Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 03 Apr 2006 14:08:33 -0700
From: Greg Barry <>
Subject: Re: John-the-ripper run on Trusted HP-UX

> On Mon, Apr 03, 2006 at 09:39:24AM -0700, Greg Barry wrote:
> > Everything works fine with john-the-ripper on the machine except when
> > users set their passwords to greater than 8 characters. 
> > 
> > For these accounts, john always marks them as cracked with output like
> > the following:
> > 
> > guesses: 4  time: 0:00:52:13  c/s: 152516  trying: vx25 - vxs7
> > Loaded 22 password hashes with 22 different salts (Traditional DES
> > [32/32x8V BS])
> > 03/31/06 11:31:15 $                (h0058:2)
> > 03/31/06 11:31:15 7                (h0094:2)
> > 03/31/06 11:32:30 11a            (h0018:2)
> > 03/31/06 11:35:16 3f               (h0015:2)
> (I am curious how you made it print timestamps here - a custom patch?
> Was the information available in the log file insufficient?)

       Yes , the timestamps were a custom change

> This is correct.  This output means that John has successfully cracked
> the endings of those passwords (characters past 8).  For example,
> h0058's password is 9 characters long and ends in a dollar sign.  The
> ":2" after usernames means "second part of the password".

     Am I correct to assume that john has run against the first 8 chars
of the passwd  as well
as the characters past 8

> In general, you should not draw conclusions on what is cracked and what
> is not based on the console output of a John cracking session.  Instead,
> you should be using "john --show".

I forget to do this. Will add to our standard procedures.  Thanks

> There are other cases where there can be legitimate discrepancies
> between the cracking session and "john --show" output.  For example,
> John might not load duplicate hashes for cracking - so it would only
> report one of the affected usernames while cracking - yet "john --show"
> would correctly report all of the usernames which share the cracked
> hash.
> The information recorded in john.pot and .log files is similar in nature
> to the console output of a running session.
> Thus, "john --show" is the only correct way to obtain the results of
> John cracking runs - with the required post-processing of the data.
> > Is there any way to configure john-the-ripper to support passwds greater
> > than 8 characters on trusted HP-UX systems?
> As you can see, John already supports those - with no need to configure
> anything.
> P.S. Modern PA-RISC systems are 64-bit, yet the hpux-* targets in John
> are currently 32-bit only.  Unfortunately, I don't possess a 64-bit
> PA-RISC system.  I'd be grateful if anyone would be willing to help add
> the proper targets into John's Makefile (which should be trivial) and/or
> test them.  This should give an almost 2x speedup at DES-based hashes.
> -- 
> Alexander Peslyak <solar at>
> GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
> - bringing security into open computing environments
> Was I helpful?  Please give your feedback here:
> -- 
> To unsubscribe, e-mail and reply
> to the automated confirmation request that will be sent to you.

Greg Barry,    Systems Analyst
    Unix Systems Management
    Lockheed Martin Information Technology,    Hanford,    Richland WA
    Phone: 509-376-1652     Page: 85-9550     Email: 

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.