Perhaps you need a quick overview on how to use the password-cracking tool John the Ripper, or you may be a beginner and wondering why you haven’t been able to get it to work. If that’s you, you’ve come to the right place. We’ve prepared a straightforward tutorial on how to use John the Ripper for you.
A must-have in the pentester’s toolkit, John the Ripper cracks passwords using a rainbow table approach: comparing them with an inbuilt table of hashes. We’ll review John the Ripper’s three major password-cracking modes and several usage examples, with short exercises for those new to this ruthless tool.
But be warned: We don’t condone using John the Ripper for malicious purposes. With great power comes great responsibility.
Without further ado, let’s get cracking.
What Is John the Ripper?
Jack the Ripper was a murderer in 1888 in London, England. Just as people exposed to Jack the Ripper died, passwords exposed to John the Ripper are no longer secret.
You can deploy John the Ripper inside Kali Linux with the following terminal command instantly:
john
Hence, for simplicity, we’ll call John the Ripper “John” from this point onward. John’s various options help you customize your experience uncovering passwords:
john -h
John the Ripper Command Generator
Say goodbye to the hassle of trying to remember the exact syntax for your John the Ripper commands! With our John the Ripper Command Generator, you can simply say what you need John the Ripper to do, and we will generate the command for you.
Modes for Cracking Passwords
John the Ripper offers three main password-cracking modes: Single, Wordlist, and Incremental.
Single Crack Mode
Our example here is a username-password pair based on the 1986 Tom Cruise movie, which released its sequel in 2022.
In Single Crack Mode, John takes a string and generates variations of that string to generate a set of passwords. For example, you can use this Mode to generate password variations of the username “topgun”
with the corresponding password “Topgun”
(or TopGun, ToPgUn, tOpGuN,
and so on).
Use the --format
flag to specify the hash type and the --single (-si)
flag to let John know we want to use the Single Crack Mode.
Afterward, we’ll crack more complex passwords with John’s Wordlist Mode.
Try this exercise
- Designate a short string (
topgun
) as a username and variations on its capitalization as the password (such as Topgun). - Show the output of the SHA-256-hashed password:
echo -n 'Topgun' | sha256sum
- Create a new text file (
simple.txt
) to store the username and the password hash value from prior steps:echo -n 'topgun:4558ce5abe3b1e70bbadc3b95f2ff84f54d0a5c30fb524ceebfd401f8233fda7' > simple.txt
- Run
simple.txt
through John the Ripper’s Single Crack Mode (change the--format
argument as you see fit):john --single --format=raw-sha256 simple.txt
- Get results.
A self-contained tutorial on generating a password for Single Crack Mode
Oops: If you hash your desired password with the following wrong command instead, you’ll hash an unintended line break at the end:
echo Topgun | sha256sum # wrong command
Wordlist Mode
In Wordlist Mode, we’ll provide John with a list of passwords. John will generate hashes for them in real-time and compare them with our password hash. In this example, we will use the well-known RockYou wordlist, which you can preview at
cat /usr/share/wordlists/rockyou.txt | less
Feel free to copy it to your current working directory to simplify the commands using the --wordlist (-w)
flag:
cp /usr/share/wordlists/rockyou.txt rockyou
Now let’s pass text files containing password hashes through John:
john --wordlist=rockyou --format=raw-sha256 crack.txt
john -w=rockyou --format=raw-sha256 crack.txt
Try this exercise
- Pipe a hash based on one or more dictionary words (optionally with numbers) to SHA-256:
echo -n 'password1234' | sha256sum
- Write your username, a colon (:), and the hash as a single long string into a new text file
(crack.txt): echo user01:b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3>>crack.txt
- Repeat Steps 1 and 2 to generate as many username-password pairs as desired and append them to
crack.txt.
- Run
crack.txt
through John the Ripper’s Wordlist Mode:john --wordlist=rockyou --format=raw-sha256 crack.txt
- Get results.
Left: John the Ripper Wordlist Mode in action
Right: Generating hashes for three simple passwords
John finds these three passwords rapidly. The weaker the password is, the faster John cracks them.
Let’s move on to John’s final Incremental Mode.
Incremental Mode
In Incremental Mode, John tries all possible character combinations as passwords. This process can be time-consuming if the password is too long or if alphanumeric characters and symbols comprise the password.
You won’t use this Mode unless you don’t have any other options. Typically, a combination of social engineering attacks and Wordlist Mode will help you uncover most passwords.
The syntax for Incremental Mode is:
john --incremental --incremental-charcount=N --format=FORMAT passwords_to_crack.txt
john -inc --incremental-charcount=N --format=FORMAT passwords_to_crack.txt
Let’s break down each flag:
Incremental Mode flags
- The
--incremental (-inc)
flag tells John to use the Incremental Mode. - The
--incremental-charcount=N
flag, where N is a positive integer, is for setting the maximum number of digits in the password. - The
--format
option tells John the hash type of your passwords.
Try this exercise
- Pipe a hash on a simple alphanumeric password to SHA-256:
echo -n 'passw0rd' | sha256sum
- Write your username, a colon (:), and the hash as a single long string into a new text file
(inc.txt): echo user02:8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9>>inc.txt
- Run inc.txt through John the Ripper’s Wordlist Mode:
john --incremental --format=raw-sha256 inc.txt
- Get results.
Generated password hashes
Cracking password hashes in Incremental Mode
Now that we know how to use John the Ripper, we shall move on to specific use cases.
Cracking Passwords With John the Ripper
Now that we know the different modes, let’s examine some real-world examples of when and how to crack passwords with John.
Choosing a Wordlist
John’s default Wordlist is a file located in /usr/share/john/password.lst
in Kali Linux, but its power is finite compared with custom wordlists such as those found by John’s developer OpenWall https://www.openwall.com/wordlists/.
Apart from RockYou, the Wordlists all.lst
(downloadable as all.gz
) and huge.lst
are good candidates for the --wordlist
flag.
Edit the Wordlist by amending the following line in /usr/share/john/john.conf:
Wordlist = $JOHN/password.lst
To make John work more efficiently, remove duplicate entries from and sort the contents of your chosen Wordlist file.
Cracking ZIP files
John has a utility called zip2john. zip2john
helps us to get the hash from zip files. Other “2john”
utilities exist, such as the rar2john
utility for cracking a RAR file.
To crack a password-protected ZIP file, we first get the hash of the ZIP file’s password:
zip2john file.zip > zip.hashes
This command gets the hash from the ZIP file and stores it in the zip.hashes file.
Now you can crack the hash with John:
john zip.hashes # Single Crack Mode
john --wordlist=rockyou zip.hashes # Using the RockYou wordlist
Try this exercise
- Create a password-protected ZIP archive (
classified.zip
) on Kali Linux: right click on a file/folder, select “Create Archive…”, choose “ZIP” as the compression method, expand “Other options” to give it a weak password, and click “Create.” - Export the ZIP hash to
zip.hashes: zip2john classified.zip > zip.hashes
- Run
zip.hashes
through John the Ripper:john zip.hashes
- Get results.
Step 1: Create a password-protected ZIP archive on Kali Linux
Steps 2 to 4: zip2john followed by John the Ripper usage
Cracking SSH Keys
The ssh2john
utility creates a hash from your private key file. If your private key file path is /home/kali/.ssh/id_rsa
, and you want to store the hash as myHash.txt
, the syntax is:
ssh2john /home/kali/.ssh/id_rsa > myHash.txt
Try this exercise
- Use the following command to generate an RSA key pair with a passphrase:
ssh-keygen
- Export the hashed private key file to a new file
(myHash.txt): ssh2john /home/kali/.ssh/id_rsa > myHash.txt
- Run
myHash.txt
through John the Ripper:john --wordlist=rockyou myHash.txt
- Get results
Step 1: Demo of ssh-keygen
Cracking Linux Passwords
Linux stores password data in two files:
/etc/passwd
stores information such as username, user id, and login shell;/etc/shadow
is the password file containing data such as hash and expiry date.
A utility bundled with John the Ripper called unshadow can combine both files for cracking. Here, we’ll name the combined file lin.txt
:
unshadow /etc/passwd /etc/shadow > lin.txt
Cracking Linux hashes is tricky; Kali Linux’s John the Ripper doesn’t readily detect the hash type of Linux (crypt
), where the --wordlist
flag is optional. If you omit the --format
flag below, John won’t crack anything at all:
john --format=crypt [--wordlist=rockyou] lin.txt
Once John has uncovered the passwords, you may view them using the command below:
john --show --format=crypt lin.txt
Try this exercise
- Create a new user on Kali Linux:
sudo useradd user1
- Give the new user a weak password:
sudo passwd user1
- Repeat steps 1 and 2 as desired to create two more new user accounts
user2
anduser3
with weak passwords. - Unshadow the Linux password hashes for all users:
unshadow /etc/passwd /etc/shadow > lin.txt
- Export only the usernames and passwords of the three new users to a new file
(lin3.txt): tail -n -3 lin.txt > lin3.txt
- Run it through John the Ripper:
john --format=crypt --wordlist=rockyou lin3.txt
- Get results.
Cracking Windows Passwords
Windows stores hashed passwords in the SAM database. SAM uses the LM/NTLM hash format for passwords. As getting passwords from the SAM database is beyond the scope of this article, we suggest generating your own LM/NTLM hashes to test out this functionality and echo
them to a text file, say win.txt
, as shown in the demonstration:
The syntax for cracking this file containing the LM/NTLM hashes is the following, where the --wordlist
flag is optional:
john --format=LM [--wordlist=rockyou] win.txt
Once John has uncovered the passwords, you may view them using the command below:
john --show --format=LM win.txt
Try this exercise
- Designate a short string (
topgun
) as a username and variations on its capitalization as the password (such asTopgun
). - Pass the password from step 1 into an LM/NTLM hash function, such as via a website as shown below.
- Create a new text file (
ntlm.txt
) to store the username and the password hash value from prior steps:echo -n 'topgun::0BA224CF1C751F31AAD3B435B51404EE:D66B0428599B168372A76C8AB73A76A2:::' > ntlm.txt
- Run
ntlm.txt
through John the Ripper’s Single Crack Mode (change the--format
argument as you see fit):john --format=LM --single ntlm.txt
- Get results. The capitalization of the cracked password may differ from what you’ve intended.
Step 2:
Step 3 and 4:
Choosing Specific Hashes to Crack
If you want to override John’s behavior of discovering the hash independently, you may tell John which hash type you’re looking for using the --format=HASH_TYPE
flag. Choices for HASH_TYPE
include Raw-MD
(MD5), Raw-SHA1
(SHA-1), Raw-SHA256
(SHA-256), SSH, RADIUS, TACACS-Plus
(TACACS+), ZIP
, and RAR
.
You can find all hash formats John supports using the following commands:
john --list=formats
john --list=subformats
Other Useful Commands
Here is a brief cheat sheet of John the Ripper commands:
Flag | Description |
---|---|
--show FILE | Show cracked passwords based on hashes from FILE |
--rules, -ru | Enable word-mangling rules to teach John the Ripper how to generate passwords |
--status | Print the status of an interrupted or running session |
--session=NAME | Give a new John the Ripper session a NAME , to which John will form the session file name NAME.rec; useful for running multiple instances of John in parallel or to be able to recover later a session other than the last one you interrupt |
--restore[=NAME] | Continue an interrupted cracking session, reading state information from the specified session file or the default session at the file path $JOHN/john.rec |
--save-memory=LEVEL | Enable memory saving at LEVEL 1, 2, or 3. Level 1 tells John not to waste memory on login names, and may speed things up. Levels 2 and 3 reduce John’s use of performance optimizations involving large lookup tables and thus may impact performance negatively. |
--test[=TIME] | Run tests (and benchmarks, unless TIME is explicitly 0), each spanning TIME seconds |
& | This symbol only applies to Kali Linux and other Unix-based operating systems. When you put this symbol at the end of a John the Ripper command, you run it in the background. |
--format=NAME | Specify the hash type for John the Ripper to detect |
--list=formats, --list=subformats | Reveal the hash types John the Ripper supports |
--single, -si | Enable Single Crack Mode |
--wordlist=FILE, -w=FILE | Enable Wordlist Mode, specifying a Wordlist (dictionary attack) |
--incremental, -inc | Enable Incremental Mode |
Find the complete official documentation for John the Ripper here.
Conclusion
We hope learning how to use John the Ripper helps you, whether you’re exploring cyber security or aiming to become a professional hacker or penetration tester. For more resources, read our blog posts on hacking and check out our courses below: