Date: Mon, 21 Jan 2008 07:17:25 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: different formats.. On Sat, Jan 19, 2008 at 08:11:36PM -0500, Steve ...... wrote: > Hi, I have shadow files from different boxses and Im just wondering what the > easiest and fasiest method of cracking them is? > I used to just throw it one file and john would load them all but now im > wondering so there from different boxses and everything should I be doing it > sepertely? keep in mind im not an advanced john the ripper user. First of all, it is preferable to use the "unshadow" program to combine your /etc/passwd and shadow files - not run "john" on the shadow files. This is because the "single crack" mode works better when you give it more information on each account - such as the user's full name and home directory name. Then, it is in fact a good idea to run John the Ripper on all of your password files at once (after having used "unshadow" on them individually). Quite often, this will result in more matching salts and in reduced key setup overhead, which improves the overall c/s rate. With "single crack", it may also result in more passwords getting cracked since John the Ripper takes advantage of being able to try user-specific candidate passwords against other users' password hashes that happen to have the same salt, for free. You do not need to request the "single crack" mode explicitly for this - running "john" with no options will do (letting it go through its usual sequence of cracking modes - "single crack", wordlist with word mangling rules, and finally "incremental"). It is OK to combine your (unshadowed) password files into one large file if you like, but you do not have to - you can specify multiple filenames on the command line for "john". You may also use shell wildcards. Now, let's get to the main part of your question (as seen from the message Subject) - different hash types. It may happen that the systems you take the shadow files from use different hash types. (In fact, it may also happen that a single system has password hashes of more than one type in its shadow file - e.g., if the system has been through OS version upgrades.) When you run John the Ripper, it autodetects the first hash type that it recognizes in the first file that it parses, then it only loads hashes of the same type (as an exception, it will load traditional DES-based crypt(3) and "bigcrypt" hashes at the same time). Thus, you need to either review your password files or try running John the Ripper with explicit "--format=..." settings (for all hash types that might potentially be present) in order to figure out if there are other hash types. If so, you will need to use the "--format=..." option on your actual John the Ripper runs - and do separate runs for each hash type. Finally, please don't forget to use the "--show" option to extract your results. It is unreliable to rely on the output that John the Ripper produces while it cracks your hashes, or on the john.pot or log file contents. When a given hash is found on more than one user account, it's only "--show" which guarantees to display all affected accounts. Also, you will need "--show" in order to figure out what password files the cracked passwords come from - you achieve this by running "--show" on specific password files rather than on all of them at once (although the latter is also supported). You do not need to use "--format=..." with "--show", although you can if you want to filter your results by hash type. (As an exception, you may have to use "--format=..." with "--show" when your input files have more than one hash type per account, which is often the case for PWDUMP output on Windows systems.) -- Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ