John the Ripper (JtR) is a password cracker originally developed for UNIX-based systems and first published in 1996. Using this essential pen testing tool, you can check password strength and crack encrypted (or hashed) passwords using brute force methods or dictionary attacks.
The tool is available in both a GNU-licensed and a proprietary version – moreover, a community-based “Jumbo” variant is also available for download on GitHub. The latter is the version recommended for security professionals: it features performance optimizations and additional features such as multilingual dictionaries and support for 64-bit architectures.
This article explains how John the Ripper works, what options the tool offers for cracking passwords, and shows you how to work with it in practice with an example guide.
Like most other password crackers, John the Ripper works in three basic ways:
- Dictionary attack: Dictionaries or password lists serve as resources. The tool tries every password in the list and checks whether it produces the hash being cracked.
- Brute force attack: In this type of attack, John the Ripper needs some configuration parameters, such as the minimum and maximum password length, the type of characters it contains (only letters, letters and numbers, letters, numbers and special characters), and the order of the search. Finding the ideal brute force configuration requires a certain level of expertise. Once the configuration is complete, John the Ripper tests all possible password combinations based on it and notifies you if successful. This process can be very effective, but also extremely time consuming: it can take more than 9 years to crack a password consisting of nine characters (numbers, letters and special characters).
- Rainbow tables: Applications that value security do not store passwords in plain text. Instead, they store the credentials as hashes. Rainbow table attacks, which compare such lists against precomputed data pools to convert the hashes back into the correct plain text, are particularly recommended when large lists of hashed passwords are available. Compared to brute force attacks, rainbow table attacks usually promise faster cracking success – unless the hashes are salted.
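The three approaches above differ mainly in when the hashing work is done. The following is an added illustration (not code from the article or from John the Ripper) that contrasts a precomputed lookup table with a wordlist pass, and shows why a salt defeats the former but not the latter; the wordlist, the hashes and the salt are all constructed for the example, and plain SHA-256 stands in for a real password hash.

```python
import hashlib

# Constructed sample wordlist, already normalized the way a
# "tr A-Z a-z | sort -u" step would leave it: lower-case, no duplicates.
WORDLIST = ["letmein", "password", "summer2024", "winter"]

# Constructed salt; a real application would draw one at random per user.
SALT = b"c0nstructed-salt"


def build_lookup_table(words):
    """Precompute hash -> plaintext for unsalted SHA-256.

    This stands in for a rainbow table: all hashing happens up front,
    so recovering a hash later is a single dictionary lookup."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def recover_unsalted(table, digest):
    """Rainbow-table style recovery: one lookup, no hashing at crack time."""
    return table.get(digest)


def salted_digest(salt, password):
    """Hash the way a salt-aware application stores it: salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(salt, digest, words):
    """Wordlist mode: every candidate is rehashed with the target's salt,
    so the work cannot be shared across different salts."""
    for w in words:
        if salted_digest(salt, w) == digest:
            return w
    return None


def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = hashlib.sha256(b"summer2024").hexdigest()
    via_table_unsalted = recover_unsalted(table, unsalted)

    salted = salted_digest(SALT, "summer2024")
    via_table_salted = recover_unsalted(table, salted)   # table is useless
    via_wordlist = dictionary_attack(SALT, salted, WORDLIST)  # still found
    return via_table_unsalted, via_table_salted, via_wordlist


if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong; it only forces the wordlist pass to be repeated per salt instead of amortized over a precomputed table.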
John the Ripper offers three different operating modes:
- Single crack mode: The creators of John the Ripper recommend this mode as it is considered the fastest. Single crack mode works with the information from UNIX passwd files. It is especially effective when the username is known or easy to guess (e-mail addresses, for example).
- Wordlist mode: Text files or password lists that you have created yourself can be used with this mode (ideally one password per line and no duplicates). JtR also comes with some default lists (the proprietary version offers the largest selection), but doesn’t automatically normalize the existing passwords. However, this can be done manually relatively easily:
tr A-Z a-z < SOURCE | sort -u > TARGET
- Incremental mode: This mode is JtR’s equivalent of brute force, so it can become an extreme waste of time – or never end, depending on the complexity of the password being cracked.
In addition, JtR also offers a customizable external mode.
A detailed use case on the tool’s official website focuses on a UNIX “shadow” file, which contains the hashed passwords of user and system accounts. Newer UNIX-based distributions store the list of usernames and other account information in a different file than the corresponding password hashes. Therefore, the first step with John the Ripper is to merge the two files. This works with the following commands:
umask 077
unshadow /etc/passwd /etc/shadow > mypasswd
The umask 077 line ensures that the newly created “mypasswd” file is created with restrictive permissions (readable only by its owner) before JtR works with it. The easiest way to run the file in autopilot mode is via john mypasswd.
This initially unleashes single crack mode on the newly created mypasswd file. If that fails, the second step is wordlist mode (with the preset defaults and lists). When all else fails, John the Ripper eventually switches to incremental mode. You can also cancel the session at any time and continue later with the following command: john --restore
The “official” John the Ripper manual, including a full list of usage examples, is available with the command man john. Before getting “serious”, it is recommended to configure the tool according to your preferences.
John the Ripper is one of the most popular password crackers for a reason: its selection of free open source versions and strong community support make JtR an essential part of any pentester toolkit.
This post is based on an article from our US sister publication, CSO Online.