Message-ID: <20080320024008.GA31065@openwall.com>
Date: Thu, 20 Mar 2008 05:40:08 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: what JtR is and what it is not; password recovery (was: Retrieving yahoo password)

Hi John,

On Wed, Mar 19, 2008 at 06:38:05PM -0700, John W. Dowling wrote:
> I purchased John the Ripper in hopes of retrieving an old yahoo
> password. Is this possible?

The short answer is no. And I have refunded your purchase (although your desire to support the project is appreciated).

In fact, I was unsure about approving this posting to john-users - I could respond privately instead. However, this sort of confusion is very common, so maybe it makes sense to address it on the list.

John the Ripper is primarily a password security auditing tool, not a password recovery tool (although it can sometimes be used as such).

JtR Pro for Mac OS X is typically used to audit users' passwords off of other machines that one administers. Those other machines may run a variety of Unix-like operating systems (Linux, *BSD, Solaris, HP-UX, etc., and some versions of OS X) or Windows.

For JtR to work, you need to provide it with file(s) containing hashes of user passwords - and those hashes have to be of a supported type. After a while, JtR will successfully crack those hashes that correspond to weak passwords, but it will fail to crack those that are strong. Thus, you, as a system administrator, can identify which user accounts have weak passwords. You may then lock those accounts, force password change, or act in some other way.

Now, speaking of password recovery:

For operating system passwords, it is usually more straightforward to reset those passwords rather than to recover the old ones. This assumes that you have physical access, and thus you can type "magic" commands to the bootloader, boot off a CD, or the like. The exact procedure is specific to each OS (and sometimes even to a given OS version and setup). Indeed, this has nothing to do with John the Ripper.

In some cases, it is also possible to use (or misuse) John the Ripper to recover weak operating system passwords in the same way as you would audit those passwords. There may be a difficulty in obtaining the password file (with the password hashes in it) without already having administrative privileges to the system.

Speaking of recovery of application passwords, such as those for e-mail or IM accounts:

For locally-stored passwords, it is usually most straightforward to use special-purpose password recovery tools, such as those linked from:

	http://www.openwall.com/passwords/

Yes, unfortunately most of those support the Windows flavors of the applications only.

Speaking of e-mail clients (POP3 and IMAP), the "Advanced Mailbox Password Recovery" product listed at:

	http://www.openwall.com/passwords/e-mail.shtml

includes a POP3 and IMAP server emulator that will intercept and display your password off an arbitrary system (including non-Windows) if you're able to alter the server name setting (or maybe the "hosts" file).

For passwords that are not locally stored in any form, the only legal way to recover them is by following the service provider's password recovery procedure(s) or by contacting the service provider and asking for assistance.

None of this has anything to do with John the Ripper.

Finally, there exist server-side applications (such as website CMSes and forums like Drupal and phpBB, and DBMSes like Oracle and MySQL). These typically store password hashes, similarly to what operating systems do for users' passwords. It may thus be possible to use John the Ripper to audit the security of such passwords, and to misuse it to recover some of such passwords (the weak ones). This requires that the given hash type be supported by John the Ripper - and there's such a wide variety of hash types in use by the various server-side applications that only the more common ones are supported (and even those will typically require the use of user-contributed patches to John the Ripper).

I hope this "generic" response helps.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
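
The audit workflow described in the message above, as an added illustration that is not part of the original post and is not John the Ripper's code: accounts whose hash type the tool does not understand cannot be audited, weak passwords are found by hashing candidate words and comparing, and strong ones simply stay uncracked. The `$ex-pbkdf2$` hash format, the account names and the wordlist are all constructed for this example.

```python
import hashlib

# Constructed scheme for this example only: "$ex-pbkdf2$<salt hex>$<digest hex>"
# (PBKDF2-HMAC-SHA256). It is not an OS or John the Ripper hash format.
PREFIX = "$ex-pbkdf2$"
ITERATIONS = 1000

def make_hash(password, salt):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{salt.hex()}${digest.hex()}"

def audit(hash_lines, wordlist):
    """Return (weak, not_cracked, unsupported) lists of account names."""
    weak, not_cracked, unsupported = [], [], []
    for line in hash_lines:
        user, _, stored = line.strip().partition(":")
        try:
            if not stored.startswith(PREFIX):
                raise ValueError("unsupported hash type")
            salt = bytes.fromhex(stored[len(PREFIX):].split("$")[0])
        except ValueError:
            unsupported.append(user)  # cannot be audited at all
            continue
        # Hashes are not reversed: each candidate word is hashed with the
        # account's salt and the result is compared with the stored value.
        if any(make_hash(word, salt) == stored for word in wordlist):
            weak.append(user)         # candidate for lock / forced change
        else:
            not_cracked.append(user)  # resisted this wordlist only
    return weak, not_cracked, unsupported

# Constructed sample input (accounts, passwords and wordlist are made up).
SAMPLE_HASH_FILE = [
    "alice:" + make_hash("sunshine", bytes.fromhex("01020304")),
    "bob:" + make_hash("T7#qv!Lm92xZp&", bytes.fromhex("05060708")),
    "carol:$unknown$abcdef",
]
SAMPLE_WORDLIST = ["123456", "password", "sunshine", "letmein"]

if __name__ == "__main__":
    weak, not_cracked, unsupported = audit(SAMPLE_HASH_FILE, SAMPLE_WORDLIST)
    print("weak passwords:", weak)
    print("not cracked:", not_cracked)
    print("unsupported hash type:", unsupported)
```

The report lists account names only, which is all an administrator needs in order to lock an account or force a password change.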