Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 Nov 2010 02:39:34 +0300
From: Solar Designer <>
Subject: Re: which john & options to use for Mac OS X 10.4+ salted SHA-1 using OSX 10.6?


On Thu, Nov 04, 2010 at 03:24:12PM -0700, William wrote:
> I'm trying to crack a old .iso of mine which I've forgotten 
> the pw for (really).  I dumped the file and its a Mac OS X 10.4+ salted 
> SHA-1 

This sounds weird to me.  How is that .iso password protected?  How did
you dump the file?  Are you sure you're cracking a password relevant to
the .iso, rather than some other password hash you have in the system?

> I've been running the john command against it for 7 days now.  What would be
>  the best way to crack this sucker?

It depends.  Please start by answering my questions above, if you don't
mind.  Also, please mention any info you can recall about your password -
its length (or a lengths range), character set, whether it was based on
dictionary word(s) or not, anything else of that kind.

> Should I use  the patched 1.7.6 jumbo 7 macosx universal 3?

You may use it, but it should not make a difference for your use,
compared to JtR Pro that you're already using.

> I bought the pro 1.7.3, is there a new one out?

Not yet.

> When i loaded it onto the MacMini, I had to dl Rosetta...

That's weird.  What made you arrive at the conclusion that you needed
Rosetta?  Did you receive some kind of error message?  I'd appreciate a
problem report against JtR Pro for that.

JtR Pro uses a Universal binary that should run on Intel Macs just fine
(as well as on PowerPC ones), without Rosetta.

> I've tried to get the 1.7.6 jumbo 7 running, but it's not working.  Keep getting
> "-bash: john: command not found"

This is addressed in the FAQ: you should be typing "./john" instead of
just "john".  JtR Pro avoids this problem by adding the correct
directory to the default search path, specifically for those who are new
to the Unix shell.

> different syntax on 1.7.6?

No, it's free & generic (requires skills) vs. Pro & OS-specific (easier
to use if you're new to this stuff).  (Yes, "Pro" is sort of misnamed...
but it has to be that way.)

> What's the best to use: --rules  or --single or what?

Initially, no options at all.  Just give "john" the file to crack.
Apparently, that's what you're doing already, and it did not crack the
password in 7 days.  If so, you may want to try customizing/focusing the
attack, for which you need to consider the information you can recall
about the password.  There's no general answer that a single option
would be better in all cases (if this were the case, that setting would
have been the default).

Also, please note that not all passwords are meant to be crackable (in a
reasonable amount of time).  This is why it makes sense for a system
administrator to detect and eliminate just the weak passwords (the
crackable ones).  If your lost password was a strong one and you don't
recall any sufficiently specific information about it, then it is quite
possible that it won't get cracked.

Once again, please start by confirming that you're in fact cracking what
you think you are.  It is quite possible that you are not.  It is the
first time I hear of an .iso file somehow being related to a Mac OS X
salted SHA-1 hash.

Best regards,


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.