Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 27 Sep 2014 11:15:06 -0700
From: Dan Tentler <>
Subject: Re: john --show

hurm, that may be it.
These are all NT hashes, taken from a domain controller, they should all
be uniform.

Yep, that was the case..

[root@...alhost run]# ./john --show pwdump --format=nt2
343 password hashes cracked, 19243 left

[root@...alhost run]# ./john --show pwdump
104 password hashes cracked, 20216 left

I don't suppose a feature request for "just show me everything" would be
out of order? :D

On 9/26/14 5:38 PM, magnum wrote:
> That RPM/version should not have any such bug. The only reason I can
> think of is your input file has a mix of formats.
> Example:
> user1:md5hash
> user2:md5hash
> user3:sha1hash
> user4:sha1hash
> To crack all of them, you need to run raw-md5 and raw-sha1 separately.
> But this also goes for -show. To see all cracks you'd need to run
> "./john -show -format:raw-md5" and then "./john -show -format:raw-sha1".
> The same is also true for pwdump-style input files. They (often)
> contain both LM and NT hashes (on each line!), so to see both you need
> to run -show with each of those formats given as --format option.
> If this is not it, I think you need to give more detail.
> magnum
> On 2014-09-27 00:45, Dan Tentler wrote:
>> [root@...alhost run]# ./john
>> John the Ripper password cracker, ver: 1.7.9-jumbo-5 [linux-x86-64]
>> Copyright (c) 1996-2011 by Solar Designer and others
>> I downloaded the RPM directly from the site. Not my 'regular box', this
>> one is some client VM they gave me - rhel 6.5.
>> -Dan
>> On 9/25/14 2:33 AM, magnum wrote:
>>> On 2014-09-25 06:54, Dan Tentler wrote:
>>>> So I noticed that doing john --show doesn't show everything - it seems
>>>> to only show 'cracked' passwords, not passwords that were something
>>>> like
>>>> 'the username is the password'.
>>>> In this example there are a bunch of passwords that are super simple,
>>>> and they don't appear to all show up - ~100 or so of them are
>>>> 'mailbox'
>>>> - meaning 100 accounts with the password mailbox, but when I do john
>>>> --show only one example of it appears in the output..
>>>> To get a full list (to feed to a tool like pipal or something) I'd
>>>> have
>>>> to do a bunch of hack and slash command line stuff to map the john.pot
>>>> file to the pwdump file so i can get a user:pass mapping for every
>>>> entry.
>>>> Is this the new functionality, or have I have I found a bug?
>>> That would be a bug! What format is this? What version of John are you
>>> using?
>>> magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.