Please note, this is a STATIC archive of website hashcat.net from October 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

Cracking password protected PDF documents
#1
We just started with the work on oclHashcat to support cracking of password protected PDF.

There is 5-6 different versions but for PDF version 1.1 - 1.3, which uses RC4-40 (and we have a fast rc4 cracking kernel), we can already summarize:
  • Guarantee to crack every password protected PDF of format v1.1 - v1.3 regardless of the password used
  • All existing documents at once as there's no more salt involved after the key is computed
  • In less than 4 hours (single GPU)!!

Here's how the output looks like:

Quote:
root@et:~/oclHashcat-1.32# ./oclHashcat64.bin -w3 -m 10410 hash -a 3 ?b?b?b?b?b
oclHashcat v1.32 starting...

Device #1: Tahiti, 3022MB, 1000Mhz, 32MCU
Device #2: Tahiti, 3022MB, 1000Mhz, 32MCU
Device #3: Tahiti, 3022MB, 1000Mhz, 32MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./amd/m10410_a3.cl (21164 bytes)
Device #1: Kernel ./amd/markov_le_v1.cl (9208 bytes)
Device #1: Kernel ./amd/bzero.cl (887 bytes)
Device #2: Kernel ./amd/m10410_a3.cl (21164 bytes)
Device #2: Kernel ./amd/markov_le_v1.cl (9208 bytes)
Device #2: Kernel ./amd/bzero.cl (887 bytes)
Device #3: Kernel ./amd/m10410_a3.cl (21164 bytes)
Device #3: Kernel ./amd/markov_le_v1.cl (9208 bytes)
Device #3: Kernel ./amd/bzero.cl (887 bytes)

$pdf$1*2*40*-4*1*16*c015cff8dbf99345ac91c84a45667784*32*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*32*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170:$HEX[db34433720]

Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: Mask (?b?b?b?b?b) [5]
Hash.Target....: $pdf$1*2*40*-4*1*16*c015cff8dbf99345ac91c84a45667784*32*1f300cd939dd5cf0920c787f12d16be22205e55a5bec5c9c6d563ab4fd0770d7*32*9a1156c38ab8177598d1608df7d7e340ae639679bd66bc4cda9bc9a4eedeb170
Hash.Type......: PDF 1.3 (Acrobat 2, 3, 4) + collider-mode #1
Time.Started...: Fri Nov 7 16:05:44 2014 (19 mins, 42 secs)
Speed.GPU.#1...: 85019.7 kH/s
Speed.GPU.#2...: 85010.9 kH/s
Speed.GPU.#3...: 84962.4 kH/s
Speed.GPU.#*...: 255.0 MH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 301050363904/1099511627776 (27.38%)
Skipped........: 0/301050363904 (0.00%)
Rejected.......: 0/301050363904 (0.00%)
HWMon.GPU.#1...: 99% Util, 38c Temp, 25% Fan
HWMon.GPU.#2...: 99% Util, 39c Temp, 27% Fan
HWMon.GPU.#3...: 99% Util, 38c Temp, 27% Fan

Started: Fri Nov 7 16:05:44 2014
Stopped: Fri Nov 7 16:25:29 2014
#2
Very good news for today, waiting for more details, as there are some documents waiting for 'recovery' Smile
#3
Hehe, awesome as usual, congratulations, Jens.
So, this only applies to PDFs up to Acrobat v4.
v5 and 6 implements 128 bit RC4, v7 128 bit AES and X and later 256 bit AES.
#4
Very good news ! :]
#5
Hello,

I'm a newbie and I'm interested in cracking a PDF file from many years ago, but I don't know how to run the oclHashcat for doing this.

Seeing this example makes me understand that -w, -m and -a are options for specifying how to do it, but don't know how to specify the target file.

Is the "?b?b?b?b?b" some kind of hash associated with the file? Should I run some hash command against the PDF file?

Thanks in advance
#6
It's not implemented yet, so you just have to wait for that feature in next versions.
#7
As written, it will work with oclHashcat-1.32.
#8
glad to hear that!

____________________
Coque Samsung Galaxy A7
chargeur iPhone 6 Plus