This chapter covers John the Ripper (John), a powerful password cracking tool used extensively in penetration testing. For the PT0-002 exam, understanding John's modes, configuration, and usage is critical, as password cracking appears in multiple domains. Approximately 5-10% of exam questions touch on password cracking tools, with John being the most tested. You will learn how to use John to crack various hash types, optimize attacks, and interpret results—skills directly tested in Domain 5.0 (Tools and Code Analysis) and Domain 3.0 (Attacks and Exploits).
John the Ripper is like a master locksmith who can open many types of locks, but his specialty is finding the right key from a huge keychain. The locksmith starts by trying the most common keys (dictionary attack). If none work, he systematically tries every possible key (brute force), but he knows that most locks have weaknesses—like a lock that clicks when a pin is slightly lifted (incremental mode). He also knows that people often use keys that look like their house key (mangling rules). The locksmith can work on multiple locks at once (multi-threading), and he can even try to open locks that were already partially picked by another locksmith (cracked passwords file). But his true power lies in being able to identify the lock type instantly and apply the most efficient technique. If the lock is a cheap padlock, he won't waste time on complex picking—he'll just shim it. Similarly, John auto-detects hash types and optimizes its attack. The locksmith keeps a log of every key tried and the result, just as John records cracked passwords in a file. Finally, the locksmith can work from a blueprint (configuration file) that specifies which locks to try first, how fast to work, and when to switch techniques—exactly how John uses john.conf to control its behavior.
What is John the Ripper?
John the Ripper is a free, open-source password cracking tool originally developed for Unix systems that now also supports Windows, macOS, and many other platforms. It is designed to detect weak passwords by performing various attacks on password hashes. The tool is named after the infamous serial killer, reflecting its purpose of 'killing' weak passwords.
John is primarily used by penetration testers and security auditors to assess password strength. It supports dozens of hash types, including DES, MD5, SHA-1, SHA-256, bcrypt, and many more. The tool is highly configurable, allowing users to fine-tune attack parameters for maximum efficiency.
How John Works Internally
John operates by taking a file containing password hashes (typically from /etc/shadow on Linux or SAM on Windows) and attempting to recover the plaintext passwords. The core mechanism involves:
Hash Recognition: John automatically detects the hash type by analyzing the hash format. For example, a hash starting with '$2y$' is bcrypt, while '$1$' is MD5 crypt.
Attack Execution: John applies one of its built-in attack modes to generate candidate passwords, hashes them using the same algorithm, and compares them to the target hashes.
Optimization: John uses multiple threads and can be configured to use incremental modes, rules, or external filters to speed up cracking.
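The hash recognition step above can be modelled on the formats this chapter lists. The following is an added example (not part of John itself) that classifies shadow-style and pwdump-style lines by their prefix, flags the empty LM hash and locked accounts, and emits one `john --format=...` command per format, fastest formats first; the hash values in the sample are constructed placeholders.

```python
import re

# Crypt prefixes mapped to the John format name used for each
# ($1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $2a$/$2b$/$2y$ bcrypt).
CRYPT_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                  "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

# LM hash of the empty string: pwdump prints it when LM storage is disabled,
# so an LM field holding it has nothing to crack.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"

# Order in which to run formats: cheapest hash types first, bcrypt last.
PRIORITY = ["lm", "nt", "descrypt", "md5crypt", "sha256crypt", "sha512crypt", "bcrypt"]


def identify_crypt(field):
    """Name John's format for one /etc/shadow password field."""
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-no-password"   # nothing usable for John here
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                # traditional 13-character DES crypt
    return "unknown"


def identify_line(line):
    """Classify one shadow line (user:hash:...) or one pwdump line
    (user:RID:LMhash:NThash:::) and return the John formats to run, in order."""
    fields = line.rstrip("\n").split(":")
    if len(fields) >= 7 and fields[1].isdigit() and len(fields[3]) == 32:
        lm = fields[2].upper()
        formats = ["nt"]
        # Crack LM first when a real LM hash is present: it is weak and gives
        # the NT password up to letter case.
        if re.fullmatch(r"[0-9A-F]{32}", lm) and lm != EMPTY_LM:
            formats.insert(0, "lm")
        return {"user": fields[0], "formats": formats}
    return {"user": fields[0], "formats": [identify_crypt(fields[1])]}


def plan_commands(lines, hash_file):
    """One john command per detected format: giving --format explicitly saves
    John from testing every format against the file."""
    fmts = {f for line in lines for f in identify_line(line)["formats"]}
    return [f"john --format={f} {hash_file}" for f in PRIORITY if f in fmts]


# Constructed sample input (hash values are placeholders, not real hashes).
SAMPLE_LINES = [
    "user:$6$salt$hash:18000:0:99999:7:::",
    "svc:!:18000:0:99999:7:::",
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "legacy:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(identify_line(line))
    print(plan_commands(SAMPLE_LINES, "hashes.txt"))
```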
Key Components and Defaults
Configuration File: john.conf (or john.ini on Windows) contains all settings, including character sets, rules, and attack parameters. Default location is /etc/john/john.conf on Linux.
Password File: The target hashes are stored in a file, often called hashes.txt. Each line contains a username:hash pair.
Pot File: john.pot stores successfully cracked passwords to avoid repeating work. Default location is ~/.john/john.pot.
Session Files: John saves its state periodically (default every 600 seconds) to allow resuming interrupted cracking sessions.
Attack Modes
John offers several attack modes:
Wordlist Mode: The simplest mode. John takes a wordlist (e.g., rockyou.txt) and tries each word as a password. It can apply rules (mutations) to the words. Command: john --wordlist=rockyou.txt hashes.txt
Single Crack Mode: John uses the username and other account information to generate password guesses. It is very fast but only works for weak passwords. Command: john --single hashes.txt
Incremental Mode: The most powerful but slowest mode. John tries all possible character combinations within a given length and character set. By default, it uses a predefined incremental mode for alphanumeric characters. Command: john --incremental hashes.txt
External Mode: Allows custom cracking algorithms written in a C-like language. These are defined in the configuration file.
Markov Mode: Uses Markov chains to generate password guesses based on the probability of character sequences.
PRINCE Mode: Uses the PRINCE (PRobability INfinite Chained Elements) algorithm to generate passwords from a wordlist by combining words.
Rule-Based Attacks
Rules are transformations applied to wordlist entries. For example, a rule might append a digit, capitalize the first letter, or substitute 'e' with '3'. Rules are defined in john.conf under the [List.Rules:Wordlist] section. Common rule sets include:
- Single (simple rules)
- Wordlist (default rules)
- Extra (aggressive rules)
- Jumbo (extensive rules, available in John the Ripper Pro)
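To make the rule mechanism concrete, here is an added example (not John's own code) that interprets a subset of John's rule commands, including the `[...]` preprocessor that expands one rule line into many, and runs rule lines over a wordlist in the order John does (each rule over the whole list before the next rule); the wordlist and rules are constructed for the demonstration.

```python
import itertools


def expand_rule(rule):
    """Expand John's [..] preprocessor groups: '$[0-9]' stands for ten rules
    '$0'..'$9', and several groups multiply out (cross product)."""
    parts, i = [], 0
    while i < len(rule):
        if rule[i] != "[":
            parts.append([rule[i]]); i += 1
            continue
        j = rule.index("]", i)
        body, i, chars, k = rule[i + 1:j], j + 1, [], 0
        while k < len(body):
            if k + 2 < len(body) and body[k + 1] == "-":      # range such as 1-9
                chars.extend(chr(c) for c in range(ord(body[k]), ord(body[k + 2]) + 1))
                k += 3
            else:
                chars.append(body[k]); k += 1
        parts.append(chars)
    return ["".join(p) for p in itertools.product(*parts)]


def apply_rule(rule, word):
    """Apply one expanded rule to one word using a subset of John's commands."""
    i = 0
    while i < len(rule):
        cmd = rule[i]; i += 1
        if cmd in ": ": pass                                   # no-op / separator
        elif cmd == "l": word = word.lower()
        elif cmd == "u": word = word.upper()
        elif cmd == "c": word = word[:1].upper() + word[1:].lower()   # capitalize
        elif cmd == "t": word = word.swapcase()                # toggle case
        elif cmd == "r": word = word[::-1]                     # reverse
        elif cmd == "d": word = word * 2                       # duplicate
        elif cmd == "f": word = word + word[::-1]              # reflect
        elif cmd == "$": word = word + rule[i]; i += 1         # append char
        elif cmd == "^": word = rule[i] + word; i += 1         # prepend char
        elif cmd == "s": word = word.replace(rule[i], rule[i + 1]); i += 2  # sXY
        else: raise ValueError(f"unsupported rule command {cmd!r}")
    return word


def mangle(words, rule_lines):
    """What --wordlist --rules does: each rule line (after expansion) is run over
    the whole wordlist before the next rule; duplicate candidates are dropped."""
    seen, out = set(), []
    for rule_line in rule_lines:
        for rule in expand_rule(rule_line):
            for w in words:
                cand = apply_rule(rule, w)
                if cand not in seen:
                    seen.add(cand); out.append(cand)
    return out


# Constructed sample: a tiny wordlist and rule lines in [List.Rules:...] syntax.
SAMPLE_WORDS = ["password", "admin"]
SAMPLE_RULES = [":", "c", "c$[0-2]", "se3sa@", "l$1$2$3"]

if __name__ == "__main__":
    for cand in mangle(SAMPLE_WORDS, SAMPLE_RULES):
        print(cand)
```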
Performance Tuning
John can be tuned for performance:
- Number of threads: --fork=N to spawn N processes (each using one core).
- Memory usage: Incremental mode uses memory proportional to the number of possible passwords.
- Session management: Use --session=name to name a session and --restore=name to resume.
Supported Hash Types
John supports over 200 hash types. Common ones include:
- descrypt (DES-based crypt)
- md5crypt (MD5-based crypt)
- bcrypt (Blowfish crypt)
- sha256crypt (SHA-256 crypt)
- sha512crypt (SHA-512 crypt)
- nt (Windows NTLM)
- lm (Windows LM)
- raw-md5 (raw MD5)
- raw-sha1 (raw SHA-1)
To list all supported formats: john --list=formats
Configuration File Details
The john.conf file is organized into sections:
- [Options]: Global settings like pot file path, default wordlist.
- [Incremental:Modes]: Defines character sets for incremental mode.
- [List.Rules:Wordlist]: Defines rules for wordlist mode.
- [External]: Contains external mode functions.
Example snippet:
[Incremental:All]
# charset file generated with --make-charset; 95 printable ASCII characters
File = $JOHN/all.chr
MinLen = 1
MaxLen = 8
CharCount = 95

Cracking Windows Hashes
To crack Windows hashes, first extract them using tools like pwdump or mimikatz. The format is typically username:RID:LMhash:NThash:::.
Example:
Administrator:500:NO PASSWORD*********************:AAD3B435B51404EEAAD3B435B51404EE:::

John can crack both LM and NT hashes. LM hashes are weak and can be cracked quickly. Command:
john --format=nt hashes.txt

Cracking Linux Hashes
Linux password hashes are stored in /etc/shadow. They are usually in the format $id$salt$hash. For example:
user:$6$salt$hash:18000:0:99999:7:::

John automatically detects the hash type. To crack:
john hashes.txt

Using Rules with Wordlist
To apply rules, use the --rules flag. You can specify a rule set:
john --wordlist=rockyou.txt --rules=Single hashes.txt

Incremental Mode Configuration
Incremental mode uses a charset file. John includes several pre-defined modes: All, Alpha, Digits, LanMan. You can define custom modes in john.conf.
External Mode Example
External mode allows custom code. Example from john.conf:
[External:Filter]
void filter()
{
	int i, c;

	i = 0;
	/* walk the candidate word; 'a'..'z' minus 32 is the ASCII uppercase letter */
	while (c = word[i++])
		if (c >= 'a' && c <= 'z')
			word[i-1] = c - 32;
}

This filter converts all lowercase letters in each candidate to uppercase.
Session Management
John saves progress every 600 seconds (default). To resume a session:
john --restore=sessionname hashes.txt

Output and Logging
Cracked passwords are stored in the pot file. To show cracked passwords:
john --show hashes.txt

The log file (default ~/.john/john.log) records all activity.
Integration with Other Tools
John can work with:
- Hashcat: John can generate hash files that Hashcat can use.
- Hydra: John can crack passwords offline, Hydra for online brute force.
- Metasploit: John can crack hashes obtained from Metasploit modules.
- Unshadow: Tool that combines /etc/passwd and /etc/shadow into a format John can use.
Common Command Examples
Crack a single hash:
john --format=raw-md5 hash.txt

Use a specific wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Show cracked passwords:
john --show hashes.txt

Benchmark performance:
john --test=0

Crack with incremental mode:
john --incremental=All hashes.txt

Security Considerations
John should only be used on systems you own or have explicit permission to test.
Always use strong, unique passwords to resist cracking.
John can be detected by antivirus; use caution in live environments.
Obtain Password Hashes
First, you need to acquire the password hashes from the target system. On Linux, this typically involves reading /etc/shadow (requires root). On Windows, you can use tools like pwdump, mimikatz, or fgdump to extract NTLM hashes from the SAM database. The hashes must be in a format John can read. For Linux, you may need to combine /etc/passwd and /etc/shadow using the 'unshadow' command. Example: `unshadow passwd shadow > hashes.txt`. For Windows, pwdump output is directly usable. Ensure you have proper authorization before obtaining hashes.
Identify Hash Type
John can auto-detect the hash type, but it's often beneficial to identify it manually for performance. You can use the `--format` flag to specify the hash type. To see supported formats: `john --list=formats`. Common formats: nt (NTLM), lm (LM), md5crypt, sha512crypt, bcrypt. If unsure, let John auto-detect by not specifying a format. However, specifying the correct format speeds up cracking because John won't waste time trying to match against many formats. Use `hashid` or `hash-identifier` tools to help identify the hash type.
Choose Attack Mode
Select the appropriate attack mode based on your goals and resources. For quick wins, use Single Crack Mode which leverages account information. For a wordlist attack, use `--wordlist` with a large dictionary like rockyou.txt. For maximum coverage, use Incremental Mode, but be aware it can take a very long time. You can also combine modes: start with wordlist, then use rules, then incremental. John allows session management, so you can run multiple modes sequentially. Consider the time available and the strength of the passwords.
Configure Rules and Options
Edit john.conf to customize rules, character sets, and performance settings. For wordlist attacks, you can apply rules using `--rules`. Common rule sets: Single, Wordlist, Extra, Jumbo. You can also create custom rules. For incremental mode, define the character set (e.g., loweralpha, digits) and length range. Performance options: `--fork=N` to use multiple CPU cores, `--mem-file-size` to control memory usage. Set session name with `--session=name` to manage multiple sessions. These options can significantly impact cracking speed.
Run John and Monitor Progress
Execute John with your chosen options. For example: `john --wordlist=rockyou.txt --rules=Single hashes.txt`. John will display progress, including cracked passwords as they are found. You can press Ctrl+C to pause and later resume with `--restore`. Monitor the pot file (`john --show hashes.txt`) to see cracked passwords. John saves progress periodically (default every 600 seconds) to the session file. Use `--status` to check progress without interrupting. If you need to stop, John will save state and you can resume later.
Analyze Results and Report
After cracking, review the results. Use `john --show hashes.txt` to list all cracked passwords. For uncracked hashes, consider trying different attack modes or larger wordlists. Document the cracked passwords and their associated usernames. In a penetration test, this information can be used to demonstrate weak password policy. Also note the time taken and the number of passwords cracked. Provide recommendations for password policy improvements, such as minimum length, complexity requirements, and use of multi-factor authentication.
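The workflow above (merge passwd and shadow, skip what the pot file already holds, report the cracked share) can be modelled offline. This is an added example, not the unshadow or john code; it reproduces the unshadow merge, reads john.pot lines of the form hash:password, separates already-cracked accounts from those a new run would attack, and computes the percentage for the report. All lines and hash values are constructed placeholders.

```python
def unshadow(passwd_lines, shadow_lines):
    """Merge /etc/passwd and /etc/shadow as unshadow(1) does: the 'x' in
    passwd's second field is replaced by the hash from shadow, keeping the
    GECOS field that single crack mode draws its guesses from."""
    hashes = {}
    for line in shadow_lines:
        f = line.rstrip("\n").split(":")
        if len(f) >= 2:
            hashes[f[0]] = f[1]
    merged = []
    for line in passwd_lines:
        f = line.rstrip("\n").split(":")
        if len(f) >= 2:
            f[1] = hashes.get(f[0], f[1])
            merged.append(":".join(f))
    return merged


def load_pot(pot_lines):
    """Parse john.pot lines of the form hash:password."""
    cracked = {}
    for line in pot_lines:
        h, sep, pw = line.rstrip("\n").partition(":")
        if sep:
            cracked[h] = pw
    return cracked


def split_by_pot(merged, cracked):
    """Mimic John's pot-file check: accounts whose hash is already in the pot
    are reported (as --show does); the rest are what a new run would attack.
    Locked (!/*) and hashless entries are neither."""
    shown, remaining = [], []
    for line in merged:
        f = line.split(":")
        h = f[1]
        if h in cracked:
            shown.append(f"{f[0]}:{cracked[h]}")
        elif h in ("", "x") or h.startswith(("!", "*")):
            continue
        else:
            remaining.append(line)
    return shown, remaining


def summary(shown, remaining):
    """Cracked count and percentage over crackable accounts, for the report."""
    total = len(shown) + len(remaining)
    pct = round(100.0 * len(shown) / total, 1) if total else 0.0
    return {"cracked": len(shown), "remaining": len(remaining), "percent": pct}


# Constructed sample files (hashes are placeholders, not real hashes).
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob Example:/home/bob:/bin/sh",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]
SAMPLE_SHADOW = [
    "root:$6$rootsalt$ROOTHASH:18000:0:99999:7:::",
    "alice:$6$asalt$AHASH:18000:0:99999:7:::",
    "bob:$6$bsalt$BHASH:18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
]
SAMPLE_POT = ["$6$asalt$AHASH:Summer2023"]

if __name__ == "__main__":
    shown, remaining = split_by_pot(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW), load_pot(SAMPLE_POT))
    print(shown, remaining, summary(shown, remaining))
```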
Scenario 1: Enterprise Active Directory Password Audit
A large enterprise with 10,000 domain users wants to assess password strength. The penetration tester obtains NTLM hashes from a domain controller using a tool like fgdump or mimikatz (with proper authorization). The hashes are stored in a file ntlm.txt. The tester first runs a quick wordlist attack using the top 10,000 most common passwords from the rockyou list: john --wordlist=top10000.txt ntlm.txt. Within minutes, John cracks 15% of passwords. Next, the tester applies rules to the same wordlist: john --wordlist=top10000.txt --rules=Single ntlm.txt. This cracks an additional 10%. For high-value accounts (domain admins), the tester runs an incremental attack limited to 8 characters: john --incremental=All --max-len=8 ntlm.txt. This takes several days on a 16-core server but cracks a few more. The final report shows that 30% of passwords are weak, leading to a policy change requiring passphrases and MFA.
Scenario 2: Linux Server Password Cracking
A security auditor is assessing a Unix server farm. Using root access, they extract the shadow file from each server. They use unshadow to combine with /etc/passwd into hashes.txt. The hashes are SHA-512 crypt ($6$). The auditor uses a custom wordlist built from company terms, sports teams, and common patterns: john --wordlist=company_words.txt hashes.txt. They also enable rules to try leetspeak substitutions: --rules=Extra. After 24 hours, they crack 40% of passwords. For the remaining hashes, they switch to incremental mode limited to 6 characters: john --incremental=LowerNum --max-len=6 hashes.txt. This cracks a few more. The auditor notes that many passwords are based on the company name, leading to a recommendation to block such patterns.
Common Pitfalls
Overlooking LM hashes: In Windows environments, LM hashes are often present and extremely weak. Always crack LM hashes first as they can reveal the NT hash password.
Not using rules: Plain wordlist attacks miss many passwords that are simple mutations. Always apply at least basic rules.
Incorrect format: Using the wrong format flag can slow down or prevent cracking. Use --format=auto or let John detect.
Not resuming sessions: If interrupted, use --restore to continue from where you left off, avoiding wasted time.
What PT0-002 Tests on John the Ripper
The CompTIA PenTest+ exam (PT0-002) focuses on practical knowledge of John the Ripper within Domain 5.0 (Tools and Code Analysis) and Domain 3.0 (Attacks and Exploits). Specific objectives include:
- 5.1: Given a scenario, use the appropriate tool to assess the security posture of an organization. John is a key tool for password cracking.
- 5.2: Explain the use of scripting languages and tools for penetration testing. John's configuration and modes are tested.
- 3.5: Explain common attacks and exploits. Password cracking attacks using John are covered.
Common Wrong Answers and Why Candidates Choose Them
Choosing Hashcat over John for all scenarios: Hashcat is faster for GPU cracking, but John is more versatile for CPU and supports more hash types. The exam expects you to know when to use each.
Assuming John only cracks Linux passwords: John cracks Windows, macOS, and many other systems. Candidates often forget Windows NTLM support.
Using `--format=raw-md5` for all hashes: Many hashes are salted; raw-md5 is unsalted. Candidates may ignore salt, leading to incorrect cracking.
Believing incremental mode is always best: Incremental is powerful but slow. For quick assessments, wordlist with rules is more practical.
Specific Numbers, Values, and Terms on the Exam
Pot file location: ~/.john/john.pot (or %HOME%/.john/john.pot on Windows).
Default session save interval: 600 seconds.
Common hash formats: $1$ (MD5 crypt), $5$ (SHA-256 crypt), $6$ (SHA-512 crypt), $2y$ (bcrypt).
Wordlist mode flag: --wordlist.
Single crack mode: --single.
Incremental mode: --incremental.
Rules flag: --rules.
Show cracked: --show.
Unshadow tool: Used to combine passwd and shadow files.
Edge Cases and Exceptions
Empty passwords: John may crack them instantly; they appear as blank in the pot file.
Locked accounts: John cannot crack an account that is locked; its hash may be unavailable.
Very long passwords: Incremental mode with high max length may be impractical.
Binary hashes: Some hashes are in binary format; John may need conversion.
How to Eliminate Wrong Answers
If the question mentions 'fast GPU cracking', think Hashcat, not John.
If the question involves 'rule-based mangling', John's --rules is correct.
If the question asks for 'cracking Windows hashes', John's --format=nt is appropriate.
If the question describes 'using username as password guess', John's single crack mode is the answer.
Remember that John can be used offline; if the attack is online (e.g., against a login page), the tool is Hydra or Medusa, not John.
John the Ripper is a CPU-based password cracking tool supporting over 200 hash types.
Common attack modes: single crack, wordlist, incremental, and external.
Use `--wordlist` with `--rules` for efficient cracking; incremental is slow but thorough.
The pot file (`~/.john/john.pot`) stores cracked passwords to avoid repetition.
John can crack Windows NTLM hashes with `--format=nt`.
The `unshadow` tool combines /etc/passwd and /etc/shadow for Linux cracking.
John saves session state every 600 seconds; resume with `--restore`.
Always use proper authorization; John is for authorized testing only.
On the exam, know the difference between John (offline) and Hydra (online).
John's configuration file (john.conf) controls rules, charsets, and modes.
These come up on the exam all the time. Here's how to tell them apart.
John the Ripper
- CPU-optimized; uses multiple threads via --fork.
- Supports over 200 hash types including many legacy formats.
- Configuration via john.conf; includes rule sets and external modes.
- Built-in single crack mode using account info.
- Session management with automatic saving every 600 seconds.
Hashcat
- GPU-optimized; uses OpenCL or CUDA for massive parallelism.
- Supports over 300 hash types but fewer legacy formats.
- Configuration via command-line flags and rule files; more flexible.
- No single crack mode; relies on wordlists and rules.
- Session management with --session and --restore; saves on Ctrl+C.
Mistake
John the Ripper can only crack Unix passwords.
Correct
John supports many hash types including Windows NTLM, LM, macOS, and application-specific hashes. Use `--format=nt` for Windows NTLM hashes.
Mistake
John always uses brute force (incremental mode) as default.
Correct
John's default mode is 'single crack' which uses account information. You must explicitly select incremental mode with `--incremental`.
Mistake
John cannot crack salted hashes.
Correct
John can crack salted hashes like md5crypt and sha512crypt. The salt is included in the hash string, and John handles it automatically.
Mistake
John the Ripper is only a command-line tool with no GUI.
Correct
While primarily CLI, there is a community-supported GUI called Johnny that provides a graphical interface for John.
Mistake
John's pot file stores cracked passwords in plaintext and can be read by anyone.
Correct
The pot file is stored in the user's home directory (`~/.john/john.pot`) with restricted permissions (typically 600). Only the user who ran John can read it.
First, extract NTLM hashes using a tool like pwdump or mimikatz. Save them in a file (e.g., hashes.txt). Then run: `john --format=nt hashes.txt`. To use a wordlist: `john --wordlist=rockyou.txt --format=nt hashes.txt`. John will auto-detect the format if you omit `--format=nt`, but specifying it speeds up cracking. The pot file will store cracked passwords. Use `john --show --format=nt hashes.txt` to view results.
Single crack mode uses account information (username, GECOS field) to generate password guesses. It is very fast and works well for weak passwords. Wordlist mode uses an external dictionary file. Single mode is best for initial quick checks; wordlist mode is for larger-scale cracking. Both can be combined with rules. Single mode is invoked with `--single`, wordlist with `--wordlist=file`.
If John was interrupted (e.g., Ctrl+C), it saves the session automatically every 600 seconds. To resume, use the same command but add `--restore` and the session name if you used `--session`. Example: `john --restore=sessionname hashes.txt`. If you didn't specify a session name, John uses a default session file. You can also use `--restore` without a name to resume the last session.
Yes, John supports bcrypt hashes (format: `$2a$`, `$2b$`, `$2y$`). Bcrypt is intentionally slow, so cracking takes longer. John uses CPU and can be slow against bcrypt. For faster bcrypt cracking, consider using Hashcat with a GPU. Use `--format=bcrypt` or let John auto-detect.
The pot file stores all successfully cracked passwords along with the corresponding hash and username. Its purpose is to avoid re-cracking the same password in future sessions. When you run John again, it checks the pot file and skips already cracked hashes. It also allows you to view cracked passwords with `--show`. Default location is `~/.john/john.pot`.
Custom rules are defined in john.conf under the `[List.Rules:Wordlist]` section (or another rule set section). Each rule is a line of rule commands. For example, to append '123' to each word, the rule is `$1$2$3`; the bracket form `$[1-9][2-9][3-9]` is expanded by John's preprocessor into many rules, one per digit combination, rather than a single rule. You can also use pre-defined rules like `Single`, `Extra`, `Jumbo`. To use your custom rule set, specify `--rules=YourRuleSetName`.
The `--fork=N` option tells John to spawn N processes, each working on a subset of the hashes. This uses multiple CPU cores in parallel, significantly speeding up cracking on multi-core systems. For example, `john --fork=4 hashes.txt` uses 4 processes. Note that `--fork` is only available on Unix-like systems; Windows uses threads differently.