Message-ID: <20080320024008.GA31065@openwall.com>
Date: Thu, 20 Mar 2008 05:40:08 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: what JtR is and what it is not; password recovery (was: Retrieving yahoo password)

Hi John,

On Wed, Mar 19, 2008 at 06:38:05PM -0700, John W. Dowling wrote:
> I purchased John the Ripper in hopes of retrieving an old yahoo
> password.  Is this possible?

The short answer is no.  And I have refunded your purchase (although
your desire to support the project is appreciated).

In fact, I was unsure about approving this posting to john-users - I
could respond privately instead.  However, this sort of confusion is
very common, so maybe it makes sense to address it on the list.

John the Ripper is primarily a password security auditing tool, not a
password recovery tool (although it can sometimes be used as such).

JtR Pro for Mac OS X is typically used to audit users' passwords off of
other machines that one administers.  Those other machines may run a
variety of Unix-like operating systems (Linux, *BSD, Solaris, HP-UX,
etc., and some versions of OS X) or Windows.

For JtR to work, you need to provide it with file(s) containing hashes
of user passwords - and those hashes have to be of a supported type.
After a while, JtR will successfully crack those hashes that correspond
to weak passwords, but it will fail to crack those that are strong.
Thus, you, as a system administrator, can identify which user accounts
have weak passwords.  You may then lock those accounts, force password
change, or act in some other way.

Now, speaking of password recovery:

For operating system passwords, it is usually more straightforward to
reset those passwords rather than to recover the old ones.  This assumes
that you have physical access, and thus you can type "magic" commands to
the bootloader, boot off a CD, or the like.  The exact procedure is
specific to each OS (and sometimes even to a given OS version and setup).
Indeed, this has nothing to do with John the Ripper.

In some cases, it is also possible to use (or misuse) John the Ripper to
recover weak operating system passwords in the same way as you would
audit those passwords.  There may be a difficulty in obtaining the
password file (with the password hashes in it) without already having
administrative privileges to the system.

Speaking of recovery of application passwords, such as those for e-mail
or IM accounts:

For locally-stored passwords, it is usually most straightforward to use
special-purpose password recovery tools, such as those linked from:

	http://www.openwall.com/passwords/

Yes, unfortunately most of those support the Windows flavors of the
applications only.  Speaking of e-mail clients (POP3 and IMAP), the
"Advanced Mailbox Password Recovery" product listed at:

	http://www.openwall.com/passwords/e-mail.shtml

includes a POP3 and IMAP server emulator that will intercept and display
your password off an arbitrary system (including non-Windows) if you're
able to alter the server name setting (or maybe the "hosts" file).

For passwords that are not locally stored in any form, the only legal
way to recover them is by following the service provider's password
recovery procedure(s) or by contacting the service provider and asking
for assistance.

None of this has anything to do with John the Ripper.

Finally, there exist server-side applications (such as website CMSes and
forums like Drupal and phpBB, and DBMSes like Oracle and MySQL).  These
typically store password hashes, similarly to what operating systems do
for users' passwords.  It may thus be possible to use John the Ripper to
audit the security of such passwords, and to misuse it to recover some
of such passwords (the weak ones).  This requires that the given hash
type be supported by John the Ripper - and there's such a wide variety
of hash types in use by the various server-side applications that only
the more common ones are supported (and even those will typically
require the use of user-contributed patches to John the Ripper).

I hope this "generic" response helps.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
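The audit workflow the message describes (feed the tool a file of password hashes of a supported type; weak passwords get cracked, strong ones do not, unsupported hash types cannot be checked at all) is illustrated below by a small added Python example. It is not John the Ripper code and not part of the original post: it uses a constructed shadow-style record format (`user:$pbkdf2-sha256$iterations$salt$hex`), a constructed five-word wordlist standing in for a real dictionary, a made-up unsupported scheme name for one record, and a deliberately low iteration count so it runs quickly. The point is the defender's view of the result: which accounts to flag for a forced password change, and which records the auditor could not assess because their hash type is not supported.

```python
"""Toy password-hash audit in the spirit of the message above.

Constructed example, not JtR code.  A few fake records are checked against
a small wordlist; records whose hash type is not supported are reported as
such instead of being silently skipped.
"""
import hashlib
import hmac

# Constructed wordlist of weak candidates (stands in for a real dictionary).
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome"]


def pbkdf2_hex(password: str, salt: str, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256 of the password, hex-encoded."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations
    ).hex()


def parse_record(line: str):
    """Parse 'user:$scheme$field$field...' into (user, scheme, [fields])."""
    user, _, hash_field = line.partition(":")
    parts = hash_field.split("$")
    # parts[0] is empty because the hash field starts with '$'
    if len(parts) < 2 or parts[0] != "":
        raise ValueError(f"malformed record for {user!r}")
    return user, parts[1], parts[2:]


def check_pbkdf2(fields, candidate: str) -> bool:
    """Recompute the hash for one candidate and compare in constant time."""
    iterations, salt, digest = fields
    return hmac.compare_digest(pbkdf2_hex(candidate, salt, int(iterations)), digest)


# Hash types this toy auditor knows how to verify; anything else is reported.
SUPPORTED = {"pbkdf2-sha256": check_pbkdf2}


def audit(records, wordlist=WORDLIST):
    """Return {user: 'weak:<word>' | 'not cracked' | 'unsupported:<scheme>'}."""
    results = {}
    for line in records:
        user, scheme, fields = parse_record(line)
        checker = SUPPORTED.get(scheme)
        if checker is None:
            results[user] = f"unsupported:{scheme}"
            continue
        for word in wordlist:
            if checker(fields, word):
                results[user] = f"weak:{word}"
                break
        else:
            results[user] = "not cracked"
    return results


def make_record(user: str, password: str,
                salt: str = "c0nstructedsalt", iterations: int = 10000) -> str:
    """Build a constructed record; the iteration count is low only for speed."""
    return f"{user}:$pbkdf2-sha256${iterations}${salt}${pbkdf2_hex(password, salt, iterations)}"


# Constructed sample input: one weak password, one strong one, one unsupported hash.
RECORDS = [
    make_record("alice", "letmein"),
    make_record("bob", "correct-horse-style-long-passphrase-9"),  # not in WORDLIST
    "carol:$unknownscheme$1$abc$deadbeef",  # made-up scheme name
]

if __name__ == "__main__":
    for user, verdict in audit(RECORDS).items():
        print(f"{user}: {verdict}")
```

Only `alice` is flagged for action; `bob` survives the wordlist, and `carol` is reported as unassessable, which is the practical meaning of "the given hash type must be supported" in the message above.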
