Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 11 Mar 2006 07:17:02 +0300
From: Solar Designer <>
Subject: Re: does john crack xp passwords correctly?

I wrote, regarding a half-cracked LM hash:
> >It's seven unknown (not yet cracked) characters followed by the part of
> >the password that's been cracked (the "M" might be upper- or lower-case,
> >though - John does not check that).  At this point, it is known that the
> >password is exactly 10 characters long - and only the first 7 characters
> >remain to be cracked.

On Sat, Mar 11, 2006 at 04:00:08AM +0000, hadzijj qwerty wrote:
> I'm not sure this is explained in the documentation. Is it somewhere?

I'm afraid not.  This is specific to LM hashes, which are not the
primary focus of John - although I agree that the proper documentation
on this needs to be written.

> I have 4 passwords in my passwords file.
> But the strange thing is that john writes:
> Loaded 7 passwords with no different salts (NT LM DES [48/64 4K])
> AFAIK administrator password is is treated like 1 password, whilst every 
> other password
> is treated like 2 passwords. Why?

The FAQ has this entry:

Q: I have 10 users, but John said it loaded 15 password hashes.  What's
going on?
A: Some extremely poorly designed hash types (Windows NT LM hashes and
double-length DES-based crypt(3) hashes also known as "bigcrypt" or
"crypt16") have a property that allows John to split their encodings
into two separate hashes (corresponding to halves of plaintext
passwords) on load.  John then proceeds to crack those hashes
separately, so at a given time it might have only one of two halves of
some passwords cracked.  If interrupted and restarted, it would need to
only load the hashes which correspond to uncracked password halves, so
the number of such hashes is what John reports (in all cases, for

Did this answer your question?

Also, the "48/64 4K" on that line suggests that you're using an old
version of John (probably the 1.6 release).  You should be able to get
much better performance at LM hashes by upgrading to version 1.7.

> >Provided that you use the current version of John (1.7 or newer) and you
> >run the MMX build of it, you should get your full Administrator password
> >cracked reasonably soon (two weeks worst case for a modern CPU, but
> >chances are that you'd get it cracked _much_ quicker - within hours).
> I have a version 1.6.39 under debian unstable.

The output above does not match that of version 1.6.39, so that's not
what you're using.

> Is version 1.7 much faster?

Version 1.7 is several times faster than the 1.6 release at LM hashes.

My advice is that you download the tarball, compile it (with
"make linux-x86-mmx" if you're on an x86 machine), and use that.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.