Discussion:
[john-users] dmg2john.py Text file rendering
Jordan Cross
2015-01-30 16:32:13 UTC
Permalink
I'm relatively new to this process and this format, so please forgive me,
my questions a out of ignorance.

I have a .dmg file that was created through the Mac OS X disk utility and
it is about 1.02gb, and I am unsure of which form of encryption that was
used. I believe that there are two options during creation: AES 128 and AES
256. I am unsure of the version of JTR that I am running, it has slipped my
mind. However, the version I have wasn't compiled including dmg2john.py. I
wound up getting it from GitHub. When running the dmg2john I can
successfully get a rendered .txt file. However, the first time I dumped the
file in, using single mode, too "excessive hashes" were loaded for
cracking. I canceled that process and tried one more time and now it
replies with "No password hashes loaded (see FAQ)"

Can anyone explain to me what's going on?
Solar Designer
2015-02-08 16:27:45 UTC
Permalink
Jordan,
Post by Jordan Cross
I have a .dmg file that was created through the Mac OS X disk utility and
it is about 1.02gb, and I am unsure of which form of encryption that was
used. I believe that there are two options during creation: AES 128 and AES
256. I am unsure of the version of JTR that I am running, it has slipped my
mind.
Please either find out which version of JtR you're using (and let us
know) or download and try a recent version (and let us know which one as
well). To find out JtR version, run it in a terminal without giving it
any command-line options. It will print a lengthy usage summary, but
before that it will also print its version number (you might need to
scroll up to see it).
Post by Jordan Cross
However, the version I have wasn't compiled including dmg2john.py.
dmg2john.py is a script that is run as-is, it is not to be "compiled".
I guess what you mean is that your version did not include that script.
However, it might have included dmg2john binary executable, which is
compiled from some C source files. These two implementations of
dmg2john provide similar functionality (but there may be differences).
Post by Jordan Cross
I wound up getting it from GitHub.
Which branch?
Post by Jordan Cross
When running the dmg2john I can successfully get a rendered .txt file.
Great! Now just feed it to a recent enough version of JtR.
Post by Jordan Cross
However, the first time I dumped the
file in, using single mode, too "excessive hashes" were loaded for
cracking.
What do you mean by "too "excessive hashes" were loaded for cracking"?
What did this look like?
Post by Jordan Cross
I canceled that process and tried one more time and now it
replies with "No password hashes loaded (see FAQ)"
This suggests that either your password was cracked, or you received
false positives (although for a .dmg file that is unexpected). Please
try running "./john --show" on your .txt file (the dmg2john output)?
Does it print a cracked password? Does that password work? Having
tried that, you may "rm john.pot" and start over, this time observing
the behavior more closely so that you can report it to us in here.
Post by Jordan Cross
Can anyone explain to me what's going on?
Definitely some confusion is going on. Other than that, it's unclear.
Let's find out, or avoid the problem by using a newer version.

Alexander
Jordan Cross
2015-02-09 15:17:35 UTC
Permalink
The version that I am using is

"John the Ripper password cracker, ver: 1.7.9-jumbo-7 [macosx-x86-64]"
Post by Solar Designer
Jordan,
Post by Jordan Cross
I have a .dmg file that was created through the Mac OS X disk utility and
it is about 1.02gb, and I am unsure of which form of encryption that was
used. I believe that there are two options during creation: AES 128 and
AES
Post by Jordan Cross
256. I am unsure of the version of JTR that I am running, it has slipped
my
Post by Jordan Cross
mind.
Please either find out which version of JtR you're using (and let us
know) or download and try a recent version (and let us know which one as
well). To find out JtR version, run it in a terminal without giving it
any command-line options. It will print a lengthy usage summary, but
before that it will also print its version number (you might need to
scroll up to see it).
Post by Jordan Cross
However, the version I have wasn't compiled including dmg2john.py.
dmg2john.py is a script that is run as-is, it is not to be "compiled".
I guess what you mean is that your version did not include that script.
However, it might have included dmg2john binary executable, which is
compiled from some C source files. These two implementations of
dmg2john provide similar functionality (but there may be differences).
Post by Jordan Cross
I wound up getting it from GitHub.
Which branch?
Post by Jordan Cross
When running the dmg2john I can successfully get a rendered .txt file.
Great! Now just feed it to a recent enough version of JtR.
Post by Jordan Cross
However, the first time I dumped the
file in, using single mode, too "excessive hashes" were loaded for
cracking.
What do you mean by "too "excessive hashes" were loaded for cracking"?
What did this look like?
Post by Jordan Cross
I canceled that process and tried one more time and now it
replies with "No password hashes loaded (see FAQ)"
This suggests that either your password was cracked, or you received
false positives (although for a .dmg file that is unexpected). Please
try running "./john --show" on your .txt file (the dmg2john output)?
Does it print a cracked password? Does that password work? Having
tried that, you may "rm john.pot" and start over, this time observing
the behavior more closely so that you can report it to us in here.
Post by Jordan Cross
Can anyone explain to me what's going on?
Definitely some confusion is going on. Other than that, it's unclear.
Let's find out, or avoid the problem by using a newer version.
Alexander
Solar Designer
2015-02-09 15:32:42 UTC
Permalink
Post by Jordan Cross
The version that I am using is
"John the Ripper password cracker, ver: 1.7.9-jumbo-7 [macosx-x86-64]"
OK, this one is pretty old (it's from 2012), and it does not support
.dmg file cracking at all.

Please upgrade to 1.8.0-jumbo-1. To run it on OS X (although you don't
have to), you'd need to install Xcode and build JtR from source.

You might have better luck by building it on a Linux machine with some
GPUs, though. The .txt file you got from dmg2john.py on OS X is meant
to be usable on other systems as well.

And yes, we should probably prepare a binary build of 1.8.0-jumbo-1 (or
newer) for OS X.

Alexander
Jordan Cross
2015-02-09 15:47:06 UTC
Permalink
I appreciate the help. I will certainly do a newer build.
Post by Solar Designer
Post by Jordan Cross
The version that I am using is
"John the Ripper password cracker, ver: 1.7.9-jumbo-7 [macosx-x86-64]"
OK, this one is pretty old (it's from 2012), and it does not support
.dmg file cracking at all.
Please upgrade to 1.8.0-jumbo-1. To run it on OS X (although you don't
have to), you'd need to install Xcode and build JtR from source.
You might have better luck by building it on a Linux machine with some
GPUs, though. The .txt file you got from dmg2john.py on OS X is meant
to be usable on other systems as well.
And yes, we should probably prepare a binary build of 1.8.0-jumbo-1 (or
newer) for OS X.
Alexander
Loading...