Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 3 Apr 2006 22:55:15 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: John-the-ripper run on Trusted HP-UX

On Mon, Apr 03, 2006 at 09:39:24AM -0700, Greg Barry wrote:
> Everything works fine with john-the-ripper on the machine except when
> users set their passwords to greater than 8 characters. 
> 
> For these accounts, john always marks them as cracked with output like
> the following:
> 
> guesses: 4  time: 0:00:52:13  c/s: 152516  trying: vx25 - vxs7
> Loaded 22 password hashes with 22 different salts (Traditional DES
> [32/32x8V BS])
> 03/31/06 11:31:15 $                (h0058:2)
> 03/31/06 11:31:15 7                (h0094:2)
> 03/31/06 11:32:30 11a            (h0018:2)
> 03/31/06 11:35:16 3f               (h0015:2)

(I am curious how you made it print timestamps here - a custom patch?
Was the information available in the log file insufficient?)

This is correct.  This output means that John has successfully cracked
the endings of those passwords (characters past 8).  For example,
h0058's password is 9 characters long and ends in a dollar sign.  The
":2" after usernames means "second part of the password".

In general, you should not draw conclusions on what is cracked and what
is not based on the console output of a John cracking session.  Instead,
you should be using "john --show".

There are other cases where there can be legitimate discrepancies
between the cracking session and "john --show" output.  For example,
John might not load duplicate hashes for cracking - so it would only
report one of the affected usernames while cracking - yet "john --show"
would correctly report all of the usernames which share the cracked
hash.

The information recorded in john.pot and .log files is similar in nature
to the console output of a running session.

Thus, "john --show" is the only correct way to obtain the results of
John cracking runs - with the required post-processing of the data.

> Is there any way to configure john-the-ripper to support passwds greater
> than 8 characters on trusted HP-UX systems?

As you can see, John already supports those - with no need to configure
anything.

P.S. Modern PA-RISC systems are 64-bit, yet the hpux-* targets in John
are currently 32-bit only.  Unfortunately, I don't possess a 64-bit
PA-RISC system.  I'd be grateful if anyone would be willing to help add
the proper targets into John's Makefile (which should be trivial) and/or
test them.  This should give an almost 2x speedup at DES-based hashes.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ