Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 Feb 2018 21:48:36 +0100
From: Solar Designer <>
Subject: Re: dmg file with lost password

Hi Ian,

Thank you for bringing this to the list.

On Mon, Feb 26, 2018 at 09:21:14AM -0500, Ian Boyd wrote:
> 1. I have been using Terminal, Xcode, and Bbedit and been trying to follow the posted instructions on Openwall, the JtR community, and from here

These instructions are about building JtR from source, and they're out
of date.

> but the john- doesn't have the src file as it does in the instructions.

This is a binary (already built) download contributed by a user (so you
don't need to build it, hence the lack of src in there).  This build
should be readily usable, without needing Xcode.

> Then I found Johnny!!! (super awesome and makes it easier for someone like myself) So WHO EVER made Johnny??? THANK YOU! AWESOME JOB!

Aleksey, Shinnok, and Mathieu made it.  They'd be happy to hear you
found it useful, and we should probably merge Johnny into the main jumbo
tree so that more people find it and so that we keep it consistent with
the rest of jumbo.

> 2. Using Johnny, and trying to figure out how to crack one password for my .dmg file. This program makes it easier to work with, but are there any helpful tips on who to use to crack one file?
> 	When I think I scan the file properly i get a "Warning: invalid UTF-8 seen reading??? and the computer stalls at 57% 

It's hard to help you with this without knowing exactly how you used
Johnny and what else it outputs besides that warning and the 57%.

As Claudio correctly pointed out, you should have started by using
dmg2john.  You can probably do this from Johnny itself, using the dialog
shown on this screenshot:

I guess you need to choose dmg in the "Choose file format" drop-down.

Please confirm that you did this (or if not, do it) and please also show
us the full output from JtR (copy-paste from a Johnny window).

In our off-list discussion, I wrote that "In our experience with
forgotten passwords to .dmg files, failure is more likely than success"
and you asked "Why are dmg files usually unsuccessful to crack?"  I'll
answer here: Apple has made the "key derivation" step (deriving an
internal encryption key from a user-entered password/passphrase)
purposefully computationally expensive (slow).  This is an industry
standard thing to do, and Apple did it right (although in more recent
years even more expensive key derivation methods have been designed).
Without specialized hardware (ASICs, which some three-letter agencies
probably have, but we don't), JtR is only able to test a few thousand to
maybe 10 thousand candidate passwords per second per GPU, against a dmg
file generated/protected on a recent version of OS X.  (For ancient
versions, speeds may be 100 times higher.)  This means that a user might
realistically test, say, a billion of candidate passwords before giving
up (this might be a day on the latest high-end GPU, or a few months on a
laptop/desktop CPU - but exact times may vary greatly).  And that's just
not enough to crack a semi-strong password/passphrase unless quite some
information about what it can vs. cannot be like is known (can be
recalled and input to the program).  Of course, the weakest passwords
(such as those within the top few million of common passwords) can be
cracked anyway, but when people ask for help it's unusual for their
forgotten password/phrase to be a common one (although this happens).

I hope this helps.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.