pdfcrack

One-liner: Command-line tool for cracking password-protected PDF files using brute-force or dictionary attacks.

🎯 What Is It?

pdfcrack is a lightweight, CPU-based PDF password cracker for Linux/Unix. It supports both user passwords (viewing) and owner passwords (editing restrictions). Commonly used in CTFs, forensics, and document recovery.

🛠️ Installation

# Debian/Ubuntu
sudo apt install pdfcrack

# Kali Linux (pre-installed)
pdfcrack --help

🔐 PDF Password Types

1. User Password

Prevents opening/viewing the PDF.

Prompt: "This document requires a password to open"

2. Owner Password

Allows viewing but restricts editing, printing, copying.

PDF opens, but can't print or copy text

pdfcrack can crack both types.

💻 Usage

Basic Syntax

pdfcrack [options] -f <pdf_file>

Dictionary Attack

# Crack with wordlist
pdfcrack -f protected.pdf -w /usr/share/wordlists/rockyou.txt

Options:
  -f : Specify PDF file
  -w : Wordlist file

Brute-Force Attack

# Default brute-force (charset a-z, A-Z, 0-9; lengths 0-32)
pdfcrack -f protected.pdf

# Specify min/max password length
pdfcrack -f protected.pdf --minpw=6 --maxpw=8

# Specify character set
pdfcrack -f protected.pdf --charset=abcdefghijklmnopqrstuvwxyz

Options:
  --minpw : Minimum password length
  --maxpw : Maximum password length
  --charset : Custom character set

Specify Password Type

# Crack user password (default)
pdfcrack -f protected.pdf -u

# Crack owner password
pdfcrack -f protected.pdf -o

Options:
  -u : User password mode
  -o : Owner password mode

Save/Resume Progress

# Progress is written to savedstate.sav automatically when the run is interrupted (Ctrl-C)
pdfcrack -f protected.pdf

# Resume from the saved state
pdfcrack -f protected.pdf --loadState=savedstate.sav

💡 Examples

Example 1: Dictionary Attack

pdfcrack -f confidential.pdf -w /usr/share/wordlists/rockyou.txt

OUTPUT:
Reading and initializing PDF data...
User password: "sunshine123"

Example 2: Brute-Force (Lowercase, 6-8 chars)

pdfcrack -f document.pdf --charset=abcdefghijklmnopqrstuvwxyz --minpw=6 --maxpw=8

Example 3: Owner Password

# Crack owner password (printing restrictions)
pdfcrack -f restricted.pdf -o -w wordlist.txt

OUTPUT:
Owner password: "editpass"

Example 4: Resume Long Cracking Session

# Start; interrupting with Ctrl-C writes savedstate.sav
pdfcrack -f large.pdf

# Resume later
pdfcrack -f large.pdf --loadState=savedstate.sav

⚡ Performance

Speed

Dictionary (rockyou.txt):
  ~14M passwords in 2-5 minutes

Brute-force (lowercase, 6 chars):
  ~308M combinations in several hours

Brute-force (alphanumeric, 8 chars):
  Impractical without GPU acceleration

Tips for Faster Cracking

  1. Use Dictionary First

    pdfcrack -f doc.pdf -w rockyou.txt
    
  2. Limit Character Set

    # If you know password is lowercase only
    pdfcrack -f doc.pdf --charset=abcdefghijklmnopqrstuvwxyz
    
  3. Limit Length Range

    # If you know password is 6-8 characters
    pdfcrack -f doc.pdf --minpw=6 --maxpw=8
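
The arithmetic behind the speed figures and the charset/length tips above, as an added example (not part of the original note or of pdfcrack itself): it counts the candidates a given --charset/--minpw/--maxpw combination covers and the worst-case time to exhaust them. The 50,000 candidates/second default is an assumption; measure your own CPU with pdfcrack --bench and pass that rate instead.

```python
import string

ASSUMED_RATE = 50_000  # candidates/second; an assumption, not a pdfcrack figure

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]


def keyspace(charset: str, minpw: int, maxpw: int) -> int:
    """Distinct candidates covered by --charset with lengths minpw..maxpw."""
    if minpw < 0 or maxpw < minpw:
        raise ValueError("need 0 <= minpw <= maxpw")
    n = len(set(charset))  # count each character once
    return sum(n ** length for length in range(minpw, maxpw + 1))


def worst_case_seconds(charset, minpw, maxpw, rate=ASSUMED_RATE):
    """Time to exhaust the whole keyspace at `rate` candidates per second."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return keyspace(charset, minpw, maxpw) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    lower = string.ascii_lowercase
    alnum = string.ascii_letters + string.digits
    # Scenarios from the Performance section, plus a longer password for contrast.
    scenarios = [
        ("lowercase, 6 chars", lower, 6, 6),
        ("lowercase, 6-8 chars", lower, 6, 8),
        ("alphanumeric, 8 chars", alnum, 8, 8),
        ("alphanumeric, 12 chars", alnum, 12, 12),
    ]
    for label, charset, lo, hi in scenarios:
        total = keyspace(charset, lo, hi)
        eta = human(worst_case_seconds(charset, lo, hi))
        print(f"{label:<24} {total:>24,} candidates  worst case {eta}")
```

Each added character multiplies the keyspace by the charset size, which is why the length range matters more than any other setting, both when estimating a recovery job and when choosing a password for a document you need to protect.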
    

🔗 Alternative Tools

Tool             Speed        Notes
pdfcrack         Slow (CPU)   Simple, free
John the Ripper  Medium       More features
hashcat          Fast (GPU)   Requires hash extraction
Passware         Very Fast    Commercial, expensive

John the Ripper Alternative

# Extract hash
pdf2john protected.pdf > hash.txt

# Crack
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# Show result
john --show hash.txt

⚠️ Limitations

1. Speed

2. Encryption Strength

3. No Guaranteed Success

💡 CTF Use Case

# CTF Challenge: flag.pdf (password-protected)
pdfcrack -f flag.pdf -w /usr/share/wordlists/rockyou.txt

OUTPUT:
User password: "ctf{password_cracking_101}"

# Open PDF
evince flag.pdf
# Enter password: ctf{password_cracking_101}
# Flag obtained!

🎤 Interview Context

Scenario: "You found a password-protected PDF in a forensic investigation. How do you analyze it?"

STAR Example:
Situation: Discovered invoice.pdf on compromised system.
Task: Crack password to examine contents.
Action: