John the Ripper (JtR) is a password cracker that was originally developed for UNIX-based systems and was first published in 1996. With the help of this essential pentesting tool, you can check the strength of passwords and crack encrypted (or hashed) passwords using the brute force method or a dictionary attack.
The tool is available in both a GNU-licensed and a proprietary version – a community-based “Jumbo” version is also available for download on GitHub. The second version is recommended for security professionals: it has performance optimizations and has additional features such as multilingual word lists and support for 64-bit architectures on board.
This article tells you how John the Ripper works, which options the password cracking tool offers and shows you how to work with it in practical examples.
Like most other password crackers, John the Ripper works in three basic ways:
Dictionary attack: Dictionaries or password lists serve as the source. The tool enters every single existing password and tries to get the correct ID.
Brute force attack: With this type of attack, John the Ripper requires some configuration parameters, such as the minimum and maximum password length, the type of characters it contains (only letters, letters and numbers, letters, numbers and special characters) and the order of the query. Finding the ideal brute force configuration requires a certain level of expertise. Once the configuration is complete, John the Ripper tests all possible password combinations on this basis and notifies you if it is successful. This process can be very effective, but it can also be extremely time-consuming: it could take more than 9 years to crack a password that consists of nine characters (numbers, letters and special characters).
Rainbow Tables: Applications that value security do not save passwords in plain text format. Instead, you turn the identifiers into hash files. Particularly when large lists of passwords are in hash form, rainbow table attacks are recommended, in which such lists are compared with precalculated data pools in order to convert the IDs back into the correct plain text format. Compared to brute force attacks, rainbow table attacks usually promise faster cracking success – unless they are encrypted (“salted”) hash files.
John the Ripper comes with three different operating modes:
Single crack mode: The makers of John the Ripper recommend this mode as it is considered the fastest. The single crack mode works with the information from UNIX passwd files. This is particularly useful if the username is either known or easy to guess (for example, email addresses).
Wordlist mode: With this method, self-created text files or password lists can be used (ideally one password per line and no duplicates). JtR also comes with some default lists (the proprietary version offers the largest selection), but does not automatically sort the existing passwords. However, this can be done relatively easily manually:
Tr A-Z a-z < SOURCE | sort -u > TARGET
Incremental mode: This mode is the JtR equivalent to brute force and can therefore develop into an extreme time-saver – or never come to an end, depending on how complex the password to be cracked is.
In addition, JtR also provides a user-defined external mode.
A detailed use case on the official website for the tool focuses on a UNIX “shadow” file, which contains passwords for user and system accounts in hash format. Newer UNIX-based distributions save a list of user names and other information under a different path than the corresponding hash files. So the first step with John the Ripper is to merge the two files. This works with the following command:
unshadow /etc/passwd /etc/shadow > mypasswd
umask 077 ensures that the newly created “mypasswd” file has extensive authorizations and works with JtR. The easiest way to run the file in autopilot mode is via
This first lets go of the single crack mode on the newly created mypasswd file. If there is no cracking success, the second step is wordlist mode (with the default settings and lists). If all of these things fail, John the Ripper will eventually switch to incremental mode. You can also cancel the session at any time and continue it at a later time using the following command:
Here is a complete list of usage examples – you can use the “official” manual by John the Ripper via the command
man john see. Before you “get serious”, it is recommended to configure the tool according to your preferences.
It is not for nothing that John the Ripper is one of the most popular password crackers: thanks to its selection of free open source versions and extensive community support, JtR is an essential part of every Pentester toolkit.
This article is based on an article from our US sister publication CSO Online.