Message-ID: <20180227204832.GA19228@openwall.com>
Date: Tue, 27 Feb 2018 21:48:36 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: dmg file with lost password

Hi Ian,

Thank you for bringing this to the list.

On Mon, Feb 26, 2018 at 09:21:14AM -0500, Ian Boyd wrote:
> 1. I have been using Terminal, Xcode, and BBEdit and been trying to
> follow the posted instructions on Openwall, the JtR community, and
> from here
> http://easymactips.blogspot.ca/2012/09/john-ripper-tutorial-examples-and.html

These instructions are about building JtR from source, and they're out
of date.

> but the john-1.8.0.9-jumbo-macosx_v3 doesn't have the src file as it
> does in the instructions.

This is a binary (already built) download contributed by a user (so you
don't need to build it, hence the lack of src in there). This build
should be readily usable, without needing Xcode.

> Then I found Johnny!!! http://openwall.info/wiki/john/johnny (super
> awesome and makes it easier for someone like myself) So WHO EVER made
> Johnny??? THANK YOU! AWESOME JOB!

Aleksey, Shinnok, and Mathieu made it. They'd be happy to hear you
found it useful, and we should probably merge Johnny into the main
jumbo tree so that more people find it and so that we keep it
consistent with the rest of jumbo.

> 2. Using Johnny, and trying to figure out how to crack one password
> for my .dmg file. This program makes it easier to work with, but are
> there any helpful tips on who to use to crack one file?
> When I think I scan the file properly I get a "Warning: invalid UTF-8
> seen reading??? and the computer stalls at 57%

It's hard to help you with this without knowing exactly how you used
Johnny and what else it outputs besides that warning and the 57%.

As Claudio correctly pointed out, you should have started by using
dmg2john. You can probably do this from Johnny itself, using the dialog
shown on this screenshot:

http://openwall.info/wiki/_media/john/johnny/johnnyscreen-6.png

I guess you need to choose dmg in the "Choose file format" drop-down.
Please confirm that you did this (or if not, do it) and please also
show us the full output from JtR (copy-paste from a Johnny window).

In our off-list discussion, I wrote that "In our experience with
forgotten passwords to .dmg files, failure is more likely than success"
and you asked "Why are dmg files usually unsuccessful to crack?" I'll
answer here:

Apple has made the "key derivation" step (deriving an internal
encryption key from a user-entered password/passphrase) purposefully
computationally expensive (slow). This is an industry standard thing to
do, and Apple did it right (although in more recent years even more
expensive key derivation methods have been designed). Without
specialized hardware (ASICs, which some three-letter agencies probably
have, but we don't), JtR is only able to test a few thousand to maybe
10 thousand candidate passwords per second per GPU, against a dmg file
generated/protected on a recent version of OS X. (For ancient versions,
speeds may be 100 times higher.) This means that a user might
realistically test, say, a billion of candidate passwords before giving
up (this might be a day on the latest high-end GPU, or a few months on
a laptop/desktop CPU - but exact times may vary greatly). And that's
just not enough to crack a semi-strong password/passphrase unless quite
some information about what it can vs. cannot be like is known (can be
recalled and input to the program). Of course, the weakest passwords
(such as those within the top few million of common passwords) can be
cracked anyway, but when people ask for help it's unusual for their
forgotten password/phrase to be a common one (although this happens).

I hope this helps.

Alexander
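
The estimate in the message above, worked through as an added example that is not part of the original post or of JtR. PBKDF2-HMAC-SHA1 stands in for an iterated key derivation function (the message does not name the algorithm), and the iteration counts, the 5 million wordlist size and the password spaces are constructed for illustration; only the one-billion budget and the 10 thousand per second rate come from the message.

```python
import hashlib
import os
import time

BUDGET = 10**9      # "a billion" candidates, from the message
GPU_RATE = 10_000   # upper end of the per-GPU rate quoted in the message

# Constructed password spaces (assumptions, not from the message).
SPACES = {
    "top 5 million common passwords": 5 * 10**6,
    "8 lowercase letters": 26**8,
    "8 printable ASCII characters": 95**8,
    "4 random words from a 7776-word list": 7776**4,
}

def kdf_seconds(iterations, trials=3):
    """Best-of-N wall time for one PBKDF2-HMAC-SHA1 derivation (stand-in KDF)."""
    salt = os.urandom(20)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha1", b"constructed-candidate", salt,
                            iterations, dklen=24)
        best = min(best, time.perf_counter() - start)
    return best

def days_for(candidates, rate_per_second):
    """Days needed to test `candidates` guesses at a fixed rate."""
    return candidates / rate_per_second / 86400

def coverage(budget, space):
    """Fraction of a uniformly chosen password space that `budget` guesses cover."""
    return min(1.0, budget / space)

def report(budget=BUDGET, rate=GPU_RATE):
    """(name, fraction covered by budget, days to exhaust) for each space."""
    return [(name, coverage(budget, size), days_for(size, rate))
            for name, size in SPACES.items()]

if __name__ == "__main__":
    # Each guess costs one full derivation, so cost scales with iterations.
    for iters in (1_000, 100_000):
        t = kdf_seconds(iters)
        print(f"{iters:>7} iterations: {t * 1e3:8.2f} ms per guess, "
              f"{1 / t:9.0f} guesses/s on one CPU core")
    print(f"{BUDGET:.0e} guesses at {GPU_RATE}/s: "
          f"{days_for(BUDGET, GPU_RATE):.2f} days")
    for name, cov, days in report():
        print(f"{name:38s} covered {cov:10.4%}  exhaust in {days:16.1f} days")
```

The budget fully covers the common-password list but under half a percent of even the 8-lowercase-letter space, which is why recalled constraints on the forgotten password matter more than raw speed.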