PDFCrack

Overview

PDFCrack is a specialized tool designed to recover passwords from PDF documents. It targets both user passwords (document open passwords) and owner passwords (permissions passwords) using efficient brute-force and dictionary attack methods. The tool leverages optimized algorithms to crack PDF encryption standards including 40-bit, 128-bit, and 256-bit encryption.

Capabilities:

• Crack PDF user passwords
• Crack PDF owner/permissions passwords
• Dictionary and brute-force attacks
• Custom charset support
• Parallel processing with GPU acceleration
• Progress tracking and resumable sessions
• Support for multiple PDF standards

Installation

Linux/Debian

# Install from repository
sudo apt-get update
sudo apt-get install pdfcrack

# Or compile from source
git clone https://github.com/elceef/pdfcrack.git
cd pdfcrack
./configure
make
sudo make install

macOS

# Using Homebrew
brew install pdfcrack

# Or from source
git clone https://github.com/elceef/pdfcrack.git
cd pdfcrack
./configure
make
sudo make install

Windows

# Download binary
https://github.com/elceef/pdfcrack/releases

# Or compile with MinGW
git clone https://github.com/elceef/pdfcrack.git
cd pdfcrack
./configure
make

Docker

docker pull pdfcrack/pdfcrack
docker run -v /path/to/pdf:/data pdfcrack/pdfcrack /data/document.pdf

Basic Usage

Crack PDF Password

# Dictionary attack with wordlist
pdfcrack -f document.pdf -w wordlist.txt

# Brute-force with default charset
pdfcrack -f document.pdf -c a

# Try with multiple wordlists
pdfcrack -f document.pdf -w words1.txt -w words2.txt

Essential Commands

Command	Description
pdfcrack -f file.pdf -w dict.txt	Dictionary attack on PDF
pdfcrack -f file.pdf -n 8	Use 8 parallel threads
pdfcrack -f file.pdf -c a	Brute-force all lowercase letters
pdfcrack -f file.pdf -u	Crack user password only
pdfcrack -f file.pdf --owner	Crack owner password only
pdfcrack -f file.pdf -v	Verbose output

Dictionary Attacks

Using Wordlists

# Standard dictionary attack
pdfcrack -f encrypted.pdf -w /usr/share/wordlists/rockyou.txt

# Multiple dictionaries
pdfcrack -f encrypted.pdf \
  -w dict1.txt \
  -w dict2.txt \
  -w dict3.txt

# Search multiple PDFs with same wordlist
for pdf in *.pdf; do
    pdfcrack -f "$pdf" -w wordlist.txt
done

Common Wordlists

# Kali Linux default wordlists
pdfcrack -f document.pdf -w /usr/share/wordlists/rockyou.txt

# Generate custom wordlist
# Using crunch to generate patterns
crunch 6 8 abcdefghijklmnopqrstuvwxyz > custom.txt
pdfcrack -f document.pdf -w custom.txt

# Using hashcat wordlists
wget https://files.secondline.org/wordlists/rockyou.txt
pdfcrack -f document.pdf -w rockyou.txt

Pattern-Based Attacks

# Create wordlist for password variations
cat << 'EOF' > patterns.txt
password
Password
PASSWORD
pass123
Pass123
PASS123
admin
Admin
ADMIN
EOF

pdfcrack -f document.pdf -w patterns.txt

Brute-Force Attacks

Character Set Options

# Lowercase letters only
pdfcrack -f document.pdf -c a

# Uppercase letters only
pdfcrack -f document.pdf -c A

# Numbers only
pdfcrack -f document.pdf -c n

# Lowercase + numbers
pdfcrack -f document.pdf -c an

# Uppercase + lowercase
pdfcrack -f document.pdf -c aA

# Alphanumeric
pdfcrack -f document.pdf -c aAn

# All printable characters
pdfcrack -f document.pdf -c aAn!@#\$%\^

Length-Constrained Brute Force

# Passwords 1-6 characters
pdfcrack -f document.pdf -c a -l 1 -L 6

# Specific length (exactly 8 characters)
pdfcrack -f document.pdf -c aAn -l 8 -L 8

# Numbers only, 4-6 digits (PIN)
pdfcrack -f document.pdf -c n -l 4 -L 6

Custom Character Sets

# Custom charset
pdfcrack -f document.pdf -s "abcdefghijklmnopqrstuvwxyz0123456789_-."

# Using system locale charset
pdfcrack -f document.pdf -c UTF-8

# Combined custom and preset
pdfcrack -f document.pdf -c aAn -s "!@#$%"

Advanced Options

Performance Tuning

# Use multiple threads
pdfcrack -f document.pdf -w wordlist.txt -n 8

# Set thread count to CPU cores
CORES=$(nproc)
pdfcrack -f document.pdf -n $CORES -w wordlist.txt

# Enable GPU acceleration (if supported)
pdfcrack -f document.pdf --gpu -w wordlist.txt

Targeted Cracking

# Crack user password only (opens document)
pdfcrack -f document.pdf -w wordlist.txt -u

# Crack owner password only (permissions)
pdfcrack -f document.pdf -w wordlist.txt --owner

# Try both user and owner
pdfcrack -f document.pdf -w wordlist.txt

Session Management

# Resume previous session
pdfcrack -f document.pdf -w wordlist.txt --resume

# Save session for later
pdfcrack -f document.pdf -w wordlist.txt --session crack_session.sav

# Resume from saved session
pdfcrack -f document.pdf --session crack_session.sav --resume

Output and Verbosity

# Verbose output
pdfcrack -f document.pdf -v -w wordlist.txt

# Very verbose (debugging)
pdfcrack -f document.pdf -vv -w wordlist.txt

# Silent mode
pdfcrack -f document.pdf -q -w wordlist.txt

# Save output to file
pdfcrack -f document.pdf -w wordlist.txt > results.txt 2>&1

Security Level Detection

PDF Encryption Analysis

# Detect encryption level
pdfcrack -f document.pdf -l

# Get PDF information
pdfinfo document.pdf

# Identify encryption standard
strings document.pdf | grep -i encrypt

Encryption Types

# 40-bit encryption (oldest, fastest to crack)
pdfcrack -f weak_encryption.pdf -w wordlist.txt

# 128-bit encryption (standard, moderate difficulty)
pdfcrack -f standard_encryption.pdf -w wordlist.txt -n 8

# 256-bit AES encryption (strongest, most time-consuming)
pdfcrack -f strong_encryption.pdf -w wordlist.txt -n 16

Batch Operations

Process Multiple Files

#!/bin/bash
# Crack multiple PDFs

WORDLIST="wordlist.txt"
OUTPUT_DIR="cracked"
mkdir -p "$OUTPUT_DIR"

for pdf in *.pdf; do
    echo "Processing: $pdf"
    
    # Run pdfcrack
    result=$(pdfcrack -f "$pdf" -w "$WORDLIST" 2>&1)
    
    if echo "$result" | grep -q "found"; then
        echo "$pdf: $result" >> "$OUTPUT_DIR/results.txt"
        echo "Successfully cracked: $pdf"
    fi
done

Parallel Batch Cracking

#!/bin/bash
# Parallel processing of multiple PDFs

WORDLIST="wordlist.txt"
THREADS=$(nproc)
BATCH_SIZE=$((THREADS / 2))

find . -name "*.pdf" -type f | xargs -P $BATCH_SIZE -I {} \
    pdfcrack -f {} -w "$WORDLIST" -n 4

Performance Benchmarking

# Time the crack attempt
time pdfcrack -f document.pdf -w wordlist.txt

# Profile performance
pdfcrack -f document.pdf -w wordlist.txt --benchmark

# Estimate time to completion
# For brute force with progress tracking
pdfcrack -f document.pdf -c aAn -l 1 -L 8 --estimate

Wordlist Management

Creating Custom Wordlists

# Generate wordlist with crunch
crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789 > 6-8char.txt

# Generate with john
john --wordlist=/usr/share/wordlists/rockyou.txt --rules --stdout > rules.txt

# Combine multiple wordlists
cat dict1.txt dict2.txt dict3.txt | sort -u > combined.txt

# Extract words of specific length
cat wordlist.txt | awk 'length==8' > 8char.txt

Wordlist Optimization

# Remove duplicates
sort -u wordlist.txt > unique.txt

# Sort by frequency (most likely passwords first)
# Using external tool
head -n 100000 /usr/share/wordlists/rockyou.txt > top_passwords.txt

# Filter for password-like patterns
grep -E '^[a-zA-Z0-9_]{6,12}$' wordlist.txt > filtered.txt

Integration with Other Tools

Pre-Analysis with pdfinfo

# Get PDF details before cracking
pdfinfo encrypted.pdf

# Check encryption info
pdfinfo -enc encrypted.pdf

# Extract PDF metadata
pdftotext encrypted.pdf -

Combined Workflow

#!/bin/bash
# Complete PDF security assessment

PDF="$1"

echo "=== PDF Analysis ==="
pdfinfo "$PDF"

echo "=== Testing for default passwords ==="
pdfcrack -f "$PDF" -w common_passwords.txt

echo "=== Brute force attempts ==="
pdfcrack -f "$PDF" -c aAn -l 1 -L 6 -n 8

echo "=== Analysis complete ==="

Success Indicators

Recognizing Cracked Passwords

# Successful crack produces output like:
# User password: 'mypassword'
# Owner password: 'ownerpass'

# Extract password from output
pdfcrack -f document.pdf -w wordlist.txt | grep -oP "(?<=password: ').+(?=')"

# Verify by opening PDF
pdftotext -userPassword "password" document.pdf -

Troubleshooting

Common Issues

Slow Performance:

# Increase threads
pdfcrack -f document.pdf -n $(nproc) -w wordlist.txt

# Use optimized wordlist (most common first)
pdfcrack -f document.pdf -w top1000.txt

High Memory Usage:

# Process wordlist in chunks
split -l 1000000 wordlist.txt chunk_
for chunk in chunk_*; do
    pdfcrack -f document.pdf -w "$chunk"
done

Not Finding Password:

# Expand character set
pdfcrack -f document.pdf -s "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#\$%"

# Increase length attempts
pdfcrack -f document.pdf -c aAn -l 1 -L 12

# Try different encoding
pdfcrack -f document.pdf --charset utf-8

PDF Password Types

User Password

• Opens/displays the document
• Can be cracked with PDFCrack
• Most common target

Owner Password

• Controls permissions (printing, copying, editing)
• May differ from user password
• Also crackable with PDFCrack

Master Password

# Some PDFs use master passwords
pdfcrack -f document.pdf -w wordlist.txt --master

Security Considerations

Legal and Authorized Use

PDFCrack is for:

• Testing password strength of owned documents
• Incident response investigations
• Authorized penetration testing
• Security research with consent

Protection Measures

• Use strong passwords (12+ characters, mixed case, special chars)
• Consider 256-bit AES encryption
• Implement access controls
• Document password management policies

Performance Reference

Encryption Type	Typical Time (4 threads)	Character Set
40-bit	Minutes	6-char alphanumeric
128-bit	Hours	8-char alphanumeric
256-bit AES	Days+	10+ char mixed

Comparison with Alternatives

Tool	PDF Support	Speed	Features
PDFCrack	Yes	Fast	Dictionary, brute-force
John	Limited	Moderate	Rules, wordlists
Hashcat	No native	N/A	GPU-focused
Qpdf	Limited	N/A	Analysis only

Resources

• Official Repository: https://github.com/elceef/pdfcrack
• Wordlists: /usr/share/wordlists/ (Kali Linux)
• PDF Security Standards: ISO 32000-1