Cracking a password-protected PDF in seconds – PZU and their illusory protection. NN Investment Partners also repeats these bad practices.

The illusion of security is worse than the awareness of its absence, because it leads to decisions made on false premises. Statements from institutions of public trust, such as “We protect your personal data”, often create exactly this illusion. Let’s study two examples of it using password-protected PDF files.

1. I received an email from PZU with an insurance offer, emphasizing “We protect personal data”:

[Screenshot: PZU email with the password-protected PDF attachment]

2. The attachment was a PDF file protected by a password:

[Screenshot: password prompt for the PDF attachment]

3. Let’s assume I don’t know the password. I do know from the email, however, that it consists of 4 digits. Let’s check how long it takes to crack it on a modern home computer.

4. Opening the PDF in a text editor (e.g., Notepad) reveals the file header, which tells us which version of the standard the file was created with:

[Screenshot: file header showing %PDF-1.4]

As the string “%PDF-1.4” shows, the file uses PDF 1.4, a format that is more than 20 years old.

5. The next step is to extract the password hash we want to crack. Here, the tool pdf2john.py comes in handy.

[Screenshot: password hash extracted with pdf2john.py]

6. To crack the extracted hash, we will use hashcat in brute-force mode. The option “-m 10500” selects the hash type for PDF files in versions 1.4-1.6:

The file hash.txt contains the previously extracted password hash. The option “-a 3” selects the brute-force (mask) attack with the mask ?d?d?d?d, where each ?d stands for one digit from 0-9.

[Screenshot: hashcat command line]

As seen below, cracking a four-digit password took 10 seconds:

[Screenshot: hashcat output, password cracked in 10 seconds]

Therefore, it can be confidently stated that a 4-digit password is a type of illusory protection and does not secure personal data.

Next, let’s examine the “secured” PDF from NN Investment Partners.

1. Here, it was “protected” with a slightly longer string of characters — the PESEL number (the Polish national identification number):

[Screenshot: NN Investment Partners email with the PESEL-protected PDF]

2. The file header of the attachment, “%PDF-1.2”, indicates that the file was created using the 1996 version of the standard:

[Screenshot: file header showing %PDF-1.2]

3. The extracted password hash indicates the same:

[Screenshot: password hash extracted with pdf2john.py]

4. We run a “brute” brute force with hashcat: “brute” because, apart from the fact that a PESEL is an 11-digit number, we make no further assumptions that would reduce the number of possible combinations:

[Screenshot: hashcat command line with an 11-digit mask]

This time cracking the password took 64 seconds. Again, we have shown that an 11-digit password is no protection and is another example of the illusion of security.

[Screenshot: hashcat output, password cracked in 64 seconds]

What to do, how to live?

To encrypt data, long passwords should be used — over 12 characters, drawn from a large character space, i.e., containing uppercase and lowercase letters, digits, and special characters. Such a password should be sent to the client through a second communication channel, such as SMS. Additionally, institutions should use strong encryption schemes that significantly slow down brute-force attempts. One example is a 7-Zip archive encrypted with AES-256.
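As an added example (not code from the original post), a short Python audit that does what step 4 did by hand, reading the %PDF header and the /Encrypt dictionary to flag the legacy RC4/MD5 scheme, and then sizes the three password policies discussed here against a guess rate derived from the 64-second result. The sample PDF fragment and the rate are constructed assumptions, not data from the real files.

```python
import re
from typing import Optional

# Constructed sample (not a real PZU or NN file): PDF 1.4, Standard security handler revision 3 (128-bit RC4).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 "
    b"/O <00> /U <00> >> endobj\ntrailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)

# Assumed guess rate, approximated from the post: 10**11 PESEL candidates exhausted in 64 s on a home PC.
OBSERVED_RATE = 10**11 / 64


def pdf_version(data: bytes) -> Optional[str]:
    """Read the %PDF-x.y header (what step 4 does in Notepad); None if it is missing."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    return m.group(1).decode() if m else None


def encryption_params(data: bytes) -> Optional[dict]:
    """Return /V, /R and /Length from the Standard security handler, or None if unencrypted."""
    m = re.search(rb"/Filter\s*/Standard(.*?)>>", data, re.S)
    if not m:
        return None
    params = {}
    for key in ("V", "R", "Length"):
        km = re.search(rb"/" + key.encode() + rb"\s+(-?\d+)", m.group(1))
        if km:
            params[key] = int(km.group(1))
    return params


def classify(params: Optional[dict]) -> str:
    """Judge the password-to-key derivation from the security handler revision /R."""
    if params is None:
        return "not encrypted"
    r = params.get("R", 0)
    if r <= 4:
        # R2-R4 (PDF 1.1-1.6): RC4 or AES-128 keyed by an MD5-based algorithm, the scheme hashcat cracks above.
        return f"legacy R{r}: fast to brute-force"
    return f"AES-256 R{r}"  # R5 (single SHA-256) is still fast to guess; R6 iterates the hash


def years_to_exhaust(charset_size: int, length: int, rate: float = OBSERVED_RATE) -> float:
    """Worst-case time to try every password of a given policy at `rate` guesses per second."""
    return charset_size ** length / rate / (365 * 24 * 3600)


def compare_policies(rate: float = OBSERVED_RATE) -> dict:
    """Years to exhaust the three policies the post discusses, at the assumed rate."""
    policies = (("4 digits", 10, 4), ("PESEL, 11 digits", 10, 11), ("12 chars, 95-symbol set", 95, 12))
    return {label: years_to_exhaust(cs, n, rate) for label, cs, n in policies}
```

At the assumed rate the 12-character policy needs on the order of ten million years to exhaust, while both digit-only policies fall in well under a minute.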
