Date: Mon, 29 Aug 2016 22:37:06 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Which is the correct hash?

On 2016-08-29 21:00, Sebastian Heyn wrote:
> I'm trying to bruteforce an old backup.zip file that I found after over 10 years and I wanted to have a look at. Now I obviously forgot the password.
> My problem is that with john-1.7.9 (Gentoo) the zip2john script gives a pkzip hash which is a 92 byte file ($PKZIP$). However when I use jumbo-john from git, zip2john gives a
> 32 MB hashfile containing a $PKZIP2 hash. Which is the correct one? Are there any known bugs in either version?
>
> -> the pkzip hash brutes at 19k/sec
> -> the pkzip2 hash brutes at 100/sec (--fork=32 gives x32 speed)
>
> Any idea which is the correct hash to brute force?

Generic answer: Obviously the newer version. The 1.7.9 version is so 
very old you shouldn't use it other than for curious comparisons. I 
can't even recall all changes to this format but some serious issues 
have been addressed, and quite possibly some performance improvements.

A more specific answer for your case is that the difference in speed you 
mention MAY be due to the older version defaulting to "file magic" 
whereas the newer does not. Does this zip file contain just one (or a
few) large files and no small ones? You can use -m as in "zip2john -m 
backup.zip > OUTFILE" to enable file magic and see where that gets you. 
Just beware that resorting to file magic can be error prone (you might 
end up with false negatives) and that is why we don't default to it anymore.

magnum
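
Added example, not part of the original message and not John the Ripper's code: a simplified Python model of traditional PKZIP encryption on stored (uncompressed) entries, comparing a full CRC check of a candidate password with a "file magic" check that decrypts only a short prefix. The names ZipCrypto, encrypt_stored and check, the password and both sample entries are constructed, and the assumption is that the expected signature is guessed from the file name.

```python
import zlib

class ZipCrypto:
    """Traditional PKZIP stream cipher."""
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    @staticmethod
    def _crc(reg: int, b: int) -> int:
        # One raw CRC-32 register step, expressed through zlib.crc32
        return zlib.crc32(bytes([b]), reg ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, p: int) -> None:
        k = self.k
        k[0] = self._crc(k[0], p)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = self._crc(k[2], k[1] >> 24)

    def crypt(self, data: bytes, decrypt: bool) -> bytes:
        out = bytearray()
        for b in data:
            t = (self.k[2] | 2) & 0xFFFF
            x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self._update(x if decrypt else b)   # keys always advance on plaintext
            out.append(x)
        return bytes(out)

def encrypt_stored(password: bytes, plain: bytes):
    """Build a constructed 'stored' (uncompressed) encrypted entry."""
    crc = zlib.crc32(plain)
    header = bytes(11) + bytes([crc >> 24])  # real archives use 11 random bytes
    return ZipCrypto(password).crypt(header + plain, decrypt=False), crc

def check(password: bytes, blob: bytes, crc: int, magic: bytes = None) -> bool:
    """Test a candidate. With `magic`, only a short prefix is decrypted."""
    n = 12 + len(magic) if magic else len(blob)
    out = ZipCrypto(password).crypt(blob[:n], decrypt=True)
    if out[11] != crc >> 24:          # 1-byte check: passes 1 in 256 wrong guesses
        return False
    if magic:
        return out[12:].startswith(magic)   # fast, but trusts the guessed type
    return zlib.crc32(out[12:]) == crc      # slow on big files, but authoritative

# Constructed samples: both entries are *named* .pdf, only one really is a PDF.
PW = b"correct horse"
REAL_PDF = encrypt_stored(PW, b"%PDF-1.4 constructed sample body")
FAKE_PDF = encrypt_stored(PW, b"plain text saved as report.pdf")
```

With the right password, check(PW, *FAKE_PDF, magic=b"%PDF") returns False while the full CRC check returns True: that is the false negative, and the full check is the one whose cost grows with the size of the entry.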
