Date: Thu, 07 Jun 2012 03:37:35 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: JtR to process the LinkedIn hash dump
On 06/07/2012 01:59 AM, Solar Designer wrote:
> On Wed, Jun 06, 2012 at 06:10:49PM -0500, jfoug wrote:
>> You will note that 'most' of them that you crack will have 00000 as the
>> first bytes of the hash (if you are using the rock-u words, and nothing more
> than 'rules' from JtR). This shows that whoever released this, that they
> are using 00000 as an 'already cracked' signature.
>
> Not necessarily. Another possibility (and I am not the first one to
> suggest it) is that whoever released these hashes did not figure out how
> to crack the ones with 00000's, so he/she left them in this released
> uncracked hashes dump. This would explain why the hashes with 00000's
> correspond to weaker passwords (on average) than those without. The
> reason for this public release might have been to crowdsource cracking
> of the relatively more difficult hashes, which happened to be both those
> with 00000's (not attacked for real at all) and those for somewhat more
> complicated passwords (than average in the original/full database, which
> we haven't seen so far).

Another observation is that if you zero the first 20 bits of the
complete hashes, you'll end up getting >63000 dupes. That is a little
puzzling.

The current format does not treat them as dupes when loading, but will
crack and record both versions of the hash when finding a password.

magnum
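
The duplicate observation above, as an added example that is not part of the original message and is not JtR's own code: it zeroes the first 20 bits (5 hex digits) of each SHA-1 digest, groups entries that then collide, and compares a candidate against a stored digest while ignoring those bits. The function names and the four sample entries are constructed for illustration.

```python
import hashlib
from collections import defaultdict

MASK_NIBBLES = 5  # 20 bits == 5 hex digits
HEX = set("0123456789abcdef")


def mask(digest):
    """Return the 40-hex-digit SHA-1 digest with its first 20 bits zeroed."""
    d = digest.strip().lower()
    if len(d) != 40 or not set(d) <= HEX:
        raise ValueError(f"not a SHA-1 hex digest: {digest!r}")
    return "0" * MASK_NIBBLES + d[MASK_NIBBLES:]


def find_masked_dupes(digests):
    """Map masked digest -> sorted distinct originals, for groups of 2+."""
    groups = defaultdict(set)
    for d in digests:
        groups[mask(d)].add(d.strip().lower())
    return {m: sorted(v) for m, v in groups.items() if len(v) > 1}


def matches(candidate, stored):
    """True if SHA-1(candidate) equals stored, ignoring the first 20 bits."""
    computed = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return mask(computed) == mask(stored)


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed sample: one password present both intact and with the 00000
# prefix, one intact only, one zeroed only.
SAMPLE = [
    sha1_hex("password"),
    mask(sha1_hex("password")),
    sha1_hex("abc"),
    mask(sha1_hex("letmein")),
]

if __name__ == "__main__":
    for masked, originals in find_masked_dupes(SAMPLE).items():
        print(masked, "<-", originals)
    print("unique after masking:", len({mask(d) for d in SAMPLE}), "of", len(SAMPLE))
```
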