Date: Thu, 06 Apr 2006 01:26:36 +0000
From: "jay rubin" <>
Subject: Re: new at this cracker business

Solar Designer - Thank you, you've been a big help and I am beginning to get 
a better understanding of how to crack a password.  There is still a lot I 
have to learn such as salt, and hash rules.  Hash rules looks like some kind 
of password format.   I also ran john -test and don't understand the 
benchmark output that I received.  I've been keeping track of what I have done and 
am going to repeat everything here up to my current execution of john.

Jay's adventures as he tries to crack his Windows XP passwords.

1.	Downloaded John the Ripper (Win32 - binaries, ZIP, 1360 KB)
2.	Found that I needed the SAM database file.
3.	Could not copy the SAM file since on being booted the operating system 
accessed it locking the resource.
4.	Tried a safe boot to see if I could copy it.  Didn’t work.
5.	Tried an MS/DOS boot to see if I could copy it.  Didn’t work.
6.	Found an unlocked copy of the SAM database file in a repair subfolder of 
the windows folder.
7.	Ran john (forgot command string) and got an error, no hashes.
8.	According to documentation I discovered that I needed to merge the SAM 
database file with its shadow file.
9.	Could not find any shadow file.
10.	Found a system utility vssadmin (volume shadow copy service) in the 
windows/system32 folder which when run stated that I had no shadow files on 
my system.
11.	Finally decided I had the wrong version of john.
12.	Found 1.7 + jumbo patch build for Win32 (1664 KB), by Thomas Springer.
13.	Documentation said I needed pwdump2 which I then downloaded.
14.	Ran pwdump2 against SAM producing SAM.txt file.
15.	Ran john against SAM.txt file using command string of john --show 
--format=NT SAM.txt and got a message, 0 password hashes cracked, 7 left.
16.	Send an email to
17.	Ran john using command string of john SAM.txt, still running.

Though I read the README, FAQ and EXAMPLES documentation in my downloads I 
found them, for myself, a little complex.  Also, with the first official 
download of john, to execute it I had to use either john-386 or john-mmx.  
In the documents it says just use john.

Also, on the MARC site under the subject 'does john crack xp passwords 
correctly' I read the following:

john -show pwfile | cut -d: -f2 > cracked
john -w=cracked -rules -format=nt pwfile
john -show -format=nt pwfile

It did not recognize cut or f2 as options.  None of these show the final 
command line that I used to execute john as just john SAM.txt.


>From: Solar Designer <>
>Subject: Re: [john-users] new at this cracker business
>Date: Thu, 6 Apr 2006 03:47:45 +0400
>On Wed, Apr 05, 2006 at 10:06:41PM +0000, jay rubin wrote:
> > I decided I wanted to see how secure was my windows password.  Without
> > getting into too much about all the missteps that I've taken I've 
> > downloaded 1.7 + jumbo patch build for Win32 (1664 KB), by thomas 
> > and pwdump2.  I ran my SAM file through pwdump2
>Jay originally sent a similar question to me privately, but I asked that
>he post it to the list. ;-)
>Jay - it's a pity that you've omitted the "missteps" from this posting
>because they're still relevant.  Basically, your grabbing the SAM file
>was a mistake - it would have been more straightforward to use one of
>the PWDUMP* tools (such as pwdump2 which you've downloaded) to dump the
>hashes to a text file.
>SAM files are much harder to process.  John does not process SAM files
>directly.  Moreover, recent versions of Windows encrypt hashes in the
>SAM with so-called SYSKEY - so you would need to grab that as well.
>That's a lot of complexity for no gain.  Just don't do it.
>As it relates to your "running a SAM file through pwdump2", you must be
>wrong.  pwdump2 does not process SAM files; rather, it dumps the hashes
>from the running Windows system.
> > and then ran john using
> >
> > john -show -format=LM SAM.txt
> >
> > the following message was the result
> >
> > 0 password hashes cracked, 7 left  (if I run this with a format of NT I 
> > the same thing on with 5 left)
>That's obvious - you haven't cracked any of the hashes yet.  But this
>tells us that your file is of the correct format (should be PWDUMP
>output) - that's good.
>To actually start a cracking session, run:
>	john SAM.txt
>yes, with no options.  This will attempt cracking your LM hashes
>(they're case-insensitive, but that's good enough if you just want to
>see how long it takes to crack your passwords).
>Then, after the above command terminates or after you interrupt it, run:
>	john --show SAM.txt
>to continue cracking, run:
>	john --restore
> > I've tried not to waste anyone's time by going through the MARC message
> > archives but still need some help.
>Thank you for reviewing the archives.  One thing you could have done
>better - also saving you time - is starting by reading the documentation
>for JtR - at least the README and EXAMPLES files - before even starting
>with the list archives:
> > It may be my ini file.
>No, the ini file should be fine.
> > The ini file I
> > got it is hard to read since the the lines are all strung out while 
> > ini file from a previous version of john I had downloaded is readable.
>That's one of the differences between official and unofficial Win32
>builds of John.  For the official builds, I spend some extra time to
>make things more Windows-ish - including conversion of text files from
>Unix to DOS-style linefeeds.  Obviously, others doing unofficial builds
>may not care to do the same.  This does not affect the operation of the
>program in any way.
>You did not have to use the unofficial build for what you intend to do.
>The official one you had downloaded previously would have worked.
> > Please respond as if writing for John for Dummies.
>Well, this response might not be it.  I thought that I need to comment
>on the mistakes you've made first.  Step-by-step instructions would have
>been both shorter and simpler.  Please let us know if you still have
>difficulties and I'll post the "for dummies" thing.
>Alexander Peslyak <solar at>
>GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 
> - bringing security into open computing 
>Was I helpful?  Please give your feedback here: 
>To unsubscribe, e-mail and reply
>to the automated confirmation request that will be sent to you.
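The thread turns on the fact that John works from PWDUMP-style text rather than the SAM file, and that the "7 left" (LM) and "5 left" (NT) counts differ because LM and NT hashes are stored and loaded differently. The following is an added example, not code from the thread or from John the Ripper: a small audit script that parses the common PWDUMP line layout (user:RID:LM_hash:NT_hash:::), which the thread itself does not spell out, and reports what a defender would want to know before any cracking runs, namely which accounts still store an LM hash at all, which passwords are at most 7 characters (their second LM half is the well-known empty-half value), and which accounts have a blank password. The sample lines are constructed; the counting of unique LM halves and NT hashes is an approximation of how a per-format "hashes loaded" figure comes about, not a reimplementation of John's loader.

```python
"""Audit a PWDUMP-format hash file for LM-related weaknesses.

Added example for the john-users thread above; not part of the thread or of
John the Ripper. Assumes the common PWDUMP line layout
    user:RID:LM_hash:NT_hash:::
The sample lines at the bottom are constructed, not real account data.
"""

from collections import namedtuple

# Public constants of the LM/NT schemes:
# LM hash of the empty string, stored when an account has no LM hash.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
# An LM hash is two independent halves (7 characters each); this is the
# value of a half that encodes no characters, i.e. the password is <= 7 chars.
LM_EMPTY_HALF = "aad3b435b51404ee"
# NT hash of the empty string (account with a blank password).
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

Account = namedtuple("Account", "user rid lm nt")


def parse_pwdump(text):
    """Parse PWDUMP lines into Account records, skipping blanks and comments."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("not a PWDUMP line: %r" % line)
        accounts.append(Account(parts[0], parts[1], parts[2].lower(), parts[3].lower()))
    return accounts


def audit(accounts):
    """Summarise LM exposure and count the distinct hashes per format.

    LM halves are counted individually (each half is attacked on its own),
    an empty half is not counted, and blank NT hashes are reported rather
    than counted, so the two totals differ just as the LM and NT formats
    show different 'left' counts in the thread.
    """
    lm_halves = set()
    nt_hashes = set()
    accounts_with_lm = []
    short_passwords = []
    blank_passwords = []
    for a in accounts:
        if a.nt == NT_EMPTY:
            blank_passwords.append(a.user)
        else:
            nt_hashes.add(a.nt)
        if a.lm != LM_EMPTY:
            accounts_with_lm.append(a.user)
            first, second = a.lm[:16], a.lm[16:]
            lm_halves.add(first)
            if second == LM_EMPTY_HALF:
                short_passwords.append(a.user)  # password is at most 7 chars
            else:
                lm_halves.add(second)
    return {
        "lm_halves": len(lm_halves),
        "nt_hashes": len(nt_hashes),
        "accounts_with_lm": accounts_with_lm,
        "passwords_le_7_chars": short_passwords,
        "blank_passwords": blank_passwords,
    }


# Constructed sample dump: hash values are made up, not real hashes.
SAMPLE_PWDUMP = """\
Administrator:500:a1b2c3d4e5f60718293a4b5c6d7e8f90:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jay:1000:a1b2c3d4e5f60718aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
backup:1002:fedcba98765432100f1e2d3c4b5a6978:ffeeddccbbaa99887766554433221100:::
"""


def audit_text(text):
    """Convenience wrapper: parse and audit a PWDUMP dump given as text."""
    return audit(parse_pwdump(text))


if __name__ == "__main__":
    for key, value in audit_text(SAMPLE_PWDUMP).items():
        print("%-22s %s" % (key, value))
```

In the constructed sample, `jay` shares a first LM half with `Administrator` (same first seven characters, a typical LM weakness) and has an empty second half, so only four distinct LM halves remain, while the four non-blank NT hashes are all distinct. Accounts listed under `accounts_with_lm` are the ones to fix on the Windows side by disabling LM hash storage and changing the password.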
