Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Mar 2011 01:45:41 +0300
From: Solar Designer <>
Subject: Re: Password file hash type analysis in JtR


I probably misunderstood your original request on this.  I had two
related and relevant enhancements planned:

1. Continue to detect other hash types when loading password hash files
for cracking (even after successful initial autodetection of a certain
"sticky" hash type).  That way, the user won't inadvertently miss hashes
of those other types.

2. "--show" output enhancements, including output in formats other than
same-as-input (/etc/passwd or pwdump-like).  This could include CSV.

So far, I implemented #1 (will be in 1.7.7), but not #2.  I didn't feel
that #2 had much to do with "hash type analysis", hence it did not occur
to me that this was what you might have been referring to.  I am still
planning to implement #2 (in a post-1.7.7 version).

On Sun, Feb 27, 2011 at 10:51:32PM -0500, Robert Harris wrote:
> Why not output in more than two columns?   I don't see the need to combine
> different information in one column.

Actually, "john --show" already uses many columns - usually as many
colon-delimited columns as the input file has.  However, it only
replaces the contents of one of the columns (hashes to cracked
passwords).  Yes, it could make sense to use different output formats,
including more than one John-generated column.

> Something like this is a good start?
> Username       Password     Hashtype

Right now, "john --show" is not always aware of the hash type.  It will
report literal matches (between the password hash files and john.pot)
even when the hash type is not detected (maybe not supported) by the
copy of JtR that you use for reporting.  Yes, it could output the hash
type when known... although there are also cases when the hash type is
not known reliably (the string in john.pot would be valid for more than
one hash type).  Perhaps such ambiguities should be reduced by
consistently marking detected hashes in split() with hash type tags
going forward, like we've been doing in many cases already.  The hashes
in john.pot would always be non-ambiguous then.

> Since we're on the subject of formatting the output, I'd like to purpose a
> potential new variable and output format to be used with the "--show".
> Please discuss here and consider implementing.
> But first some background.
> When I do a password audit, I'm usually doing it for many servers.  I
> usually name the password file the same name of the server.  If it is a unix
> server I combine the <server-name>.shadow and <server-name>.password file
> with unshadow, then the resulting file is called <server-name>.  I usually
> run john with the * to do all this files in the directory, but this gets
> tricky when it is time for the results.   I have to run john --show with
> each file name.  I do this with a perl script.   Since I frequently find a
> good amount of passwords, this perl script also outputs the show rules in
> comma delimited format.  I also make sure I include the file name (which
> happens to be the server name), in the comma delimited output (which is to
> one file).  That way, I can easily sort my results any way I like, in a
> spreadsheet program.
> So, I would love to see John be able to natively output in comma delimited
> format (like with --show-comma-delimited).

I think it will be "--show=csv".

> Also it would be nice for it to
> accept a user variable that it would tack on the end of comma delimited
> line.  (This user variable could be used as the name of the server.)  Or
> maybe it could automatically tack on the name of the file to the end of the
> line.

I'd prefer it to use the filename.

> So, it could look something like this:
> John --show-comma-delim  Server-A  --uservariable=Server-A 
> "UserId","Name on Account","Password","Hashtype","Uservariable"
> "rharris","Robert B. Harris","changeme1","sha-1","Server-A"
> So, having this output would drastically reduce the need for us to have a
> script to support getting the output into a sortable format. 

Understood and agreed.

> We would still need to have a script to go through each file's results with
> show, unless that changes too.   Perhaps it should!?  Since starting the
> audit can take a wildcard input to start the audit on all files in the
> directory (like john *), why can the show output do the same.

"john --show" is already usable on multiple files at once; it's just
that without a filename field in its output you get a mix of results for
your different files.



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.