Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 5 May 2020 12:36:51 +0200
From: MA40 <ardeinternet@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Session Archive. Where?

Hi.

I found it!

Yes, I use Johnny, and indeed, it change the names and locations of the
session files.

With Johnny a hidden folder is created inside the user's folder, and inside
it another folder with all the files with all the information of the
sessions.

The path is: "User/.john/sessions/"

I'm interested to see what is saved in the session file in case I can get
an idea of where the attack is going.

For example, this is the content of a file from a session of mine: (Can
someone briefly explain what each line means?)

A greeting.

MA40.

************************************************

************************************************

REC4

6

--session=C:/Users/Administrator/.john/sessions/05-03-20-18-56-28

C:/Users/Administrator/Documents/hashes.txt

--format=Bitcoin

--input-encoding=UTF-8

--internal-codepage=UTF-8

145153

0

41a766

0

0

41a766

0

20d940

0

0

3

0

b9893ea

369

2

7

0

0

6

2

4

0

4

slt-v2

1dbc5ec782c719aaa214f0445cc2aab6

4

************************************************

************************************************

El lun., 4 may. 2020 a las 23:06, Solar Designer (<solar@...nwall.com>)
escribió:

> Hi,
>
> On Mon, May 04, 2020 at 08:12:42PM +0200, MA40 wrote:
> > In the John the Ripper documentation it states that the session state is
> > saved in the file "John's home directory/john.rec".
> >
> > I have John the Ripper installed in Windows in the directory
> > "john-1.9.0-jumbo-1-win64" and, neither in that directory, nor in the
> > "john-1.9.0-jumbo-1-win64/run/" there is no file named "john.rec". Could
> it
> > be called another way?
>
> For you, the file is supposed to be in john-1.9.0-jumbo-1-win64/run.  If
> you specified an alternative session name with "--session", that will be
> the filename, with the ".rec" suffix added to it.
>
> Why are you looking for that file?  Normally, you'd just use
> "--restore", or alternatively the combination of "--session=NAME"
> initially and "--restore=NAME" later, where "NAME" is a name of your
> choice.  On "--restore", JtR itself will look for the file in the same
> directory where it put it.
>
> Oh, I now recall you had mentioned you use Johnny.  I've never used
> Johnny for real myself (beyond brief testing), but I suspect it might
> override the session name or session file location by default.  I hope
> someone with Johnny experience will follow-up and let us all know.
>
> Alexander
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.