Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 3 Apr 2006 22:55:15 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: John-the-ripper run on Trusted HP-UX

On Mon, Apr 03, 2006 at 09:39:24AM -0700, Greg Barry wrote:
> Everything works fine with john-the-ripper on the machine except when
> users set their passwords to greater than 8 characters. 
> 
> For these accounts, john always marks them as cracked with output like
> the following:
> 
> guesses: 4  time: 0:00:52:13  c/s: 152516  trying: vx25 - vxs7
> Loaded 22 password hashes with 22 different salts (Traditional DES
> [32/32x8V BS])
> 03/31/06 11:31:15 $                (h0058:2)
> 03/31/06 11:31:15 7                (h0094:2)
> 03/31/06 11:32:30 11a            (h0018:2)
> 03/31/06 11:35:16 3f               (h0015:2)

(I am curious how you made it print timestamps here - a custom patch?
Was the information available in the log file insufficient?)

This is correct.  This output means that John has successfully cracked
the endings of those passwords (characters past 8).  For example,
h0058's password is 9 characters long and ends in a dollar sign.  The
":2" after usernames means "second part of the password".

In general, you should not draw conclusions on what is cracked and what
is not based on the console output of a John cracking session.  Instead,
you should be using "john --show".

There are other cases where there can be legitimate discrepancies
between the cracking session and "john --show" output.  For example,
John might not load duplicate hashes for cracking - so it would only
report one of the affected usernames while cracking - yet "john --show"
would correctly report all of the usernames which share the cracked
hash.

The information recorded in john.pot and .log files is similar in nature
to the console output of a running session.

Thus, "john --show" is the only correct way to obtain the results of
John cracking runs - with the required post-processing of the data.

> Is there any way to configure john-the-ripper to support passwds greater
> than 8 characters on trusted HP-UX systems?

As you can see, John already supports those - with no need to configure
anything.

P.S. Modern PA-RISC systems are 64-bit, yet the hpux-* targets in John
are currently 32-bit only.  Unfortunately, I don't possess a 64-bit
PA-RISC system.  I'd be grateful if anyone would be willing to help add
the proper targets into John's Makefile (which should be trivial) and/or
test them.  This should give an almost 2x speedup at DES-based hashes.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.