Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 29 Jul 2015 21:45:53 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Why does john display some cracked passwords twice?

On Wed, Jul 29, 2015 at 10:20:02AM +0200, Marek Wrzosek wrote:
> For now, I stuck, so I'll probably go back in time (remove some lines
> from pot file) and calmly I'll try to reproduce the problem.
> Most likely this is because of wordlist/loopback with rules and fork, an
> unfortunate coincidence that two or more threads are using two or more
> different but similar words and different rules that together cause the
> same output in the exact same moment that "pot sync" was unable to deal
> with them. That is a lot of coincidence for me ;-)
> It should happens from time to time. Isn't it too frequent then?

This might well be too frequent, or not, depending on your exact
circumstances.  You had mentioned you saw this problem even with modes
such as incremental and prince - if so, that's a bug, so please try to
reproduce it and let us know if you were able to or not.  And we'd like
to be able to reproduce the problem, too, so a testcase would be very
helpful, if you can provide that.

> I can easily remove duplicates by using uniq command, no harm done.

You don't need to remove them.  John's output during cracking is just
for you to be aware of its progress, and john.pot is normally for John's
internal use.  The actual cracking results you should obtain with "john
--show passwordfileshere", and this won't show any duplicates even if
there are duplicate lines in your pot file.

> BTW, I was using fork with wordlist+rules mainly because of this statement:
> "Warning: no OpenMP support for this hash type, consider --fork=4".

Sure, your use of --fork is fine.

> Maybe it should be disabled for certain cases like above.

Why, I guess it completed much quicker with --fork than it would have
without, even if it produced some duplicate cracks.

> Most probably it's EOT. Thanks for help, magnum.

I would be happier to end this thread when we have a specific
conclusion: a JtR bug (e.g., if reproducible with modes other than
wordlist and loopback) or just an expected side-effect of having similar
input words (e.g., what you saw is not surprising at all if that was in
loopback mode, where you could have the same passwords already in your
john.pot, e.g. for different salts).  Thank you, Marek.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.