Date: Fri, 9 Jan 2015 11:18:29 -0500
From: Matt Weir <>
To: "" <>
Subject: Re: How to force John to count duplicate guesses?

Hey Rafael,

I created a github repo of checkPass2 and it is available here:

I'll be the first to admit I haven't put the time into it to make it usable
by anyone else so I apologize for that. For example I've been going into
the source code and manually changing the print statement to print what I
want vs adding a command line option to switch the output. Right now it
currently outputs the status of the cracking session, aka number of
guesses/number of passwords cracked. It does save everything though so if
there is a particular formatting you want the data is there. Also if there
is a feature you want by all means please open up an issue on the github

Side note, I also limit the output since Excel doesn't like it when I try
to graph millions of data points. So it will print out the starting status,
the ending status, but in the middle of a cracking session it will only
print out the current status after X number of passwords have been cracked,
(X grows larger the bigger the target set). Aka if I'm graphing an attack
against RockYou's 32 million passwords it'll only print out the status
after several thousand new passwords have been cracked. If you are modeling
a shorter cracking session you may want to manually change this.

As for dealing with hashed passwords, if you are still struggling getting
JtR to count all of your guesses one option might be to run your cracking
session in JtR and then use the cracked passwords as a target set in

Good luck!


On Thu, Jan 8, 2015 at 2:46 PM, magnum <> wrote:

> Hmm you seem to have found a bug for us. Without rules, we have no
> consecutive dupe suppression at all now. We have had it in the past but
> somehow it's not there now. This begs the question what *other* reasons
> make your figures lower...
> magnum
> On 2015-01-08 20:29, Rafael Veras wrote:
> > Hi magnum,
> >
> > Yes, I can build it myself. Can you point me to the file/function I need
> > to edit?
> >
> >> The exact fix depends on your exact command line (-pipe, -stdin or pure
> >> -wordlist, and whether you use rules or not).
> >
> > I don't use rules and prefer -stdin.
> >
> > Thanks,
> >
> > Rafael
> >
> > On Wed, Jan 7, 2015 at 9:15 PM, magnum <> wrote:
> >
> >> On 2015-01-07 21:51, Rafael Veras wrote:
> >>> By the end of the experiment I get the following status line:
> >>>
> >>> 1956366g *7942070363p* 0:00:21:18 1530g/s 6214Kp/s 6214Kc/s 25268GC/s
> >>> lyngemita..LynGemItA
> >>>
> >>> In bold is the number of password candidates tried. I expected to see
> >>> 8000000000 there.
> >>>
> >>> After some toy experiments, I realized John might not be counting
> >>> candidates that were already tried.
> >>>
> >>> From the status lines, I generate a graph with the performance of
> >>> guessing methods. Not counting duplicates artificially boosts the
> >>> performance of
> >>> this particular guessing method, in terms of hits/guesses.
> >>>
> >>> So is it possible to easily alter this behavior, either in john.conf or
> >>> in the source code?!
> >>
> >> Even without the --dupe-suppression option, *consecutive* dupes are
> >> suppressed and there is no option to turn that off. You can probably
> >> hack that away fairly easy - can you build John yourself? The exact fix
> >> depends on your exact command line (-pipe, -stdin or pure -wordlist, and
> >> whether you use rules or not).
> >>
> >> magnum
> >>
> >>
> >
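
The measurement discussed in this thread, as an added example (not code from the thread and not checkPass2's source): count every guess against a plaintext target set, duplicates included, and record guesses/cracked checkpoints only after `step` newly cracked passwords. The function name, its parameters, the `suppress_consecutive` switch and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

def guess_curve(guesses, targets, step=1, suppress_consecutive=False):
    """Return [(guesses_counted, passwords_cracked), ...] checkpoints.

    guesses: iterable of candidate passwords, in the order they were tried.
    targets: plaintext target passwords; repeats are separate accounts.
    step: record a mid-session checkpoint only after this many newly
          cracked passwords, to keep the number of plotted points small.
    suppress_consecutive: drop a guess equal to the one just before it,
          to show how suppression lowers the guess count.
    """
    remaining = Counter(targets)
    counted = cracked = last_reported = 0
    previous = None
    points = [(0, 0)]                      # starting status
    for guess in guesses:
        if suppress_consecutive and guess == previous:
            continue                       # dropped before it is counted
        previous = guess
        counted += 1                       # every remaining guess counts
        hits = remaining.pop(guess, 0)     # accounts using this password
        if hits:
            cracked += hits
            if cracked - last_reported >= step:
                points.append((counted, cracked))
                last_reported = cracked
    if points[-1] != (counted, cracked):   # ending status
        points.append((counted, cracked))
    return points

# Constructed sample data, not taken from any real password list.
GUESSES = ["123456", "123456", "password", "password", "letmein",
           "123456", "qwerty", "qwerty", "dragon"]
TARGETS = ["123456", "123456", "password", "dragon", "monkey"]

if __name__ == "__main__":
    for label, suppress in (("all guesses counted", False),
                            ("consecutive dupes dropped", True)):
        curve = guess_curve(GUESSES, TARGETS, suppress_consecutive=suppress)
        total, cracked = curve[-1]
        print(f"{label}: {curve} -> {cracked}/{total} hits per guess")
```

With the same guess stream and the same four cracked passwords, dropping consecutive duplicates reports 6 guesses instead of 9, which is the inflation in hits/guesses described above.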
