Crack an Encrypted PDF with pdfcrack in Linux

Aidan Palmer
Feb 19, 2023

*Disclaimer: this tutorial is for educational purposes only. It is unlawful to access an encrypted document unless you have permission or ownership of the document. I do not condone the use of pdfcrack or any other cybersecurity tool for illegal purposes.

There are a few different ways to crack a password-protected PDF, and I am going to show you the method I found to be the easiest and fastest after I forgot the password to an old PDF document and had to figure out how to access it. I used a tool available for most Linux distributions called “pdfcrack”, and found it to be much faster and more user-friendly than John the Ripper (which failed to crack my password).

First, we need to open a terminal and install pdfcrack. I am using Kali Linux, but this command will also work for Ubuntu or any other Debian-based distribution.

sudo apt install pdfcrack

Now you can type in pdfcrack to see its usage, syntax, and options.

Now we can go ahead and try pdfcrack’s default mode. Navigate to the directory containing your encrypted PDF and enter the following command (substituting your own file name for mine):

pdfcrack -f ./encrypteddoc.pdf

This is the most basic command to crack a password using pdfcrack, but it’s also the most time-consuming. By default, pdfcrack uses a brute-force attack on the encrypted file, running through thousands and millions of letter combinations to try to “guess” the password.

This can take a painfully long time to complete, especially if the password is long and complex. I would highly recommend either using a wordlist of common user passwords or, better yet, creating a custom wordlist if you have some idea what the password might be and adding it to a “short” list of about 10,000 passwords. I would try that first, then move on to a larger list like the infamous “rockyou.txt” password list, and brute-force only if none of those methods work.

Use the following command to crack the password with a wordlist:

pdfcrack -f ./encrypteddoc.pdf --wordlist=customwordlist.txt

You will of course want to substitute the name of the PDF and the name of the wordlist for your own, but everything else is the same. I really like how simple the syntax and options are for this tool.

10 Seconds later…I have a password

You can create a custom wordlist simply by creating a .txt text document and adding a single unique word on every line, or you can use a specialty tool like “crunch,” which prompts you for details and generates a unique list of potential passwords.

The top 20 most common passwords.

In the example PDF document that I cracked, I first used a wordlist of the top 5,000 most common passwords, to which I also added a custom wordlist (which, on purpose, did not contain the actual password). This cracked the password in about 10 seconds.

I then used the default brute-force method, which took about…well I’m actually still waiting for it to finish. Again, I would highly recommend trying several different wordlists before resorting to a brute-force attack.

Once the program is finished it will display your password on the last line, and you can now enter it into the PDF when you go to open it.
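
The gap between the 10-second wordlist run and the brute-force run that never finished can be turned into a check on a password you plan to use for a PDF. The script below is an added example, not part of the original post: the function names, the guess rate and the sample wordlist are all assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). All sample data is constructed.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII only; passwords assumed ASCII

# Exit 0 if the password is an exact line in the wordlist file.
in_wordlist() { grep -Fxq -- "$1" "$2"; }

# Smallest alphabet an exhaustive search must cover to reach this password.
charset_size() {
    size=0
    case $1 in *[a-z]*) size=$((size + 26)) ;; esac
    case $1 in *[A-Z]*) size=$((size + 26)) ;; esac
    case $1 in *[0-9]*) size=$((size + 10)) ;; esac
    case $1 in *[!a-zA-Z0-9]*) size=$((size + 33)) ;; esac  # symbols and space
    echo "$size"
}

# Search space, in bits, for passwords of this length over that alphabet.
search_bits() {
    awk -v n="${#1}" -v c="$(charset_size "$1")" 'BEGIN {
        if (n == 0) { printf "0.0"; exit }
        printf "%.1f", n * log(c) / log(2) }'
}

# Seconds to try every candidate of this length at $2 guesses per second.
# The rate is an assumed figure; measure it on your own hardware.
worst_case_seconds() {
    awk -v n="${#1}" -v c="$(charset_size "$1")" -v r="$2" \
        'BEGIN { printf "%.3g", (c ^ n) / r }'
}

# Report which stage recovers the password: wordlist or exhaustive search.
audit_password() {
    if in_wordlist "$1" "$2"; then
        echo "wordlist"
    else
        echo "bruteforce $(search_bits "$1") bits, $(worst_case_seconds "$1" "$3") s worst case"
    fi
}

# Constructed sample: a four-entry wordlist and two candidate passwords.
list=$(mktemp)
printf '%s\n' 123456 password qwerty letmein > "$list"
audit_password 'letmein' "$list" 100000
audit_password 'T7#kq9!vLm2x' "$list" 100000
rm -f "$list"
```

A password that reports `wordlist` falls in the first stage regardless of its length; one that reports a large bit count is only reachable by exhaustive search, and only if the search alphabet includes every character class it uses.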
