john the ripper

john the ripper

John the Ripper is the main tool for cracking encrypted password. John offers different operating modes. It is possible to perform dictionary or brute force attacks. It also automatically detects the type of encryption used by the hash.

Basic command

For use john we must have password hash saved in a file. John’s basic command is:

john filehash

With john it is also possible crack passwords of linux users. In Linux OS you can find usernames stored in “/etc/passwd” file while the relatives passwords are in “/etc/shadow” file. These two files must be combined using unshadow command:

unshadow /etc/passwd /etc/shadow > filehash

Now that filehash has been created we can use john with its basic command:

john filehash

This is its simplest command.

Unlike Linux in Windows OS for crack passwords hashes we need a SAM file. Sam is the hash file of the Windows passwords. To get it there are some way: through “meterpreter” shell (running hashdump command) or via some useful tools like  pwdumppwdump_7SAMinsidefgdumpophcrackl0phtcracksamdump2, etc…. It is also stored in registry HKEY_LOCAL_MACHINE\SAM (but this registry isn’t accessible while system is running and requires “SYSTEM” privileges).

Finally when john founds valid passwords it saves them in $JOHN/john.pot. The john.pot file isn’t human-friendly, so you should use the following command to display the cracked password:

john --show filehash

However, if the


option was used during cracking (see below), it is necessary to repeat the same format option when show option is used. Then the command will be the following:

john --show filehash --format={FORMAT}
Dictionary attack

You also can use a wordlist file to do a dictionary attack and in this case the command will be as follow:

john --wordlist=/path/to/filewordlist filehash
Format option

Another option is –format=. This tells John what format the password hash is and force to use that. An example:

john --format=NT filehash

In –format option we can put many kind of hashes format. Here are some: bf, bsdi, crypt, deshmac-md5krb4krb5LM, md4-gen, md5, mssql, mysqlmysql-sha1netlmnsldap, NT, ssharaw-md5, raw-sha1raw-sha224, ssh, and so on.

Brute force attack

This option is for Brute Force mode.

Rules option

Another powerful john the ripper feature is the –rules option. It can be applied against a wordlist file to modify it. You can add –rules option for apply mangling rules. First you need to add [List.Rules] in the john.conf file:


This example rules (named “Reverse”) takes a wordlist file and reverses all the words in it. The following command do the job, showing the result on the screen:

john --rules=Reverse --wordlist=wordlistfile.txt --stdout

Another simple example is to reflect the words of a wordlist file:


and then the command is:

john --rules=Reflect --wordlist=wordlistfile.txt --stdout

In this example if the wordlist file had been composed from password and monkey word the result of execution would be the following:


Here is a list of useful simple rules:

5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments