Date: Fri, 30 Dec 2011 12:48:18 +0530
From: Ramprasad Prasad <ramprasad.ap@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: john 1.7.9 Not able to use md5 on linux

On 29 December 2011 23:14, Solar Designer <solar@...nwall.com> wrote:

> On Thu, Dec 29, 2011 at 09:54:39PM +0530, Ramprasad Prasad wrote:
> > I am trying to use md5_hex passwords
> >
> >
> > I create a simple file
> > $ perl -MDigest::MD5 -le 'print "user:".Digest::MD5::md5_hex($ARGV[0])' password > /tmp/pass
> >
> > So now the file contains hex passwords
> > $ cat /tmp/pass
> > user:5f4dcc3b5aa765d61d8327deb882cf99
> >
> >
> > $ ./john --format=md5  /tmp/pass
> > No password hashes loaded (see FAQ)
>
> You need a -jumbo version of John for raw MD5 hashes.  Here's how your
> sample hash gets cracked:
>
> $ ./john --format=raw-md5 pw
> Loaded 1 password hash (Raw MD5 [SSE2i 10x4x3])
> password         (user)
> guesses: 1  time: 0:00:00:00 DONE (Thu Dec 29 21:21:34 2011)  c/s: 6333
>  trying: 123456 - boomer
> Use the "--show" option to display all of the cracked passwords reliably
> $ ./john --format=raw-md5 --show pw
> user:password
>
> 1 password hash cracked, 0 left
>
> The --format=raw-md5 option is needed because the hash representation is
> ambiguous: a 32 hex char string could correspond to a number of other
> supported hash types as well.  Here's what John says about this when I
> omit the option:
>
> $ ./john pw
> Warning: detected hash type "lm", but the string is also recognized as
> "lotus5"
> Use the "--format=lotus5" option to force loading these as that type
> instead
> Warning: detected hash type "lm", but the string is also recognized as
> "mscash"
> Use the "--format=mscash" option to force loading these as that type
> instead
> Warning: detected hash type "lm", but the string is also recognized as
> "mscash2"
> Use the "--format=mscash2" option to force loading these as that type
> instead
> Warning: detected hash type "lm", but the string is also recognized as
> "raw-md4"
> Use the "--format=raw-md4" option to force loading these as that type
> instead
> Warning: detected hash type "lm", but the string is also recognized as
> "raw-md5thick"
> Use the "--format=raw-md5thick" option to force loading these as that type
> instead
> Warning: detected hash type "lm", but the string is also recognized as
> "raw-md5"
> Use the "--format=raw-md5" option to force loading these as that type
> instead
> Warning: detected hash type "lm", but the string is also recognized as
> "raw-md5u"
> Use the "--format=raw-md5u" option to force loading these as that type
> instead
> Loaded 2 password hashes with no different salts (LM DES [128/128 BS
> SSE2-16])
> guesses: 0  time: 0:00:00:04 0.00% (3)  c/s: 35904K  trying: GCWA10 -
> GCWAS5
> Session aborted
>
> As you can see, it misdetects the hash as LM and offers a number of
> alternatives for you to use.
>
> --format=md5 is wrong: it refers to MD5-based crypt(3), not to raw MD5.
> Also, since MD5-based crypt(3) hash encodings are not ambiguous, the
> only use for the --format=md5 option is when you have more than one hash
> type in the same file and you need to choose this one.  That is, when
> John loads hashes other than those you intended, rather than when it
> does not load anything at all.  So this does not apply to your case.
>
> Alexander
>
> P.S. BTW, /tmp is not supposed to be accessed by a user directly.  Doing
> so exposes the user account for attack on a multi-user system or via a
> possibly compromised service.  I understand that on your own personal
> computer or especially in a VM you might not care, but then why bother
> to type the extra characters and make a bad habit that might actually
> hurt you if repeated on a multi-user server?
>


Thanks. --raw-md5 did it (I wonder why that does not come with the main
release of john).
I use /tmp because I do not want to clutter my working directory, but you
are right that it may become a habit. I may use it in code etc., which may
leave a vulnerability.

I will replace /tmp/ with ~/tmp/ in my examples now.
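
Added example, not part of the original thread or of John the Ripper: a shell sketch of the two points discussed above, building the test hash file in a private per-user directory rather than a fixed /tmp path, and telling a self-describing MD5-based crypt(3) hash from a bare 32 hex char string that needs an explicit --format. The function names and the ~/tmp default are assumptions; `md5sum` and `mktemp` are assumed to be available.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# Create a scratch directory with an unpredictable name and mode 0700
# below a per-user base (default ~/tmp) instead of a fixed /tmp path.
private_workdir() {
    base="${1:-$HOME/tmp}"
    ( umask 077 && mkdir -p "$base" ) || return 1
    mktemp -d "$base/john.XXXXXX"
}

# Write "user:<hex MD5 of password>" to <dir>/pass, readable by owner only.
write_raw_md5() {
    user="$1"; password="$2"; dir="$3"
    hash=$(printf '%s' "$password" | md5sum | cut -d' ' -f1) || return 1
    ( umask 077 && printf '%s:%s\n' "$user" "$hash" > "$dir/pass" )
}

# Classify the hash field of a "user:hash" line by its encoding alone.
classify_hash() {
    field="${1#*:}"
    case "$field" in
        '$1$'*)
            # MD5-based crypt(3): the prefix identifies the type.
            echo "md5crypt" ;;
        *)
            if printf '%s' "$field" | grep -Eq '^[0-9A-Fa-f]{32}$'; then
                # Could be raw MD5, raw MD4, LM, ...: the type must be
                # stated, e.g. --format=raw-md5 for a raw MD5 hash.
                echo "ambiguous-32hex"
            else
                echo "unknown"
            fi ;;
    esac
}
```
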
