|
Message-ID: <BLU0-SMTP173D849F0E968AFAB1A7B7FFDFB0@phx.gbl> Date: Fri, 15 Jun 2012 08:51:25 +0200 From: Frank Dittrich <frank_dittrich@...mail.com> To: john-users@...ts.openwall.com Subject: Re: possible bug in MySQL SHA1 format On 06/15/2012 05:05 AM, Dhiru Kholia wrote: > I found the following behaviour of john to be confusing, > > $ ../run/john --format=mysql-sha1 ~/37_MySQL_hashes_uniq > Loaded 5 password hashes with no different salts (MySQL 4.1 > double-SHA-1 [SSE2i 8x]) > Suppressed 1 duplicate lines. > admin (mint) > admin (root) > admin (test) > guesses: 3 time: 0:00:00:05 0.00% (3) c/s: 7631K trying: L8D - Sand1 > Use the "--show" option to display all of the cracked passwords reliably > Session aborted > $ ../run/john --format=mysql-sha1 --show ~/37_MySQL_hashes_uniq # CORRECT > mint:admin > root:admin > test:admin > > 3 password hashes cracked, 2 left > $ ../run/john --format=mysql-sha1 --show=left ~/37_MySQL_hashes_uniq # OK > admn:*C41CDE80C01C7840D262C32F5FAB08830AA4D6C7 > $ ../run/john --format=mysql-sha1 ~/37_MySQL_hashes_uniq > Loaded 5 password hashes with no different salts (MySQL 4.1 > double-SHA-1 [SSE2i 8x]) > Remaining 2 password hashes with no different salts # BUG? > Suppressed 1 duplicate lines. > guesses: 0 time: 0:00:00:01 0.00% (3) c/s: 1585K trying: montr6 - morda2 > > ... > > Questions: > > 1. Hash "*C41CDE80C01C7840D262C32F5FAB08830AA4D6C7 " is repeated in > the input file and cracked already but why is it shown in > "--show=left"? When I repeat the test, my john.pot just contains *4ACFE3202A5FF5CF467898FC58AAB1D615029441:admin So, hash *C41CDE80C01C7840D262C32F5FAB08830AA4D6C7 is not cracked. > 2. "--show=left" shows once hash left but running john shows > "Remaining 2 password hashes". When you don't specify a cracking mode like --wordlist, --incremental, --markov --external=..., john uses single mode (1), then wordlist mode (with --rules) (2), then incremental mode (3). For single mode, the user names (and GECOS fields, if they exist...) are required, that's why john reports 2 remaining hashes. (It is the same reason why 5 hashes instead of 2 are reported in your first run.) If you would run --wordlist=... , --incremental[=...], --markov[=...] or --external=..., then john will just report one remaining hash. So the problem is more that --show=left does suppress duplicate hashes even if user names and/or other fields differ. This is unfortunate, but the fix is not that easy to implement, as discussed here: http://www.openwall.com/lists/john-users/2012/06/06/2 Frank
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.