john: Password cracking tool (John the Ripper)

What is John the Ripper?

John the Ripper (often abbreviated as “John”) is a free, open-source password cracking tool originally developed for Unix systems but now available on multiple platforms. It’s one of the most popular password security auditing and recovery tools included in Kali Linux’s arsenal.

John is designed to:

  • Detect weak passwords
  • Perform dictionary attacks
  • Execute brute-force (incremental) attacks
  • Use hybrid attacks (dictionary words mangled by rules, or wordlist words combined with a mask)
  • Crack a wide range of hash and file formats through its *2john converter utilities

How John Works

John employs several password cracking techniques (“modes”):

  1. Single Crack Mode: Derives candidates from each account’s login name and GECOS fields with rules applied; it is John’s fastest first pass
  2. Wordlist (Dictionary) Mode: Tries words from a wordlist against the password hashes
  3. Incremental Mode: John’s brute-force mode; it tries all character combinations, ordered by trigraph frequency, within a configurable character set and length range
  4. Rule-based Attack: Applies transformation (“mangling”) rules to wordlist or single-mode candidates
  5. Markov Mode: Uses statistical models to generate the likeliest passwords first
  6. Mask Mode: Brute-forces only the pattern you specify (for example one upper-case letter, five lower-case letters, two digits), a far smaller keyspace than full incremental mode

With no mode given, John runs single crack, then wordlist mode with its default password.lst and rules, then incremental mode. The community-enhanced “Jumbo” build that Kali ships supports several hundred hash and file formats (including MD5, SHA-1, NTLM, bcrypt, and more) and can automatically detect many of them; when it cannot, or guesses wrong, you pass --format explicitly.

Installation in Kali Linux

John comes pre-installed in Kali Linux. To verify installation and check the version:

Bash
john --version

If you need to install or reinstall it:

Bash
sudo apt update
sudo apt install john -y

For additional wordlists (recommended):

Bash
sudo apt install wordlists

This installs, among others, /usr/share/wordlists/rockyou.txt.gz; it ships compressed and must be decompressed with gunzip before John can read it as rockyou.txt.

Basic Usage Examples

1. Cracking a hash file with the default modes

Bash
john password_file.txt

The file holds hashes (for example the output of unshadow, or user:hash lines), not plaintext passwords. With no mode given, John runs single crack, then its default wordlist with rules, then incremental mode until every hash is cracked or you stop it.

2. Using a specific wordlist

Bash
john --wordlist=/usr/share/wordlists/rockyou.txt password_file.txt

3. Showing cracked passwords

Bash
john --show password_file.txt

This reads results back from the pot file; if you cracked with an explicit --format, give --show the same --format so the hashes are matched correctly.

4. Cracking a specific hash type (e.g., MD5)

Bash
john --format=raw-md5 hashes.txt

Advanced Usage Examples

1. Incremental mode (brute-force)

Bash
john --incremental password_file.txt

2. Using rules for more sophisticated attacks

Bash
john --wordlist=wordlist.txt --rules password_file.txt

3. Cracking SSH private keys

Bash
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash

On Kali the converter is a Python script; if ssh2john is not on your PATH, run it as python3 /usr/share/john/ssh2john.py. Only passphrase-protected keys yield a crackable hash.

4. Distributed cracking (multiple machines)

Bash
john --node=1/4 password_file.txt  # First node of four

Every node runs the same command, hash file, wordlist and options with its own node number (2/4, 3/4, 4/4). John splits the candidate space between nodes but does not share results, so collect each node’s pot file afterwards.

5. Restoring interrupted sessions

Bash
john --restore

This resumes the default session; a job started with --session=NAME is resumed with --restore=NAME.

6. Cracking password-protected ZIP files

Bash
zip2john archive.zip > zip_hash.txt
john zip_hash.txt

7. Cracking Windows NTLM hashes

Bash
john --format=nt hashes.txt

hashes.txt may contain bare NT hashes, user:hash lines, or pwdump-style user:rid:lmhash:nthash::: lines; the nt format reads the NT field from all three.
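The advanced options above fit together into one repeatable audit. The script below is an added example, not code from the original post or from the John project: it chains unshadow, a named wordlist-plus-rules session and --show, and parses the --show output so that cracked accounts (including empty passwords) can be fed into a report. The session name, the output file name and the WORDLIST default are my assumptions; running the audit itself needs Kali’s john on the PATH and sudo to read /etc/shadow.

```bash
#!/bin/sh
# Added example (not from the original post): audit local accounts with John
# and turn `john --show` output into user/password pairs.
# Assumptions: Kali's john (Jumbo) is on PATH; file and session names are ours.

WORDLIST="${WORDLIST:-/usr/share/john/password.lst}"
SESSION="${SESSION:-local-audit}"

# Parse `john --show` output (user:password:uid:gid:gecos:home:shell lines
# followed by a "N password hashes cracked, M left" summary) into
# "user<TAB>password" lines. An empty password is printed as <empty> so it
# cannot vanish silently in a later pipeline.
parse_show() {
    awk -F: '
        /password hash(es)? cracked/ { next }   # skip the summary line
        NF >= 2 {
            pw = ($2 == "") ? "<empty>" : $2
            printf "%s\t%s\n", $1, pw
        }'
}

# The cracked count, taken from the summary line John prints itself.
cracked_count() {
    awk '/password hash(es)? cracked/ { print $1; exit }'
}

# Full audit: unshadow (needs root to read the shadow file), a named
# wordlist+rules session that can be resumed with --restore=$SESSION,
# then the parsed results.
audit_shadow() {
    local passwd="$1" shadow="$2" out="${3:-unshadowed.txt}"
    sudo unshadow "$passwd" "$shadow" > "$out"
    chmod 600 "$out"            # the combined file is as sensitive as /etc/shadow
    john --session="$SESSION" --wordlist="$WORDLIST" --rules "$out"
    john --show "$out" | parse_show
}

# Run the audit only when passwd and shadow paths are given, so the
# functions can also be sourced and reused on their own.
if [ "$#" -ge 2 ]; then
    audit_shadow "$@"
fi
```

Usage: `sh audit.sh /etc/passwd /etc/shadow`. The parser deliberately reads John’s own summary line instead of counting output lines, so accounts that appear twice (the same hash under two user names) do not inflate the count.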

Command-Line Options

Here are some important John options:

Option                  Description
--wordlist=FILE         Specify a wordlist file
--rules                 Enable word mangling rules (--rules=SECTION selects a rule set)
--incremental           Enable incremental mode (--incremental=MODE selects a charset)
--format=NAME           Specify hash type (e.g., raw-md5, nt, raw-sha1)
--show                  Show cracked passwords (pass the same --format used to crack)
--session=NAME          Give a name to the session
--status                Show status of the current session (--status=NAME for a named one)
--restore               Restore an interrupted session (--restore=NAME for a named one)
--fork=N                Fork N processes
--node=MIN-MAX/TOTAL    Distributed cracking: this node’s share of TOTAL
--pot=FILE              Specify the pot file to use
--mask=MASK             Specify a brute-force mask (e.g., ?a?a?a?a for 4 printable ASCII chars)

Real-World Use Cases

  1. Password Auditing: Security professionals use John to test password strength in their organizations.
  2. Forensic Investigations: Recovering passwords from seized systems during investigations.
  3. Password Recovery: Legitimate recovery of forgotten passwords (with proper authorization).
  4. Security Research: Testing new hash algorithms and password security measures.
  5. CTF Challenges: Many Capture The Flag competitions include password cracking challenges.

Troubleshooting Tips

  1. Hash Identification: If John can’t auto-detect your hash format:
  • Use john --list=formats to see supported formats
  • Try hashid or hash-identifier to identify unknown hashes, then pass the result with --format
  2. Performance Issues:
  • Use --fork to utilize multiple CPU cores
  • For GPU acceleration, use an OpenCL build of the Jumbo version and its *-opencl formats (john --list=formats shows whether your build has them)
  3. Memory Errors:
  • Reduce the number of forked processes with --fork
  • Large wordlists are preloaded into memory up to a size threshold; lower it with --mem-file-size=SIZE so the file is streamed instead
  4. Session Restoration:
  • Always use --session=NAME for important jobs, and resume them with --restore=NAME
  • The pot file (~/.john/john.pot by default) stores cracked passwords; don’t delete it
  5. Format Not Supported:
  • Kali’s john package already is the community-enhanced “Jumbo” build that carries the extra formats; there is no separate john-jumbo package. On other systems, build Jumbo from https://github.com/openwall/john, and check john --version for the word “jumbo” if unsure.
  6. Slow Cracking:
  • Use more targeted wordlists
  • Apply rules to make dictionary attacks more effective
  • Consider using masks for brute-force if you know the password structure
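Before committing to a mask attack it pays to size it. The function below is an added example, not from the original post or the John project: it expands a John mask into its candidate count using the built-in class sizes (?l and ?u 26, ?d 10, ?s 33, ?a 95, ?h and ?H 16, any other character a literal) and turns that into a worst-case running time for a candidates-per-second figure you would read off john --test. The masks and the 1000 c/s rate used below are constructed numbers for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): size a John mask attack
# before running it. Class widths are John's built-in mask placeholders.

# Number of candidates a mask expands to. Literal characters contribute one
# choice each; an unknown placeholder aborts instead of miscounting.
mask_keyspace() {
    printf '%s\n' "$1" | awk '
        BEGIN { w["l"] = 26; w["u"] = 26; w["d"] = 10; w["s"] = 33
                w["a"] = 95; w["h"] = 16; w["H"] = 16 }
        {
            total = 1
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "?") {
                    i++
                    p = substr($0, i, 1)
                    if (!(p in w)) {
                        print "unknown placeholder ?" p > "/dev/stderr"
                        exit 1
                    }
                    total *= w[p]
                }
                # a literal character multiplies by 1, so nothing to do
            }
            printf "%.0f\n", total
        }'
}

# Worst-case running time in whole seconds at RATE candidates per second
# (rounded up), e.g. the c/s figure from `john --test --format=raw-md5`.
mask_seconds() {
    keyspace="$1"; rate="$2"
    echo $(( (keyspace + rate - 1) / rate ))
}

# Human-readable report for one mask at an assumed rate.
report() {
    mask="$1"; rate="$2"
    ks=$(mask_keyspace "$mask") || return 1
    printf '%-20s %15s candidates  ~%s s at %s c/s\n' "$mask" "$ks" "$(mask_seconds "$ks" "$rate")" "$rate"
}

# Preview candidates and launch the real run (needs john; the hash file
# and the 1000 c/s rate are placeholders for this demo).
if [ "${1:-}" = "run" ]; then
    report '?u?l?l?l?d?d' 1000        # Capitalised word of 4 plus 2 digits
    report 'Summer?d?d?d?d' 1000      # known prefix, four unknown digits
    john --mask='?u?l?l?l?d?d' --stdout | head -n 5
    john --format=raw-md5 --mask='?u?l?l?l?d?d' hashes.txt
fi
```

The report makes the trade-off concrete: a known prefix plus four digits is ten thousand candidates, while one upper-case letter, three lower-case letters and two digits is already over 45 million, so pinning any position to a literal or a narrower class is worth far more than extra cores.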

Worked Example: Shadow Hashes and a Test MD5 Hash

1. Initial Password Cracking Attempt

Bash
john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt

What this does:

  • Uses John’s own default wordlist at /usr/share/john/password.lst
  • Applies mangling rules (--rules) to modify words from the wordlist
  • Attempts to crack the hashes in unshadowed.txt, the file produced by running unshadow over /etc/passwd and /etc/shadow (reading the shadow file needs root)

Output Explanation:

Bash
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
  • John automatically detected the hash type as sha512crypt (common for Linux shadow files)
  • It notes the hash could also be interpreted as generic “crypt” format
Bash
Loaded 1 password hash (sha512crypt [64/64])
toor             (root)
  • Successfully cracked the password “toor” for the root account
  • Took 7 seconds at 482 candidates per second (c/s)

2. Creating an MD5 Hash for Testing

Bash
echo -n test2 | md5sum
echo -n test2 | md5sum | awk '{print $1}' > hash
  • Creates an MD5 hash of the string “test2”
  • The -n flag prevents echo from adding a newline character
  • Stores just the hash value (without the filename) in a file named “hash”

3. Creating a Small Wordlist

Bash
for x in $(seq 0 9); do echo test$x >> wordlists; done
grep test2 wordlists
wc -l wordlists
  • Generates a wordlist containing “test0” through “test9”
  • Verifies “test2” is in the wordlist
  • Confirms the wordlist has 10 entries

4. Checking Supported MD5 Formats

Bash
john --list=formats | grep -i 'md5'
  • Lists all hash formats John supports
  • Filters for formats containing “md5” (case insensitive)
  • Shows various MD5-related formats including Raw-MD5, md5crypt, etc.

5. Cracking the MD5 Hash

Bash
john --format=raw-md5 --wordlist=wordlists hash

What this does:

  • Specifies the exact hash format (raw-md5) to avoid autodetection
  • Uses our custom wordlist (wordlists)
  • Targets our previously created hash file (hash)

Output Explanation:

Bash
Warning: no OpenMP support for this hash type, consider --fork=2
  • Indicates this hash type doesn’t support parallel processing via OpenMP
  • Suggests using --fork to create multiple processes
Bash
Warning: Only 10 candidates left, minimum 12 needed for performance.
  • Our wordlist is very small (only 10 entries)
  • John prefers larger wordlists for better performance metrics
Bash
test2            (?)
  • Successfully cracked the hash – the password is “test2”
  • The (?) sits where John prints the user name; our hash file holds only the bare hash with no user field, so there is none to show

Key Lessons from This Example

  1. Hash Type Specification: When John’s autodetection is uncertain (like with sha512crypt vs crypt), explicitly specifying the format with --format is more reliable; it matters even more for a bare 32-hex-character hash, which several formats besides raw-md5 could claim.
  2. Wordlist Creation: You can quickly generate targeted wordlists for testing purposes.
  3. Performance Considerations:
  • Small wordlists trigger warnings
  • Some hash types don’t support parallel processing via OpenMP; --fork is the workaround
  4. Complete Workflow: This shows a full cycle from:
  • Creating a test hash
  • Generating a wordlist
  • Configuring John
  • Running the crack
  • Interpreting results
  5. Real-World Application: For actual MD5 cracking, you would:
  • Use larger, more comprehensive wordlists
  • Consider adding rules for more complex variations
  • Potentially use brute-force if dictionary attacks fail

Improving This Example

For more effective cracking, you might modify the commands:

  1. Using a better wordlist:
Bash
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash
  2. Adding parallel processing:
Bash
john --format=raw-md5 --wordlist=wordlists --fork=2 hash
  3. Applying rules to the small wordlist:
Bash
john --format=raw-md5 --wordlist=wordlists --rules hash
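The walkthrough above builds one bare MD5 hash by hand. The script below is an added example, not code from the original post or from the John project: it generalises that step to a labelled test set (user:hash lines, one file per John format, so --show can report user names) across raw-md5, raw-sha1 and raw-sha256, builds a wordlist the same way the seq loop does, and cracks each file with an isolated pot file. The user names, plaintexts, directory and file names are constructed for this demo; md5sum, sha1sum and sha256sum are the coreutils digest tools.

```bash
#!/bin/sh
# Added example (not from the original post): build labelled test hashes in
# the user:hash layout John accepts and crack each format with its own
# --format and an isolated pot file. All names and plaintexts are made up.

# "user:hexdigest" for one plaintext. printf '%s' avoids hashing a trailing
# newline, the classic reason a known password "fails" to crack.
hash_line() {
    local user="$1" plain="$2" tool="$3"
    printf '%s:%s\n' "$user" "$(printf '%s' "$plain" | "$tool" | awk '{print $1}')"
}

# One file per John format name. John loads a single hash type per run, so
# mixing raw-md5 and raw-sha1 lines in one file would silently drop some.
make_hash_files() {
    local dir="$1"
    mkdir -p "$dir"
    {
        hash_line alice test2 md5sum
        hash_line bob Summer2024 md5sum
    } > "$dir/raw-md5.txt"
    hash_line carol test sha1sum   > "$dir/raw-sha1.txt"
    hash_line dave  test sha256sum > "$dir/raw-sha256.txt"
}

# The page's seq loop plus one word that only a seasonal pattern would hit.
make_wordlist() {
    { seq -f 'test%g' 0 9; echo Summer2024; } > "$1"
}

# Crack every file, taking the format from the file name, and keep results
# in a private pot file so the demo does not pollute ~/.john/john.pot.
crack_all() {
    local dir="$1" wordlist="$2" pot="$1/demo.pot" f fmt
    for f in "$dir"/*.txt; do
        fmt=$(basename "$f" .txt)
        john --format="$fmt" --wordlist="$wordlist" --pot="$pot" "$f"
        # --show must see the same --format and --pot to match results
        john --show --format="$fmt" --pot="$pot" "$f"
    done
}

# Run the whole demo only when asked, so the helpers can be sourced alone.
if [ "${1:-}" = "run" ]; then
    make_hash_files demo-hashes
    make_wordlist demo-words.txt
    crack_all demo-hashes demo-words.txt
fi
```

Usage: `sh make-and-crack.sh run`. Keeping the wordlist outside the hash directory matters: the loop treats every *.txt there as a hash file named after its format.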

John the Ripper Utilities

John the Ripper comes with an extensive collection of utilities that extend its functionality beyond basic password cracking. These tools primarily convert various file formats and password hashes into formats that John can process. Here’s a detailed breakdown:

Core Components

Main Binary

  • john: The primary password cracking tool

Helper Utilities

  • unshadow: Combines /etc/passwd and /etc/shadow files for Unix password cracking
  • unique: Removes duplicates from wordlists to improve efficiency
  • base64conv: Converts between different base64 encodings

Format-Specific Converters

Archive Formats

  • zip2john: Extracts hashes from ZIP archives
  • rar2john: Extracts hashes from RAR archives
  • 7z2john: Extracts hashes from 7-Zip archives
  • bitlocker2john: Extracts hashes from BitLocker encrypted drives
  • dmg2john: Extracts hashes from Apple Disk Images

Password Managers

  • keepass2john: Extracts hashes from KeePass databases
  • lastpass2john: Extracts hashes from LastPass vaults
  • bitwarden2john: Extracts hashes from Bitwarden vaults
  • 1password2john: Extracts hashes from 1Password vaults

Network Protocols

  • hccap2john: Converts WPA/WPA2 handshakes already in aircrack-ng’s .hccap format; wpapcap2john reads raw pcap/pcapng captures directly
  • vncpcap2john: Extracts VNC challenge/response pairs from pcap files
  • sipdump2john: Converts SIP digest authentication captured with the sipdump tool
  • ikescan2john: Converts IKE PSK hashes captured with ike-scan
  • radius2john: Extracts RADIUS authentication hashes

Disk Encryption

  • luks2john: Extracts LUKS encryption headers
  • truecrypt2john: Extracts TrueCrypt/VeraCrypt headers
  • geli2john: Extracts FreeBSD GELI encryption headers

Document Formats

  • pdf2john: Extracts hashes from PDF files
  • office2john: Extracts hashes from Microsoft Office documents
  • libreoffice2john: Extracts hashes from LibreOffice documents

Operating System Specific

  • mac2john: Extracts macOS user password hashes
  • aix2john: Extracts AIX password hashes
  • racf2john: Extracts IBM RACF mainframe passwords

Development/Utilities

  • calc_stat: Calculates the character statistics file that Markov mode consumes
  • cprepair: Repairs wordlists with mixed or broken character encodings (code page repair)
  • genmkvpwd: Generates Markov-mode password candidates from a statistics file

Advanced Converters

Cryptocurrency Wallets

  • bitcoin2john: Extracts Bitcoin wallet hashes
  • electrum2john: Extracts Electrum wallet hashes
  • ethereum2john: Extracts Ethereum wallet hashes

Specialized Formats

  • signal2john: Extracts Signal messenger encryption passwords
  • telegram2john: Extracts Telegram local passwords
  • known_hosts2john: Extracts hashed host names from SSH known_hosts files (HashKnownHosts entries)

Usage Patterns

Basic Conversion

Bash
utility2john input_file > output_hash
john output_hash

Here utility2john stands for whichever converter matches the input (zip2john, pdf2john, and so on). The converter writes one or more hash lines to standard output; keep each line intact, since John parses the whole line, including any embedded file name.

Example: Cracking a ZIP File

Bash
zip2john protected.zip > zip_hash.txt
john --wordlist=rockyou.txt zip_hash.txt

Example: Cracking a Wi-Fi Handshake

Bash
wpapcap2john capture.cap > wpa_hash.txt
john --wordlist=rockyou.txt wpa_hash.txt

wpapcap2john reads the raw pcap/pcapng capture and needs a complete four-way handshake in it; hccap2john is for captures already converted to aircrack-ng’s .hccap format.

Installation Notes

On Kali these utilities are spread over two packages, both installed by default:

  • john: the main binary and the compiled converters (zip2john, rar2john, keepass2john, wpapcap2john, unshadow, unique and others) on your PATH
  • john-data: john.conf, the rule sets, password.lst and the Python/Perl converters under /usr/share/john/

There is no separate john-jumbo package on Kali; the john package already is the community-enhanced Jumbo build.