Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 19 Mar 2006 22:40:12 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: john the ripper output

On Wed, Mar 15, 2006 at 09:19:30AM +0000, Hari Sekhon wrote:
> I find that john --show passwdfile works best.

This is what you're supposed to be using.  In fact, it's the only
documented way to obtain the cracked passwords.

> The john.pot and john.log 
> don't give useful information pairings of username/passwords. john.pot 
> holds passwords and hashes, which is fine to look at if the username is 
> the same as the password but a bit of a guessing game otherwise...

john.pot is a file that John uses internally.  It is machine-friendly,
not human-friendly.  "john --show" may also display more cracked users
(e.g., if the same password hash is shared for several users, john.pot
may have it listed only once, but "john --show" will display the
password for all of the affected users) and it will combine any partial
hashes (those are stored in john.pot on separate lines).

The output of John while it is running may also not include all of the
cracked passwords, so you should not be relying on it for that.  In
particular, this may happen when the same password hash is shared for
multiple users and you're running John in other than "single crack" or
batch modes.  In those cases, John would simply not load the duplicate
instances of the hash for cracking - yet a subsequent "john --show" run
would correctly display all of the users whose passwords get cracked.

> Ps. It would be better if john sent it's output as it's going along the 
> same way that most unix programs do

Actually, John works _exactly_ the same way that most other Unix
programs do.  This buffering of program output is performed by most C
libraries, and programs have to explicitly ask the library to not buffer
their output or to line-buffer it (instead of buffering fixed amounts of
data) if they want to.  Most programs don't change the default.

Maybe John should be explicitly line-buffering its standard output,
although that would slow things down in those special cases when John
produces a lot of output (successfully cracking thousands of passwords
per second).

> so that I could do
> 
> ./john passwdfile > john.progressfile 2>&1 &
> 
> and then just tail -f the john.progressfile. Or even better to nohup 
> john and then you could log off/close ssh session etc and ssh back into 
> it some time/days later and do the tail -f...

This has already been suggested: use GNU screen.

You do need to use "john --show" to get at the actual cracked passwords
anyway.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.