You are not logged in.
I am seeing an odd behavior with `john`. When running it on Arch, it opens and listens on TCP port 1024 for some reason. Doing the same test on Kali does not open a port.
To reproduce:
I reinstalled john just in case:
```
sudo pacman -Rns john
sudo pacman -S john
```
Check that port 1024 is not open:
```
sudo ss -lntp
```
Run john with a file it won't crack immediately:
```
john zip.hash
```
While that's running check ports again:
```
sudo ss -lntp
```
This shows up now:
```
LISTEN 0 4096 0.0.0.0:1024 0.0.0.0:* users:(("john-non-xop",pid=26820,fd=29))
```
Why?
Doing the same test on Kali does not open this port. Could this possibly be a malicious binary in the Arch repo?
Confirming the package and integrity:
```
> pacman -Qkk john
john: 566 total files, 0 altered files
> pacman -Qo /usr/sbin/john
/usr/bin/john is owned by john 1.9.0.jumbo1-11
> pacman -Qo /usr/lib/john/john-non-xop
/usr/lib/john/john-non-xop is owned by john 1.9.0.jumbo1-11
```
SHA sums:
```
> sha256sum /usr/sbin/john
6e6a457ed3f64b8293eb029f44e067045f6026b987198e533799d1bde517ab99 /usr/sbin/john
> sha256sum /usr/lib/john/john-non-xop
4efc9d812906eb816e4ca9f63a0d2a75c421b1a1fb15d95236beddaffc87dcf3 /usr/lib/john/john-non-xop
> sha1sum /usr/sbin/john
ea4b616542dffb919ac3c42077122cb28ec80fe3 /usr/sbin/john
> sha1sum /usr/lib/john/john-non-xop
c76ad1c9e3bc0725c2eb15371cafc95be42b4576 /usr/lib/john/john-non-xop
```
Can anyone at least reproduce this and confirm the behavior?
And if you want to test with the exact file (it shouldn't matter but this one's from a CTF):
```
cat zip.hash
```
```
backup.zip:$pkzip$2*1*1*0*8*24*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*989a*22290dc3505e51d341f31925a7ffefc181ef9f66d8d25e53c82afc7c1598fbc3fff28a17ba9d8cec9a52d66a11ac103f257e14885793fe01e26238915796640e8936073177d3e6e28915f5abf20fb2fb2354cf3b7744be3e7a0a9a798bd40b63dc00c2ceaef81beb5d3c2b94e588c58725a07fe4ef86c990872b652b3dae89b2fff1f127142c95a5c3452b997e3312db40aee19b120b85b90f8a8828a13dd114f3401142d4bb6b4e369e308cc81c26912c3d673dc23a15920764f108ed151ebc3648932f1e8befd9554b9c904f6e6f19cbded8e1cac4e48a5be2b250ddfe42f7261444fbed8f86d207578c61c45fb2f48d7984ef7dcf88ed3885aaa12b943be3682b7df461842e3566700298efad66607052bd59c0e861a7672356729e81dc326ef431c4f3a3cdaf784c15fa7eea73adf02d9272e5c35a5d934b859133082a9f0e74d31243e81b72b45ef3074c0b2a676f409ad5aad7efb32971e68adbbb4d34ed681ad638947f35f43bb33217f71cbb0ec9f876ea75c299800bd36ec81017a4938c86fc7dbe2d412ccf032a3dc98f53e22e066defeb32f00a6f91ce9119da438a327d0e6b990eec23ea820fa24d3ed2dc2a7a56e4b21f8599cc75d00a42f02c653f9168249747832500bfd5828eae19a68b84da170d2a55abeb8430d0d77e6469b89da8e0d49bb24dbfc88f27258be9cf0f7fd531a0e980b6defe1f725e55538128fe52d296b3119b7e4149da3716abac1acd841afcbf79474911196d8596f79862dea26f555c772bbd1d0601814cb0e5939ce6e4452182d23167a287c5a18464581baab1d5f7d5d58d8087b7d0ca8647481e2d4cb6bc2e63aa9bc8c5d4dfc51f9cd2a1ee12a6a44a6e64ac208365180c1fa02bf4f627d5ca5c817cc101ce689afe130e1e6682123635a6e524e2833335f3a44704de5300b8d196df50660bb4dbb7b5cb082ce78d79b4b38e8e738e26798d10502281bfed1a9bb6426bfc47ef62841079d41dbe4fd356f53afc211b04af58fe3978f0cf4b96a7a6fc7ded6e2fba800227b186ee598dbf0c14cbfa557056ca836d69e28262a060a201d005b3f2ce736caed814591e4ccde4e2ab6bdbd647b08e543b4b2a5b23bc17488464b2d0359602a45cc26e30cf166720c43d6b5a1fddcfd380a9c7240ea888638e12a4533cfee2c7040a2f293a888d6dcc0d77bf0a2270f765e5ad8bfcbb7e68762359e335dfd2a9563f1d1d9327eb39e68690a8740fc9748483ba64f1d923edfc2754fc020bbfae77d06e8c94fba2a02612c0787b60f0ee78d21a6305fb97ad04bb562db282c223667af8ad907466b88e7052072d6968acb7258fb8846da057b1448a2a9699ac0e5592e369fd6e87d677a1fe91c0d0155fd237bfd2dc49*$/pkzip$::backup.zip:style.css, index.php:backup.zip
```
Last edited by jekyllhyde (2025-09-06 20:38:15)
Offline
Looks like it has to do specifically with the jumbo version of john from https://github.com/openwall/john which has some MPI feature that I guess allows multiple workers to run and communicate with each other using the TCP port.
Can disable the TCP port being opened by running john like:
```
OMPI_MCA_btl=^tcp john zip.hash
```
Offline