Didier Stevens

Wednesday 15 April 2015

PDF Password Cracking With John The Ripper

Filed under: Encryption,PDF — Didier Stevens @ 0:00

I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows.

It’s not difficult.

Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page.

Decompress this version.

Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows binaries, ZIP, 3845 KB).

Extract file cyggcc_s-1.dll from the previous jumbo edition, and copy it to folder John-the-Ripper-v1.8.0-jumbo-1-Win-32\run.

Generate the hash for the password protected PDF file (I’m using my ex020.pdf exercise file) and store it in a file (pdf2john.py is a Python program, so you need to have Python installed):

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\pdf2john.py ex020.pdf > ex020.hash

Start John The Ripper:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe ex020.hash

Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/32])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret           (ex020.pdf)
1g 0:00:00:00 DONE 2/3 (2015-03-29 22:39) 10.20g/s 125071p/s 125071c/s 125071C/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed

By starting John The Ripper without any options, it will first run in single crack mode and then in wordlist mode until it finds the password (secret).

But you can also provide your own wordlists (with option –wordlist) and use rules (option –rules) or work in incremental mode (–incremental).


  1. I tried that on linux and after i ran pdf2john and tried to run john on the hash file i got a “No password hashes loaded” message.

    Comment by Anonymous — Wednesday 15 April 2015 @ 16:12

  2. I’ve used it too on Linux with no problem. Can you share the content of your hash file?

    Comment by Didier Stevens — Wednesday 15 April 2015 @ 19:03

  3. […] Łamanie haseł plików PDF przy użyciu Johna the Rippera […]

    Pingback by Weekendowa Lektura 2015-04-17. Zapraszamy do lektury | Zaufana Trzecia Strona — Friday 17 April 2015 @ 18:45

  4. i get this erorr
    C:\hashcat-2.00\john\run>pdf2john.py 40.pdf
    Traceback (most recent call last):
    File “C:\hashcat-2.00\john\run\pdf2john.py”, line 318, in
    filename = sys.argv[j].decode(‘UTF-8’)
    AttributeError: ‘str’ object has no attribute ‘decode’

    Comment by mmfsh — Wednesday 18 May 2016 @ 10:18

  5. What version of Python are you using?

    Comment by Didier Stevens — Wednesday 18 May 2016 @ 10:55

  6. Python 3.3 and my pdf in arabic language

    Comment by mmfsh — Wednesday 18 May 2016 @ 12:05

  7. Try Python 2

    Comment by Didier Stevens — Wednesday 18 May 2016 @ 12:06

  8. is this version Python 2.7.11 correct

    Comment by mmfsh — Wednesday 18 May 2016 @ 12:10

  9. That’s what I used.

    Comment by Didier Stevens — Wednesday 18 May 2016 @ 12:11

  10. […] written some blog posts about decrypting PDFs, but because we need to perform a brute-force attack here (it’s a short […]

    Pingback by Cracking Encrypted PDFs – Part 1 | Didier Stevens — Tuesday 26 December 2017 @ 17:16

  11. […] I showed how this can be done with free, open source tools: Hashcat and John the Ripper. But although I could recover the encryption key using Hashcat, I still had to use a commercial […]

    Pingback by Cracking Encrypted PDFs – Conclusion | Didier Stevens — Friday 29 December 2017 @ 0:00

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: