John the Ripper
John the Ripper is a fast password cracker available for multiple operating systems. Crack Unix passwords, Windows hashes, MD5, and many other hash types.
Installation
Linux/Ubuntu
# Install from repositories
sudo apt update
sudo apt install john
# Build from source (jumbo version with more features)
git clone https://github.com/openwall/john.git
cd john/src
./configure
make -s clean && make -sj4
sudo cp ../run/john /usr/local/bin/
# Verify
john --version
macOS
# Homebrew
brew install john-jumbo
# Or via MacPorts
sudo port install john
Windows
# Chocolatey
choco install john
# Or download from:
# https://www.openwall.com/john/
Basic Usage
Common Hash Types
# Crack with auto format detection
john hash.txt
# Specify hash format explicitly (list the valid names with: john --list=formats)
john --format=raw-md5 hash.txt
john --format=raw-sha512 hash.txt
john --format=bcrypt hash.txt
john --format=LM hash.txt
Show Results
# Show cracked passwords
john --show hash.txt
# Show the hashes that are still uncracked
john --show=left hash.txt
# Show with pot file
john --pot=john.pot --show hash.txt
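An added example (not from the original cheat sheet): a shell function that reduces `john --show` output to account names and password lengths, so no cleartext password is copied into an audit report. The sample output is constructed, and the function names `redact_show` and `sample_show_output` are hypothetical.

```shell
#!/usr/bin/env bash
# Summarise `john --show` output (read on stdin) without cleartext passwords.
# Assumes the user:password:... layout shown for passwd-style input; a
# password that itself contains ":" would be reported with a shorter length.
redact_show() {
  awk -F: '
    # Trailing summary line, e.g. "2 password hashes cracked, 1 left"
    /password hash(es)? cracked/ { summary = $0; next }
    # Account line: $1 is the login, $2 the cracked password
    NF >= 2 && $1 != "" {
      printf "%s\tlength=%d\n", $1, length($2)
    }
    END { if (summary != "") print "# " summary }
  '
}

# Constructed sample in the layout `john --show` prints for an unshadow file
sample_show_output() {
  cat <<'EOF'
alice:hello:1001:1001:Alice:/home/alice:/bin/bash
bob:Summer2024:1002:1002:Bob:/home/bob:/bin/bash

2 password hashes cracked, 1 left
EOF
}

# In practice: john --show hash.txt | redact_show > report.txt
sample_show_output | redact_show
```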
Dictionary Attacks
Basic Dictionary Attack
# Use the rockyou wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# Use custom wordlist
john --wordlist=mywordlist.txt hash.txt
# Combine multiple wordlists
cat list1.txt list2.txt > combined.txt
john --wordlist=combined.txt hash.txt
# Show progress: press any key while john runs, or query the session from another terminal
john --status
Extract Hashes from Files
# Extract Windows password hashes
samdump2 SYSTEM SAM > hashes.txt
john hashes.txt
# Extract Linux shadow file hashes
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt
# SQL Server hashes (export the password hashes from the database first)
john --format=mssql hashes.txt
# Crack /etc/shadow directly (requires root)
sudo john /etc/shadow
Rules & Mutations
Apply Rules
# Apply the default wordlist rules
john --wordlist=rockyou.txt --rules hash.txt
# Use specific ruleset
john --wordlist=rockyou.txt --rules=single hash.txt
john --wordlist=rockyou.txt --rules=extra hash.txt
# Create custom rules in john.conf under a [List.Rules:custom_rule] section
# Then use:
john --wordlist=list.txt --rules=custom_rule hash.txt
Common Rules
# Most common rule variations
john --wordlist=list.txt --rules hash.txt
# Single-mode rules (--rules needs --wordlist)
john --wordlist=list.txt --format=raw-md5 --rules=single hash.txt
# Extra mutation rules
john --wordlist=list.txt --format=raw-sha1 --rules=extra hash.txt
Brute Force Attacks
Brute Force Mode
# Brute force all combinations
john --incremental hash.txt
# Brute force lowercase only
john --incremental=lower hash.txt
# Brute force digits
john --incremental=digits hash.txt
# Brute force alphanumeric
john --incremental=alnum hash.txt
# Custom character set (needs an [Incremental:custom] section in john.conf)
john --format=raw-md5 --incremental=custom hash.txt
Resume Cracking
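# Resume previous session
john --restore
# Resume a named session (the format is stored in the session file and cannot be changed on restore)
john --restore=mysession
# Check session status
john --status
# Stop a running session: press q or Ctrl-C in its terminal (progress is saved for --restore)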
Hash Format Specifications
| Format | Description | Usage |
|---|---|---|
| raw-md5 | Raw MD5 hashes | john --format=raw-md5 |
| raw-sha1 | Raw SHA-1 hashes | john --format=raw-sha1 |
| raw-sha256 | Raw SHA-256 hashes | john --format=raw-sha256 |
| raw-sha512 | Raw SHA-512 hashes | john --format=raw-sha512 |
| bcrypt | Bcrypt hashes | john --format=bcrypt |
| lm | Windows LM hashes | john --format=lm |
| nt | Windows NTLM hashes | john --format=nt |
| phpass | WordPress hashes | john --format=phpass |
| mysql | MySQL hashes | john --format=mysql |
| mssql | SQL Server hashes | john --format=mssql |
Utility Tools
Hash Extraction Tools
# Extract hashes from various sources
unshadow /etc/passwd /etc/shadow > combined.txt
john combined.txt
# Extract from zip archives
zip2john file.zip > hash.txt
john hash.txt
# Extract from PDF
pdf2john file.pdf > hash.txt
john hash.txt
# Extract from RAR
rar2john file.rar > hash.txt
john hash.txt
# Extract from encrypted SSH key
ssh2john id_rsa > hash.txt
john hash.txt
John Tools Location
# Find john utilities
ls /usr/share/john/
# Common tools:
# unshadow - combine passwd/shadow
# unafs - extract AFS hashes
# undrop - extract hashes from Eggdrop IRC bot userfiles
# unique - remove duplicates from wordlists
Practical Examples
Crack Linux Passwords
# Get passwd and shadow files
sudo cat /etc/passwd > passwd.txt
sudo cat /etc/shadow > shadow.txt
# Combine and crack
unshadow passwd.txt shadow.txt > combined.txt
john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt
# Show results
john --show combined.txt
Crack Windows Hashes
# Extract from SAM registry
# Using external tools (mimikatz, pwdump, etc.)
samdump2 SYSTEM SAM > hashes.txt
# Crack NTLM hashes
john --format=nt hashes.txt
# View results
john --show --format=nt hashes.txt
Crack WordPress Passwords
# Extract WordPress hashes from database
# SELECT user_login, user_pass FROM wp_users;
# Create hash file (username:hash)
john --format=phpass wordpress_hashes.txt
# Show cracked passwords
john --show wordpress_hashes.txt
Create Hash File
# MD5 hash format: hash only
echo "5d41402abc4b2a76b9719d911017c592" > hashes.txt
# With username: username:hash
echo "admin:5d41402abc4b2a76b9719d911017c592" > hashes.txt
# Multiple hashes
cat << EOF > hashes.txt
user1:hash1
user2:hash2
user3:hash3
EOF
Performance Options
Optimization
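# Run 4 processes (--fork); OpenMP builds use threads instead, set with OMP_NUM_THREADS
john --fork=4 --wordlist=rockyou.txt hash.txt
# Use GPU acceleration (OpenCL builds; format names end in -opencl)
john --format=sha512crypt-opencl hash.txt
# Single thread (for debugging)
OMP_NUM_THREADS=1 john hash.txt
# Benchmark the supported formats
john --test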
Resource Management
# Check the status of a named session
john --status=mysession
# Disable writing to john.log
john --nolog --wordlist=list.txt hash.txt
# Reduce memory usage (levels 1 to 3)
john --save-memory=2 --wordlist=list.txt hash.txt
Troubleshooting
No Passwords Cracked
# Verify hash format
john --list=formats | grep -i md5
# Test with known hash (MD5 of "hello"; --stdin reads candidate words)
echo "5d41402abc4b2a76b9719d911017c592" > test.txt
echo "hello" | john --format=raw-md5 --stdin test.txt
# Check wordlist
wc -l /usr/share/wordlists/rockyou.txt
# Try different format
john --format=raw-md5 hash.txt
Session Management
# Delete the pot file (John forgets every password it has cracked)
rm ~/.john/john.pot
# Remove the saved session (crash-recovery) file
rm ~/.john/john.rec
# Check status
john --status
Security Best Practices
- Only use on authorized systems
- Secure cracked passwords immediately
- Document all testing activities
- Use strong wordlists for comprehensive attacks
- Consider computational cost vs. likelihood
- Implement password policies
- Use salted hashes
- Prefer bcrypt/scrypt over MD5
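
An added example (not from the original cheat sheet) for the last two points: a shell function that reads an unshadow-style file and reports which crypt(3) scheme each account uses, flagging the obsolete ones, before any cracking run is needed. The sample entries are constructed (the hash strings are not real), and the names `audit_schemes` and `sample_unshadow` are hypothetical.

```shell
#!/usr/bin/env bash
# Classify each account (stdin, passwd/unshadow layout) by hash scheme prefix.
audit_schemes() {
  awk -F: '
    function scheme(h) {
      if (h == "" || h ~ /^[!*]/) return "locked/none"
      if (h ~ /^\$1\$/)           return "md5crypt WEAK"
      if (h ~ /^\$2[abxy]\$/)     return "bcrypt ok"
      if (h ~ /^\$5\$/)           return "sha256crypt ok"
      if (h ~ /^\$6\$/)           return "sha512crypt ok"
      if (h ~ /^\$y\$/)           return "yescrypt ok"
      if (length(h) == 13)        return "descrypt WEAK"
      return "unknown"
    }
    NF >= 2 { print $1 "\t" scheme($2) }
  '
}

# Constructed sample; every hash value below is a made-up placeholder
sample_unshadow() {
  cat <<'EOF'
alice:$6$constructedsalt$constructedhashvalue:1001:1001::/home/alice:/bin/bash
bob:$1$constructed$constructedhashvalue:1002:1002::/home/bob:/bin/bash
carol:$2b$12$constructedsaltandhashvalue:1003:1003::/home/carol:/bin/bash
dave:abJnggxhB/yWI:1004:1004::/home/dave:/bin/bash
svc:*:999:999::/var/lib/svc:/usr/sbin/nologin
EOF
}

# In practice: sudo unshadow /etc/passwd /etc/shadow | audit_schemes
sample_unshadow | audit_schemes
```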
Wordlist Resources
- rockyou.txt (commonly included)
- SecLists: https://github.com/danielmiessler/SecLists
- CrackStation: https://crackstation.net/
- Weakpass: https://weakpass.com/
Last updated: 2025-03-30