John the Ripper password cracked or not?

  • I have the shadow file from an embedded device running Linux. Trying to use John to crack it. There is only the 'root' hash in the shadow file.

    12 seconds in, John finds the password for 'root', but the program hasn't stopped trying.

    JohnFAQ says

    "The four speed metrics are as follows: g/s is successful guesses per second (so it'll stay at 0 until at least one password is cracked)"

    g/s is 0.07782@12 seconds. Does this mean the password has been cracked? If yes, why is it still trying?

    <you don't need to know>:$ john --fork=4   shadow 
    Created directory: <you don't need to know>.john
    Loaded 1 password hash (md5crypt [MD5 32/64 X2])
    Node numbers 1-4 of 4 (fork)
    Press 'q' or Ctrl-C to abort, almost any other key for status
    <root password>            (root)
    4 1g 0:00:00:12 3/3 0.07770g/s 9250p/s 9250c/s 9250C/<you dont need to know>
    3 0g 0:00:00:44 3/3 0g/s 13337p/s 13337c/s 13337C/s asdonn3..asdonta
    1 0g 0:00:00:44 3/3 0g/s 9417p/s 9417c/s 9417C/s mammse..mamb23
    2 0g 0:00:00:44 3/3 0g/s 9407p/s 9407c/s 9407C/s jojhe1..jojhoy
    3 0g 0:00:00:46 3/3 0g/s 13414p/s 13414c/s 13414C/s jhoctri..jhoctre
    1 0g 0:00:00:46 3/3 0g/s 9422p/s 9422c/s 9422C/s alazur..alazus
    2 0g 0:00:00:46 3/3 0g/s 9412p/s 9412c/s 9412C/s 25075j..25074a
    1 0g 0:00:00:48 3/3 0g/s 9426p/s 9426c/s 9426C/s jelola..jelold
    2 0g 0:00:00:48 3/3 0g/s 9414p/s 9414c/s 9414C/s 12m_t..12m_1
    3 0g 0:00:00:48 3/3 0g/s 13482p/s 13482c/s 13482C/s nhiro..nhiry
    2 0g 0:00:00:49 3/3 0g/s 9416p/s 9416c/s 9416C/s clbeh..clbie
    1 0g 0:00:00:49 3/3 0g/s 9427p/s 9427c/s 9427C/s cutt37..cutuxa
    3 0g 0:00:00:49 3/3 0g/s 13511p/s 13511c/s 13511C/s staleesa..staleest
    1 0g 0:00:00:53 3/3 0g/s 9433p/s 9433c/s 9433C/s tbj12..tbj14
    Waiting for 3 children to terminate
    3 0g 0:00:00:53 3/3 0g/s 13647p/s 13647c/s 13647C/s poott3..poott5
    2 0g 0:00:00:53 3/3 0g/s 9421p/s 9421c/s 9421C/s mcala1..mcalas
    Session aborted

  • From the documentation:

    Similarly to "--node", there's almost no communication between the processes with "--fork". Hashes successfully cracked by one process continue being cracked by other processes. Just like with "--node", this is mostly OK for saltless hash types or when there's just one salt, but it is a serious drawback when many different salts are present and their number could potentially be decreasing as some hashes get cracked. To have the cracked hashes (and possibly salts) removed from all processes, you may interrupt and restore the session once in a while.

    You started 4 processes based on your screen, the 4th one successfully cracked the hash, but the other 3 will continue. Note that the 4th process doesn't output anything anymore on your screen.

    Processes 1-3 will most likely never find a match, since there would be no point to test the same passwords between different processes, and a collision is highly unlikely.
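Added example, not part of the original answer or of John the Ripper itself: a small parser for the fork-mode status lines shown in the question, reporting which node's `Ng` counter is non-zero and which nodes were still running at the end. The sample text is constructed from the session above with the redacted fields replaced by a placeholder; the function names are hypothetical.

```python
import re

# Fork-mode status line, in the layout seen in the session above:
# "<node> <N>g <D:HH:MM:SS> <pass> <rate>g/s <p/s> <c/s> <C/s> <candidates>"
STATUS = re.compile(
    r"^\s*(?P<node>\d+) (?P<g>\d+)g "
    r"(?P<d>\d+):(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ "
    r"(?P<gps>[\d.]+)g/s"
)

# Constructed sample: lines from the question, redactions replaced by REDACTED.
SAMPLE = """\
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Node numbers 1-4 of 4 (fork)
4 1g 0:00:00:12 3/3 0.07770g/s 9250p/s 9250c/s 9250C/s REDACTED
3 0g 0:00:00:44 3/3 0g/s 13337p/s 13337c/s 13337C/s asdonn3..asdonta
1 0g 0:00:00:53 3/3 0g/s 9433p/s 9433c/s 9433C/s tbj12..tbj14
Waiting for 3 children to terminate
3 0g 0:00:00:53 3/3 0g/s 13647p/s 13647c/s 13647C/s poott3..poott5
2 0g 0:00:00:53 3/3 0g/s 9421p/s 9421c/s 9421C/s mcala1..mcalas
Session aborted
"""

def summarize(output):
    """Map node number -> its most recent status (guesses, elapsed seconds, g/s)."""
    nodes = {}
    for line in output.splitlines():
        m = STATUS.match(line)
        if not m:
            continue  # banner lines, cracked-password lines, "Waiting for ..." etc.
        elapsed = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
        # Later lines for the same node overwrite earlier ones.
        nodes[int(m["node"])] = {
            "guesses": int(m["g"]),
            "elapsed": elapsed,
            "gps": float(m["gps"]),
        }
    return nodes

def cracked_by(nodes):
    """Nodes whose guess counter is non-zero, i.e. the ones that cracked a hash."""
    return sorted(n for n, st in nodes.items() if st["guesses"] > 0)

def still_running_at_end(nodes):
    """Nodes that kept reporting until the latest timestamp seen in the output."""
    last = max(st["elapsed"] for st in nodes.values())
    return sorted(n for n, st in nodes.items() if st["elapsed"] == last)

if __name__ == "__main__":
    nodes = summarize(SAMPLE)
    print("cracked by node(s):", cracked_by(nodes))
    print("still running at abort:", still_running_at_end(nodes))
```
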
