Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BLU0-SMTP173D849F0E968AFAB1A7B7FFDFB0@phx.gbl>
Date: Fri, 15 Jun 2012 08:51:25 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: possible bug in MySQL SHA1 format

On 06/15/2012 05:05 AM, Dhiru Kholia wrote:
> I found the following behaviour of john to be confusing,
> 
> $ ../run/john --format=mysql-sha1  ~/37_MySQL_hashes_uniq
> Loaded 5 password hashes with no different salts (MySQL 4.1
> double-SHA-1 [SSE2i 8x])
> Suppressed 1 duplicate lines.
> admin            (mint)
> admin            (root)
> admin            (test)
> guesses: 3  time: 0:00:00:05 0.00% (3)  c/s: 7631K  trying: L8D - Sand1
> Use the "--show" option to display all of the cracked passwords reliably
> Session aborted
> $ ../run/john --format=mysql-sha1  --show ~/37_MySQL_hashes_uniq  # CORRECT
> mint:admin
> root:admin
> test:admin
> 
> 3 password hashes cracked, 2 left
> $ ../run/john --format=mysql-sha1  --show=left  ~/37_MySQL_hashes_uniq  # OK
> admn:*C41CDE80C01C7840D262C32F5FAB08830AA4D6C7
> $ ../run/john --format=mysql-sha1  ~/37_MySQL_hashes_uniq
> Loaded 5 password hashes with no different salts (MySQL 4.1
> double-SHA-1 [SSE2i 8x])
> Remaining 2 password hashes with no different salts # BUG?
> Suppressed 1 duplicate lines.
> guesses: 0  time: 0:00:00:01 0.00% (3)  c/s: 1585K  trying: montr6 - morda2
> 
> ...
> 
> Questions:
> 
> 1. Hash "*C41CDE80C01C7840D262C32F5FAB08830AA4D6C7 " is repeated in
> the input file and cracked already but why is it shown in
> "--show=left"?

When I repeat the test, my john.pot just contains
*4ACFE3202A5FF5CF467898FC58AAB1D615029441:admin
So, hash *C41CDE80C01C7840D262C32F5FAB08830AA4D6C7 is not cracked.

> 2. "--show=left" shows once hash left but running john shows
> "Remaining 2 password hashes".

When you don't specify a cracking mode like --wordlist, --incremental,
--markov --external=..., john uses
single mode (1), then wordlist mode (with --rules) (2), then incremental
mode (3).

For single mode, the user names (and GECOS fields, if they exist...) are
required, that's why john reports 2 remaining hashes.
(It is the same reason why 5 hashes instead of 2 are reported in your
first run.)

If you would run --wordlist=... , --incremental[=...], --markov[=...] or
--external=..., then john will just report one remaining hash.

So the problem is more that --show=left does suppress duplicate hashes
even if user names and/or other fields differ.
This is unfortunate, but the fix is not that easy to implement, as
discussed here:

http://www.openwall.com/lists/john-users/2012/06/06/2

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.