Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 May 2006 14:06:35 -0700
From: "Arvind Sood" <asood74@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: John seems to exit without error

Thank you Solar Designer,

I did as you suggested - and lo and behold -it loaded more hashes... which
led to this follow-up problem.

but first, here is what I did ...

1- Emptied the contents of ./john.pot using a text editor and then did a "rm
-rf john.pot~" (the pot~ showed up when I emptied the .pot file).


2- Deleted all instances of the .log and .rec files for all my sessions.

3- issued the command and got the output as shown here

[sooda@...alhost run]$ ./john --format=nt
--wordlist=../pwdfiles/lm_cracked.txt --rules --session=ntcrack_1
../pwdfiles/pwoutput.txt

Loaded 13 password hashes with no different salts (NT MD4 [TridgeMD4])
gr8hack          (Administrator)
password         (DCuser)
guesses: 2  time: 0:00:00:00 100%  c/s: 17666  trying: Passwording
[sooda@...alhost run]$ cat ../pwdfiles/lm_cracked.txt
GR8HACK
PA55W0RD!
PASSWORD#1
PASSWORD#1
PASSWORD
BENTLEY#1
PASSWORD#1
123PASSWORD321
NO PASSWORD
PASSWORD
PASSWORD
PASSWORD
PASSWORD
PASSWORD
PASSWORD
PASSWORD#1
PASSWORD
SN0WDAY
PASSWORD
890ILER???????
NO PASSWORD

37 password hashes cracked, 8 left
[sooda@...alhost run]$


Here are the questions

1- why did john exit after cracking two passwords only? there were many more
entries in the lm_cracked.txt file. Should john not have cracked the
password set to PA55WORD! for instance?

2- Since there was nothing in the .pot file this time - why did john
exit/finish so early?

3- Does john --rules, check for only upper vs. lowercase? or even a
combination of cases? for example if we have
 a password set as "BenTLeY" -
 will --rules try only "bentley" or "BENTLEY"
 conclude the password is neither "BENTLEY" nor "bentley" and exit
or
 will it continue to try various combinations of cases for each character
(Bentley, BENtley etc.)?
.. apologies if that was a dumb-ass question, but I am still learning :-)

4- I never noticed it till now, but John loads only unique hashes. I had 25
user accounts only  13 unique passwords (hence 13 unique hashes). when
parsing the file john loaded only the 13 unique entities .... that is so
cool !!

As always, I am indebted to you for the instruction and support


Kind regards,
Arvind



On 12/05/06, Solar Designer <solar@...nwall.com> wrote:
>
> On Fri, May 12, 2006 at 01:38:33PM -0400, Arvind Sood wrote:
> > - Notice that john immediately returns me to a $ prompt. Also - why did
> it
> > load 11 hashes? There are many more accounts .....
> >
> > [ sooda@...alhost run]$ ./john --wordlist=../pwdfiles/lm_cracked.txt
> --rules
> > --format=nt --session=ntcrack ../pwdfiles/pwoutput.txt
> > Loaded 11 password hashes with no different salts (NT MD4 [TridgeMD4])
> > guesses: 0  time: 0:00:00:00 100%  c/s: 34100  trying: Passwording
> > [sooda@...alhost run]$
>
> > Why does John only load 11 hashes?
>
> John does not waste time cracking the hashes which are already in
> john.pot.  In the log file, you should see two separate lines like:
>
> 0:00:00:00 Loaded a total of <many> password hashes with no different
> salts
> 0:00:00:00 Remaining 11 password hashes with no different salts
>
> If you want to have it crack those hashes again - since you're just
> testing - you need to move the existing john.pot out of the way.
>
> > Why does it immediately return me to a $ prompt?
>
> That's because there's not much work for it to do - you give it the
> passwords and it only needs to check for upper vs. lower case.  In your
> example, it only had to compute NTLM hashes 34,100 times - this can be
> done in under a second. :-)
>
> > - it did not do that with the --format=LM switch.
>
> Indeed.  You actually had it crack passwords for you in that run.
>
> > Why does john not show up in the ps -ef?
>
> That's because it really completes its work and terminates in under a
> second.  It does not "background" itself or something.
>
> --
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D
> 3598
> http://www.openwall.com - bringing security into open computing
> environments
>
> Was I helpful?  Please give your feedback here:
> http://rate.affero.net/solar
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ