Password Attackspasswordcrackingwordlistbruteforcehashrules

John the Ripper

John the Ripper is an active password cracking tool designed to detect weak passwords through dictionary attacks, rule mangling, and brute force methods. It supports numerous hash types and includes utilities for preprocessing wordlists and extracting hashes from various formats.

Description

John the Ripper helps systems administrators identify weak passwords that are easy to guess or crack via brute force. It supports crypt(3) hashes from Unix systems, Kerberos AFS, Windows NT/2000/XP/2003 LM hashes, and many more with contributed patches. The tool can automatically email users about weak passwords using the mailer utility.

Common use cases include cracking password hashes from shadow files, testing wordlists for uniqueness with the unique tool, and converting various encrypted files to John-compatible formats using specialized extractors like wpapcap2john or pdf2john. It offers modes like wordlist, incremental, mask, and PRINCE for flexible attack strategies.

The package includes john-data for character sets and scripts, plus companion tools like unique for deduplicating wordlists, mailer for notifications, and unshadow for combining passwd and shadow files.

How It Works

John loads password hashes, identifies their format (e.g., sha512crypt, Raw-MD5), and applies cracking modes: wordlist mode uses dictionaries with optional mangling rules; incremental mode generates systematic passwords; mask mode uses patterns; PRINCE combines word elements. It supports forking for parallelism, OpenMP, and memory-saving options. Utilities like unique use hashing (configurable memory via -mem) to remove duplicates while preserving order; extractors parse files into crackable hash lines.

Installation

bash

sudo apt install john

Flags

--wordlist=/usr/share/john/password.lstUse specified wordlist file for dictionary attack

--rulesApply mangling rules to wordlist candidates

--format=raw-md5Force loading hashes as specific format like Raw-MD5

--showDisplay all cracked passwords reliably

-vVerbose mode for unique, outputs line counts

-inp=fnameInput filename for unique (reads from stdin by default)

-cut=lenTrim input lines to specified length before unique processing

Examples

Crack sha512crypt hashes in unshadowed.txt using wordlist and rules; found password 'toor' for root

john --wordlist=/usr/share/john/password.lst --rules unshadowed.txt

Create a raw MD5 hash file from plaintext 'test2'

echo -n test2 | md5sum | awk '{print $1}' > hash

Generate wordlist with test0 to test9 including target 'test2'

for x in $(seq 0 9); do echo test$x >> wordlists; done

List all supported MD5-related hash formats

john --list=formats | grep -i 'md5'

Crack Raw-MD5 hash using small wordlist; successfully found 'test2'

john --format=raw-md5 --wordlist=wordlists hash

Remove duplicates from allwords.txt saving unique entries to uniques.txt with verbose output

unique -v -inp=allwords.txt uniques.txt

Send email warnings to users with weak passwords from password file

mailer PASSWORD-FILE

Combine passwd and shadow files for cracking

unshadow PASSWORD-FILE SHADOW-FILE

Updated 2026-04-16kali.org ↗