-2

I had shared about pdfcrack earlier here. Now it is boring and will take a long time for pdfcrack to crack the password.

But what if I could help it using a wordlist that might make the whole process faster? But how do I go about creating a wordlist? Say for e.g. I know the first four characters are letters, the remaining four characters are numbers. How would I go about creating that and how do I provide that stack/wordlist to pdfcrack?

AdminBee
  • 22,803
shirish
  • 12,356

3 Answers

3

A generic tool to generate a wordlist is crunch.

Say for e.g. I know the first four characters are letters, the remaining four characters are numbers.

The following command will generate a wordlist according to the above description:

crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -t @@@@%%%%

(This answer may help you understand how @, % and such work in crunch.)

You can save the result to a regular file by redirecting output to it; then use the file with the -w option of pdfcrack:

crunch … >wordlist
pdfcrack -w wordlist protected.pdf

crunch tells me the size of the file will be about 612 GB. If I were you, I would pipe one tool to the other. Unfortunately pdfcrack -w (at least in my Debian) does not follow the convention of - meaning the stdin. Still I can do this:

crunch … | pdfcrack -w /dev/stdin protected.pdf

In case you cannot use /dev/stdin, create a named fifo and use it instead of a regular file:

mkfifo myfifo
crunch … >myfifo &
pdfcrack -w myfifo protected.pdf
2

You might actually want to use another program than pdfcrack. With a good GPU, hashcat can try orders of magnitude more passwords per second (to give an idea, it can be millions of tries per second, or much faster if you have a powerful GPU).

You can directly ask it to crack a password having a specific pattern of characters. To do so, it requires an external script (pdf2john.py) to extract the hash of the password from the PDF into a format hashcat can use.

As an example, you can use a command such as:

hashcat -a 3 -i -m 10500 'hash' ?l?l?l?l?d?d?d?d

In the command, -a 3 specifies that the attack mode is a bruteforce, -m 10500 is the type of hash (PDF), and the word at the end is the pattern, here being 4 letters and 4 digits. The -i specifies that the attack will start from 1 character, then 2, ... up to the length of the cracking pattern.

Ale
  • 121
-2

At 45k a second, to compute 4.6 billion will take about 100,000 seconds. So it seems doable at 28 hours.

I’d just write a program to count from 0 to 9999, then wrap four loops from a to z around it. So you end up with a file:

aaaa0001 to zzzz9999
James Risner
  • 1,282
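
The figures quoted in the answers above (about 612 GB for the 52-letter list, 4.6 billion candidates and roughly 28 hours at 45k tries per second) can be reproduced, and the list streamed instead of stored, with a short program. This is an added example, not code from any of the answers; the function names are its own, the mask tokens ?l, ?u and ?d follow hashcat's notation, and ?1 is preset here to all ASCII letters as an assumption.

```python
"""Mask-based candidate generator with size and time estimates."""
import itertools
import os
import string
import sys

# ?l, ?u and ?d follow hashcat's built-in mask charsets. In hashcat ?1 is a
# user-defined set (-1 ?l?u); this example presets it to all ASCII letters.
CHARSETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
            "d": string.digits, "1": string.ascii_letters}

def parse_mask(mask):
    """Turn '?l?l?d' into one character set per password position."""
    if not mask or len(mask) % 2 or set(mask[0::2]) != {"?"}:
        raise ValueError(f"mask must be a sequence of ?x tokens: {mask!r}")
    unknown = set(mask[1::2]) - set(CHARSETS)
    if unknown:
        raise ValueError(f"unknown charset token(s): {sorted(unknown)}")
    return [CHARSETS[token] for token in mask[1::2]]

def keyspace(mask):
    """Number of candidates the mask describes."""
    total = 1
    for charset in parse_mask(mask):
        total *= len(charset)
    return total

def wordlist_bytes(mask):
    """Size of the list if saved one candidate per line (newline included)."""
    return keyspace(mask) * (len(parse_mask(mask)) + 1)

def hours_to_exhaust(mask, tries_per_second):
    """Worst-case duration of trying every candidate at a given rate."""
    return keyspace(mask) / tries_per_second / 3600

def candidates(mask):
    """Yield candidates lazily so nothing has to be stored on disk."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)

if __name__ == "__main__":
    mask = sys.argv[1] if len(sys.argv) > 1 else "?l?l?l?l?d?d?d?d"
    print(f"{keyspace(mask):,} candidates, {wordlist_bytes(mask) // 2**30:,} GiB "
          f"as a file, {hours_to_exhaust(mask, 45_000):.0f} h at 45k tries/s",
          file=sys.stderr)
    try:
        for word in candidates(mask):
            print(word)
    except BrokenPipeError:  # the reader closed the pipe before the end
        os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno())
```

The estimate goes to stderr and the candidates to stdout, so the output can be piped into pdfcrack -w /dev/stdin in the same way as the crunch pipeline in the first answer.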