Date: Sat, 13 Feb 2010 08:49:45 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: Multiple guesses for cracked hashes and no working password On Fri, Feb 12, 2010 at 02:19:58PM -0800, Anton wrote: > The hashes look like this: > dar:1721:FBF279AE7CE2A2C197B57AF6F22B:A6D16E79FADB4A41E6DCBF387BEFC998::: > dar_history_0:172:879D21AEE0D96D88A3CF696C1:81297B5EDEA2A476F9CC9648D11E4360::: [...] These look like hashes of the current and some old passwords of the user. Each line contains an LM and an NTLM hash. As Minga has correctly pointed out, the LM hashes on your post somehow lack some of the characters, yet the rest of your post suggests that the file on your computer actually has all of the characters intact, so I'll assume that you made some sort of copy and paste error when posting the hashes to the list. > When john was done with these, i got multiple password guesses, all appeared > in upper case (by design?): You have already figured this out, but for those reading the list archives here are references to the rest of this thread and to the relevant old posting: http://www.openwall.com/lists/john-users/2010/02/12/4 http://www.openwall.com/lists/john-users/2006/07/08/2 > C:\downloads\tmp\john1701\run>john-mmx emg1.txt > Loaded 20 password hashes with no different salts (NT LM DES [64/64 BS MMX]) > 3 (dar:2) [...] > RAZVOD2 (dar:1) > guesses: 20 time: 0:02:20:57 (3) c/s: 18674K trying: RAZVO9W - RAZVOK3 You got all of the LM hash halves cracked. Apparently, the user had been changing the password many times, which is why there are so many different guesses. To get the halves combined as appropriate and to ensure you get complete results, you should use "john --show". > Now, if i used only the first hash > (dar:1721:FBF279AE7CE2A2C197B57AF6F22B:A6D16E79FADB4A41E6DCBF387BEFC998:::) > , not the history one, i got this: > > \john1701\run>john-mmx.exe 1.txt > Loaded 1 password hash (NT LM DES [64/64 BS MMX]) > IAMAWES (dar:1) > guesses: 1 time: 0:00:19:08 (3) c/s: 10216K trying: IAMAWT! - IAMAWHY Apparently, you ran the above command with _some_ of the hashes already cracked and stored in your john.pot file. Specifically, the second half of the LM hash in 1.txt was already cracked, which is why it was not loaded/cracked/reported again. This demonstrates nicely that you ought to be using "john --show". The passwords printed while JtR is running are not its complete/final output; they're mostly to give you an idea of the current status of your JtR run while it is still in progress. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.