Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 13 Feb 2010 08:49:45 +0300
From: Solar Designer <>
Subject: Re: Multiple guesses for cracked hashes and no working password

On Fri, Feb 12, 2010 at 02:19:58PM -0800, Anton wrote:
> The hashes look like this:
> dar:1721:FBF279AE7CE2A2C197B57AF6F22B:A6D16E79FADB4A41E6DCBF387BEFC998:::
> dar_history_0:172:879D21AEE0D96D88A3CF696C1:81297B5EDEA2A476F9CC9648D11E4360:::

These look like hashes of the current and some old passwords of the
user.  Each line contains an LM and an NTLM hash.  As Minga has
correctly pointed out, the LM hashes on your post somehow lack some of
the characters, yet the rest of your post suggests that the file on your
computer actually has all of the characters intact, so I'll assume that
you made some sort of copy and paste error when posting the hashes to
the list.

> When john was done with these, i got multiple password guesses, all appeared
> in upper case (by design?):

You have already figured this out, but for those reading the list
archives here are references to the rest of this thread and to the
relevant old posting:

> C:\downloads\tmp\john1701\run>john-mmx emg1.txt
> Loaded 20 password hashes with no different salts (NT LM DES [64/64 BS MMX])
> 3                (dar:2)
> RAZVOD2          (dar:1)
> guesses: 20  time: 0:02:20:57 (3)  c/s: 18674K  trying: RAZVO9W - RAZVOK3

You got all of the LM hash halves cracked.  Apparently, the user had
been changing the password many times, which is why there are so many
different guesses.  To get the halves combined as appropriate and to
ensure you get complete results, you should use "john --show".

> Now, if i used only the first hash
> (dar:1721:FBF279AE7CE2A2C197B57AF6F22B:A6D16E79FADB4A41E6DCBF387BEFC998:::)
> , not the history one, i got this:
> \john1701\run>john-mmx.exe 1.txt
> Loaded 1 password hash (NT LM DES [64/64 BS MMX])
> IAMAWES          (dar:1)
> guesses: 1  time: 0:00:19:08 (3)  c/s: 10216K  trying: IAMAWT! - IAMAWHY

Apparently, you ran the above command with _some_ of the hashes already
cracked and stored in your john.pot file.  Specifically, the second half
of the LM hash in 1.txt was already cracked, which is why it was not
loaded/cracked/reported again.  This demonstrates nicely that you ought
to be using "john --show".  The passwords printed while JtR is running
are not its complete/final output; they're mostly to give you an idea of
the current status of your JtR run while it is still in progress.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.