John the Ripper - Can't get cracked MD5 hash to show

Question

I'm trying to crack some MD5 hashes given in OWASP's BWA on their DVWA site. I was able to use John the Ripper and the very first time it worked fine and it showed the reversed hashes using the code:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

However, whenever I try to do it again for the exact same file, it gives back the following:

Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (Raw-MD5 [MD5 128/128 XOP 4x2])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2017-02-22 17:31) 0g/s 8746Kp/s 8746Kc/s 8746KC/s                   ..*7¡Vamos!
Session completed

Answer 1

As you can see in the docs http://www.openwall.com/john/doc/, John (and almost any good hash cracker) will store the cracked hashes in some sort of file/db.

This is for performance, this programs will check for already cracked hashes preventing them to spend cpu/gpu time.

In the case of John, is located at: $JOHN/john.pot ($JOHN path depends on the install)

You can view the previously cracked hashes in the terminal with the command: john --show passwd

This behavior is almost standard.

Answer 2

john --show --format=RAW-MD5 passwd

in your case, the passwd should be hash.txt

Answer 3

Well I had the same problem but where I had never run john on the hashes before so --show would have not made any sense.

The problem is that this is actually not an error or so (as I have first thought), but john simply has not found the corresponding password.

Answer 4

try john --show then enter the hash file location eg john --show Desktop/hash1.txt

or because you have run the same hash before john already has it saved in .pot file and will not run it again until it has been removed.

At your own risk try running john and john rm .pot or rm john.pot then running the same hash again.