Discussion:
Trying to understand output of john -status
Tom
2012-11-09 19:16:59 UTC
When I type the following command while john is running I get the following.

# john -status=john
guesses: 0 time: 8:20:31:52 0%00% (3) c/s: 4068

I don't know how to interpret this but it looks like nothing is happening.
However, when I press the space bar on the terminal window it does give me the current
PW it's trying.

If I cat the john.pot file it shows me some passwords.

However when I type the following I get the following,

john --show john
4 password hashes cracked, 0 left

The john program continues to work, as I mentioned when I press the space bar
it shows me the current try.
I also know that the shadow file has more passwords. I can see names in
the list with encrypted pw's in it.

I have been running this for about 2 months. Can anyone help me to understand
the results of my various commands?

Should I leave it running? And allow it to keep trying the rest of the
passwords?
Thanks.
Solar Designer
2012-11-10 19:39:16 UTC
Post by Tom
> When I type the following command while john is running I get the following.
> # john -status=john
> guesses: 0 time: 8:20:31:52 0%00% (3) c/s: 4068
> I don't know how to interpret this but it looks like nothing is happening.

It's just the status of that session. The session may be currently
running or not (this is not seen from the status file - you only see
where it got to when the file was last updated).

4068 c/s is rather low, but it may be OK for some hash/cipher types -
depending on what you're cracking, on what hardware, with what John
version, build, and settings.

Post by Tom
> However,
> When I press the space bar on the terminal window it does give me the current
> PW it's trying.

That's as intended. Yes, --status does not print this info (since it's
not included in the disk file), but a keypress does.

Post by Tom
> If I cat the john.pot file it shows me some passwords.

Presumably, those were cracked by other sessions before you ran this
one, since the session named "john" thinks it hasn't cracked anything yet.

Post by Tom
> However when I type the following I get the following,
> john --show john
> 4 password hashes cracked, 0 left

That's a weird command - or rather, it's a weird filename you chose to
use here. First you called the session "john" - that's already pretty
confusing since that's also the name of the John program. Now you're
asking John to print cracked passwords for some file named "john".
What's in that file? I suggest that you avoid confusing/conflicting
names like that.

Post by Tom
> The john program continues to work, as I mentioned when I press the space bar
> it shows me the current try.
> I also know that the shadow file has more passwords. I can see names in
> the list with encrypted pw's in it.

Have you used the "unshadow" program or are you running John on the
shadow file directly? The latter works, but is suboptimal. With
"unshadow", you might get more passwords cracked early on due to it
letting John use info such as people's names and home directory names.

Post by Tom
> I have been running this for about 2 months.

Yet the above session, confusingly named "john", was started from
scratch less than 9 days ago. Maybe you wanted to restore a previously
interrupted session rather than restart it from scratch? If so, you
should have used --restore.

Also, chances are that the c/s rate can be improved a lot. You need to
mention your hash type (please include the "Loaded ..." line from John
verbatim), John version and make target used, and hardware details -
then we might be able to suggest how to speed things up.

Post by Tom
> Should I leave it running? And allow it to keep trying the rest of the
> passwords?

What are you doing this for? We need to know your goals before we can
advise you on this.

Alexander

P.S. Please consider posting to john-users via e-mail rather than via Gmane.
andrew
2012-11-11 13:06:04 UTC
I think you have pointed me in the right direction and helped me straighten
out my confusion so far. Being a novice at this I got confused in a few
areas, but I think ?? I have straightened it out, I hope.

Thanks for your knowledge. Having read your reply I think I have confused a
few things, so I'm going to reword this email by saying how I got to where
I am. This may show the flaws in what I have done.

Of course I started this a few months ago so I'm going from notes I made and
memory.

First let me say that the computer I'm running has linux on it but is an
older computer. So your comments on possibly the slowness of the process is
most likely partially due to the fact that this is an older computer.

Of course I would love to speed up the process on this computer but I'm not
sure it is possible???
It's a Pentium 4 1.90 GHz EVO Compaq.
The video info is Intel 82845G /GL/GE/PE/GV controller.
It's got about 1 Gig of RAM. Running linux.



My goal is to get the passwords.

I tried to follow the documentation regarding JTR as follows...

# cp /etc/passwd and /etc/shadow /somewhere

# chmod 077 each file

Put the files into /john folder
Use the following command
# ./unshadow ./passwd ./shadow >mypassword


# john mypassword

Everything seemed to work fine, in that the john.pot file contains two
passwords that I already know. e.g. administrator passwords (since I'm
administrator I already know those) These were produced fairly quickly.

I cannot remember if over the past months I restarted the program with the
command
# john -restore
If I did I think I used that simple command. BUT I know the most recent time
I certainly did because I can still see it in the terminal window with the
command in it. I had to do this because we had a little thing called
Hurricane Sandy and the power went off many times.

Now you have mentioned the following...
I said ....

Post by Solar Designer
> Post by Tom
> > john --show john
> > 4 password hashes cracked, 0 left

You responded ...

Post by Solar Designer
> That's a weird command - or rather, it's a weird filename you chose to
> use here. First you called the session "john" - that's already pretty
> confusing since that's also the name of the John program. Now you're
> asking John to print cracked passwords for some file named "john".
> What's in that file? I suggest that you avoid confusing/conflicting
> names like that.

I didn't name the session john, but I think I got confused between the
status command and the show command and the session name and the password
file. I just thought at the time that since the john.pot was called john
that john --show john was the right command.

I believe this is where I made a mistake in my report to the NG. After
reading your comments I realized that the right command is "john --show
mypassword", which gives me I think the output that is more expected. eg.

root:xxxxxxx@:0:0:root:/root:/bin/bash
admin:xxxxxxx@:101:101:e-smith administrator:/home/e-smith:/sbin/e-smith/console

2 password hashes cracked, 16 left

Now, having made corrections to my show command option, and displaying the
output of my commands above properly, do you believe that everything is
running right?

I have a question as to how john actually works. Here is a copy of some of
the last tries.

guesses: 0 time: 51:06:37:19 0.00% (3) c/s: 4466 trying: shs1geO - shs1god
guesses: 0 time: 51:06:37:23 0.00% (3) c/s: 4466 trying: shs1a1n - shs1a1$
guesses: 0 time: 51:06:41:37 0.00% (3) c/s: 4466 trying: shsbL1p - shsbLDS
guesses: 0 time: 52:04:08:42 0.00% (3) c/s: 4464 trying: 4peluc31 - 4pelucca
guesses: 0 time: 52:04:08:47 0.00% (3) c/s: 4464 trying: 4pelgo78 - 4pelgo75
guesses: 0 time: 57:08:12:25 0.00% (3) c/s: 4475 trying: Bbjipuy - Bbjipua
guesses: 0 time: 61:03:26:23 0.00% (3) c/s: 4473 trying: m9kek! - m9kekp
guesses: 0 time: 61:03:45:42 0.00% (3) c/s: 4473 trying: ajy241 - ajy24w
guesses: 0 time: 61:04:20:53 0.00% (3) c/s: 4473 trying: bprt0r - bprt05

Is it normal that it goes back and forth between 6 characters and 7? I
would have thought that it would try 6 characters then move to 7 and then to
8.

Or is it that in this default mode, e.g. # john mypassword, it's just running
through all the likely combinations based on the developers' experiences and
the john.conf file?

Finally you said the following ...

Post by Solar Designer
> P.S. Please consider posting to john-users via e-mail rather than via Gmane.

I'm not sure how to do this other than mailing lists?? But I find them
harder to manage, you have to subscribe and unsubscribe. You must get all
the commands right to do so, rather than just opening a news reader and it's
there. Unless you're talking about something else that I'm not getting? Why is
it that you do not like gmane or the newsgroup method?

Thanks for feedback or comments.
Solar Designer
2012-11-11 22:10:53 UTC
Andrew -

Post by andrew
> Of course I would love to speed up the process on this computer but I'm not
> sure it is possible???

Please do tell us the hash type you're cracking (the "Loaded ..." line,
verbatim), JtR version you're using, and the make target you built it with.
We can't answer your question above without that info.

Post by andrew
> My goal is to get the passwords.

Why is that your goal? Normally, JtR is used to detect weak passwords
only, not to crack all passwords. The latter is usually non-practical.

If you need to re-gain access to a system for which you no longer recall
the password, it is usually most straightforward to reset the password.

Post by andrew
> Now, having made corrections to my show command option, and displaying the
> output of my commands above properly, do you believe that everything is
> running right?

Yes, but you could probably run some additional attacks, besides letting
JtR continue with what it does by default. For example, you could
download larger wordlists and use a larger ruleset. You'll likely want
to answer the above questions before proceeding with that, though, as
your answers to them could affect what we'd recommend.

Post by andrew
> Is it normal that it goes back and forth between 6 characters and 7?

Yes.

Post by andrew
> Post by Solar Designer
> > P.S. Please consider posting to john-users via e-mail rather than via Gmane.
> I'm not sure how to do this other than mailing lists?? But I find them
> harder to manage, you have to subscribe and unsubscribe. You must get all
> the commands right to do so, rather than just opening a news reader and it's
> there. Unless you're talking about something else that I'm not getting? Why
> is it that you do not like gmane or the newsgroup method?

I understand that it's a matter of personal preference for you. I do
not find mailing lists to be any more difficult to use than newsgroups
or web forums. (Un)subscribing is as easy as entering your e-mail
address on a web page and "replying" to a confirmation request e-mail.

This mailing list is pre-moderated to ensure that only on-topic messages
get through. With Gmane, this means that each and every message has to
be delayed and then approved by a moderator. For subscribers, we're
able to have some messages bypass this moderation delay. Then, if we
have to reject an off-topic or duplicate message posted via Gmane, the
Gmane web interface has the rejection message from the mailing list
manager program displayed as if it were a posting - this doesn't look
pretty and it partially defeats the purpose of rejecting the message.
(I do not anticipate the need to reject any of your messages, though.)

Alexander
Andrew
2012-11-12 19:04:59 UTC
We are a small organization where two people left unhappily. There are a number
of files that are encrypted, e.g. VI and others, where we think they used the same
passwords as their login. We would like to access those files.

Here is the loaded option..
Loaded 18 password hashes with 18 different salts (FreeBSD MD5 [128/128 SSE2 intrinsics 4x])

I believe the version is 1.7.9

At least the CHANGES file says this ...
The following changes have been made between John 1.7.8 and 1.7.9:
(I cannot see an option in john like john -version)

You mentioned the "Make Target". This is unknown to me. It is simply on the
linux that we installed on this computer as part of the linux. One of the
other fellows mentioned backtrack 5 so we dl'ed it and installed it and there
it was. I'm not a programmer so the only making I do is the odd time when I have
to install some software that needs compiling, and I follow the instructions
slavishly. Not often.

The john program has helped me to see that for example the root passwords
were very weak, since they were the first pw's to be revealed. It has been
educational. I have been increasing various pw's to 8 or more characters.

Thanks.
Solar Designer
2012-11-14 04:35:50 UTC
Post by Andrew
> We are a small organization where two people left unhappily. There are a number
> of files that are encrypted, e.g. VI and others, where we think they used the same
> passwords as their login. We would like to access those files.

You could speed the attack up by focusing it on just those people's
passwords - not trying to crack the rest as well.

Post by Andrew
> Here is the loaded option..
> Loaded 18 password hashes with 18 different salts (FreeBSD MD5 [128/128 SSE2 intrinsics 4x])

Since each of your hashes has a unique salt, excluding some of the
hashes from attack will speed up the attack on the remaining hashes.
The c/s rate won't increase, but the candidate passwords per second rate
(not displayed) will.

You may also speed things up a little bit by downloading the latest JtR
-jumbo version in form of source tarball and compiling it with "make
linux-x86-sse2i" (with the trailing "i").

Post by Andrew
> I believe the version is 1.7.9
> At least the CHANGES file says this ...
> (I cannot see an option in john like john -version)

The version number is printed when you run "john" with no arguments.
You may need to scroll up to see it, though, as the usage output is
rather long lately.

Post by Andrew
> You mentioned the "Make Target". This is unknown to me. It is simply on the
> linux that we installed on this computer as part of the linux. One of the
> other fellows mentioned backtrack 5 so we dl'ed it and installed it and there
> it was. I'm not a programmer so the only making I do is the odd time when I have
> to install some software that needs compiling, and I follow the instructions
> slavishly. Not often.

Understood. Well, I guess BackTrack used a slightly sub-optimal make
target for this JtR build. That said, it is also true that your
computer is just slow by modern standards - e.g., cracking these hashes
on an AMD FX-8120 CPU (under $200) running a 64-bit OS will be about 40
times faster (over 200k c/s), and a GPU will be faster yet.

Alexander
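
Added example, not part of any post in this thread and not code from the John the Ripper project: a small Python parser for the status lines quoted above. It converts the D:HH:MM:SS session time, names the default-mode pass shown in parentheses, and applies the point from the reply above that with one salt per hash the candidate rate is roughly c/s divided by the number of salts still loaded. The function names are hypothetical, and the division is an approximation taken from that reply.

```python
import re

# Status line layout as printed by the default-mode John 1.7.9 session in this thread.
STATUS_RE = re.compile(
    r"guesses:\s*(?P<guesses>\d+)\s+"
    r"time:\s*(?P<d>\d+):(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+"
    r"(?P<pct>\S+)\s+\((?P<batch_pass>\d)\)\s+"
    r"c/s:\s*(?P<cps>\d+)"
    r"(?:\s+trying:\s*(?P<first>\S+)\s+-\s+(?P<last>\S+))?"
)

# Pass numbers shown in parentheses when john runs in its default ("batch") mode.
BATCH_PASSES = {1: "single crack", 2: "wordlist", 3: "incremental"}


def parse_status(line):
    """Parse one status line; lines wrapped by a mail client are re-joined first."""
    m = STATUS_RE.search(" ".join(line.split()))
    if m is None:
        raise ValueError("not a john status line: %r" % line)
    elapsed = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    return {
        "guesses": int(m["guesses"]),
        "elapsed_seconds": elapsed,
        "elapsed_days": elapsed / 86400,
        "mode": BATCH_PASSES.get(int(m["batch_pass"]), "unknown"),
        "cps": int(m["cps"]),
        "trying": (m["first"], m["last"]) if m["first"] else None,
    }


def candidates_per_second(cps, salts):
    """Each candidate is hashed once per distinct salt, so divide c/s by salts."""
    if salts < 1:
        raise ValueError("need at least one salt")
    return cps / salts


if __name__ == "__main__":
    # Sample input: status lines copied from the posts above (second one wrapped).
    first = parse_status("guesses: 0 time: 8:20:31:52 0%00% (3) c/s: 4068")
    later = parse_status(
        "guesses: 0 time: 61:04:20:53 0.00% (3) c/s: 4473 trying: bprt0r -\nbprt05")
    print("session age: %.1f days, mode: %s" % (first["elapsed_days"], first["mode"]))
    print("18 salts: %.0f candidates/s" % candidates_per_second(first["cps"], 18))
    print(" 2 salts: %.0f candidates/s" % candidates_per_second(first["cps"], 2))
    print("latest range:", later["trying"])
```
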
Andrew
2012-11-14 20:13:28 UTC
Thank you this is all very sound advice.
Yes, you're right, a faster computer, price is negligible.

I didn't realize that you could remove some of the hashes. I assume that you
just put it into an editor and remove each line you don't want to crack.
Just don't remove anything on that line.

We added a different word list. If that finishes with no success, then we may
compile a jumbo version.

Makes sense, thanks a lot.

Andrew.
Solar Designer
2012-11-14 23:55:49 UTC
Post by Andrew
> I didn't realize that you could remove some of the hashes. I assume that you
> just put it into an editor and remove each line you don't want to crack.
> Just don't remove anything on that line.

Yes, you can edit the file, or alternatively you can use the --users
option to John. For example:

john --users=joe,jill passwd

To interrupt/continue your 2-month cracking session with this change
made to it (attack only some of the hashes), you may either edit the
file with the hashes (easier) or edit the .rec file (harder: you need to
add a "--users=joe,jill" line and increase the options count number - I
do not recommend this approach as it is too easy for you to do it wrong).

Alexander
