Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Jul 2012 21:21:13 +0400
From: Solar Designer <>
Subject: Re: john with Apple Keychains (/Users/Alex/Library/Keychains/login.keychain)

Alex, Dhiru, Aleksey -

Alex - thank you for bringing this in here!  Dhiru had previously
provided the correct answer to you (and he just did it again), so I am
surprised you chose to start from the same old issue, but that's fine.

On Thu, Jul 19, 2012 at 10:16:40PM +0530, Dhiru Kholia wrote:
> > On Thu, Jul 19, 2012 at 06:24:23PM +0200, Alex Kornilov wrote:
> >> $ john --wordlist=/Users/Alex/Downloads/wordlist_john/Wordlists-20031009/all.lst
> >> login.keychain.bak
> >>
> >> Loaded 1 password hash (Tripcode DES [48/64 4K])
> Is this a bug? login.keychain.bak shouldn't have been detected as Tripcode DES.

This is not necessarily a bug.  login.keychain.bak might contain a
substring that looks just like a tripcode does.  trip_fmt.c's valid() is
rather strict.

> Which Operating System are you using? You might be able to use
> pre-compiled JtR versions depending on your OS.

Also, which John version and make target?

> For cracking OS X Keychains (which you seem to be doing) you need
> jumbo version of john. You can get it from
> After doing "git clone",
> build john, run keychain2john program on login.keychain.bak file and
> then run john on the output of keychain2john.

Right.  The 1.7.9-jumbo-6 release should also work.  Older versions did
not have keychain support.

> Another option is to obtain OS X hashes (using program,
> included with john-jumbo) and crack those to figure out the login
> password. This option will be way faster than trying to crack the
> Keychain.
> (Compile keychain2john using command "gcc keychain2john.c")

Dhiru - why don't you integrate this into the Makefile?

Alex - better use "gcc keychain2john.c -o keychain2john", so that the
resulting program is named keychain2john.

> > I guess you need to specify hash type. Try to add --type=keychain to
> > your cmdline.

Aleksey - you obviously meant --format rather than --type, but even then
this can't be right because the keychain files are binary (whereas John's
builtin loader reads text files only) and because the --format option is
very rarely the right solution.  Specifically, recent versions of John
will suggest other formats (even listing the specific option to use) in
case an input file is ambiguous and could be recognized as more than one
format.  Since this was not the case here (no such suggestions were
printed), --format would not help.

(Many or even most uses of --format that you see in postings on this
list are actually misuses, which are at best unneeded.  For example, we
saw this recently with dynamic_7 being specified in both the input file
and in --format, whereas the former would have been enough.)

> First run keychain2john on your keychain file and then run john on the
> output of keychain2john.

Dhiru is right indeed (he wrote this). :-)


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.