September 21, 2011, at 04:50 PM

PDF Password Brute Force

So I was sent a PDF file which was “protected” by a password, which was supposed to be my date of birth in ddmmyyyy format. But that didn’t work, even when I tried various variants of it. I even installed Adobe Reader in case it was some proprietary nonsense (Chrome is my PDF viewer these days). So I emailed them to see what was up.

However, I couldn’t help also wondering whether I could brute-force the password. If it was a typo then I would have a search space of 1,000,000,000 possibilities (assuming an extra character as part of the typo, and digits only). If they’d just used someone else’s date of birth, the size is a lot lower, more so if I assume a reasonable range of years.

So I came up with this (or rather, an uglier variant):

@echo off
setlocal enabledelayedexpansion
for /l %%y in (1970,1,1990) do for /l %%m in (1,1,12) do for /l %%d in (1,1,31) do (
  set pw=0%%m%%y
  set pw=0%%d!pw:~-6!
  set pw=!pw:~-8!
  pdftotext -q -upw !pw! %1
  if not errorlevel 1 goto :foundit
)
goto :eof

:foundit
echo Password is %pw%

It does a bit of unnecessary checking of impossible dates (31st February, for example) but it found the answer for me in about 15s.

(pdftotext is part of xpdf, which is an awesome tool for manipulating PDF files into not-PDF files.)

So I emailed them again to suggest that their security is rubbish, and I didn’t need that new file after all... it’d be nice to imagine they’ll do something about it, but I don’t have much hope...