Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 30 Jul 2015 10:04:59 +0200
From: Marek Wrzosek <marek.wrzosek@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Why does john display some cracked passwords twice?

W dniu 29.07.2015 o 20:45, Solar Designer pisze:
> On Wed, Jul 29, 2015 at 10:20:02AM +0200, Marek Wrzosek wrote:
>> For now, I stuck, so I'll probably go back in time (remove some lines
>> from pot file) and calmly I'll try to reproduce the problem.
>> Most likely this is because of wordlist/loopback with rules and fork, an
>> unfortunate coincidence that two or more threads are using two or more
>> different but similar words and different rules that together cause the
>> same output in the exact same moment that "pot sync" was unable to deal
>> with them. That is a lot of coincidence for me ;-)
>> It should happens from time to time. Isn't it too frequent then?
> 
> This might well be too frequent, or not, depending on your exact
> circumstances.  You had mentioned you saw this problem even with modes
> such as incremental and prince - if so, that's a bug, so please try to
> reproduce it and let us know if you were able to or not.  And we'd like
> to be able to reproduce the problem, too, so a testcase would be very
> helpful, if you can provide that.
> 
>> I can easily remove duplicates by using uniq command, no harm done.
> 
> You don't need to remove them.  John's output during cracking is just
> for you to be aware of its progress, and john.pot is normally for John's
> internal use.  The actual cracking results you should obtain with "john
> --show passwordfileshere", and this won't show any duplicates even if
> there are duplicate lines in your pot file.
> 
>> BTW, I was using fork with wordlist+rules mainly because of this statement:
>> "Warning: no OpenMP support for this hash type, consider --fork=4".
> 
> Sure, your use of --fork is fine.
> 
>> Maybe it should be disabled for certain cases like above.
> 
> Why, I guess it completed much quicker with --fork than it would have
> without, even if it produced some duplicate cracks.
> 
>> Most probably it's EOT. Thanks for help, magnum.
> 
> I would be happier to end this thread when we have a specific
> conclusion: a JtR bug (e.g., if reproducible with modes other than
> wordlist and loopback) or just an expected side-effect of having similar
> input words (e.g., what you saw is not surprising at all if that was in
> loopback mode, where you could have the same passwords already in your
> john.pot, e.g. for different salts).  Thank you, Marek.
> 
> Alexander
> 
The problem is: I'm not sure right now. I was using a lot of modes and I
saw duplicates few times. The most frequently with wordlist/loopback and
rules, but it is theoretically possible in prince too (I think), because
this mode is using wordlist or pot file also and creates candidates by
concatenating passwords, so the mechanism is similar.
I'll report this as soon as I'll be able to reproduce this in modes
other than wordlist+rules but until then I consider this as an EOT.
I was using fork because the sum of combined Kp/s was higher than Kp/s
without fork but it was bugging me.
I'm curious what are the odds and how wide is the window of opportunity
("pot sync") for it to happen. Probability of this must be higher for
loopback mode (or maybe for prince-loopback) and for wordlist that were
created using smaller wordlist and word-mangling rules. If fork is
desirable in that cases, maybe there should be a way for a user to
decide how one big wordlist should be distributed among the processes.
Thanks, Alexander.

Best Regards
-- 
Marek Wrzosek
marek.wrzosek@...il.com

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.