Date: Sat, 11 Mar 2006 07:17:02 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: does john crack xp passwords correctly?

I wrote, regarding a half-cracked LM hash:

> >It's seven unknown (not yet cracked) characters followed by the part of
> >the password that's been cracked (the "M" might be upper- or lower-case,
> >though - John does not check that). At this point, it is known that the
> >password is exactly 10 characters long - and only the first 7 characters
> >remain to be cracked.

On Sat, Mar 11, 2006 at 04:00:08AM +0000, hadzijj qwerty wrote:
> I'm not sure this is explained in the documentation. Is it somewhere?

I'm afraid not. This is specific to LM hashes, which are not the
primary focus of John - although I agree that the proper documentation
on this needs to be written.

> I have 4 passwords in my passwords file.
> But the strange thing is that john writes:
>
> Loaded 7 passwords with no different salts (NT LM DES [48/64 4K])
>
> AFAIK administrator password is treated like 1 password, whilst every
> other password
> is treated like 2 passwords. Why?

The FAQ has this entry:

Q: I have 10 users, but John said it loaded 15 password hashes. What's
   going on?
A: Some extremely poorly designed hash types (Windows NT LM hashes and
   double-length DES-based crypt(3) hashes also known as "bigcrypt" or
   "crypt16") have a property that allows John to split their encodings
   into two separate hashes (corresponding to halves of plaintext
   passwords) on load. John then proceeds to crack those hashes
   separately, so at a given time it might have only one of two halves
   of some passwords cracked. If interrupted and restarted, it would
   need to only load the hashes which correspond to uncracked password
   halves, so the number of such hashes is what John reports (in all
   cases, for consistency).

Did this answer your question?

Also, the "48/64 4K" on that line suggests that you're using an old
version of John (probably the 1.6 release). You should be able to get
much better performance at LM hashes by upgrading to version 1.7.

> >Provided that you use the current version of John (1.7 or newer) and you
> >run the MMX build of it, you should get your full Administrator password
> >cracked reasonably soon (two weeks worst case for a modern CPU, but
> >chances are that you'd get it cracked _much_ quicker - within hours).
>
> I have a version 1.6.39 under debian unstable.

The output above does not match that of version 1.6.39, so that's not
what you're using.

> Is version 1.7 much faster?

Version 1.7 is several times faster than the 1.6 release at LM hashes.

My advice is that you download the 22.214.171.124 tarball, compile it (with
"make linux-x86-mmx" if you're on an x86 machine), and use that.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful? Please give your feedback here: http://rate.affero.net/solar
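The bookkeeping described in the message above, as an added example that is not part of the original post and is not John the Ripper's code: it models how 32-digit LM hashes split into two halves, why 4 accounts can show up as 7 loaded hashes once one half is cracked, and how a cracked second half fixes the password length. The function names, the placeholder hash values and the plaintext "ABC" are constructed for illustration.

```python
# Added illustration, not John the Ripper's code. It models only the
# bookkeeping: how LM hashes are split and counted, not how they are computed.
HEX = set("0123456789ABCDEF")

def split_lm(lm_hex):
    """Split a 32-hex-digit LM hash into two independent 16-digit halves."""
    lm_hex = lm_hex.strip().upper()
    if len(lm_hex) != 32 or not set(lm_hex) <= HEX:
        raise ValueError("an LM hash is 32 hex digits")
    return lm_hex[:16], lm_hex[16:]

def count_to_load(users, cracked):
    """Halves still uncracked, i.e. what a 'Loaded N passwords' line counts."""
    return sum(half not in cracked
               for lm in users.values() for half in split_lm(lm))

def partial_view(lm_hex, cracked):
    """Return (display, length); length is None while it is still unknown.

    LM upper-cases the password before hashing, so a cracked half is shown
    in upper case and the real case of each letter stays unknown.
    """
    first, second = split_lm(lm_hex)
    p1, p2 = cracked.get(first), cracked.get(second)
    shown = (p1 if p1 is not None else "?" * 7) + (p2 if p2 is not None else "?" * 7)
    if p2:                        # non-empty second half: first half is full
        return shown, 7 + len(p2)
    if p1 is not None and (p2 == "" or len(p1) < 7):
        return p1, len(p1)        # password fits entirely in the first half
    return shown, None

# Constructed sample data: placeholder hash halves, hypothetical plaintext.
USERS = {
    "Administrator": "1111111111111111" + "2222222222222222",
    "alice":         "3333333333333333" + "4444444444444444",
    "bob":           "5555555555555555" + "6666666666666666",
    "carol":         "7777777777777777" + "8888888888888888",
}
CRACKED = {"2222222222222222": "ABC"}   # second half of Administrator only

if __name__ == "__main__":
    print(count_to_load(USERS, CRACKED))                  # 4 accounts, 7 halves
    print(partial_view(USERS["Administrator"], CRACKED))
```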