I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows.
It’s not difficult.
Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page.
Decompress this version.
Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB).
Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run.
Generate the hash for the password protected PDF file (I’m using my ex020.pdf exercise file) and store it in a file (pdf2john.py is a Python program, so you need to have Python installed):
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\pdf2john.py ex020.pdf > ex020.hash
Start John The Ripper:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe ex020.hash
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/32]) Will run 8 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status secret (ex020.pdf) 1g 0:00:00:00 DONE 2/3 (2015-03-29 22:39) 10.20g/s 125071p/s 125071c/s 125071C/s 123456..crawford Use the "--show" option to display all of the cracked passwords reliably Session completed
By starting John The Ripper without any options, it will first run in single crack mode and then in wordlist mode until it finds the password (secret).
But you can also provide your own wordlists (with option –wordlist) and use rules (option –rules) or work in incremental mode (–incremental).
Didier Stevens 
I tried that on linux and after i ran pdf2john and tried to run john on the hash file i got a “No password hashes loaded” message.
Comment by Anonymous — Wednesday 15 April 2015 @ 16:12
I’ve used it too on Linux with no problem. Can you share the content of your hash file?
Comment by Didier Stevens — Wednesday 15 April 2015 @ 19:03
[…] Łamanie haseł plików PDF przy użyciu Johna the Rippera […]
Pingback by Weekendowa Lektura 2015-04-17. Zapraszamy do lektury | Zaufana Trzecia Strona — Friday 17 April 2015 @ 18:45
i get this erorr
C:\hashcat-2.00\john\run>pdf2john.py 40.pdf
Traceback (most recent call last):
File “C:\hashcat-2.00\john\run\pdf2john.py”, line 318, in
filename = sys.argv[j].decode(‘UTF-8’)
AttributeError: ‘str’ object has no attribute ‘decode’
Comment by mmfsh — Wednesday 18 May 2016 @ 10:18
What version of Python are you using?
Comment by Didier Stevens — Wednesday 18 May 2016 @ 10:55
Python 3.3 and my pdf in arabic language
Comment by mmfsh — Wednesday 18 May 2016 @ 12:05
Try Python 2
Comment by Didier Stevens — Wednesday 18 May 2016 @ 12:06
is this version Python 2.7.11 correct
Comment by mmfsh — Wednesday 18 May 2016 @ 12:10
That’s what I used.
Comment by Didier Stevens — Wednesday 18 May 2016 @ 12:11
[…] written some blog posts about decrypting PDFs, but because we need to perform a brute-force attack here (it’s a short […]
Pingback by Cracking Encrypted PDFs – Part 1 | Didier Stevens — Tuesday 26 December 2017 @ 17:16
[…] I showed how this can be done with free, open source tools: Hashcat and John the Ripper. But although I could recover the encryption key using Hashcat, I still had to use a commercial […]
Pingback by Cracking Encrypted PDFs – Conclusion | Didier Stevens — Friday 29 December 2017 @ 0:00
I’ve used in Linux and is working fine, just taking some time, but checked the status and it is working…
Comment by 0micr0n — Thursday 19 April 2018 @ 8:53
When I try to do
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe 180420.hash(myfile name)
it shows: No password hashes loaded (see FAQ)
My python is 3.6, and the hash code is:
b’180420.pdf’:b’$pdf$1*2*40*-60*1*16*b031e633f8bffa771528059890d5f8b4*32*4ee68ecbeb7f85e50007f3f18e9a72b1bf8a1e7f6026a5489468ecae638af94b*32*07655258577387f78dfcf4faf64de93ab8283ecd6cefd0d632efbb1558edeab2′:::::b’180420.pdf’
Could you help me ? Thank you
Comment by jin — Monday 23 April 2018 @ 8:56
Use the Perl program, that’s the latest.
Comment by Didier Stevens — Monday 23 April 2018 @ 13:53