Date: Thu, 6 Apr 2006 06:34:08 +0400
From: Solar Designer <>
Subject: Re: new at this cracker business


Have you been able to crack some of your passwords after the explanation
in my last response?

On Thu, Apr 06, 2006 at 01:26:36AM +0000, jay rubin wrote:
> Solar Designer-  Thank you, you've been a big help and I am beginning to 
> get a better understanding of how to crack a password.  There is still a lot 
> I have to learn such as salt,

Windows systems don't use salts.  Unix systems do.

> and hash rules.  Hash rules looks like some kind of password format.

I have no idea what you're referring to with "hash rules".

> I also ran john -test and don't understand the benchmark output ...

Feel free to post it in a separate message for me to comment.  If you
do, please post it anew, not by hitting "reply" to some other message,
as this affects threading in web-based archives of the mailing list.

> I've been keeping track of what I done 
> and am going to repeat everything here up to my current execution of john.
> Jay's adventures as he tries to crack his Windows XP passwords.

Thanks.  This may help make the documentation easier to understand.

> 1.	Downloaded John the Ripper (Win32 - binaries, ZIP, 1360 KB)


> 2.	Found that I needed the SAM database file.

What made you think so?

If you would proceed to read the EXAMPLES, you would notice this:

| Similarly, if you're going to be cracking Windows passwords, use any of
| the many utilities that dump Windows password hashes (LM and/or NTLM) in
| Jeremy Allison's PWDUMP output format.  Some of these utilities may be
| obtained here:

So you would have downloaded pwdump2 (the first such utility listed on
that page) and used it to obtain the password hashes to feed into John.

> 3.	Could not copy the SAM file since on being booted the operating 
> system accessed it locking the resource.
> 4.	Tried a safe boot to see if I could copy it.  Didn't work.
> 5.	Tried an MS/DOS boot to see if I could copy it.  Didn't work.
> 6.	Found an unlocked copy of the SAM database file in a repair 
> subfolder of the windows folder.

Yes, that's one way to do it.  But SAM files are not easy to process.

> 7.	Ran john (forgot command string) and got an error, no hashes.

Indeed - John does not support SAM files directly.

> 8.	According to documentation I discovered that I needed to merge the 
> SAM database file with its shadow file.

That's wrong.  The documentation does not say that.  I'll try to guess
why/how you arrived at this conclusion.  There's this FAQ entry:

| Q: Why doesn't John load my password file?  It says "No password hashes
| loaded".
| A: Your password file might be shadowed.  You need to get both
| /etc/passwd and the shadow file, and combine them into one file for use
| with John.  Please refer to EXAMPLES.  As the system administrator,
| you're supposed to know the name and location of your shadow file.

That's one out of five possible answers to this question - but it's the
first one listed - because this cause of the problem is very common when
using John to crack Unix passwords (which is its primary purpose).
Perhaps this answer should be re-worded such that it would be apparent
that it applies to Unix password files only (doesn't the mention of
"/etc/passwd" make it obvious, though? OK, perhaps not to Windows users
who have never worked with Unix).

Another answer included on the FAQ is:

| A: Your password file format or hash type(s) might not be supported ...

This is the last answer on the list - but it applied in your case -
because SAM files are not supported.

> 9.	Could not find any shadow file.
> 10.	Found a system utility vssadmin (volume shadow copy service) in the 
> windows/system32 folder which when run stated that I had no shadow files on 
> my system.

"Password shadowing" is a concept specific to Unix, where the system
originally did not protect password hashes from being accessed by
regular users, but such protection was later introduced (by moving
users' passwords into a separate "shadow" file with different access

This does not apply to Windows systems.  The utility which you found is
completely irrelevant.

> 11.	Finally decided I had the wrong version of john.

No, the version of John was fine.  (Well, unless you would want to crack
the case-sensitive NTLM hashes - but you did not get this far and you
might not need that.)

> 12.	Found 1.7 + jumbo patch build for Win32 (1664 KB), by thomas 
> springer.

OK, that would also work.

> 13.	Documentation said I needed pwdump2 which I then downloaded.


> 14.	Ran pwdump2 against SAM producing SAM.txt file.

You may _think_ that you ran it against the SAM (how?), but in reality
pwdump2 dumps the hashes from the running system, not from a SAM file.
You did not need the SAM file for that.

Calling the resulting file SAM.txt might be misleading, but of course it
shouldn't affect anything.

> 15.	Ran john against SAM.txt file using command string of john --show 
> --format=NT SAM.txt and got a message, 0 password hashes cracked, 7 left.

That's because you didn't have anything cracked yet.  The "--show"
option is, as the name suggests, for displaying previously cracked
usernames and passwords.  The documentation says this, too.

> 16.	Send an email to
> 17.	Ran john using command string of john SAM.txt, still running.


> Though I read the README, FAQ and EXAMPLES documentation in my downloads I 
> found them, for myself, a little complex.

Understood.  This is in part because John runs on so many different
platforms and supports so many different hash types.  As a result, some
statements in the documentation have to be very generic and not
specific.  Also, John is a tool for systems administrators, so a certain
level of experience is assumed.

> Also with the first official 
> download of john, to execute it I had to use either john-386 or john-mmx.  

That's correct - you should be using "john-mmx" unless your computer is
truly ancient.  I decided against including a plain "john" in the
Windows and DOS distributions to ensure that people make a conscious
decision on which build they use (MMX or not).  Maybe I was wrong as the
feedback I am receiving suggests that people don't understand this stuff
and are picking a John executable at random.

> In the documents it says just use john.

Yes, in most of the documentation it does.  However, there's this short
note (should I call it an excuse?) in the README -

| Please note that "binary" (pre-compiled) distributions of John may
| include alternate executables instead of just "john".  You may need to
| choose the executable which fits your system best, e.g. "john-mmx" to
| take advantage of MMX acceleration.

> I also on the MARC site under subject of 'does john crack xp passwords 
> correctly' I read the following:
> john -show pwfile | cut -d: -f2 > cracked
> john -w=cracked -rules -format=nt pwfile
> john -show -format=nt pwfile

This was my answer to someone who wanted to crack the case-sensitive
NTLM hashes after having cracked the case-insensitive LM ones.  It does
not apply to your case since you do not have anything cracked and you
might not want/need to be cracking NTLM hashes.

These commands alone are also insufficient to accomplish the task - my
complete answer was longer.

> It did not recognize cut or f2 as options.

Indeed.  That's because these commands require Cygwin, as mentioned in
the discussion you've taken them from.  But you really don't need this.

> None of these show the final 
> command line that I used to execute john as just john SAM.txt.

The README and EXAMPLES files do show this.  A quote from README:

| To run John, you need to supply it with some password files and
| optionally specify a cracking mode, like this, using the default order
| of modes and assuming that "passwd" is a copy of your password file:
| 	john passwd

And a quote from EXAMPLES:

| 2. Now, let's assume you've got a password file, "mypasswd", and want to
| crack it.  The simplest way is to let John use its default order of
| cracking modes:
| 	john mypasswd

Obviously, the password file name can be arbitrary.

P.S. Please don't quote entire messages in your responses.  Only quote
the bits relevant to your response, preferably inline (like I did).

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments
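An added example, not part of the original message, illustrating the FAQ entry quoted above: a small POSIX shell script that merges a Unix passwd file with its shadow file into the single-file format John reads, and counts how many usable hashes each file holds. The sample passwd/shadow data and the hash values are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original message: merge a Unix passwd file with
# its shadow file into the one-file format John expects, as the quoted FAQ
# entry describes. The sample data below is constructed; hashes are placeholders.
set -e

# unshadow_files PASSWD SHADOW: print PASSWD with each "x" password field
# replaced by the hash recorded for that user in SHADOW.
unshadow_files() {
    awk -F: 'BEGIN { OFS = ":" }
        NR == FNR { hash[$1] = $2; next }             # first file: shadow
        ($2 == "x" && ($1 in hash)) { $2 = hash[$1] } # second file: passwd
        { print }' "$2" "$1"
}

# count_hashes: read passwd-format lines on stdin and count those whose
# password field holds a real hash rather than "x", "*", "!" or nothing.
# A shadowed passwd file on its own therefore scores 0, which is the
# situation behind "No password hashes loaded".
count_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/ { n++ } END { print n + 0 }'
}

# Constructed sample files (hash strings are placeholders, not real hashes).
tmpdir=$(mktemp -d)
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
cat > "$tmpdir/shadow" <<'EOF'
root:$6$SALTSALT$PLACEHOLDERHASH1:19000:0:99999:7:::
alice:$6$SALTSALT$PLACEHOLDERHASH2:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF

# Shadowed passwd alone: nothing to load. Merged file: two usable hashes
# (daemon stays locked with "*" and is correctly not counted).
before=$(count_hashes < "$tmpdir/passwd")
after=$(unshadow_files "$tmpdir/passwd" "$tmpdir/shadow" | count_hashes)
echo "usable hashes before merge: $before, after merge: $after"
```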
