Shashank Khanvilkar | 5 Oct 2005 18:55

Newbie question on jtc show

Hi,
I couldn't find any info on this.
I am trying to crack a windows2000/XP passwd file. I was able to extract 
information using pwdump2 and the dump file contains something like below:
--SNIP--
#>cat passwd.2
Administrator:500:aad1b433b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d9e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
--SNIP--

I then used jtc as below
#>jtc passwd.2

It started doing something, spit out some messages (which I have no idea 
what they mean, where to get more doc on this).
Finally, when I stopped it and did
#>john -show passwd.2
Administrator:???????:500:31d6cfe0d16ae931b73c59d9e0c089c0:::
Guest:???????:501:31d6cfe0d16ae931b73c59d7e0c089c0:::
--SNIP--

What do these "???" signify?

Any help appreciated.
Shashank

--

-- 
To unsubscribe, e-mail
john-users-unsubscribe@... and reply
to the automated confirmation request that will be sent to you.

Solar Designer | 5 Oct 2005 19:22

Re: Newbie question on jtc show

On Wed, Oct 05, 2005 at 11:55:55AM -0500, Shashank Khanvilkar wrote:
> I am trying to crack a windows2000/XP passwd file. I was able to extract 
> information using pwdump2 and the dump file contains something like below:
> --SNIP--
> #>cat passwd.2
> Administrator:500:aad1b433b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d9e0c089c0:::
> Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
> --SNIP--

The above looks correct, although it appears that you've been re-typing
this (why?) and made two typos in the Administrator's password hash.

Both Guest and Administrator (with the typos corrected) have empty
passwords, and the current version of John the Ripper reports that
correctly.

> I then used jtc as below
> #>jtc passwd.2
> 
> it started doing something, spit out some messages (which i have no idea 
> what they mean, where to get more doc on this)

As the README says, "Cracked passwords will be printed to the terminal ..."
What you should have seen are the cracked passwords (or their halves) -
in this case just empty strings - followed by the corresponding usernames
in braces.

> finally when i stopped it and did
> #>john -show passwd.2
> Administrator:???????:500:31d6cfe0d16ae931b73c59d9e0c089c0:::

One21921 | 5 Oct 2005 20:00

Re: Newbie question on jtc show

Hi. I need help running john the ripper. Can you help me and show me how to 
install it?

Shashank Khanvilkar | 5 Oct 2005 22:51

Re: Newbie question on jtc show


>>--SNIP--
>>#>cat passwd.2
>>Administrator:500:aad1b433b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d9e0c089c0:::
>>Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
>>--SNIP--
> 
> 
> The above looks correct, although it appears that you've been re-typing
> this (why?) and made two typos in the Administrator's password hash.

Yes I realised this just now. Some mistake.

> 
>>finally when i stopped it and did
>>#>john -show passwd.2
>>Administrator:???????:500:31d6cfe0d16ae931b73c59d9e0c089c0:::
>>Guest:???????:501:31d6cfe0d16ae931b73c59d7e0c089c0:::
>>--SNIP--
>>
>>what do these "???" signify
> 
> 
> John uses the question marks to indicate uncracked portions of
> partially-cracked passwords.  However, in your case this appears to be a
> bug in the version of John you're using.  What version was that?
> 
> There's a known bug like that in version 1.6.38 (and only in that
> version).  If that's what you were using, please upgrade to 1.6.39.
I changed the version and it seems to be working now.

Solar Designer | 6 Oct 2005 02:51

Re: Newbie question on jtc show

On Wed, Oct 05, 2005 at 09:22:23PM +0400, Solar Designer wrote:
> On Wed, Oct 05, 2005 at 11:55:55AM -0500, Shashank Khanvilkar wrote:
> > #>john -show passwd.2
> > Administrator:???????:500:31d6cfe0d16ae931b73c59d9e0c089c0:::
> > Guest:???????:501:31d6cfe0d16ae931b73c59d7e0c089c0:::
> > --SNIP--
> > 
> > what do these "???" signify
> 
> John uses the question marks to indicate uncracked portions of
> partially-cracked passwords.  However, in your case this appears to be a
> bug in the version of John you're using.  What version was that?

This was determined to be a bug in John 1.6 ("stable") in that it fails
to properly detect LM hashes of empty passwords when those hashes are
encoded with lowercase characters.  I believe the original PWDUMP used
all-uppercase characters.

This was corrected shortly after the John 1.6 release...  Yes, it's
high time I put out a John 1.7.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
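
An added example, not part of any message in this thread: a small Python check that classifies PWDUMP-format lines like those quoted above, comparing hashes case-insensitively, which is the case handling the bug described in this message turns on. The function names, status strings and the AdminFixed/AdminUpper sample lines are constructed for illustration; the empty-password LM and NT values are the well-known constants.

```python
import re

# Well-known hashes of the empty password; each LM half covers 7 characters.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def classify(line):
    """Return (user, status) for one PWDUMP line: user:rid:LM:NT:::"""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return None, "malformed"
    user, _rid, lm, nt = fields[:4]
    if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
        return user, "malformed"
    # Hex digits carry no case: normalise first so uppercase and
    # lowercase dumps are treated the same.
    lm, nt = lm.lower(), nt.lower()
    lm1, lm2 = lm[:16], lm[16:]
    if nt == EMPTY_NT:
        return user, "empty password"
    if lm1 == EMPTY_LM_HALF and lm2 == EMPTY_LM_HALF:
        return user, "password set, no LM hash stored"
    if lm2 == EMPTY_LM_HALF:
        return user, "password set, at most 7 characters"
    return user, "password set"


def audit(dump_text):
    """Classify every non-blank line of a dump; returns a list of tuples."""
    return [classify(l) for l in dump_text.splitlines() if l.strip()]


# Constructed sample: the two lines as posted (Administrator with its
# typos), plus corrected and uppercase-encoded variants of that line.
SAMPLE = """\
Administrator:500:aad1b433b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d9e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
AdminFixed:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
AdminUpper:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""

if __name__ == "__main__":
    for user, status in audit(SAMPLE):
        print(f"{user}: {status}")
```

The retyped Administrator line no longer matches the empty-password constants, so it reads as a real password; the corrected and uppercase variants both classify as empty.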


Heiko Schulz | 6 Oct 2005 22:18

problem with unafs

Hi:

I tried to use unafs to convert my kaserver.DB0 file, but it failed.
It works very well on an old kaserver.DB0 from Transarc AFS 3.4; so
I believe unafs is unable to handle newer openafs databases. Who can
help me? I tried the debian version 1.6.37 and john-1.6.39 from source.

Best regards
Heiko Schulz

-- 
Dr. Heiko Schulz
Fachbereich Mathematik
Systemadministration
Pfaffenwaldring 57
Raum 8.313
Universität Stuttgart

Tel.   : (0711) 685 5344
Fax    : (0711) 685 5348
E-Mail : schulz@...


Lionel Cons | 7 Oct 2005 17:31

Re: problem with unafs

Heiko Schulz writes:
 > I tried to use unafs to convert my kaserver.DB0 file, but it failed.
 > It works very well on an old kaserver.DB0 from Transarc AFS 3.4; so
 > I believe unafs is unable to handle newer openafs databases. Who can
 > help me? I tried the debian version 1.6.37 and john-1.6.39 from source.

Heiko,

I've made some tests on my side and it seems that some kaserver.DB0
files created by OpenAFS contain incorrect header information.

Try the following patch, it works for me.

Cheers,

Lionel

--- unafs.c~    2002-04-10 16:13:25.000000000 +0200
+++ unafs.c     2005-10-07 17:29:49.000000000 +0200
 <at>  <at>  -41,6 +41,7  <at>  <at> 
        size =
                ((long)buffer[6] << 8) +
                (long)buffer[7];
+       if (size == 0) size = 64;
        if (fseek(file, size, SEEK_SET)) pexit("fseek");

        if (fread(buffer, 8, 1, file) != 1) return 1;
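
Review bot: the added `if (size == 0) size = 64;` hardcodes 64 with no comment saying where that value comes from or why a zero header size should map to it. A short comment noting that some kaserver.DB0 files created by OpenAFS carry incorrect header information, plus a named constant for the 64, would make the workaround readable. Only the zero case is handled: any other wrong value assembled from `buffer[6]` and `buffer[7]` still goes straight to `fseek`, so consider rejecting other implausible sizes at the same point.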


O.A Anthony | 7 Oct 2005 20:09

Re: Newbie question on jtc show

yes

One21921@... wrote:
Hi. I need help running john the ripper. Can you help me and show me how to
install it?

Solar Designer | 9 Oct 2005 01:09

Re: problem with unafs

On Fri, Oct 07, 2005 at 05:31:54PM +0200, Lionel Cons wrote:
> I've made some tests on my side and it seems that some kaserver.DB0
> files created by OpenAFS contain incorrect header information.
> 
> Try the following patch, it works for me.

Thanks!  I've applied this patch to my tree for now, although it'd be
great to hear from Heiko that the patch works for him as well.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments


Heiko Schulz | 9 Oct 2005 13:48

Re: problem with unafs

On Sun, Oct 09, 2005 at 03:09:56AM +0400, Solar Designer wrote:
> On Fri, Oct 07, 2005 at 05:31:54PM +0200, Lionel Cons wrote:
> > I've made some tests on my side and it seems that some kaserver.DB0
> > files created by OpenAFS contain incorrect header information.
> > 
> > Try the following patch, it works for me.
> 
> Thanks!  I've applied this patch to my tree for now, although it'd be
> great to hear from Heiko that the patch works for him as well.
> 

It worked very well also for me.

Heiko
