John the Ripper

John the Ripper is a free and open-source password security auditing and password recovery tool available for many operating systems. It is designed to detect weak passwords in Unix/Linux and Windows systems.

Basic Usage

# Basic usage with automatic format detection
john hash.txt

# Specify a format
john --format=raw-md5 hash.txt

# Use wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# Show cracked passwords
john --show hash.txt

Extracting Hashes

Shadow File (Linux)

# First, combine /etc/passwd and /etc/shadow
unshadow /etc/passwd /etc/shadow > hashes.txt

# Then crack with John
john hashes.txt

Windows NTLM Hashes

Zip Files

RAR Files

PDF Files

SSH Keys

Attack Modes

Dictionary Attack

Incremental Mode (Brute Force)

Rules-Based Attack

Common Hash Formats

Advanced Options

Custom Rules

John's custom rules define transformations that are applied to every wordlist entry (changing case, appending or prepending characters, reversing, and so on) to generate new candidates. Add these to the john.conf file:

Integration in Pentesting Workflow

  1. Extract hashes from the target system

  2. Identify hash types (hashid or hash-identifier can help)

  3. Select appropriate attack method based on hash type and context

  4. Begin with quick wordlist attacks using common passwords

  5. Move to rule-based attacks if simple wordlists fail

  6. Use incremental (brute force) mode as a last resort for short passwords
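To make the Custom Rules section and step 5 concrete, here is an added Python example (not John's own code) that interprets a subset of John's rule syntax and expands a wordlist the way john --wordlist --rules does; the sample words and rule lines in the test are constructed, and the subset covers only the commands listed in the docstring.

```python
"""Interpreter for a subset of John the Ripper's wordlist rule syntax (added
example, not John's own code). Commands: ':' no-op, 'l' 'u' 'c' 'C' 't' case
changes, 'r' reverse, 'd' duplicate, 'f' reflect, '$X' append, '^X' prepend,
'<N' / '>N' length rejection (single-digit N here; John also takes A-Z, '*')."""
from typing import List, Optional


def apply_rule(rule: str, word: str) -> Optional[str]:
    """Apply one rule line to one word; None means a rejection command fired."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in ": \t": pass                                   # no-op / ignored whitespace
        elif cmd == "l": out = out.lower()
        elif cmd == "u": out = out.upper()
        elif cmd == "c": out = out[:1].upper() + out[1:].lower()  # capitalize
        elif cmd == "C": out = out[:1].lower() + out[1:].upper()  # inverse capitalize
        elif cmd == "t": out = out.swapcase()                     # toggle case
        elif cmd == "r": out = out[::-1]                          # reverse
        elif cmd == "d": out = out * 2                            # duplicate
        elif cmd == "f": out = out + out[::-1]                    # reflect
        elif cmd in "$^<>":                                      # commands taking one argument
            i += 1
            if i >= len(rule):
                raise ValueError(f"{cmd!r} needs an argument in rule {rule!r}")
            arg = rule[i]
            if cmd == "$": out = out + arg
            elif cmd == "^": out = arg + out
            elif cmd == "<" and not len(out) < int(arg): return None
            elif cmd == ">" and not len(out) > int(arg): return None
        else:
            raise ValueError(f"unsupported command {cmd!r} in rule {rule!r}")
        i += 1
    return out


def expand(wordlist: List[str], rules: List[str]) -> List[str]:
    """All candidates from every rule over every word, deduplicated in first-seen order.
    The outer loop is over rules, matching how john --wordlist --rules processes them."""
    seen, out = set(), []
    for rule in rules:
        for word in wordlist:
            cand = apply_rule(rule, word)
            if cand is not None and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out
```

Running expand over a short wordlist with rules such as `c$2$0$2$4` shows how few rule lines are needed to cover the "dictionary word, capital letter, year" pattern, which is why a rule-based pass belongs before brute force in the workflow above.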

Tips for Effective Usage

  • Always start with the most likely password patterns for your target

  • Use the --pot option to choose the pot file in which cracked passwords are saved for future reference

  • Leverage session management for long-running cracks

  • Use custom rules based on the target organization (company name, founding year, etc.)

  • For Linux shadow files, target lower-privileged users first as they often have weaker passwords

  • Use --show to display already cracked passwords without rerunning the attack

Real-World Example: Cracking Linux Passwords

Additional Resources
