Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20080121041725.GA29566@openwall.com>
Date: Mon, 21 Jan 2008 07:17:25 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: different formats..

On Sat, Jan 19, 2008 at 08:11:36PM -0500, Steve ...... wrote:
> Hi, I have shadow files from different boxses and Im just wondering what the
> easiest and fasiest method of cracking them is?
> I used to just throw it one file and john would load them all but now im
> wondering so there from different boxses and everything should I be doing it
> sepertely? keep in mind im not an advanced john the ripper user.

First of all, it is preferable to use the "unshadow" program to combine
your /etc/passwd and shadow files - not run "john" on the shadow files.
This is because the "single crack" mode works better when you give it
more information on each account - such as the user's full name and home
directory name.

Then, it is in fact a good idea to run John the Ripper on all of your
password files at once (after having used "unshadow" on them
individually).  Quite often, this will result in more matching salts and
in reduced key setup overhead, which improves the overall c/s rate.
With "single crack", it may also result in more passwords getting
cracked since John the Ripper takes advantage of being able to try
user-specific candidate passwords against other users' password hashes
that happen to have the same salt, for free.  You do not need to request
the "single crack" mode explicitly for this - running "john" with no
options will do (letting it go through its usual sequence of cracking
modes - "single crack", wordlist with word mangling rules, and finally
"incremental").

It is OK to combine your (unshadowed) password files into one large file
if you like, but you do not have to - you can specify multiple filenames
on the command line for "john".  You may also use shell wildcards.

Now, let's get to the main part of your question (as seen from the
message Subject) - different hash types.  It may happen that the systems
you take the shadow files from use different hash types.  (In fact, it
may also happen that a single system has password hashes of more than
one type in its shadow file - e.g., if the system has been through OS
version upgrades.)  When you run John the Ripper, it autodetects the
first hash type that it recognizes in the first file that it parses,
then it only loads hashes of the same type (as an exception, it will
load traditional DES-based crypt(3) and "bigcrypt" hashes at the same
time).  Thus, you need to either review your password files or try
running John the Ripper with explicit "--format=..." settings (for all
hash types that might potentially be present) in order to figure out if
there are other hash types.  If so, you will need to use the
"--format=..." option on your actual John the Ripper runs - and do
separate runs for each hash type.

Finally, please don't forget to use the "--show" option to extract your
results.  It is unreliable to rely on the output that John the Ripper
produces while it cracks your hashes, or on the john.pot or log file
contents.  When a given hash is found on more than one user account,
it's only "--show" which guarantees to display all affected accounts.
Also, you will need "--show" in order to figure out what password files
the cracked passwords come from - you achieve this by running "--show"
on specific password files rather than on all of them at once (although
the latter is also supported).  You do not need to use "--format=..."
with "--show", although you can if you want to filter your results by
hash type.  (As an exception, you may have to use "--format=..." with
"--show" when your input files have more than one hash type per account,
which is often the case for PWDUMP output on Windows systems.)

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.