Tuesday, May 27, 2014

Cracking a PDF from a Nigerian Bank.

I have recently been getting lots of legitimate emails from companies that are using my email address for someone who isn't me, which shows that these companies aren't verifying email addresses before adding them to their mailing lists. They include:

  • Skype (really Microsoft...still?)
  • Zara
  • Telstra
  • 100s of Loan companies.

The last one should make you smile at least; it did me. Looking at it, you would assume it was spam... but no, looking at all the emails, it seems someone had actually signed up and used my email address to do it. THANKS.

I therefore emailed their customer services to see about them removing my email and closing their account. They replied (I then checked the email headers from the customer support reply and from the account emails, and they matched, proving it was a legitimate email). One of the emails contained a PDF that was password protected with the account number of the person who had signed up with my email, so I didn't have it. Being the inquisitive person I am, I thought I'd see if there was an online tool that could do it for me, but they all said they could remove the password... if you knew it. Which is fair enough. I was not OK with this; I wanted to identify the person so I could find them and email them to tell them that my email address isn't theirs. So I found pdfcrack.

I downloaded it and ran it against the pdf, using the default options.

pdfcrack "account.pdf"

The problem was that it wasn't using the correct number of characters: it was going through all combinations of characters from length 0 to n, whereas I actually knew how long the password was... they told us in the email, where they had replaced some of the digits with *. Thanks, Bank. Counting it all, there are 10 characters in "001*****83". Running pdfcrack on its own shows you the arguments it accepts.
Usage: pdfcrack -f filename [OPTIONS]
-b, --bench             perform benchmark and exit
-c, --charset=STRING    Use the characters in STRING as charset
-w, --wordlist=FILE     Use FILE as source of passwords to try
-n, --minpw=INTEGER     Skip trying passwords shorter than this
-m, --maxpw=INTEGER     Stop when reaching this passwordlength
-l, --loadState=FILE    Continue from the state saved in FILENAME
-o, --owner             Work with the ownerpassword
-u, --user              Work with the userpassword (default)
-p, --password=STRING   Give userpassword to speed up breaking
                        ownerpassword (implies -o)
-q, --quiet             Run quietly
-s, --permutate         Try permutating the passwords (currently only
                        supports switching first character to uppercase)
-v, --version           Print version and exit

So from this I can set the charset to the account number's characters (0-9) and the min/max length of the password (10).

pdfcrack -c 0123456789 -n 10 -m 10 "account.pdf"

This will then start trying all the passwords, but it would still take far too long for me. Going back to the email, though, I know the start and the end of the string. This means I can generate a dictionary of all possible combinations of the account number, which will make pdfcrack a little faster. By googling "number list generator" I found this site.


I set up my options like this to generate the numbers with zero padding, prefixing the start of the account number and suffixing the end of it, and saving the file once it was done.

I then saved the file as output.txt and updated the pdfcrack command to use this dictionary, which it calls a wordlist in its options.
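As an added example (not part of the original post, and not the number-list website the author used), here is a small Python script that does the same job offline: it expands the mask the bank printed, "001*****83", into every candidate and writes them one per line, which is the format pdfcrack's -w wordlist option reads. It also reports how much the masking shrinks the search space, which is the point anyone deciding what to print in a customer email should take away: five unknown digits leave 100,000 candidates, against 10 billion for the full ten. The mask and the output filename come from the post; the function names and the generic mask handling (any charset, any number of masked positions) are my own.

```python
import itertools
import string

DIGITS = string.digits

# The masked account number exactly as quoted in the bank's email (from the post).
BANK_MASK = "001*****83"


def keyspace_size(mask: str, charset: str = DIGITS) -> int:
    """Number of candidate passwords the mask leaves open: |charset| ** (masked positions)."""
    return len(charset) ** mask.count("*")


def mask_candidates(mask: str, charset: str = DIGITS):
    """Yield every string matching the mask, with the unknown positions counting up
    in lexicographic order (first candidate is all-'0', last is all-'9' for digits)."""
    positions = [i for i, ch in enumerate(mask) if ch == "*"]
    template = list(mask)
    for combo in itertools.product(charset, repeat=len(positions)):
        for pos, ch in zip(positions, combo):
            template[pos] = ch
        yield "".join(template)


def write_wordlist(mask: str, path: str, charset: str = DIGITS) -> int:
    """Write one candidate per line (what pdfcrack -w expects) and return the line count."""
    count = 0
    with open(path, "w") as fh:
        for candidate in mask_candidates(mask, charset):
            fh.write(candidate + "\n")
            count += 1
    return count


def masking_report(mask: str, charset: str = DIGITS) -> dict:
    """How much the leaked digits reduce the search: full length vs. only the masked positions."""
    full = len(charset) ** len(mask)
    partial = keyspace_size(mask, charset)
    return {"full_keyspace": full, "masked_keyspace": partial, "reduction_factor": full // partial}


if __name__ == "__main__":
    # Same file name the post feeds to `pdfcrack -w output.txt "account.pdf"`.
    n = write_wordlist(BANK_MASK, "output.txt")
    print(f"wrote {n} candidates to output.txt")
    print(masking_report(BANK_MASK))
```

The report for "001*****83" shows a reduction factor of 100,000: printing seven of ten digits in an email turns a ten-digit secret into a five-digit one. The same function works for alphanumeric references by passing a different charset.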

pdfcrack -w output.txt "account.pdf"

This took 3 seconds to find the password on my box. I think pdfcrack doesn't support multi-core threading, so that was pretty fast. Here is the output.

PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -1852
Length: 128
Encrypted Metadata: True
FileID: e620bf3e3b2adfc0b842251b2e43778f
U: 69f457abbb40358fb69b6f75f2c258ac6162636465666768696a6b6c6d6e6f70
O: db0a102b17407083e77f5bbe9d11ff416d81f0f437ef8a6cda83964c51ae4e5d
found user-password: '0019999983'

Here is a screenshot of the pdf opened with the sensitive information hidden; note the phrase at the bottom, "Big, Strong, Reliable"... Alanis Morissette would be proud of that.

Emmanuel Sarki,
S.D.A. Church Kadamo Jengre Bassa L.G.C.

Since Mr Sarki is currently a footballer playing in Poland... http://en.wikipedia.org/wiki/Emmanuel_Sarki I think it is probably fake, with the church being one of the random scammers who want money, but who knows.

I did this post to show companies that if you don't verify emails and you send details with enough information that can be gleaned, it would be easy to steal from your customers. After emailing them numerous times to tell them of their error, I resorted to adding money to my Skype account and calling their customer service. They assured me they'd stop (they didn't). I rang again with the account number from the PDF, and only then were they able to stop the emails, not until I'd found out everything I'd need to.

Steps to stop this:

  1. Ask your user for their email
  2. Ask to validate it by entering it again
  3. Email them a verification link
  4. User clicks the link in the email
  5. Create account
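As an added example (my own code, not from the post or from any of the companies named), here is an in-memory Python model of those five steps with the details that make them work: the address is typed twice and compared, the verification link carries a random single-use token, only a hash of the token is stored, the link expires, and no account exists until the link is followed. The domain, the 24-hour lifetime and the class and function names are assumptions for the illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: verification links live for one day


class SignupService:
    """Verify-before-create signup: an account is only created once the link is clicked."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending = {}      # sha256(token) -> (email, expires_at)
        self._accounts = set()  # addresses that completed verification
        self.outbox = []        # (email, link) a real system would hand to the mailer

    def start_signup(self, email: str, email_again: str) -> None:
        # Steps 1-2: ask for the address and ask for it again; refuse on mismatch.
        email = email.strip().lower()
        if email != email_again.strip().lower():
            raise ValueError("email addresses do not match")
        if "@" not in email:
            raise ValueError("not an email address")
        # Step 3: unguessable token; only its hash is kept, so a leaked pending table
        # cannot be turned into working verification links.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"https://example.invalid/verify?token={token}"))

    def verify(self, token: str) -> Optional[str]:
        # Step 4: the link is clicked. The entry is popped so the token is single-use.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        # Step 5: only now does the account exist.
        self._accounts.add(email)
        return email

    def has_account(self, email: str) -> bool:
        return email.strip().lower() in self._accounts

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def run_demo() -> dict:
    """Exercise the flow with a controllable clock; every value should be True."""
    clock = {"t": 1_000_000.0}
    svc = SignupService(now=lambda: clock["t"])
    results = {}
    try:  # a typo in the confirmation field: nothing stored, nothing sent
        svc.start_signup("alice@example.invalid", "alcie@example.invalid")
        results["mismatch_rejected"] = False
    except ValueError:
        results["mismatch_rejected"] = True
    svc.start_signup("alice@example.invalid", "alice@example.invalid")
    results["no_account_before_click"] = not svc.has_account("alice@example.invalid")
    token = svc.outbox[-1][1].split("token=", 1)[1]
    results["guessed_token_fails"] = svc.verify("not-the-token") is None
    results["click_creates_account"] = svc.verify(token) == "alice@example.invalid"
    results["token_single_use"] = svc.verify(token) is None
    # a signup whose link is never followed (someone else's address) expires quietly
    svc.start_signup("bob@example.invalid", "bob@example.invalid")
    bob_token = svc.outbox[-1][1].split("token=", 1)[1]
    clock["t"] += TOKEN_TTL_SECONDS + 1
    results["expired_link_fails"] = svc.verify(bob_token) is None
    results["unverified_never_created"] = not svc.has_account("bob@example.invalid")
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The case that matters for this post is the last one: if someone types an address that isn't theirs, the real owner simply ignores the link, the pending entry expires, and no account, statement or PDF is ever tied to that address.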