Message-ID: <7f38f5ec-fd50-43e5-8041-c369413c6556@jeffunit.com>
Date: Mon, 9 Jun 2025 18:56:47 -0700
From: jeff <jeff@...funit.com>
To: john-users@...ts.openwall.com
Subject: Re: Problem running john with --rules=oi

>> john.exe --fork=34 --format=NT --verbosity=2 --no-log
>> --wordlist=\pw-crack\dictionaries\rockyou2021.dic --rules=oi
>> \pw-crack\pwn_ntlm_75.7m.rawest
> I don't recall if we ever mentioned this before, but I guess that if you
> add --keep-guessing you'll be able to use --fork=128 or whatever you
> said your actual CPU count was.  The reason you had to use lower process
> counts is probably primarily that their total memory usage would grow as
> they remove the hashes they cracked from memory, which causes
> copy-on-write, or in other words unsharing of previously shared memory.
> When you let them keep the cracked hashes in memory (and maybe crack
> them again), you avoid this unsharing.  (At least this is what happens
> on Linux.  I'm not sure about Cygwin's fork() emulation on Windows.)
>
> --keep-guessing may not have been a good idea for you early on when
> cracks were extremely frequent, so the .pot file would end up with too many
> duplicates.  But now that successful cracks are relatively rare, it may
> work better (and you can remove the duplicates later with "unique").
Right now I have 256 GB of RAM, and I am using 239 GB total (as soon as
john starts up).
I am not worried about using more RAM as I find hashes, so I seem
limited to about 34 forks for now.
Cygwin and/or Windows does weird stuff with more than 64 threads. I
complained to the Cygwin mailing list and they told me that was a
Windows feature :-(

>> After a few days, I got one more hash, and then the memory usage dropped
>> by 50%.
> This suggests that some of the child processes terminated, which may be
> because they actually completed their portions of work, or for some
> other reasons.  You may try omitting --no-log and see what's in the log
> files for those processes.
I think some child processes did terminate. Unfortunately, when I hit
space on the terminal where the command was run, it was completely
unresponsive. Most recently I tried --rules=i1 and I got the
unresponsive behavior plus the reduced memory usage. After about 8 more
hours, john terminated normally. I am presuming some child processes
finished faster, and perhaps due to the word skipping thing you
mentioned, the john terminal was unresponsive? That behavior is less
than ideal, but now that I understand it can happen, it is manageable.

>>>      304 [main] john-avx2-omp 2045
>>> K:\pw-crack\john_bleeding_alt\run\john-avx2-omp.exe: *** fatal error
>>> in forked process - recreate_mmaps_after_fork_failed
>>>        0 [main] john 2012 dofork: child -1 - forked process 39004 died
>>> unexpectedly, retry 0, exit code 0x100, errno 11
>>> 1: fork: Resource temporarily unavailable
> This suggests a bug in Cygwin's fork() emulation, or maybe the system
> running out of memory.  It's surprising it would already at load time
> if it didn't for 2 days of running with the same process count before.
>
> A guess is it has something leftover from the previous failed run still
> in memory maybe?  Can you try this --restore thing after a reboot, or at
> least carefully check that you have the usual amount of free memory and
> nothing still running in Task Manager?
>
> I also recommend --keep-guessing and moving to Linux.  Doing this on
> Windows is a stretch (but maybe is part of the fun/challenge for you?)
>
It turns out that when I used control-c to terminate john, it seemed
that a lot of memory was still in use, based on the task manager. When
I rebooted the machine, I was able to restart things.
So perhaps john did not exit cleanly on control-c.

Right now I am using my main computer to do the cracking. It does dual
boot into mageia-linux, but I have been unable to install any version of
Ubuntu. For now, I will stick to cracking on Windows, though Cygwin can
be less than ideal.

jeff
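
Added example, not part of the original message and not John the Ripper code: a small Linux C program illustrating the copy-on-write unsharing described in the quoted reply above. The buffer, `NPAGES` and `child_faults()` are constructed for the illustration; the write loop is only a model of a forked process removing cracked hashes, and the read loop a model of running with --keep-guessing.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#define NPAGES 4096 /* constructed size standing in for the loaded hashes */

static long minor_faults(void) {
    struct rusage ru;
    getrusage(RUSAGE_SELF, &ru);
    return ru.ru_minflt;
}

/* Fork over a buffer the parent already filled and return the page faults the
 * child takes touching every page: read-only when keep_guessing is set,
 * otherwise one write per page (a model of removing cracked hashes).
 * Each write fault on a shared page gives the child a private copy. */
long child_faults(int keep_guessing) {
    long psz = sysconf(_SC_PAGESIZE), delta = -1;
    size_t len = (size_t)NPAGES * (size_t)psz;
    int fds[2];
    volatile unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED || pipe(fds) != 0) return -1;
    madvise((void *)buf, len, MADV_NOHUGEPAGE); /* count base pages, not huge pages */
    memset((void *)buf, 0x5a, len); /* parent populates memory before fork */
    pid_t pid = fork();
    if (pid == 0) {
        long before = minor_faults();
        for (size_t i = 0; i < len; i += (size_t)psz) {
            if (keep_guessing) (void)buf[i]; /* read: page stays shared */
            else buf[i] = 0;                 /* write: copy-on-write fault */
        }
        delta = minor_faults() - before;
        _exit(write(fds[1], &delta, sizeof delta) == sizeof delta ? 0 : 1);
    }
    close(fds[1]);
    if (pid < 0 || read(fds[0], &delta, sizeof delta) != sizeof delta) delta = -1;
    if (pid > 0) waitpid(pid, NULL, 0);
    close(fds[0]);
    munmap((void *)buf, len);
    return delta;
}

int main(void) {
    printf("faults: writes %ld, reads %ld\n", child_faults(0), child_faults(1));
    return 0;
}
```

The write case reports roughly one fault per page, each one a page the child no longer shares with its parent; multiplied across many forked processes, that is the memory growth the reply describes.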
