Password strength is one of the most critical elements of user account security. In cybersecurity, we use offline password cracking tools to test if stored password hashes can be cracked using dictionary attacks or brute force. John the Ripper (JTR) is the industry-standard open-source tool for password strength auditing and recovery.
In this beginner-friendly tutorial, you’ll learn how to set up John the Ripper, extract hashes from systems, use wordlists to speed up recovery, and enforce strong password policies in your organization.
We will cover:
- What John the Ripper is and how it works.
- Installing JTR on Windows, Linux, and macOS.
- Extracting and cracking Linux user hashes (unshadow).
- Performing advanced wordlist and rule-based attacks.
- Setting up GPU acceleration.
What is John the Ripper?
John the Ripper is an offline password cracker. Unlike online brute-forcing tools such as Hydra (which send login attempts to a live service over protocols like SSH or FTP), John works on password hashes you have already obtained and stored locally; the target system is never contacted.
How Offline Cracking Works:
- The Hash File: The auditor obtains the stored credentials (e.g., an Active Directory database, the /etc/shadow file, or a database export) containing the password hashes.
- Candidate Generation: JTR takes candidate passwords (like password123) and runs them through the same hashing algorithm (sha512crypt, MD5, bcrypt, NTLM, ...) that produced the target hash, using the same per-hash salt where the format has one. Hashes are not encryption: there is no key to recover, so the only way back to the password is to guess and re-hash.
- Comparison: JTR compares the computed hash with the target hash. A match means the candidate is the password.
Because this happens offline, there are no lockout policies, network latency, or logging systems to stop the auditor; speed is limited only by hardware and by the cost of the hash function, from tens of billions of NTLM or raw-MD5 candidates per second on a GPU down to only thousands per second for bcrypt. Hashes do not have to come from a disk either: authentication material captured from network traffic (a WPA handshake, an NTLM challenge-response) can be converted into John's input format with the *2john helper scripts that ship with the Jumbo build (wpapcap2john, for example) and cracked offline in the same way.
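The two loops below make the guess-and-compare principle concrete and show why the hash format matters so much for speed. This is an added example, not code from John the Ripper or from the original article: the wordlist and targets are constructed, raw-md5 is computed with Python's hashlib exactly as John would, and "$demo$" is a made-up salted, iterated format standing in for sha512crypt so that the salt handling is visible without a crypt(3) implementation.

```python
from __future__ import annotations
import hashlib

# Constructed sample data for this example; nothing here is a real credential.
WORDLIST = ["letmein", "qwerty", "password123", "Summer2024", "hunter2"]


# --- Unsalted, fast hash (what John calls raw-md5) ----------------------------
def md5hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


RAW_MD5_TARGETS = {md5hex("password123"), md5hex("hunter2"), md5hex("correct horse")}


def crack_unsalted(targets: set[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Hash each candidate once and look it up against every target at the same time.
    Returns {target_hash: password} for the hashes recovered and the number of
    hash computations performed."""
    found: dict[str, str] = {}
    work = 0
    for candidate in wordlist:
        work += 1
        h = md5hex(candidate)
        if h in targets:
            found[h] = candidate
    return found, work


# --- Salted, iterated hash (simplified stand-in for sha512crypt, "$6$salt$hash") ---
# The "$demo$" identifier and 1000 rounds are constructed for this example.
# sha512crypt uses SHA-512, 5000 rounds by default and a more involved schedule,
# but the attack shape is identical: re-run the algorithm with the stored salt.
DEMO_ID = "demo"
DEMO_ROUNDS = 1000


def demo_hash(password: str, salt: str) -> str:
    digest = (salt + password).encode()
    for _ in range(DEMO_ROUNDS):
        digest = hashlib.sha256(digest).digest()
    return f"${DEMO_ID}${salt}${digest.hex()}"


SALTED_TARGETS = [
    demo_hash("password123", "x7Fq"),
    demo_hash("password123", "Qm2z"),   # same password, different salt: different hash
    demo_hash("hunter2", "aa11"),
]


def crack_salted(targets: list[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Each target carries its own salt, so every (salt, candidate) pair is a fresh
    hash computation: precomputed tables are useless and the work scales with the
    number of hashes, not only with the size of the wordlist."""
    found: dict[str, str] = {}
    work = 0
    for stored in targets:
        _, algo, salt, _ = stored.split("$")
        if algo != DEMO_ID:
            raise ValueError(f"unsupported hash type: {algo}")
        for candidate in wordlist:
            work += 1
            if demo_hash(candidate, salt) == stored:
                found[stored] = candidate
                break
    return found, work


if __name__ == "__main__":
    hits, work = crack_unsalted(RAW_MD5_TARGETS, WORDLIST)
    print(f"raw-md5: cracked {len(hits)} of {len(RAW_MD5_TARGETS)} with {work} hash computations")
    hits, work = crack_salted(SALTED_TARGETS, WORDLIST)
    print(f"salted:  cracked {len(hits)} of {len(SALTED_TARGETS)} with {work} hash computations")
```

Five candidates test all three raw-md5 hashes with five hash computations, whereas the three salted hashes cost eleven, and the two copies of password123 had to be cracked separately because their salts differ. That difference, multiplied by thousands of rounds per hash, is the gap between the "millions per second" figure and the reality for sha512crypt or bcrypt.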
How to Install John the Ripper
For security audits, you should install the John the Ripper Jumbo version. The Jumbo version includes the community additions: support for hundreds of additional hash formats, OpenCL GPU acceleration, and the *2john conversion utilities (unshadow, zip2john, wpapcap2john, and others).
🐧 Linux
On Debian-based systems (Ubuntu, Kali Linux). Kali ships a current Jumbo build; the stock Debian and Ubuntu john package is a much older Jumbo release, so if a format you need is missing, build the latest source from github.com/openwall/john instead:
sudo apt update
sudo apt install john -y
🍎 macOS
macOS users can install the Jumbo version using Homebrew:
brew install john-jumbo
🪟 Windows
- Download the pre-built binaries from the official Openwall Site.
- Extract the downloaded ZIP file.
- The executables are located in the run folder. Open Command Prompt, change into the run folder, and run john.exe from there (john.exe --list=formats confirms the build works).
Step-by-Step Tutorial: Cracking Your First Password Hash
Let’s walk through how to audit local Linux user passwords. Linux systems separate the user listing from the password hashes. The user details are in /etc/passwd (publicly readable), while the cryptographic password hashes are stored in /etc/shadow (readable only by root).
Step 1: Combine Passwd and Shadow (Unshadow)
Before John can crack the hashes, it needs the username and hash combined into a single file in passwd format. The unshadow utility (part of the john package) does this:
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
unshadow reads both files as root and prints each passwd line with its "x" placeholder replaced by the hash from shadow; the shell redirect writes the result to hashes.txt. That file now holds every local account's password hash, so treat it as sensitive: keep it off shared storage and delete it when the audit is done.
Step 2: Run John in Default Mode
With no mode flag, JTR runs its modes in a fixed order: "single crack" mode first (guesses derived from the username and GECOS fields of each account), then wordlist mode with its bundled password.lst and default rules, then incremental mode (exhaustive brute force), which only ends when you interrupt it with Ctrl+C. An interrupted session can be picked up later with john --restore. Run it on the extracted file:
john hashes.txt
John detects the hash type from the hash prefix ($6$ is sha512crypt; recent Debian and Ubuntu releases use yescrypt, $y$) and starts testing candidates. If the file mixes hash types, John loads only the type it detected first and prints a warning naming the others; rerun it with --format= for each remaining type. A Jumbo build too old to know yescrypt can only use --format=crypt, which goes through the system's crypt(3) and is far slower.
Step 3: Show Cracked Passwords
To view the results of the cracked passwords, run:
john --show hashes.txt
The terminal displays each cracked account as username:password followed by the remaining passwd fields, plus a count of hashes cracked and left. The results come from John's pot file (~/.john/john.pot by default), so --show works after the cracking session has ended and also reports hashes cracked in earlier runs.
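To make clear what unshadow produces and which lines John can actually work on, here is the merge reimplemented in Python over constructed /etc/passwd and /etc/shadow contents. This is an added example, not the unshadow source or the article's own code; the account names are invented and the hash bodies are filler characters with only the format prefixes kept realistic.

```python
from __future__ import annotations

# Constructed /etc/passwd and /etc/shadow contents. The digests are filler
# ("A" * 86 and so on), not real hashes; only the prefixes are realistic.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob Example:/home/bob:/bin/bash",
    "svc-backup:x:1002:1002:backup service:/var/backup:/usr/sbin/nologin",
]) + "\n"

SAMPLE_SHADOW = "\n".join([
    f"root:$6$Xy9Qk2Lm${'A' * 86}:19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",                       # no password at all
    f"alice:$6$rounds=5000$p3Q7zRtW${'B' * 86}:19700:0:99999:7:::",
    f"bob:$y$j9T$F5Jx5wYAG6Q7mP3H${'C' * 43}:19700:0:99999:7:::",   # yescrypt
    f"svc-backup:!$6$Zz1Zz1Zz${'D' * 86}:19700:0:99999:7:::",       # locked
]) + "\n"


def parse_colon_file(text: str) -> dict[str, list[str]]:
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    records: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Reproduce what the unshadow utility prints: each passwd line with its
    'x' password field replaced by the hash field from shadow."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields = fields[:1] + [shadow[name][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def is_crackable(hash_field: str) -> bool:
    """Accounts with no password ('*', '!', '!!', empty) or a locked one ('!'
    in front of a real hash) carry nothing John can recover."""
    return bool(hash_field) and not hash_field.startswith(("*", "!"))


# crypt(3) prefix -> the John format name that handles it
SCHEMES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}


def hash_scheme(hash_field: str) -> str:
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def audit_targets(merged: list[str]) -> list[tuple[str, str]]:
    """(user, scheme) for every merged line that actually has a crackable hash."""
    out = []
    for line in merged:
        user, hash_field = line.split(":")[:2]
        if is_crackable(hash_field):
            out.append((user, hash_scheme(hash_field)))
    return out


if __name__ == "__main__":
    lines = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(lines))
    print("crackable:", audit_targets(lines))
```

Of the five merged lines only root, alice and bob carry a usable hash, and they are not all the same type: John would load the sha512crypt pair, warn about the yescrypt line, and need a second run with --format= to cover bob. Locked (!) and passwordless (*) entries are still written to hashes.txt; John simply skips them.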
Advanced Password Auditing: Wordlists and Rules
Running John in default mode is effective, but for deep audits you need targeted wordlists. The most widely used wordlist in security testing is rockyou.txt, about 14 million real passwords from the 2009 RockYou breach, ordered roughly by frequency.
1. Using a Specific Wordlist
To feed a specific wordlist to JTR (on Kali the file ships compressed; run sudo gunzip /usr/share/wordlists/rockyou.txt.gz once first):
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
2. Implementing Mangling Rules
Users often take ordinary words and modify them (e.g., adding 123! to the end, or replacing E with 3). John has a powerful rules engine that applies these modifications (called mangling) to every word in your wordlist. With no argument, --rules uses the default rule set from john.conf; named sets such as --rules=Jumbo apply far more transformations at the cost of a longer run:
john --rules --wordlist=company_keywords.txt hashes.txt
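The following added example (not John's rule engine and not from the original article) shows what mangling buys you: a small set of rules, labelled with the equivalent John rule syntax, turns a constructed three-word company_keywords.txt into candidates that recover raw-md5 hashes the bare words would never match. The keywords and the target hashes are constructed for the example.

```python
from __future__ import annotations
import hashlib

# Rules as Python functions. The labels are the equivalent John rule strings
# (":" no-op, "c" capitalize, "u" uppercase, "r" reverse, "$X" append X,
# "sXY" replace X with Y) so they can be recognised in john.conf.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

RULES = {
    ":":               lambda w: w,
    "c":               lambda w: w.capitalize(),
    "u":               lambda w: w.upper(),
    "r":               lambda w: w[::-1],
    "$1$2$3":          lambda w: w + "123",
    "c$1$2$3$!":       lambda w: w.capitalize() + "123!",
    "$2$0$2$4":        lambda w: w + "2024",
    "sa@se3si1so0ss$": lambda w: w.translate(LEET),
}


def mangle(word: str, rules: dict = RULES) -> dict[str, str]:
    """Apply every rule to one base word. Returns {candidate: rule_label}; when
    two rules yield the same string the first label wins, so duplicates are
    not hashed twice."""
    out: dict[str, str] = {}
    for label, fn in rules.items():
        out.setdefault(fn(word), label)
    return out


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed company_keywords.txt and constructed raw-md5 targets.
KEYWORDS = ["acme", "rocket", "widgets"]
TARGETS = {md5hex("Acme123!"), md5hex("r0ck3t"), md5hex("widgets2024"),
           md5hex("Tr0ub4dor&3")}   # last one is not derivable from the keywords


def crack(targets: set[str], wordlist: list[str],
          rules: dict = RULES) -> dict[str, tuple[str, str]]:
    """Wordlist + rules attack against unsalted raw-md5 hashes.
    Returns {hash: (base_word, rule_label)} for each hash recovered."""
    found: dict[str, tuple[str, str]] = {}
    for word in wordlist:
        for candidate, label in mangle(word, rules).items():
            h = md5hex(candidate)
            if h in targets and h not in found:
                found[h] = (word, label)
    return found


if __name__ == "__main__":
    for h, (word, label) in crack(TARGETS, KEYWORDS).items():
        print(f"{h}  <- '{word}' with rule {label}")
    print(f"{len(crack(TARGETS, KEYWORDS))} of {len(TARGETS)} cracked; "
          f"{len(crack(TARGETS, KEYWORDS, {':': lambda w: w}))} without rules")
```

Three of the four hashes fall to three keywords and eight rules, and none of them fall to the keywords alone; the fourth is out of reach of this wordlist no matter which rules are applied, which is the usual reminder that rules multiply a wordlist rather than replace it.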
3. Specifying Hash Format
Always specify the format when you know it (e.g., NTLM hashes dumped from Active Directory). Auto-detection is quick, but it is a guess: a bare 32-character hex string could be raw-md5, NT, LM or several other formats, and John will load it as one of them, print a warning listing the alternatives, and spend the whole run on the wrong algorithm if it chose badly:
john --format=NT hash_file.txt
Common format names include raw-md5, raw-sha1, NT, LM, md5crypt, sha512crypt, and bcrypt; john --list=formats prints every format your build supports.
Speeding Up Cracking with GPU Acceleration
Slow hashes (bcrypt, scrypt, Argon2, sha512crypt with a high round count) are designed to make every guess expensive, and a long rule-based run against them on a CPU can take weeks or months. John the Ripper Jumbo supports OpenCL, letting you offload the hashing to graphics cards. The gain is largest for fast, cheap formats (NT, raw-MD5, WPA-PSK, sha512crypt), where a single GPU replaces dozens of CPU cores; bcrypt and the memory-hard designs (scrypt, Argon2) were built specifically to limit what a GPU can do, so expect a far smaller improvement there. OpenCL-enabled formats carry the -opencl suffix in the output of john --list=formats.
To list your available GPU devices:
john --list=opencl-devices
To run an attack on a GPU, pick the -opencl variant of the format. For example, against a WPA handshake captured from a wireless network (airodump-ng or Wireshark) and converted to John's input format with wpapcap2john:
john --format=wpapsk-opencl --wordlist=rockyou.txt wpa_handshake.txt
Ethical Use Warning
⚠️ IMPORTANT: Password cracking is highly intrusive. Only audit password hashes that you have legal ownership over, or systems where you have formal, signed authorization (such as a Penetration Testing Agreement). Running password crackers on unauthorized hashes is a violation of computer misuse laws globally.
Conclusion
John the Ripper is a foundational tool in the security practitioner's arsenal. By understanding how to merge passwd and shadow files, run dictionary attacks, apply mangling rules, choose the right hash format, and leverage GPU power, you can audit your organization's accounts and ensure no user is relying on a weak or previously compromised password.