Date: Sun, 19 Mar 2006 22:40:12 +0300
From: Solar Designer <>
Subject: Re: john the ripper output

On Wed, Mar 15, 2006 at 09:19:30AM +0000, Hari Sekhon wrote:
> I find that john --show passwdfile works best.

This is what you're supposed to be using.  In fact, it's the only
documented way to obtain the cracked passwords.

> The john.pot and john.log 
> don't give useful information pairings of username/passwords. john.pot 
> holds passwords and hashes, which is fine to look at if the username is 
> the same as the password but a bit of a guessing game otherwise...

john.pot is a file that John uses internally.  It is machine-friendly,
not human-friendly.  "john --show" may also display more cracked users
(e.g., if the same password hash is shared for several users, john.pot
may have it listed only once, but "john --show" will display the
password for all of the affected users) and it will combine any partial
hashes (those are stored in john.pot on separate lines).

The output of John while it is running may also not include all of the
cracked passwords, so you should not be relying on it for that.  In
particular, this may happen when the same password hash is shared for
multiple users and you're running John in other than "single crack" or
batch modes.  In those cases, John would simply not load the duplicate
instances of the hash for cracking - yet a subsequent "john --show" run
would correctly display all of the users whose passwords get cracked.

> Ps. It would be better if john sent its output as it's going along the 
> same way that most unix programs do

Actually, John works _exactly_ the same way that most other Unix
programs do.  This buffering of program output is performed by most C
libraries, and programs have to explicitly ask the library to not buffer
their output or to line-buffer it (instead of buffering fixed amounts of
data) if they want to.  Most programs don't change the default.

Maybe John should be explicitly line-buffering its standard output,
although that would slow things down in those special cases when John
produces a lot of output (successfully cracking thousands of passwords
per second).

> so that I could do
> ./john passwdfile > john.progressfile 2>&1 &
> and then just tail -f the john.progressfile. Or even better to nohup 
> john and then you could log off/close ssh session etc and ssh back into 
> it some time/days later and do the tail -f...

This has already been suggested: use GNU screen.

You do need to use "john --show" to get at the actual cracked passwords

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:
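
Added example (not part of the original message and not taken from John's source): the C program below shows the stdio behaviour described in the reply. A short line written to a file-backed stream stays in the process's buffer under the default full buffering, so "tail -f" on a redirected output file sees nothing, while a stream switched to line buffering with setvbuf() delivers it at the newline. The helper name and the sample line are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() and fstat() */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed sample line standing in for one line of program output. */
static const char SAMPLE_LINE[] = "example (user1)\n";

/*
 * Hypothetical helper: write SAMPLE_LINE to a temporary file using the
 * given setvbuf() mode (_IOFBF, _IOLBF or _IONBF) and return how many
 * bytes have reached the file before the stream is flushed or closed.
 * Returns -1 on error.
 */
long bytes_on_disk_before_flush(int mode)
{
    FILE *fp = tmpfile();
    struct stat st;
    long seen = -1;

    if (fp == NULL)
        return -1;

    /* setvbuf() must be called before any other operation on the stream. */
    if (setvbuf(fp, NULL, mode, BUFSIZ) == 0 &&
        fputs(SAMPLE_LINE, fp) != EOF &&
        fstat(fileno(fp), &st) == 0)
        seen = (long)st.st_size;   /* what a reader such as tail -f can see */

    fclose(fp);
    return seen;
}

int main(void)
{
    printf("line length:    %zu\n", strlen(SAMPLE_LINE));
    /* Default for output redirected to a file: nothing visible yet. */
    printf("fully buffered: %ld\n", bytes_on_disk_before_flush(_IOFBF));
    /* What a program gets only if it explicitly asks for it. */
    printf("line buffered:  %ld\n", bytes_on_disk_before_flush(_IOLBF));
    printf("unbuffered:     %ld\n", bytes_on_disk_before_flush(_IONBF));
    return 0;
}
```

Line buffering costs one write() call per output line, which is the slowdown the reply mentions for runs that print thousands of lines per second.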
