I am practicing reversing md5 hashed passwords using John the Riper and was curious about some behaviour. I added the md5 hash of zaa
to the top of the file with the hashes and when I ran john passwordFile.txt
it reversed the hash to find zaa
very quickly, but when I set it to incremental mode...well it's still running. How does incremental mode work? It has sucesffuly reversed other passwords like
cilldara
5487175a
wcjzfm
but no zaa
so it doesn't appear to be going in alphabetical order?
UPDATE: I have observed what I believe is the fact that john
never outputs the same password more than once, even between successive invocations (unless --show
option is specified). For example if a wordlist is used and cracked a password myname123
then running john
again in incremental mode, won't in fact print myname123
again; you need to do john samefile.txt --show
to get it to output (I think it caches the cracked passwords). My reasoning is from what I observed, another part is the statement answering why no passwords may be hashed:
All of the password hashes found in the file (that are of the same type as the very first recognized hash in the file unless you're using the "--format=..." option) might be already cracked by previous invocations of John
Here is one example of trying to run the command in incremental mode
[dev@localhost ~]$ john --format=raw-md5 'passwords.md5 (copy).raw' --incremental
Loaded 2 password hashes with no different salts (Raw MD5 [SSE2i 10x4x3])
No password hashes left to crack (see FAQ)
Then if I go into passwords.md5 and add a new hash at the top and rerun the results are different
[dev@localhost ~]$ john --format=raw-md5 'passwords.md5 (copy).raw' --incremental
Loaded 1002 password hashes with no different salts (Raw MD5 [SSE2i 10x4x3])
Remaining 942 password hashes with no different salts
hi (?)
The new (crappy) password was 'hi'