--Show does'nt show anything

[S3j5b0]

Hi, I have intalled John on my ubuntu 20 machine using snap, I have the following version:
John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]

For a exercise, I have a file with some passwords that need to be cracked. I run john from my terminal as such:

ask@Garsy:~/Notes/TA/AppliedInfoSec/PassCracking$ john --format=Raw-MD5 passwords_md5.txt
Using default input encoding: UTF-8
Loaded 3413 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Remaining 3355 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=4
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 8 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/snap/john-the-ripper/current/run/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
brawlers         (ccook)
semicolon        (hughesli)
bousier10        (kamartin)
piero1013        (richardc)

And as you can see, I crack some passwords.
But now I want to use --show to see these passwords:

ask@Garsy:~/Notes/TA/AppliedInfoSec/PassCracking$ john --show passwords_md5.txt
0 password hashes cracked, 6826 left

And john claims that no passwords have been cracked. This seems strange.

I tried looking in the john.pot file, only to find out that there is none!
How can this be?

[solardiz]

Hi @S3j5b0. This would be more appropriately brought up on john-users rather than here, but anyway:

Try adding --format=Raw-MD5 along with --show. That john.pot looks empty for you is weird, but then you didn't mention how long you let the attack run and whether/how you stopped it before the --show. There's some buffering on writes into that file (up to 1 minute's worth of cracked passwords by default). It is also possible that you're looking at a different john.pot file than your invocation of john used.

[claudioandre-br]

This is the bleeding snap package:

• I dont' have your file, so I created one and removed john.pot (a clean run):
  $ john --format=Raw-MD5 -list=format-tests | cut -f3 > ~/passwords_md5.txt

• Run the cracking session for a defined and short amount of time:
  $ john --format=Raw-MD5 passwords_md5.txt --max-run=60

• Find the john.pot file:
  ls /home/YOURNAME/snap/john-the-ripper/current/.john/john.*

$ john --show passwords_md5.txt
?:test1
?:test3
?:test

3 password hashes cracked, 19 left

$ john --show passwords_md5.txt --format=dynamic_0
?:test1
?:test1
?:test
?:test
?:test3
?:
?:1
?:12
?:123
?:1234
?:12345

11 password hashes cracked, 1 left

$ john --show passwords_md5.txt --format=raw-md5
?:test1
?:test1
?:test
?:test
?:test3
?:
?:1
?:12
?:123
?:1234
?:12345
?:test

12 password hashes cracked, 1 left

$ cat /home/claudio/snap/john-the-ripper/current/.john/john.pot
$dynamic_0$827ccb0eea8a706c4c34a16891f84e7b:12345
$dynamic_0$81dc9bdb52d04dc20036dbd8313ed055:1234
$dynamic_0$202cb962ac59075b964b07152d234b70:123
$dynamic_0$d41d8cd98f00b204e9800998ecf8427e:
$dynamic_0$098f6bcd4621d373cade4e832627b4f6:test
$dynamic_0$c4ca4238a0b923820dcc509a6f75849b:1
$dynamic_0$5a105e8b9d40e1329780d62ea2265d8a:test1
$dynamic_0$8ad8757baa8564dc136c1e07507f4a98:test3
$dynamic_0$c20ad4d76fe97759aa27a0c99bff6710:12

[claudioandre-br]

Sorry, previous message was incomplete:

• the pot file is in the /home/YOURNAME/snap/john-the-ripper/current/.john folder. This is a rule for all snap packages.
• reasoning: sandboxing. There is no conflict between a snap execution and a normal (built from source) john execution.
• please try adding --format=Raw-MD5 along with --show.

[solardiz]

@claudioandre-br Why the discrepancy between your 3 --show results? Is it really from your use of options, or was e.g. the pot file changing?

[claudioandre-br]

I have to test again using john built from source. Anyway, 99% sure:

• This is john itself (and this behavior is not new for me). Fast (maybe simple is a better word) formats like raw-mdX behave this way.
• It is really from my use of options and you can reproduce.

---

Some changes in this behavior after 1.9.0-jumbo-1 are a possibility. I really don't know.

[solardiz]

@claudioandre-br Weird stuff. I think we need to open a separate/real issue to discuss this and see if we want to change anything. I think reasonable expectation would be for --show without --format to either work just as well or not work at all, not to produce partial output, as long as only one hash type is involved.

[claudioandre-br]

--show always confused me.

Anyway, #1469 is another example when unifying and --show are present.

[solardiz]

@claudioandre-br Oh, I now realize that the way you constructed passwords_md5.txt you got differently encoded hashes in there, as we're testing the different encodings among our test vectors. This explains the discrepancies, and isn't something a new user would commonly run into.

Anyway, cracking those hashes like you did, I get this hint:

Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably

and this gives:

12 password hashes cracked, 1 left

which is probably correct, as the cracking ended with a 12g line yet continued running (if it were not interrupted). There are 13 lines in passwords_md5.txt.

So I think there's nothing for us to fix here. We already print a recommendation of the right options to use, and they work correctly.