Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 10 Nov 2012 23:39:16 +0400
From: Solar Designer <>
Subject: Re: Trying to understand output of john -status

On Fri, Nov 09, 2012 at 07:16:59PM +0000, Tom wrote:
> When I type the following command while john is running I get the following.
> # john -status=john
>  guesses: 0 time: 8:20:31:52 0%00% (3) c/s: 4068
> I don't know how to interpret this but it looks like nothing is happening.

It's just the status of that session.  The session may be currently
running or not (this is not seen from the status file - you only see
where it got to when the file was last updated).

4068 c/s is rather low, but it may be OK for some hash/cipher types -
depending on what you're cracking, on what hardware, with what John
version, build, and settings.

> However, 
> When I press the space bar on the terminal window it does give me the current 
> PW it's tryng. 

That's as intended.  Yes, --status does not print this info (since it's
not included in the disk file), but a keypress does.

> If I cat the john.pot file it shows me some passwords. 

Presumably, those were cracked by other sessions before you ran this
one, since the session named "john" thinks it hasn't cracked anything yet.

> However when I type the following I get the following, 
> john --show john
> 4 password hashes cracked, 0 left

That's a weird command - or rather, it's a weird filename you chose to
use here.  First you called the session "john" - that's already pretty
confusing since that's also the name of the John program.  Now you're
asking John to print cracked passwords for some file named "john".
What's in that file?  I suggest that you avoid confusing/conflicting
names like that.

> The john program continues to work, as I mentioned when I press the space bar 
> it shows me the current try. 
> I also know that that the shadow file has more passwords. I can see names in 
> the list with encrypted pw's in it.

Have you used the "unshadow" program or are you running John on the
shadow file directly?  The latter works, but is suboptimal.  With
"unshadow", you might get more passwords cracked early on due to it
letting John use info such as people's names and home directory names.

> I have been running this for about 2 months.

Yet the above session, confusingly named "john", was started from
scratch less than 9 days ago.  Maybe you wanted to restore a previously
interrupted session rather than restart it from scratch?  If so, you
should have used --restore.

Also, chances are that the c/s rate can be improved a lot.  You need to
mention your hash type (please include the "Loaded ..." line from John
verbatim), John version and make target used, and hardware details -
then we might be able to suggest how to speed things up.

> Should I leave it running ? And allow it to keep trying the rest of the 
> passwords.

What are you doing this for?  We need to know your goals before we can
advise you on this.


P.S. Please consider posting to john-users via e-mail rather than via Gmane.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.