Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 23 May 2005 20:20:04 +0400
From: Solar Designer <>
Subject: Re: Comparing John session files and more

On Tue, May 17, 2005 at 02:34:08PM +0200, Michael Behrisch wrote:
> On Sunday, 15 May 2005 01:19, Solar Designer wrote:
> > > The following questions occur:
> > > Is it safe to restore a session with a different passwd than
> > > it was interrupted with?
> >
> > Usually, yes.  But this means editing the recovery file, which is an
> > undocumented territory and subject to change without notice.
> Well, I don't edit the recovery file, I simply change the contents of 
> the passwd file,

That's essentially the same thing.  I've been thinking to implement a
CRC check on the password, wordlist, and *.chr files referenced from a
recovery file, but decided that it's not worth the complexity, and if
someone wants to shoot themselves in the foot, let them do so. ;-)

> thus I should be fine.

Yes, you should be fine for now, but _not_ because you're only
replacing passwd files rather than editing the recovery file.  As I
have already mentioned, changing the passwd files from under an
existing John session does not always work as expected (depending on
what is expected, of course).  In particular, there may be issues with
"single crack" mode and with changing password hash types.

But most of the time everything works just fine.

> > > How do I know whether the second process did catch up?
> > > (At the moment I do compare the rule number in wordlist mode
> > > and the entry number in incremental mode which are both recorded
> > > in the .rec file. Is that the right thing to do?)
> >
> > Yes, -- if this is sufficient precision for you.  In "incremental"
> > mode, you need to realize that you have to wait for the entry number
> > to become greater than it is in your original run on the full file.
> > It is insufficient to wait for the numbers to become equal since there
> > may be a large number of candidate passwords to try for each entry and
> > your original John run might be already past a significant fraction of
> > those.
> This is also true in wordlist mode (if comparing rule numbers only) 
> and it is exactly what the script does.

That's correct.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments
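The catch-up test discussed in the thread (compare the rule number in wordlist mode or the entry number in incremental mode, and require the second run's number to be strictly greater, not equal) can be expressed as a small checker. The following is an added illustration, not code from the thread or from John the Ripper: the `mode: / position:` snapshot format it parses is a constructed stand-in, since the real `.rec` layout is, as Solar Designer notes, undocumented and subject to change, so anyone adapting this would swap in their own extraction of those two numbers.

```python
"""Decide whether a second John the Ripper session has caught up with an
interrupted original.  Added illustration for the thread above: the record
format parsed here is a constructed, hypothetical 'key: value' snapshot, not
John's real recovery-file layout."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Progress:
    mode: str       # "wordlist" or "incremental" (assumed labels)
    position: int   # rule number (wordlist) or entry number (incremental)


def parse_progress(text: str) -> Progress:
    """Parse a constructed 'key: value' snapshot into a Progress.
    Assumed keys: 'mode' and 'position'; blank lines and '#' comments are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip()
    mode = fields.get("mode")
    if mode not in ("wordlist", "incremental"):
        raise ValueError(f"unsupported mode: {mode!r}")
    try:
        position = int(fields["position"])
    except (KeyError, ValueError) as exc:
        raise ValueError("position must be an integer") from exc
    if position < 0:
        raise ValueError("position must be non-negative")
    return Progress(mode, position)


def has_caught_up(original: Progress, second: Progress) -> bool:
    """True once the second session is strictly past the original's position.

    Equality is not enough: a single rule (wordlist) or entry (incremental)
    can cover many candidate passwords, and the original run was probably
    partway through the one it recorded, so only a larger number proves that
    the second run has covered everything the first one did."""
    if original.mode != second.mode:
        raise ValueError("sessions use different cracking modes; positions are not comparable")
    return second.position > original.position


def first_caught_up(original: Progress, snapshots: List[Progress]) -> Optional[int]:
    """Index of the first snapshot at which the second session has caught up,
    or None if it never does.  Models polling the second session's recovery file."""
    for i, snap in enumerate(snapshots):
        if has_caught_up(original, snap):
            return i
    return None


# Constructed sample snapshots (not real recovery-file contents).
ORIGINAL_REC = "# interrupted run on the full passwd file\nmode: incremental\nposition: 1532\n"
SECOND_RECS = [
    "mode: incremental\nposition: 900\n",
    "mode: incremental\nposition: 1532\n",   # equal: original may be mid-entry
    "mode: incremental\nposition: 1533\n",   # strictly past: caught up
]

if __name__ == "__main__":
    orig = parse_progress(ORIGINAL_REC)
    snaps = [parse_progress(s) for s in SECOND_RECS]
    print("caught up at snapshot index", first_caught_up(orig, snaps))
```

The mode check matters for the same reason the thread gives for changing hash types under a running session: positions from two different cracking modes are not comparable, and silently comparing them would report a false catch-up.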
