Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20100213054945.GA8402@openwall.com>
Date: Sat, 13 Feb 2010 08:49:45 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Multiple guesses for cracked hashes and no working password

On Fri, Feb 12, 2010 at 02:19:58PM -0800, Anton wrote:
> The hashes look like this:
> dar:1721:FBF279AE7CE2A2C197B57AF6F22B:A6D16E79FADB4A41E6DCBF387BEFC998:::
> dar_history_0:172:879D21AEE0D96D88A3CF696C1:81297B5EDEA2A476F9CC9648D11E4360:::
[...]

These look like hashes of the current and some old passwords of the
user.  Each line contains an LM and an NTLM hash.  As Minga has
correctly pointed out, the LM hashes on your post somehow lack some of
the characters, yet the rest of your post suggests that the file on your
computer actually has all of the characters intact, so I'll assume that
you made some sort of copy and paste error when posting the hashes to
the list.

> When john was done with these, i got multiple password guesses, all appeared
> in upper case (by design?):

You have already figured this out, but for those reading the list
archives here are references to the rest of this thread and to the
relevant old posting:

http://www.openwall.com/lists/john-users/2010/02/12/4
http://www.openwall.com/lists/john-users/2006/07/08/2

> C:\downloads\tmp\john1701\run>john-mmx emg1.txt
> Loaded 20 password hashes with no different salts (NT LM DES [64/64 BS MMX])
> 3                (dar:2)
[...]
> RAZVOD2          (dar:1)
> guesses: 20  time: 0:02:20:57 (3)  c/s: 18674K  trying: RAZVO9W - RAZVOK3

You got all of the LM hash halves cracked.  Apparently, the user had
been changing the password many times, which is why there are so many
different guesses.  To get the halves combined as appropriate and to
ensure you get complete results, you should use "john --show".

> Now, if i used only the first hash
> (dar:1721:FBF279AE7CE2A2C197B57AF6F22B:A6D16E79FADB4A41E6DCBF387BEFC998:::)
> , not the history one, i got this:
> 
> \john1701\run>john-mmx.exe 1.txt
> Loaded 1 password hash (NT LM DES [64/64 BS MMX])
> IAMAWES          (dar:1)
> guesses: 1  time: 0:00:19:08 (3)  c/s: 10216K  trying: IAMAWT! - IAMAWHY

Apparently, you ran the above command with _some_ of the hashes already
cracked and stored in your john.pot file.  Specifically, the second half
of the LM hash in 1.txt was already cracked, which is why it was not
loaded/cracked/reported again.  This demonstrates nicely that you ought
to be using "john --show".  The passwords printed while JtR is running
are not its complete/final output; they're mostly to give you an idea of
the current status of your JtR run while it is still in progress.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.