Date: Sat, 26 Jan 2008 08:32:34 +0300
From: Solar Designer <>
Subject: Re: What type of passwords does john crack?

Responding to three of Steve's postings at once:

On Fri, Jan 25, 2008 at 04:45:07PM -0500, Steve ...... wrote:
> > > now I have to run john from /etc/john or I get an
> > > fopen: john.ini: No such file or directory error. =/
> actually it appears to be a common problem on google. I reinstalled
> everything including the latest jumbo patch and this problem still exists..
> not a biggie though for me anyways, just letting you know this problem
> exists.

The error message is common, but its causes differ.  The problem exists
for you because you've done something wrong - such as trying to "install"
JtR.  Normally, JtR should not be "installed" - you simply run it from
the "run" directory, where both the "john" binary executable and the
configuration file reside.  However, if you really want to install it
for some weird reason, you must build it with system-wide installation
support enabled - this is a setting in params.h - and then install to
the right directories (not just to anywhere).  Normally, this is only
done by packagers (that is, for distribution of a pre-built package), so
I do not recommend it for you.

On Fri, Jan 25, 2008 at 05:39:52PM -0500, Steve ...... wrote:
> anyways using DES or raw-MD5 apparently there are no weak
> passwords cause none of them were cracked, YET.

One of the hashes you posted in your first message in this thread is in
fact easily crackable (within seconds) with "--format=des".

As to "raw-MD5", as you have shown (with the code) these hashes are not
raw MD5.  The encoding syntax is the same, which is why JtR agrees to
load them as if they were raw MD5.

On Fri, Jan 25, 2008 at 09:04:54PM -0500, Steve ...... wrote:
> HMAC.. shoot. I just started creating a rainbow table that's gonna take
> 2.2 days. Now that I know it's not a plain MD5 I don't think rainbow
> tables will work with it do you?..

Rainbow tables in general may work with HMACs, but you'd need an
appropriate implementation and you'd have to generate separate tables
for each HMAC key.  The rainbow tables that you're generating are
probably not for HMAC-MD5 at all, so they won't work.

Also, if you only need to crack this specific set of hashes once,
generating your own rainbow tables is a waste of time.  You'll spend at
least the same amount of CPU time on generating the tables as you
would on cracking the hashes directly.  Then you'll also be spending
more time on cracking the hashes with the rainbow tables, one hash at a
time (as opposed to all hashes at once, which JtR does for saltless
hashes such as raw MD5, or which it could do for HMACs with a fixed key
if someone implements the support).

Alexander Peslyak <solar at>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15 - bringing security into open computing environments
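
Added example, not part of the original message: a Python sketch of why a table precomputed for raw MD5, or for a different HMAC key, misses HMAC-MD5 hashes even though the encoding looks identical, and how a direct pass with a fixed key checks all stored hashes at once. The keys, candidate list and stored hashes are constructed for illustration, and a plain dictionary stands in for a real rainbow table.

```python
import hashlib
import hmac

# Constructed sample data (hypothetical): audit wordlist and two HMAC keys.
CANDIDATES = ["letmein", "password", "sunshine", "qwerty"]
KEY_A = b"site-key-A"
KEY_B = b"site-key-B"


def raw_md5(pw):
    """Unkeyed MD5, hex-encoded (32 hex digits)."""
    return hashlib.md5(pw.encode()).hexdigest()


def hmac_md5(key, pw):
    """HMAC-MD5 under a fixed key; same 32-hex-digit encoding as raw MD5."""
    return hmac.new(key, pw.encode(), hashlib.md5).hexdigest()


def build_table(hash_fn):
    """Precompute digest -> password. A dict stands in for a rainbow table."""
    return {hash_fn(pw): pw for pw in CANDIDATES}


def lookup_all(table, digests):
    """Look each stored digest up in a precomputed table (None = miss)."""
    return [table.get(d) for d in digests]


def audit_direct(key, digests):
    """Hash each candidate once and test it against every stored digest."""
    targets = set(digests)
    found = {}
    for pw in CANDIDATES:
        d = hmac_md5(key, pw)
        if d in targets:
            found[d] = pw
    return found


# Constructed "stored" hashes: HMAC-MD5 under KEY_A.
STORED = [hmac_md5(KEY_A, "sunshine"), hmac_md5(KEY_A, "qwerty")]

if __name__ == "__main__":
    print("raw-MD5 table:", lookup_all(build_table(raw_md5), STORED))
    print("KEY_B table:  ", lookup_all(build_table(lambda p: hmac_md5(KEY_B, p)), STORED))
    print("KEY_A table:  ", lookup_all(build_table(lambda p: hmac_md5(KEY_A, p)), STORED))
    print("direct pass:  ", audit_direct(KEY_A, STORED))
```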
