Date: Thu, 20 Dec 2012 09:08:09 +0100
From: magnum <>
Subject: Re: Creating Graphs from john.log

On 20 Dec, 2012, at 5:34 , Matt Weir <> wrote:
> 1) I'd really like to output the number of guesses that have been generated
> when a password is cracked. Right now it outputs the time instead.
> While you can get a rough idea of the number of guesses based on the
> time, it creates a lot of difficulties when sharing/comparing data
> with other people. Aka if I have a crazy fast computer and someone
> else has an old 486, they might have a better ruleset but when I
> compare it to my dumbforce run I wouldn't know it. Number of guesses
> made is a platform agnostic measurement.

I really appreciate your work so I'd be happy to help. As you know there are two notions: either "candidates tried", or "candidate/hash combinations tried", and JtR keeps track of the latter for the c/s figure. Solar has indicated he will eventually make the former visible too, but currently it is not.

Hopefully you also know that you can show that figure, not in log but in output, by setting CrackStatus = Y and StatusShowCandidates = Y. Example:

$ ../run/john ../test/ --max-run-time=30 --format=raw-md5 --incremental:all8
Loaded 1500 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])
start123         (u53-RawMD5)
guesses: 1/41866110000  time: 0:00:00:01 0.00%  c/s: 41866M  trying: start127 - start105
password         (u9-RawMD5)
guesses: 2/121446928728  time: 0:00:00:04 0.00%  c/s: 30361M  trying: passwoom - passwoll
trustno1         (u33-RawMD5)
guesses: 3/297817949400  time: 0:00:00:11 0.00%  c/s: 27074M  trying: trustnol - trustnig
guesses: 3/791303813772  time: 0:00:00:30 0.00%  c/s: 26376M  trying: 190413d1 - 190418.c
Use the "--show" option to display all of the cracked passwords reliably
Session stopped (max run-time reached)

This tells us that "start123" was 41866110000/1500 = the 27910740th candidate tried (actually, due to "12x", it's between 27910729 and 27910740, inclusive). Let's verify it:

$ ../run/john --incremental:all8 -stdout | grep -nFm1 start123
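The division above converts one status line into a candidate index. The following script, added here as an example and not part of magnum's message or of John the Ripper's own code, applies the same idea to every "guesses:" line of the transcript, including the later ones where the counter is no longer a multiple of 1500. It assumes (consistent with the figures shown, but not stated in the message) that a cracked hash leaves the working set at once, so the combos added between two status lines are divided by the number of hashes still uncracked, and it reports the 12x window for each line.

```python
import re

# Status output constructed from the transcript in this message (raw-md5, 1500 hashes, 12x).
SAMPLE = """\
Loaded 1500 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])
start123         (u53-RawMD5)
guesses: 1/41866110000  time: 0:00:00:01 0.00%  c/s: 41866M  trying: start127 - start105
password         (u9-RawMD5)
guesses: 2/121446928728  time: 0:00:00:04 0.00%  c/s: 30361M  trying: passwoom - passwoll
trustno1         (u33-RawMD5)
guesses: 3/297817949400  time: 0:00:00:11 0.00%  c/s: 27074M  trying: trustnol - trustnig
guesses: 3/791303813772  time: 0:00:00:30 0.00%  c/s: 26376M  trying: 190413d1 - 190418.c
"""

LOADED_RE = re.compile(r"^Loaded (\d+) password hashes(?:.*?\b(\d+)x\])?")
STATUS_RE = re.compile(r"^guesses: (\d+)/(\d+)\s")


def candidates_from_status(text):
    """Return [(cracked, combos, cand_lo, cand_hi)] for each status line.

    combos is the candidate/hash-combination counter JtR prints. The
    candidate count is recovered by dividing the combos added since the
    previous status line by the hashes that were still uncracked then.
    Assumption (consistent with the transcript, not stated in the mail):
    a cracked hash is dropped from the working set immediately, so the
    divisor shrinks by one per crack. cand_lo..cand_hi is the vector
    width window ("12x" here) that makes the exact position uncertain.
    """
    total, width = None, 1
    cracked_prev, combos_prev, cands = 0, 0, 0
    rows = []
    for line in text.splitlines():
        m = LOADED_RE.match(line)
        if m:
            total, width = int(m.group(1)), int(m.group(2) or 1)
            continue
        m = STATUS_RE.match(line)
        if not m or total is None:
            continue
        cracked, combos = int(m.group(1)), int(m.group(2))
        remaining = total - cracked_prev       # hashes live during this interval
        delta = combos - combos_prev
        if delta % remaining:                  # the counter must be a multiple of live hashes
            raise ValueError(f"{combos}: not a multiple of {remaining} live hashes")
        cands += delta // remaining
        rows.append((cracked, combos, cands - (width - 1), cands))
        cracked_prev, combos_prev = cracked, combos
    return rows


if __name__ == "__main__":
    for cracked, combos, lo, hi in candidates_from_status(SAMPLE):
        print(f"{cracked} cracked after combos={combos}: candidate {lo}..{hi}")
```

The first row reproduces the 27910729..27910740 window from the text; the later rows show that "password" fell at candidate 81000012 and "trustno1" at 198737676 once the shrinking divisor is accounted for.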

If this figure (the 41866110000) is usable, I could easily make it appear in the log file too. I suppose you'd like it on the same line as "+ Cracked ...", right?

I could also add a command-line option for enabling 'StatusShowCandidates' without editing john.conf (CrackStatus already has one: --show-crack-status) if you like.

> 2) I need to be able to count duplicate passwords. This is a bit of a
> contentious point, but when modeling a password cracking session I
> strongly believe we need to be able to represent that some passwords
> are much more common than others. An attacker should be rewarded for
> guessing '123456' first and I want to be able to model that. Right now
> JtR, (rightfully so), removes duplicate hashes for performance
> reasons. It would be nice to be able to modify a flag in john.conf so
> that duplicate guesses were not removed.

I think I could add another option that just turns off the dupe hash suppression in loader, with no regression problems. I'm not sure but I think the rest would just work as-is. I can give it a shot.

