John the Ripper - Pentools

John the Ripper is one of the most well known  hash cracking tools. It combines a fast cracking speed, with an extraordinary range of compatible hash types. 


Wordlists is the list of words that you can hash and compare during a dictionary attack 

There are many different wordlists out there, a good collection to use can be found in the SecLists repository -  

Location of wordlist in Kali Linux - /usr/share/wordlists

John Basic Syntax

The basic syntax of John the Ripper commands is as follows

john --wordlist=[path to wordlist] [path to file]

Example : john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

Identifying Hashes

We are able to use other tools to identify the hash, and then set john to use a specific format. 

Online hash identifier :

To install hash identifier in kali linux 


Then simply launch it with python3 and then enter the hash you're trying to identify- and it will give you possible formats!

Format-Specific Cracking

Once you have identified the hash that you're dealing with, you can tell john to use it while cracking the provided hash using the following syntax:

john --format=[format] --wordlist=[path to wordlist] [path to file]

example : john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

A Note on Formats:

When you are telling john to use formats, if you're dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it withraw- to tell john you're just dealing with a standard hash type, though this doesn't always apply. To check if you need to add the prefix or not, you can list all of John's formats using john --list=formats and either check manually, or grep for your hash type using something like john --list=formats | grep -iF "md5".

Cracking Basic Hashes

Example Usage:

john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

Cracking Hashes from /etc/shadow

The /etc/shadow file is the file on Linux machines where password hashes are stored. It also stores other information, such as the date of last password change and password expiration information. It contains one entry per line for each user or user account of the system. This file is usually only accessible by the root user- so in order to get your hands on the hashes you must have sufficient privileges, but if you do- there is a chance that you will be able to crack some of the hashes.


John can be very particular about the formats it needs data in to be able to work with it, for this reason- in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows:

unshadow [path to passwd] [path to shadow]

Example Usage:

unshadow local_passwd local_shadow > unshadowed.txt

Note: When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file- if you have them available, or you can use the relevant line from each, for example:

FILE 1 - local_passwd

Contains the /etc/passwd line for the root user:


FILE 2 - local_shadow

Contains the /etc/shadow line for the root user:



We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt" directly into John. We should not need to specify a mode here as we have made the input specifically for John, however in some cases you will need to specify the format as we have done previously using: --format=sha512crypt

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt

Cracking Windows Hashes

NThash is the hash format that modern Windows Operating System machines will store user and service passwords in. It's also commonly referred to as "NTLM" which references the previous version of Windows format for hashing passwords known as "LM", thus "NT/LM".

format : john --wordlist=/usr/share/wordlists/rockyou.txt --format=nt  /home/kali/Desktop/hash2.txt

Single Crack Mode

In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username.

If we take the username: Markus

Some possible passwords could be:

Markus1, Markus2, Markus3 (etc.)
MArkus, MARkus, MARKus (etc.)
Markus!, Markus$, Markus* (etc.)

Using Single Crack Mode

For example if we wanted to crack the password of the user named "Joker", using single mode, we'd use:

john --single --format=[format] [path to file]

--single - This flag lets john know you want to use the single hash cracking mode.

Example Usage:

john --single --format=raw-sha256 hashes.txt

A Note on File Formats in Single Crack Mode:

If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt





Cracking a Password Protected Zip File

We can use John to crack the password on password protected Zip files. Again, we're going to be using a separate part of the john suite of tools to convert the zip file into a format that John will understand

Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand, and hopefully crack. The basic usage is like this:

zip2john [options] [zip file] > [output file]

Example Usage

zip2john > zip_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

Cracking a Password Protected RAR Archive

Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows:

rar2john [rar file] > [output file]

Example Usage

rar2john rarfile.rar > rar_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

Cracking SSH Key Passwords

As the name suggests ssh2john converts the id_rsa private key that you use to login to the SSH session into hash format that john can work with.Note that if you don't have ssh2john installed, you can use, which is located in the /opt/john/ If you're doing this, replace the ssh2john command with python3 /opt/ or on Kali, python /usr/share/john/

ssh2john [id_rsa private key file] > [output file]

Example Usage

ssh2john id_rsa > id_rsa_hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt


Post a Comment