Friday, June 23, 2023

open a password protected PDF when the password is not completely known

There was an interest statement from SBI for NK in his email. The name in the email was correct, and it was from cbssbi.info@alerts.sbi.co.in, so it was assumed to be genuine. NK thought he did not have any SBI account, so we needed to check the statement. The statement was supposed to be protected with the last 5 digits of the phone number followed by the date of birth in DDMMYY format. But no combination of the phone numbers and dates of birth we tried would open it.

Looking for tools to brute-force it, after many false starts with "free" offerings that turn out to be limited to 3-character passwords(!), finally landed on John the Ripper.

Just running it with the default settings was bound not to work, since the default wordlist did not contain the particular kind of numbers we wanted to check. Brute-forcing with an 11-digit mask showed an ETA of about a week. So, after some googling, found this nice post detailing how to customize JtR runs. The final steps were:

sudo apt-get install libssl-dev
git clone https://github.com/magnumripper/JohnTheRipper.git
cd ./JohnTheRipper/src
./configure && make
cd
JohnTheRipper/run/pdf2john.pl pdf_protected.pdf > pdf.hash

# created a file mywordlist with all relevant phone numbers (last 5 digits of each)
# created a file john-local.conf with the following contents
[List.Rules:myrule]
# append all possible dates DDMMYY: $X appends one character, [..] is a character
# class, so the preprocessor expands this one line into 4*10*2*10*10*10 = 80,000 rules
: $[0-3]$[0-9]$[0-1]$[0-9]$[0-9]$[0-9]

Then ran (the first command only expands the wordlist through the rule and writes the candidates to a file; the second does the actual cracking)
JohnTheRipper/run/john --conf=john-local.conf --wordlist=mywordlist --stdout --rules:myrule >longlist
JohnTheRipper/run/john  pdf.hash --wordlist=longlist

and Hey Presto!

Instead of a week to brute-force 11 digits, the result was ready in less than a second: a handful of phone numbers times 80,000 date suffixes is a tiny fraction of the 10^11 candidates the mask would have had to try.
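As an added example, not from the original post: the same keyspace reduction done in Python instead of a JtR rule, plus a pure-Python version of the check john performs for each candidate. The generator only emits DDMMYY strings for days that actually exist (about 36,500 per phone number over a 100-year window, against 80,000 for the character-class rule above), and write_wordlist() produces a file that can replace the --stdout/--rules step and be fed straight to john --wordlist. The password check implements the PDF standard security handler for revision 2 (40-bit RC4) only; the author's statement may well use a later revision or AES, which john handles but which are left out here for brevity. The /O, /U, /P and /ID values are constructed in the block from a made-up password, and the phone numbers are invented; none of it comes from the author's document.

```python
"""Added example: calendar-aware candidate generation for <last 5 phone
digits><DDMMYY> passwords, and a revision-2 (40-bit RC4) PDF user-password
check. Sample PDF parameters and phone numbers are constructed, not real."""
import hashlib
import struct
from datetime import date, timedelta

# Padding string from the PDF spec (standard security handler, Algorithm 2).
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
    0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
    0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])


def candidates(phones, first_year, last_year):
    """Yield '<last 5 digits><DDMMYY>' for every real calendar day in
    [first_year, last_year] (keep the span <= 100 years, two-digit years wrap),
    for each phone number in turn."""
    day, end, suffixes = date(first_year, 1, 1), date(last_year, 12, 31), []
    while day <= end:
        suffixes.append(day.strftime("%d%m%y"))
        day += timedelta(days=1)
    for phone in phones:
        digits = "".join(ch for ch in phone if ch.isdigit())
        for suffix in suffixes:
            yield digits[-5:] + suffix


def write_wordlist(path, phones, first_year, last_year):
    """Write the candidates to a file usable with: john pdf.hash --wordlist=path"""
    n = 0
    with open(path, "w") as fh:
        for cand in candidates(phones, first_year, last_year):
            fh.write(cand + "\n")
            n += 1
    return n


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA), here only because the PDF format needs it."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw):
    return (pw.encode("latin-1") + PAD)[:32]


def r2_key(user_pw, o_entry, p_entry, doc_id0):
    """Algorithm 2, /R 2: MD5(padded pw || /O || /P as LE int32 || ID[0])[:5]."""
    h = hashlib.md5(pad_password(user_pw) + o_entry + struct.pack("<i", p_entry) + doc_id0)
    return h.digest()[:5]


def r2_u_entry(user_pw, o_entry, p_entry, doc_id0):
    """Algorithm 4, /R 2: /U = RC4(key, PAD). This is what a candidate must reproduce."""
    return rc4(r2_key(user_pw, o_entry, p_entry, doc_id0), PAD)


def r2_o_entry(owner_pw, user_pw):
    """Algorithm 3, /R 2: /O = RC4(MD5(padded owner pw)[:5], padded user pw)."""
    return rc4(hashlib.md5(pad_password(owner_pw)).digest()[:5], pad_password(user_pw))


def crack(doc, phones, first_year, last_year):
    """Algorithm 6: recompute /U from each candidate and compare with the stored value.
    One MD5 and one RC4 per candidate is why a small structured list is so fast."""
    for cand in candidates(phones, first_year, last_year):
        if r2_u_entry(cand, doc["O"], doc["P"], doc["ID0"]) == doc["U"]:
            return cand
    return None


# Constructed sample "document": phone ending 54321, date of birth 15 June 1990.
SECRET = "54321" + "150690"
SAMPLE_DOC = {"P": -3904, "ID0": bytes.fromhex("0123456789abcdef0123456789abcdef")}
SAMPLE_DOC["O"] = r2_o_entry("owner-secret", SECRET)
SAMPLE_DOC["U"] = r2_u_entry(SECRET, SAMPLE_DOC["O"], SAMPLE_DOC["P"], SAMPLE_DOC["ID0"])

if __name__ == "__main__":
    print("recovered:", crack(SAMPLE_DOC, ["+91 91234 56789", "9876554321"], 1985, 1995))
```

For a real statement the /O, /U, /P and /ID values are exactly the fields pdf2john.pl extracts into pdf.hash, so write_wordlist() is the only part you need when john does the checking; the rest is here to show what each candidate costs and why the mask attack's 10^11 candidates are the wrong tool for a password with this much known structure.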
