Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Jul 2011 13:28:11 -0500
From: "jfoug" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: runtime 'quirks' in john

I think I have tracked down some 'quirks' I have seen in the past. This
semi-non issue is that john can list it found more passwords that it really
did.  I used to see this on the x86-generic builds.  DES and BigCrypt (and
one other I do not remember), would find some extras.

 

Well, at that time I was using a more dirty password file.   I was pretty
sure that seeing the same word multiple times on 'some' formats, can have
the stats break, and do some double counting.

 

Well, I made this little test app: 

 

#include <stdio.h>

void main() {

   char Buf[1024], Buf2[1024];

   fgets(Buf, 1024, stdin);

   strtok(Buf, "\r\n");

   fgets(Buf2, 1024, stdin);

   while (!feof(stdin)) {

      int i;

      strtok(Buf2, "\r\n");

      for (i = 0; i < 16; ++i)

         printf("%s\n%s\n", Buf, Buf2);

      strcpy(Buf, Buf2);

      fgets(Buf2, 1024, stdin);

   }

}

 

Ran it on pw.dic to make it larger, reran the script, and low and behold:

 

-form=md5_gen(4)                guesses: 1530 time: 0:00:00:03 DONE

.POT Chk:  md5_gen(4)           guesses: 1500 time: 0:00:00:00 DONE

 

-form=mscash                    guesses: 1537 time: 0:00:00:00 DONE

.POT Chk:  mscash               guesses: 1500 time: 0:00:00:00 DONE

 

-form=mscash-crash              guesses: 1477 time: 0:00:00:00 DONE

.POT Chk:  mscash-crash         guesses: 1440 time: 0:00:00:00 DONE   (1440
is the expected count)

 

 

NOTE, there are many formats that find only a few items, when run against
this dictionary, but that is by design. For the slower formats, I use head
to cut just a few words off the front of the pw.dic file, and those few
words were the ones used to create the input file.  So those formats being
very 'low' on count is fully expected.

 

I had seen this issue in the past, but not really sounded any alarms, since
it really does not seem to be any serious issue.  The number of words found
was 1500 (1320 at that time), and they all were found, and there were no
'extra' values in the pot file. It only seemed to show up in the 'guesses'
line that john prints out, and which the test script grep's out.
However, being able to convert a fully working script/dictionary into a set
which shows this issue, does make me.

 

I am not fully convinced this is a 'bad' issue, but I will continue to look
at it, now that I am able to replicate it.

 

Jim.

 

 


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.