Didier Stevens

Wednesday 15 April 2015

PDF Password Cracking With John The Ripper

Filed under: Encryption,PDF — Didier Stevens @ 0:00

I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows.

It’s not difficult.

Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page.

Decompress this version.

Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB).

Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run.

Generate the hash for the password protected PDF file (I’m using my ex020.pdf exercise file) and store it in a file (pdf2john.py is a Python program, so you need to have Python installed):

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\pdf2john.py ex020.pdf > ex020.hash

Start John The Ripper:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe ex020.hash

Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/32])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret           (ex020.pdf)
1g 0:00:00:00 DONE 2/3 (2015-03-29 22:39) 10.20g/s 125071p/s 125071c/s 125071C/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed

By starting John The Ripper without any options, it will first run in single crack mode and then in wordlist mode until it finds the password (secret).

But you can also provide your own wordlists (with option –wordlist) and use rules (option –rules) or work in incremental mode (–incremental).


  1. I tried that on linux and after i ran pdf2john and tried to run john on the hash file i got a “No password hashes loaded” message.

    Comment by Anonymous — Wednesday 15 April 2015 @ 16:12

  2. I’ve used it too on Linux with no problem. Can you share the content of your hash file?

    Comment by Didier Stevens — Wednesday 15 April 2015 @ 19:03

  3. […] Łamanie haseł plików PDF przy użyciu Johna the Rippera […]

    Pingback by Weekendowa Lektura 2015-04-17. Zapraszamy do lektury | Zaufana Trzecia Strona — Friday 17 April 2015 @ 18:45

  4. i get this erorr
    C:\hashcat-2.00\john\run>pdf2john.py 40.pdf
    Traceback (most recent call last):
    File “C:\hashcat-2.00\john\run\pdf2john.py”, line 318, in
    filename = sys.argv[j].decode(‘UTF-8’)
    AttributeError: ‘str’ object has no attribute ‘decode’

    Comment by mmfsh — Wednesday 18 May 2016 @ 10:18

  5. What version of Python are you using?

    Comment by Didier Stevens — Wednesday 18 May 2016 @ 10:55

  6. Python 3.3 and my pdf in arabic language

    Comment by mmfsh — Wednesday 18 May 2016 @ 12:05

  7. Try Python 2

    Comment by Didier Stevens — Wednesday 18 May 2016 @ 12:06

  8. is this version Python 2.7.11 correct

    Comment by mmfsh — Wednesday 18 May 2016 @ 12:10

  9. That’s what I used.

    Comment by Didier Stevens — Wednesday 18 May 2016 @ 12:11

  10. […] written some blog posts about decrypting PDFs, but because we need to perform a brute-force attack here (it’s a short […]

    Pingback by Cracking Encrypted PDFs – Part 1 | Didier Stevens — Tuesday 26 December 2017 @ 17:16

  11. […] I showed how this can be done with free, open source tools: Hashcat and John the Ripper. But although I could recover the encryption key using Hashcat, I still had to use a commercial […]

    Pingback by Cracking Encrypted PDFs – Conclusion | Didier Stevens — Friday 29 December 2017 @ 0:00

  12. I’ve used in Linux and is working fine, just taking some time, but checked the status and it is working…

    Comment by 0micr0n — Thursday 19 April 2018 @ 8:53

  13. When I try to do
    John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe 180420.hash(myfile name)

    it shows: No password hashes loaded (see FAQ)

    My python is 3.6, and the hash code is:

    Could you help me ? Thank you

    Comment by jin — Monday 23 April 2018 @ 8:56

  14. Use the Perl program, that’s the latest.

    Comment by Didier Stevens — Monday 23 April 2018 @ 13:53

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.