Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Jan 2014 09:56:41 -0800
From: C GPS <nro117gm@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: How to use Wordlists with John The Ripper

I extracted the hash by going into single user mode on my locked machine,
creating a root account and then running DaveGrohl to extract. The hash
that came out was very long. The short version that you see is my attempt
at disambiguating it per the instructions given in an instructional
tutorial on extracting hashes from 10.8. It is named sha1.txt only because
I named them that as again instructed by the aforementioned tutorial.

Below is the complete hash without username: (I don't mind posting it
because the machine is not currently on-line). I'll be curious to know if
the clears anything up.

$ml$29673$3d4722620e7e54569658f7b45c53a7bfb8b94e4fa54c1b0676750541289a9132$8d5f531f0a555e70744b3151464e8579eedacd653c142c2be1cf474f0bf84bad69d65aeba8e9e799e7f04f277965d4075821d0904c4013518c774fc8235cbbb34ebef8522cb4e5358baa4b34066f5a653f22ca4c9c33fea6db8efb6d76795ccce613a79a00c5522c43cd8f775cd2cb5adb4b59deee8d6640a0d4b00504db7772




On Sun, Jan 12, 2014 at 4:19 AM, Frank Dittrich
<frank_dittrich@...mail.com>wrote:

> On 01/12/2014 07:54 AM, NRO117@...il.com wrote:
> > Meanwhile I attempted as described below.  My results were as follows:
> > _____
> >
> > john password_sha1.txt -w=password.lst
> > stat: password_sha1.txt: No such file or directory
> > _____
> >
> > sha1.txt being the hash I am attempting to decrypt
> > password.lst being the wordlist I am attempting to use
> >
> > I then entered the following with results below:
> > _____
> >
> > john password_sha1.txt -w=password.lst
> > Loaded 2 password hashes with no different salts (LM DES [128/128 BS
> SSE2])
>
> Probably a copy and paste error, and you actually tried
> john sha1.txt -w=password.lst
>
> Otherwise, you should have seen the same error message as before.
> > _____
> >
> > Does that look right? (no different salts included?)
>
> This means, that your version of John the Ripper has detected the hashes
> in sha1.txt as LM hashes.
> Because your file is named sha1.txt, I would assume that it doesn't
> contain LM hashes.
> A number of different hash formats might be wrongly detected by john,
> especially raw hashes using hexadecimal encoding, i.e., the hashes are
> just sequences of [0-9a-f] or [0-9A-F].
>
>
> I don't suggest you post one or more hashes in your sha1.txt files
> (because others might be able to crack them).
> But if my assumption about hex encoded hashes is right, it would be nice
> to know:
>
> Where and how did you get these hashes, which application or OS is using
> these hashes?
> Can you create a similar sample hash with a known trivial password, and
> post both the known password and the hash here?
> If not, can you at least check the length of the hash encoded string?
>
> Is it the same length than the hex encoded string here:
>
> echo -n "test" |sha1sum -
> a94a8fe5ccb19ba61c4c0873d391e987982fbbd3  -
>
> These are 40 characters (20 Bytes in hex encoding).
> Are your hashes of the same length?
> If not, what is the length?
>
>
> Frank
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.