# John the Ripper — Versatile Password Cracker
## What It Does

John the Ripper is a versatile password cracker that runs on the CPU. It is best at cracking Linux system passwords (/etc/shadow), password-protected archives (ZIP, RAR, 7z), SSH keys, Office documents, KeePass databases, and PDFs. Its key advantage over hashcat is the `*2john` family of utilities, which extract crackable hashes from files. John auto-detects hash types and supports dictionary, rule-based, and incremental (brute-force) attacks.
## Running the Examples Script

```bash
# No target argument required
bash scripts/john/examples.sh

# No direct Makefile target for base examples
# Use the use-case scripts below instead
```

The script creates sample hash files for practice, then prints 10 example commands covering dictionary attacks, hash extraction, format specification, and session management.
## Install

```bash
brew install john-jumbo
```

Use `john-jumbo` (not `john`) to get the `*2john` hash extraction utilities.

```bash
sudo apt install john
sudo dnf install john
```

## Wordlist Setup

John needs a wordlist for dictionary attacks. Download rockyou.txt (~14M passwords, ~140MB):

```bash
make wordlists
# or: bash wordlists/download.sh
```

This places rockyou.txt in the project's wordlists/ directory. The use-case scripts reference it automatically via `$WORDLIST`.
## Key Flags to Remember

| Flag | What It Does |
|---|---|
| `--wordlist=<file>` | Dictionary attack with wordlist |
| `--rules=<name>` | Apply word mangling rules (best64, jumbo, etc.) |
| `--format=<type>` | Specify hash format (raw-md5, sha512crypt, bcrypt, nt, etc.) |
| `--show` | Display cracked passwords |
| `--incremental` | Brute-force mode (tries all combinations) |
| `--fork=<n>` | Use n CPU cores for parallel cracking |
| `--users=<name>` | Target a specific user only |
| `--list=formats` | List all supported hash formats |
| `--restore=<name>` | Resume an interrupted session |
| `--mask=<pattern>` | Mask-based attack (if you know the password pattern) |
## Hash Extraction Utilities (*2john)

John's killer feature — extract crackable hashes from password-protected files:

| Utility | Extracts From |
|---|---|
| `unshadow` | Linux passwd + shadow files |
| `zip2john` | ZIP archives |
| `rar2john` | RAR archives |
| `7z2john` | 7-Zip archives |
| `pdf2john` | PDF documents |
| `ssh2john` | SSH private keys |
| `keepass2john` | KeePass databases |
| `office2john` | Office documents (docx, xlsx, pptx) |
| `gpg2john` | GPG/PGP keys |
| `dmg2john` | macOS disk images |
| `bitlocker2john` | BitLocker volumes |
## Cracking Progression (recommended order)

1. `john hashes.txt` — default mode (auto-detect format, try common passwords)
2. `john --wordlist=rockyou.txt hashes.txt` — dictionary attack
3. `john --wordlist=rockyou.txt --rules=best64 hashes.txt` — dictionary + rules
4. `john --incremental hashes.txt` — brute force (last resort, slow)
5. `john --show hashes.txt` — display cracked passwords
## Use-Case Scripts

### crack-linux-passwords.sh — Extract and crack /etc/shadow hashes

Demonstrates the full workflow for cracking Linux system passwords. Uses `unshadow` to combine /etc/passwd and /etc/shadow into a format John can process, then cracks with dictionary and rule-based attacks.

When to use: After gaining root access to a Linux system and extracting password files, or during post-exploitation to recover plaintext credentials for lateral movement.

Linux hash type prefixes:

- `$6$` = SHA-512 (most common on modern Linux)
- `$5$` = SHA-256
- `$y$` = yescrypt (newer distros like Debian 11+)
- `$2b$` = bcrypt (some BSD systems)
- `$1$` = MD5 (legacy, insecure)

Key commands:

```bash
# Step 1: Combine passwd and shadow files
sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt

# Step 2: Crack with default settings (auto-detects hash type)
john unshadowed.txt

# Crack with a wordlist
john --wordlist=wordlists/rockyou.txt unshadowed.txt

# Crack with wordlist + rules for word mutations
john --wordlist=wordlist.txt --rules=best64 unshadowed.txt

# Target a specific user only
john --users=admin unshadowed.txt

# Use multiple CPU cores
john --fork=4 --wordlist=rockyou.txt unshadowed.txt

# Specify hash format explicitly
john --format=sha512crypt unshadowed.txt

# Show cracked passwords
john --show unshadowed.txt
```

Make target: `make crack-linux-pw`
### crack-archive-passwords.sh — Crack password-protected archives

Cracks password-protected ZIP, RAR, 7z, PDF, SSH keys, KeePass databases, and Office documents. Uses a two-step process: first extract the hash with a `*2john` utility, then crack the extracted hash.

When to use: When you encounter a password-protected file during an engagement — encrypted archives from file shares, locked PDFs, passphrase-protected SSH keys, KeePass vaults.

Key commands:

```bash
# ZIP: extract hash then crack
zip2john protected.zip > zip.hash
john --wordlist=wordlists/rockyou.txt zip.hash

# RAR: extract hash then crack
rar2john protected.rar > rar.hash
john --wordlist=rockyou.txt rar.hash

# 7-Zip: extract hash then crack
7z2john protected.7z > 7z.hash
john --wordlist=rockyou.txt 7z.hash

# PDF: extract hash then crack
pdf2john protected.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash

# SSH private key: extract passphrase hash then crack
ssh2john id_rsa > ssh.hash
john --wordlist=rockyou.txt ssh.hash

# KeePass database: extract hash then crack
keepass2john database.kdbx > keepass.hash
john --wordlist=rockyou.txt keepass.hash

# Office document: extract hash then crack
office2john protected.docx > office.hash
john --wordlist=rockyou.txt office.hash

# Show cracked password
john --show zip.hash

# Crack with a mask if you know the password pattern (e.g., 4 digits)
john --mask='?d?d?d?d' zip.hash
```

Make target: `make crack-archive TARGET=<file>`
### identify-hash-type.sh — Identify unknown hash types by pattern

Helps identify unknown hash types by analyzing their length, character set, and prefix. Shows how to find the correct John format for cracking. Pass a hash string as an argument for automatic pattern analysis.

When to use: When you have a hash but don't know the algorithm. Before running John or hashcat, you need to know the format.

Quick reference:

| Length | Characters | Likely Type | John Format |
|---|---|---|---|
| 32 | hex | MD5 or NTLM | raw-md5 or nt |
| 40 | hex | SHA-1 | raw-sha1 |
| 64 | hex | SHA-256 | raw-sha256 |
| 128 | hex | SHA-512 | raw-sha512 |
| `$6$...` | mixed | SHA-512crypt | sha512crypt |
| `$5$...` | mixed | SHA-256crypt | sha256crypt |
| `$1$...` | mixed | MD5crypt | md5crypt |
| `$2b$...` | mixed | bcrypt | bcrypt |
| `$P$...` | mixed | phpass (WordPress) | phpass |

Key commands:

```bash
# List all supported formats
john --list=formats

# Search for formats matching a keyword
john --list=formats | grep -i md5
john --list=formats | grep -i sha

# Auto-detect format by running John directly
john hash.txt

# Analyze a specific hash interactively
bash scripts/john/identify-hash-type.sh '5f4dcc3b5aa765d61d8327deb882cf99'
```

Make target: `make identify-hash TARGET=<hash>`
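The pattern analysis that identify-hash-type.sh performs, and the shadow prefix list from crack-linux-passwords.sh above, can be reproduced in a few lines of POSIX shell. The script below is an added example, not one of the project's scripts: `identify_hash` classifies a hash by crypt-style prefix, then by length and character set, and prints the likely type and John format from the quick-reference table (it goes slightly beyond the table by also recognising the `$2a$`/`$2y$` bcrypt variants and the `$H$` phpass prefix). `audit_shadow_legacy` is a defender-side companion that reads /etc/shadow-format lines and reports accounts still stored with legacy MD5crypt. The sample shadow lines are constructed, and the yescrypt entry is an assumption: John handles `$y$` hashes through the system crypt(3) (`--format=crypt`) only where libcrypt supports yescrypt.

```shell
#!/bin/sh
# Added example (not one of the project's scripts): classify a hash string by
# prefix, length and character set and print "<likely type>|<John format>",
# then audit shadow-format lines for legacy hashes. Mapping follows the
# quick-reference table; the yescrypt entry is an assumption (John reaches
# $y$ hashes via the system crypt(3) with --format=crypt only where libcrypt
# supports yescrypt).
identify_hash() {
  h="$1"
  # Salted crypt(3)-style hashes carry a self-identifying prefix.
  case "$h" in
    '$6$'*)                  echo "SHA-512crypt|sha512crypt";  return 0 ;;
    '$5$'*)                  echo "SHA-256crypt|sha256crypt";  return 0 ;;
    '$1$'*)                  echo "MD5crypt|md5crypt";         return 0 ;;
    '$y$'*)                  echo "yescrypt|crypt";            return 0 ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt|bcrypt";             return 0 ;;
    '$P$'*|'$H$'*)           echo "phpass (WordPress)|phpass"; return 0 ;;
  esac
  # Unsalted digests are plain hex; anything else is unknown (non-zero exit).
  case "$h" in
    ''|*[!0-9a-fA-F]*) echo "unknown|"; return 1 ;;
  esac
  case "${#h}" in
    32)  echo "MD5 or NTLM|raw-md5 or nt" ;;
    40)  echo "SHA-1|raw-sha1" ;;
    64)  echo "SHA-256|raw-sha256" ;;
    128) echo "SHA-512|raw-sha512" ;;
    *)   echo "unknown|"; return 1 ;;
  esac
}

# Defender-side check: read /etc/shadow-format lines on stdin and report every
# account whose hash still uses legacy MD5crypt ($1$) so it can be rehashed.
# Locked ("!", "*") and passwordless entries are skipped.
audit_shadow_legacy() {
  while IFS=: read -r user hash _rest; do
    case "$hash" in
      ''|'*'|'!'*) continue ;;
      '$1$'*) echo "$user: legacy MD5crypt hash, migrate to sha512crypt or yescrypt" ;;
    esac
  done
}

# Constructed sample shadow data (not from a real system); hash bodies are placeholders.
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
legacy:$1$abc123$constructedhash:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
nopw::19000:0:99999:7:::'

# Demo run: classify the page's sample MD5 hash, then audit the sample shadow lines.
identify_hash '5f4dcc3b5aa765d61d8327deb882cf99'
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_legacy
```

Length-based identification is only a likelihood: a 32-character hex string may be MD5 or NTLM (or something else entirely), which is why the function reports both candidate formats and why the page recommends confirming with `john --list=formats` or letting John auto-detect.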
## Practice Against Lab Targets

```bash
make lab-up

# If you extract MD5 hashes from DVWA via SQL injection:
# 1. Save them to a file
echo "admin:5f4dcc3b5aa765d61d8327deb882cf99" > dvwa-hashes.txt

# 2. Crack with John
john --format=raw-md5 --wordlist=wordlists/rockyou.txt dvwa-hashes.txt

# 3. Show results
john --show --format=raw-md5 dvwa-hashes.txt

# Practice archive cracking: create a test ZIP and crack it
echo "secret data" > /tmp/secret.txt
zip -P test123 /tmp/test.zip /tmp/secret.txt
zip2john /tmp/test.zip > /tmp/test.hash
john /tmp/test.hash
```

- John auto-detects hash format in most cases — only use `--format` when it guesses wrong
- The `*2john` utilities are John's superpower — hashcat cannot extract hashes from files
- John uses CPU by default; for GPU-heavy cracking, prefer hashcat
- Cracked passwords are stored in `~/.john/john.pot` — `--show` reads from this potfile
- Use `--fork=<n>` to use multiple CPU cores (set to the number of physical cores)
- John's `--rules` applies word mutations (capitalize, append numbers, leet speak, etc.)
- The `--incremental` mode tries all character combinations — effective but very slow for long passwords
- Session management: John auto-saves progress. Use `--restore` to resume after interruption
- On macOS, install with `brew install john-jumbo` to get the `*2john` utilities (zip2john, rar2john, etc.)
- John and hashcat complement each other: John for file extraction + CPU cracking, hashcat for GPU speed