DAY 5 OF 180
KALI LINUX MASTERY COURSE
FREE — ALL 180 DAYS


🔵 Day 5 — John The Ripper Tutorial

Authorised use only. John the Ripper cracks hashes captured from systems you have authorised access to test. The commands in this tutorial use hashes from your own Metasploitable2 lab VM or practice hash files you create yourself. Cracking hashes obtained without authorisation is illegal.

New to labs? → Ethical Hacking Lab Setup at Home · Metasploitable Labs Hub


On Day 4 you used Hydra to test whether a live service would accept a weak password. Today you go one step deeper. Once you have initial access to a system — through Hydra, through an exploit, through any authorised entry point — you will often find password hashes: in /etc/shadow, in a dumped database, in a Windows SAM file, inside a locked archive. These hashes are not passwords. But they can become passwords — and John the Ripper is the tool that makes that happen, offline, at CPU speed, with no trace on the target system.

Day 5 covers John the Ripper completely — hash identification, combining shadow files, every cracking mode, rule-based attacks, and the entire family of file converters (zip2john, rar2john, pdf2john, ssh2john). All practised on hashes you generate yourself in your lab. By the end you will understand why password hashing exists, why it can still be defeated, and how to crack practical targets in authorised assessments.


What Is John the Ripper?

John the Ripper (JtR) is a free, open-source offline password hash cracker — one of the oldest and most widely used security tools still in active development. It takes password hashes (the stored representations of passwords, not the passwords themselves) and attempts to find the original plaintext by hashing candidate passwords and comparing results until a match is found.

Three things make John particularly useful for penetration testers:

AUTO FORMAT DETECTION
John automatically identifies the hash format from the hash string structure — MD5, SHA-1, SHA-512, NTLM, bcrypt, and hundreds more. No need to specify the format manually in most cases.

BUILT-IN FILE CONVERTERS
The *2john family (zip2john, rar2john, pdf2john, ssh2john, keepass2john) converts protected files into hash format that John can crack — no manual extraction needed.

MULTIPLE ATTACK MODES
Single crack (tries username variations), wordlist (dictionary attack), incremental (brute force all combinations), and rule-based (wordlist + mangling rules). Each serves a different cracking scenario.

📚 Day 5 in context: Day 4 used Hydra for online cracking against live services. John is the offline counterpart — it works on hashes you have already captured. In a real pentest, you use Hydra before gaining access (testing login pages), then John after gaining access (cracking extracted hashes from /etc/shadow). Together they cover both sides of credential attacks.

Identifying Hash Types — Before You Crack Anything

Before cracking a hash you need to know what type it is — the cracking algorithm depends entirely on the hash format. Hash formats have distinctive visual patterns you will learn to recognise, and Kali Linux ships with hash-identifier to automate this when you are unsure.

# ─── Common hash format patterns ─────────────────────────────────
$1$salt$hash…..                             # MD5 crypt (md5crypt) — 22 chars after the salt
$2y$10$salt..hash…..                        # bcrypt — very slow to crack
$5$salt$hash…..                             # SHA-256 crypt (sha256crypt)
$6$salt$hash…….                             # SHA-512 crypt (sha512crypt) — modern default
5f4dcc3b5aa765d61d8327deb882cf99            # MD5 — 32 hex chars (a bare NTLM hash has the same shape)
aad3b435b51404eeaad3b435b51404ee:8846F…     # Windows hashdump LM:NT pair — the NT hash is the 32 hex chars after the colon; aad3b… is the empty-LM placeholder
da39a3ee5e6b4b0d3255bfef95601890afd80709    # SHA-1 — 40 hex chars

# ─── hash-identifier tool (interactive) ──────────────────────────
hash-identifier
HASH: 5f4dcc3b5aa765d61d8327deb882cf99
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

# ─── List all John formats ────────────────────────────────────────
john --list=formats                  # full list (400+ formats)
john --list=formats | grep -i sha    # filter for SHA variants
john --list=formats | grep -i ntlm   # find the NTLM format name
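The visual patterns above can be turned into a small identifier that reports which `--format` name(s) to hand to John. This is an added example, not part of the tutorial or of John itself; the regular expressions encode the shapes listed above, and the sample hashes in the `__main__` block are constructed placeholders.

```python
import re

# Table of the patterns listed above, keyed by the John --format name you would
# pass on the command line. Plain 32-hex digests are ambiguous (Raw-MD5 or NT),
# so identify() returns every format whose pattern matches, like hash-identifier.
PATTERNS = [
    ("md5crypt",    re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("bcrypt",      re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha256crypt", re.compile(r"^\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$")),
    ("sha512crypt", re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("Raw-MD5",     re.compile(r"^[0-9a-fA-F]{32}$")),
    ("NT",          re.compile(r"^[0-9a-fA-F]{32}$")),
    ("Raw-SHA1",    re.compile(r"^[0-9a-fA-F]{40}$")),
]

# Metasploit hashdump line: user:RID:LM:NT::: (the NT hash is the fourth field)
HASHDUMP = re.compile(r"^[^:]+:\d+:[0-9a-fA-F]{32}:([0-9a-fA-F]{32}):::$")


def identify(line):
    """Return the list of John format names whose pattern matches the hash in line."""
    line = line.strip()
    if HASHDUMP.match(line):
        return ["NT"]
    # shadow / unshadow style "user:$6$...:..." lines: look at the second field only
    fields = line.split(":")
    if len(fields) > 1 and fields[1].startswith("$"):
        line = fields[1]
    return [name for name, rx in PATTERNS if rx.match(line)]


if __name__ == "__main__":
    # Constructed sample hashes (salts and digests are placeholders, not real output)
    samples = [
        "5f4dcc3b5aa765d61d8327deb882cf99",            # MD5 of "password"
        "da39a3ee5e6b4b0d3255bfef95601890afd80709",    # SHA-1 of the empty string
        "$1$uY2BPPnx$" + "a" * 22,                     # md5crypt shape
        "$6$saltsalt$" + "b" * 86,                     # sha512crypt shape
        "admin:500:aad3b435b51404eeaad3b435b51404ee:" + "c" * 32 + ":::",
    ]
    for s in samples:
        print(f"{s[:40]:<42} -> {identify(s) or ['unknown']}")
```

When the result lists more than one format, run John once per candidate with an explicit `--format`, exactly as the "Specify format explicitly" commands later in this post do.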


/etc/shadow Cracking — The Core Workflow

On Linux systems, user passwords are stored as hashes in /etc/shadow — readable only by root. After gaining root access to a system in an authorised penetration test, extracting and cracking these hashes is a standard post-exploitation step that demonstrates the full impact of weak passwords across all accounts on the system.


Kali Linux — John the Ripper /etc/shadow Workflow (Authorised Lab: Metasploitable2)
# ─── Step 1: On Metasploitable2 (as root) — grab both files ─────
root@metasploitable:~# cat /etc/passwd > /tmp/passwd.txt
root@metasploitable:~# cat /etc/shadow > /tmp/shadow.txt
# ─── Step 2: Transfer files to Kali (from Kali terminal) ─────────
┌──(kali㉿kali)-[~]
└─$ scp msfadmin@192.168.56.101:/tmp/passwd.txt .
└─$ scp msfadmin@192.168.56.101:/tmp/shadow.txt .
# ─── Step 3: Combine with unshadow ──────────────────────────────
└─$ unshadow passwd.txt shadow.txt > combined.txt
└─$ head -3 combined.txt
root:$1$uY2BPPnx$bXEDyQXbA7:0:0:root:/root:/bin/bash
msfadmin:$1$XN10Zj2c$Rt:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
# ─── Step 4: Crack with wordlist mode ────────────────────────────
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (md5crypt, MD5 [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort...
msfadmin         (msfadmin)
batman           (sys)
123456789        (klog)
# ─── Step 5: Show all cracked passwords ─────────────────────────
└─$ john --show combined.txt
msfadmin:msfadmin:1000:1000:…
sys:batman:3:3:…
klog:123456789:103:104:…
3 password hashes cracked, 4 left

John the Ripper /etc/shadow workflow — five steps: extract both files from Metasploitable2, transfer to Kali, combine with unshadow, crack with rockyou.txt, show results. Three passwords cracked: msfadmin (same as username), sys (batman), klog (123456789). All weak passwords found in the top 100K of rockyou.txt. In a real pentest report: all three are HIGH severity — trivially guessable credentials on system accounts.
1. Extract /etc/passwd and /etc/shadow
   Requires root on the target. Both files are needed: passwd holds the usernames, shadow holds the hashes. Run cat /etc/shadow on your Metasploitable2 VM.
2. Combine with unshadow
   unshadow passwd.txt shadow.txt > combined.txt
3. Crack with John
   john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt
4. Show cracked passwords
   john --show combined.txt
   # Results are stored in ~/.john/john.pot and persist between sessions
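To see exactly what unshadow does to the two files, here is the merge written out in Python. This is an added example, not the tutorial's or John's own code; the passwd and shadow text is constructed in the layout of the Metasploitable2 transcript above, with hash values that are placeholders (truncated like the transcript's), and unlike the real utility it also separates out locked or password-less accounts so you know up front how many hashes John will actually load.

```python
# Constructed sample files in the layout of the transcript above
# (hash fields are placeholders, not real digests).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
sys:x:3:3:sys:/dev:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
SHADOW = """\
root:$1$uY2BPPnx$bXEDyQXbA7:14747:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt:14747:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
nobody:*:14684:0:99999:7:::
"""


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way unshadow does: the 'x' in the password
    field of each passwd line is replaced by that user's hash from shadow.

    Accounts whose shadow field is '*', '!...' or empty (locked / no password),
    or that have no shadow entry at all, are returned separately instead of
    being merged: John loads nothing from them, which is why the "Loaded N
    password hashes" line is usually smaller than the number of accounts.
    Returns (combined_lines, skipped_users)."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, hash_field = line.split(":", 2)[:2]
            hashes[user] = hash_field
    combined, skipped = [], []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        h = hashes.get(fields[0], fields[1])      # stays "x" if user is not in shadow
        if h in ("", "*", "x") or h.startswith("!"):
            skipped.append(fields[0])
            continue
        fields[1] = h
        combined.append(":".join(fields))
    return combined, skipped


if __name__ == "__main__":
    lines, skipped = unshadow(PASSWD, SHADOW)
    print("\n".join(lines))
    print(f"# {len(lines)} crackable hashes, {len(skipped)} skipped: {', '.join(skipped)}")
```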

The 3 Cracking Modes — Choosing the Right Approach

MODE 1
Single Crack Mode — Fastest, Smartest First
Tries username variations. Run before wordlist mode — often finds passwords instantly.

# Single mode: tries variations of the username as the password
# msfadmin → msfadmin, Msfadmin, MSFADMIN, msfadmin1, etc.
john --single combined.txt

# Single mode with an explicit format (when auto-detect picks the wrong one):
john --single --format=sha512crypt combined.txt

MODE 2
Wordlist Mode — Dictionary Attack
Most commonly used. Tries every word in the list. Add --rules for a massive coverage boost.

# Basic wordlist mode:
john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt

# Wordlist + rules (best coverage, see the rules section below):
john --wordlist=/usr/share/wordlists/rockyou.txt --rules combined.txt

# With the Jumbo ruleset (more aggressive mangling):
john --wordlist=rockyou.txt --rules=Jumbo combined.txt

MODE 3
Incremental Mode — Brute Force All Combinations
Tries every possible character combination. Guaranteed to work eventually — but may take years on strong passwords.

# Incremental (all printable chars) — very slow on long passwords:
john --incremental combined.txt

# Incremental digits only — fast for PIN-style passwords:
john --incremental=Digits combined.txt

# Incremental lowercase only:
john --incremental=Lower combined.txt

# Practical use: only for short passwords (≤6 chars) or digit PINs


Wordlist Mode in Depth — Choosing and Using Wordlists

# ─── Prepare rockyou.txt (decompress once) ───────────────────────
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# ─── Basic wordlist crack ─────────────────────────────────────────
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# ─── Specify format explicitly (when auto-detect fails) ──────────
john --wordlist=rockyou.txt --format=NT hashes.txt           # NTLM
john --wordlist=rockyou.txt --format=sha512crypt hashes.txt  # SHA-512
john --wordlist=rockyou.txt --format=md5crypt hashes.txt     # MD5 Linux
john --wordlist=rockyou.txt --format=bcrypt hashes.txt       # bcrypt

# ─── Create a practice hash file yourself ────────────────────────
echo -n "password123" | md5sum                               # make an MD5 hash
482c811da5d5b4bc6d497ffa98491e38 ← paste this hash (without the trailing "-") into test.txt
john --wordlist=rockyou.txt --format=Raw-MD5 test.txt        # crack it

💡 Practice safely: Create your own test hashes with echo -n "yourword" | md5sum or sha256sum. Paste the hash into a text file. Crack it with John. This lets you test every mode and format without needing a lab VM ready. You know the answer before you start — perfect for learning. See also: Password Cracking Explained and How Hackers Crack Passwords in Seconds.

Rule-Based Cracking — The Biggest Coverage Multiplier

Rules are the most underused feature in John the Ripper. A rule takes each word from your wordlist and generates dozens of variations — capitalisation patterns, number appending, l33t substitutions, prefix/suffix additions. A 14-million-word rockyou.txt with --rules effectively tests hundreds of millions of password candidates, covering the most common real-world password creation patterns.

# ─── What --rules does to each wordlist word ─────────────────────
# Input word: "password"
password → password, Password, PASSWORD, password1, password!
→ p@ssword, passw0rd, p@ssw0rd, Password123, password2024
→ drowssap (reversed), Password! Password@ Password#

# ─── Run wordlist + default rules ────────────────────────────────
john --wordlist=rockyou.txt --rules hashes.txt

# ─── Run wordlist + Jumbo rules (more thorough) ──────────────────
john --wordlist=rockyou.txt --rules=Jumbo hashes.txt

# ─── Run wordlist + KoreLogic rules (comprehensive) ──────────────
john --wordlist=rockyou.txt --rules=KoreLogicRules hashes.txt

# ─── View which rules are available ──────────────────────────────
john --list=rules
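The same expansion is what a password policy should run in reverse: a new password that a wordlist-plus-rules run would reach is not worth accepting. The following is an added example, not the tutorial's or John's code; it implements just the rule effects illustrated above (case variants, the l33t substitutions shown, common suffixes, reversal) over a constructed three-word list standing in for rockyou.txt, and uses the result as a deny-list.

```python
# Substitutions used by the l33t examples above
LEET = {"a": "@", "o": "0", "e": "3", "i": "1"}
SUFFIXES = ("1", "!", "@", "#", "123", "2024")


def mangle(word):
    """Expand one wordlist entry the way the rule examples above do: case variants,
    l33t substitutions (full and single-letter), common suffixes, and reversal.
    Returns the set of candidates such a rule run would try for this word."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    leet = set()
    for b in list(bases):
        leet.add("".join(LEET.get(ch, ch) for ch in b))     # p@ssw0rd
        for ch, sub in LEET.items():                        # p@ssword, passw0rd, ...
            leet.add(b.replace(ch, sub))
    bases |= leet
    candidates = set(bases)
    for b in bases:
        for s in SUFFIXES:
            candidates.add(b + s)                           # Password123, password2024
    candidates.add(word[::-1])                              # drowssap
    return candidates


def build_denylist(wordlist):
    """Every candidate a rule run over this wordlist would generate."""
    deny = set()
    for w in wordlist:
        deny |= mangle(w)
    return deny


def check_password(candidate, denylist):
    """Policy check: a password a rule-based run would reach is rejected.
    Returns None when acceptable, otherwise the reason."""
    if candidate in denylist:
        return "would be cracked by wordlist + rules"
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt
    deny = build_denylist(["password", "dragon", "batman"])
    for pw in ("P@ssw0rd!", "Batman123", "drowssap", "correct-horse-battery-staple"):
        print(f"{pw:<30} {check_password(pw, deny) or 'ok'}")
    print(f"{len(deny)} candidates from 3 words")
```

Even this handful of rules turns one word into 64 candidates; John's real rulesets are far larger, which is why the tutorial's rockyou.txt estimate runs to hundreds of millions.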


File Password Cracking — zip2john, rar2john, pdf2john & More

The *2john utilities extract the password hash from a protected file so John can crack it. This family of tools covers almost every common password-protected file format encountered in penetration testing.


THE *2JOHN FAMILY — CRACK ANY PROTECTED FILE FORMAT
📦 ZIP FILES
zip2john protected.zip > zip.hash
john --wordlist=rockyou.txt zip.hash
john --show zip.hash

📦 RAR FILES
rar2john protected.rar > rar.hash
john --wordlist=rockyou.txt rar.hash
john --show rar.hash

📄 PDF FILES
pdf2john protected.pdf > pdf.hash
john --wordlist=rockyou.txt pdf.hash
john --show pdf.hash

🔑 SSH PRIVATE KEYS
ssh2john id_rsa > ssh.hash
john --wordlist=rockyou.txt ssh.hash
john --show ssh.hash

🗄️ KEEPASS DATABASE
keepass2john database.kdbx > kp.hash
john --wordlist=rockyou.txt kp.hash
john --show kp.hash

🪟 WINDOWS NTLM
# From Metasploit hashdump (user:RID:LM:NT:::):
admin:500:aad3b…:8846F…::
john --format=NT --wordlist=rockyou.txt ntlm.txt

Pattern: [format]2john [file] > [hash_file] → john --wordlist=[list] [hash_file] → john --show [hash_file]

The *2john File Converter Family — six file types with a consistent three-step workflow: convert to hash → crack with wordlist → show result. Covers ZIP, RAR, PDF, SSH private keys, KeePass databases, and Windows NTLM hashes. The pattern is always the same: extract the hash from the file, then crack the hash with John. Create your own practice files: zip -e test.zip test.txt (set a simple password), then run zip2john on test.zip and crack the resulting hash with John.
# ─── Create a practice ZIP file to crack ─────────────────────────
echo "secret data" > secret.txt
zip -e protected.zip secret.txt          # prompts for a password: use "iloveyou"

# Extract the hash:
zip2john protected.zip > zip_hash.txt

# Crack it:
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

# Show result:
john --show zip_hash.txt
protected.zip:iloveyou::protected.zip:secret.txt:protected.zip


Sessions, Show & Restore — Managing Long Cracks

# ─── Named sessions (resume large jobs) ──────────────────────────
john --wordlist=rockyou.txt --session=mycrack hashes.txt
# Ctrl-C to pause · resume with:
john --restore=mycrack

# ─── Show all cracked passwords ───────────────────────────────────
john --show hashes.txt
john --show --format=NT hashes.txt    # specify the format if needed

# ─── View the pot file (all previously cracked) ──────────────────
cat ~/.john/john.pot
# Results persist here — John won't retry already-cracked hashes

# ─── Check progress during a running crack ────────────────────────
# Press almost any key during a john run to see status:
1234p 0:00:00:30 3% (ETA: 10:23:42) 41.1p/s "dragon"
# 1234 passwords tried, 30 sec elapsed, 3% done, 41 per second


John the Ripper vs Hashcat — When to Use Each

Aspect           | John the Ripper                            | Hashcat
Processing       | CPU-based                                  | GPU-based — 10–100× faster
Format detection | Automatic                                  | Manual (-m flag with number)
File converters  | Built-in (zip2john, pdf2john…)             | None (use john's converters)
Ease of use      | Simpler — auto-detects, fewer flags        | More flags, steeper learning curve
Best for         | Learning, small hash sets, file passwords  | Large hash files, production cracking
In pentest order | First — learn here, quick wins             | Scale up — when John is too slow
💡 Use both together: Extract hashes and convert files with John’s *2john utilities. If John’s wordlist + rules mode doesn’t crack them, feed the same hash file into Hashcat for GPU-accelerated cracking. The tools complement each other. Full guide: Day 10: How Password Attacks Work.

📋 John the Ripper Command Reference Card


JOHN THE RIPPER REFERENCE — KALI LINUX COURSE DAY 5 — securityelites.com
CORE WORKFLOW
unshadow passwd.txt shadow.txt > c.txt
john --wordlist=rockyou.txt c.txt
john --show c.txt

MODES
john --single hashes.txt
john --wordlist=rockyou.txt --rules hashes.txt
john --incremental=Digits hashes.txt

FILE CONVERTERS
zip2john file.zip > hash.txt
rar2john file.rar > hash.txt
pdf2john file.pdf > hash.txt
ssh2john id_rsa > hash.txt

SESSION & SHOW
john --session=name hashes.txt
john --restore=name
john --show hashes.txt
cat ~/.john/john.pot

FORMAT FLAGS
--format=NT           # NTLM
--format=sha512crypt  # Linux SHA-512
--format=md5crypt     # Linux MD5
--format=Raw-MD5      # plain MD5

IDENTIFY HASHES
hash-identifier
john --list=formats
john --list=formats | grep sha

John the Ripper Command Reference Card — Day 5 Kali Linux Course. Six panels: core /etc/shadow workflow, three cracking modes, file converters (*2john family), session/show management, format flags, and hash identification. Screenshot for your second monitor. The recommended cracking order: single crack first → wordlist → wordlist+rules → incremental (last resort).

Day 5 Complete — 175 Tools Still to Come
The Full Kali Linux Course — One Tool Per Day.
180 Days. All Free. No Registration.

Five days in you can scan networks, find hidden directories, brute-force live services, and crack extracted hashes. The toolkit is growing. Day 6 continues the build.

Frequently Asked Questions – John the Ripper Tutorial

What is John the Ripper used for?
Offline password hash cracking — /etc/shadow hashes, Windows NTLM hashes, ZIP/RAR/PDF file passwords, SSH key passphrases, KeePass databases. Operates entirely offline: once you have the hashes, no network connection to the target is needed. Standard post-exploitation step in authorised penetration tests.
What is the difference between John the Ripper and Hashcat?
John: CPU-based, automatic hash detection, built-in file converters (*2john), easier to use — best for learning and small hash sets. Hashcat: GPU-based (10–100× faster), manual format specification, no built-in converters, steeper learning curve — best for large hash files in production. Use both together: John for conversion and quick wins, Hashcat to scale up.
What is unshadow in John the Ripper?
A utility that combines /etc/passwd (usernames, world-readable) and /etc/shadow (hashes, root-only) into a single file that John can process. Usage: unshadow passwd.txt shadow.txt > combined.txt. Required before cracking Linux system password hashes.
How do I crack a ZIP file password with John the Ripper?
Two steps: (1) zip2john file.zip > zip.hash (2) john --wordlist=rockyou.txt zip.hash. Same pattern for RAR (rar2john), PDF (pdf2john), SSH keys (ssh2john), KeePass (keepass2john).
What is john --rules and how does it work?
Applies word-mangling rules to every wordlist entry — capitalisation, number suffixes, l33t substitutions, reversals. Turns “password” into Password, password1, p@ssword, Password123, etc. A 14M wordlist with --rules effectively tests hundreds of millions of variations. Use --rules=Jumbo for the expanded ruleset.
Is John the Ripper legal to use?
Legal on hashes from systems you own or have explicit authorisation to test — your own Metasploitable2 lab, authorised pentest targets, your own files. John never connects to the target during cracking (offline only). The act of capturing hashes must be authorised; cracking them locally is fine within that authorised scope.

Mr Elite
Founder, SecurityElites.com | Penetration Tester | Kali Linux Educator

Password cracking is where penetration testing stops being theoretical and becomes real. When John cracks sys:batman from a production server’s shadow file in under 30 seconds, the conversation in the debriefing room changes. The remediation is not technical — it is cultural. Strong, unique passwords enforced by policy and checked against breach databases. John the Ripper does not create that problem. It makes the problem visible. That is the value of learning to use it properly in an authorised context.

Coming Up — Day 6
Nikto — Web Server Vulnerability Scanning
You found directories with Gobuster. Now scan those web servers for known misconfigurations and outdated software.
