Date: Sun, 02 Aug 2015 10:28:20 +0200
From: Marek Wrzosek <marek.wrzosek@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Why does john display some cracked passwords twice?

On 30.07.2015 at 10:04, Marek Wrzosek wrote:
> On 29.07.2015 at 20:45, Solar Designer wrote:
>> You don't need to remove them.  John's output during cracking is just
>> for you to be aware of its progress, and john.pot is normally for John's
>> internal use.  The actual cracking results you should obtain with "john
>> --show passwordfileshere", and this won't show any duplicates even if
>> there are duplicate lines in your pot file.

What is the maximum size of the pot file?

>> Sure, your use of --fork is fine.
>>
>>
>> Why, I guess it completed much quicker with --fork than it would have
>> without, even if it produced some duplicate cracks.

I think that depends on how many processes are cracking the exact same
passwords and how often, so in certain circumstances maybe OpenMP is
better. Is there a comparison of OpenMP and fork somewhere? What are
the pros and cons of both solutions?

>> I would be happier to end this thread when we have a specific
>> conclusion: a JtR bug (e.g., if reproducible with modes other than
>> wordlist and loopback) or just an expected side-effect of having similar
>> input words (e.g., what you saw is not surprising at all if that was in
>> loopback mode, where you could have the same passwords already in your
>> john.pot, e.g. for different salts).  Thank you, Marek.
>>
>> Alexander
>>

Actually, there were no salts; I was cracking raw-md5. This was a test of
my new (used) CPU. I was starting fresh, so there are only MD5 hashes
from this crack.

I checked markov and incremental already with and without mask mode -
there are no duplicates in the pot file so far, but I've (re-)discovered
something interesting (but not john-related, it's more mind-related).
Using markov mode (or incremental) with mask mode (I was using ?w?d?d),
depending on what passwords are encrypted in your hashes, could cause
output like this:

mavjoy22         (?)
gaberh24         (?)
gabe0812         (?)
gabou812         (?)
gabi1025         (?)
gabi2136         (?)
gabija99         (?)
gab012698        (?)
once6996         (?)
bt098756         (?)

There could be more pairs like:

gabe0812         (?)
gabou812         (?)

Fast-scrolling across the screen (or terminal window), they look the same
to human eyes. Imagine seeing this for a few days, et voilà. I was using
loopback mode from time to time (which is probably the main producer of
duplicates), so I'm not sure which duplicates come from which mode. I
wasn't searching for duplicates before it started alarming me.

Best Regards
-- 
Marek Wrzosek
marek.wrzosek@...il.com
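
An added example, not part of the original message and not John the Ripper code: a small checker that separates true duplicate pot lines from distinct plaintexts that only look alike when scrolling past, such as the gabe0812 / gabou812 pair above. It assumes a simplified `hash:plaintext` pot line layout split on the first colon; the function names, the two-character threshold and the sample lines are constructed for illustration.

```python
import hashlib
from collections import Counter
from itertools import combinations


def parse_pot(lines):
    """Yield (ciphertext, plaintext); split on the first ':' only (assumed layout)."""
    for line in lines:
        line = line.rstrip("\r\n")
        if ":" in line:
            ciphertext, plaintext = line.split(":", 1)
            yield ciphertext, plaintext


def exact_duplicates(entries):
    """Entries that occur more than once, i.e. true duplicate pot lines."""
    return {e: n for e, n in Counter(entries).items() if n > 1}


def lookalikes(entries, max_diff=2):
    """Distinct same-length plaintexts differing in at most max_diff positions.

    Pairwise comparison is O(n^2): fine for a sample, slow on a huge pot file.
    """
    plains = sorted({p for _, p in entries})
    return [(a, b) for a, b in combinations(plains, 2)
            if len(a) == len(b)
            and sum(x != y for x, y in zip(a, b)) <= max_diff]


def analyse(lines):
    entries = list(parse_pot(lines))
    return exact_duplicates(entries), lookalikes(entries)


# Constructed sample: plaintexts taken from the output quoted in the message,
# with "gabi1025" repeated on purpose; hashes are computed here, not real data.
SAMPLE_PLAINS = ["gaberh24", "gabe0812", "gabou812", "gabi1025",
                 "gabi2136", "once6996", "gabi1025"]
SAMPLE_POT = [hashlib.md5(p.encode()).hexdigest() + ":" + p
              for p in SAMPLE_PLAINS]

if __name__ == "__main__":
    dups, near = analyse(SAMPLE_POT)
    for (_, plain), n in dups.items():
        print(f"duplicate line x{n}: {plain}")
    for a, b in near:
        print(f"distinct but similar: {a} / {b}")
```
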
