcat Forum

We just started with the work on oclHashcat to support cracking of password protected PDF.

There is 5-6 different versions but for PDF version 1.1 - 1.3, which uses RC4-40 (and we have a fast rc4 cracking kernel), we can already summarize:

• Guarantee to crack every password protected PDF of format v1.1 - v1.3 regardless of the password used
  
• All existing documents at once as there's no more salt involved after the key is computed
  
• In less than 4 hours (single GPU)!!
  

Here's how the output looks like:

Quote:
root@et:~/oclHashcat-1.32# ./oclHashcat64.bin -w3 -m 10410 hash -a 3 ?b?b?b?b?b
oclHashcat v1.32 starting...

Device #1: Tahiti, 3022MB, 1000Mhz, 32MCU
Device #2: Tahiti, 3022MB, 1000Mhz, 32MCU
Device #3: Tahiti, 3022MB, 1000Mhz, 32MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./amd/m10410_a3.cl (21164 bytes)
Device #1: Kernel ./amd/markov_le_v1.cl (9208 bytes)
Device #1: Kernel ./amd/bzero.cl (887 bytes)
Device #2: Kernel ./amd/m10410_a3.cl (21164 bytes)
Device #2: Kernel ./amd/markov_le_v1.cl (9208 bytes)
Device #2: Kernel ./amd/bzero.cl (887 bytes)
Device #3: Kernel ./amd/m10410_a3.cl (21164 bytes)
Device #3: Kernel ./amd/markov_le_v1.cl (9208 bytes)
Device #3: Kernel ./amd/bzero.cl (887 bytes)

$pdf$1*2*40*-4*1*16*c015cff8dbf99345ac91c84a45667784*32*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*32*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170:$HEX[db34433720]

Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: Mask (?b?b?b?b?b) [5]
Hash.Target....: $pdf$1*2*40*-4*1*16*c015cff8dbf99345ac91c84a45667784*32*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*32*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170
Hash.Type......: PDF 1.3 (Acrobat 2, 3, 4) + collider-mode #1
Time.Started...: Fri Nov 7 16:05:44 2014 (19 mins, 42 secs)
Speed.GPU.#1...: 85019.7 kH/s
Speed.GPU.#2...: 85010.9 kH/s
Speed.GPU.#3...: 84962.4 kH/s
Speed.GPU.#*...: 255.0 MH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 301050363904/1099511627776 (27.38%)
Skipped........: 0/301050363904 (0.00%)
Rejected.......: 0/301050363904 (0.00%)
HWMon.GPU.#1...: 99% Util, 38c Temp, 25% Fan
HWMon.GPU.#2...: 99% Util, 39c Temp, 27% Fan
HWMon.GPU.#3...: 99% Util, 38c Temp, 27% Fan

Started: Fri Nov 7 16:05:44 2014
Stopped: Fri Nov 7 16:25:29 2014

Very good news for today, waiting for more details, as there are some documents waiting for 'recovery'

Hehe, awesome as usual, congratulations, Jens.
So, this only applies to PDFs up to Acrobat v4.
v5 and 6 implements 128 bit RC4, v7 128 bit AES and X and later 256 bit AES.

Very good news ! :]

Hello,

I'm a newbie and I'm interested in cracking a PDF file from many years ago, but I don't know how to run the oclHashcat for doing this.

Seeing this example makes me understand that -w, -m and -a are options for specifying how to do it, but don't know how to specify the target file.

Is the "?b?b?b?b?b" some kind of hash associated with the file? Should I run some hash command against the PDF file?

Thanks in advance

It's not implemented yet, so you just have to wait for that feature in next versions.

As written, it will work with oclHashcat-1.32.

glad to hear that!

____________________
Coque Samsung Galaxy A7
chargeur iPhone 6 Plus