John the Ripper is a free password-cracking tool. It was designed to test password strength, brute-force encrypted (hashed) passwords, and crack passwords via dictionary attacks. John the Ripper is a part of the Rapid7 family of penetration testing/hacking tools. John also comes preinstalled on Kali Linux.

First, we advocate for ethical hacking.

Originally developed for the Unix operating system, it can run on many different platforms. John the Ripper supports hundreds of hash and cipher types, including those used for:

  • User passwords of Unix flavors (Linux, Solaris, etc.)
  • macOS
  • Windows
  • Web apps (such as WordPress)
  • Database servers (SQL, LDAP, etc.)
  • Network traffic captures
  • Encrypted private keys (such as SSH, and cryptocurrency wallets)
  • Filesystems and disks
  • Archives (ZIP, RAR, 7z)
  • Document files (PDF, Microsoft Office, etc.)

The tool comes in two versions:

  • GNU-licensed: the free and open-source (FOSS) version.
  • Pro: designed for use by professional pen testers, it has additional features such as multilingual wordlists, performance optimizations and 64-bit architecture support. This version is the most used among penetration testers for cracking passwords.

An enhanced “jumbo” community release is also available in the open-source GitHub repo.

The official website for John the Ripper is on Openwall. You can grab the source code and binaries there.



How does John the Ripper Work? 

John the Ripper runs in three ways:

  • Dictionary Attack: In this mode, John the Ripper takes text string samples (usually from a file, called a wordlist, containing a large number of words, phrases and possible passwords derived from previously leaked data dumps or breaches), encrypts each one in the same format as the password being examined, and compares the output to the encrypted string. Dictionary words can also be altered in a randomized manner to check whether the variants work.
  • Brute Force Attack: First, see this blog. In this type of attack, John the Ripper goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently used characters first. The process can be effective but excruciatingly slow; sometimes it takes years. That is exactly why security professionals suggest choosing a long and complex password that combines different character types. The advantage of this method is that it can identify passwords that do not exist in any dictionary.
  • Rainbow tables: Here, a pre-computed list of password hashes (derived from commonly set passwords) is compared against an existing data dump to find the correct password in its plaintext form. This is faster than brute-forcing, but it is ineffective when password hashes are salted and the salt values are too large, all of which increases the overall complexity.
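
Why salting defeats the precomputed approach described above, as an added example that is not from the original article or the John the Ripper project. It uses a plain hash-to-plaintext lookup dictionary rather than a chained rainbow table, and the wordlist, account names and PBKDF2 iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and two accounts sharing one weak password.
WORDLIST = ["123456", "password", "letmein", "admin888", "qwerty"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein"}
ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_hash(password):
    # Fast, unsalted digest: the same password always yields the same hash.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-account random salt and a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_lookup(words):
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}


def audit_salted(store, words):
    """With salts, every candidate must be re-hashed for every account."""
    found, hash_calls = {}, 0
    for user, (salt, digest) in store.items():
        found[user] = None
        for w in words:
            hash_calls += 1
            if hmac.compare_digest(salted_hash(w, salt), digest):
                found[user] = w
                break
    return found, hash_calls


def demo():
    """Return (table hits on unsalted store, table hits on salted store, salted store)."""
    table = build_lookup(WORDLIST)
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salts = {u: os.urandom(16) for u in ACCOUNTS}
    salted = {u: (salts[u], salted_hash(p, salts[u])) for u, p in ACCOUNTS.items()}
    hits = {u: table.get(h) for u, h in unsalted.items()}
    misses = {u: table.get(d) for u, (_, d) in salted.items()}
    return hits, misses, salted


if __name__ == "__main__":
    print(demo()[:2])
```

The table resolves both unsalted hashes with a single lookup each and none of the salted ones. Checking the salted store requires one slow PBKDF2 call per candidate per account, so the weak password is still found by a wordlist pass, only at a much higher cost per guess.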



John the Ripper Modes 

This tool provides at least four modes:

  • Single crack: This mode helps when a user has set a password based on commonly available information or on a phrase in the username (e.g. admin: admin888).
  • Wordlist: The dictionary attack method described above uses this mode.
  • Incremental: This mode is used by the brute-force method.
  • External: An optional mode in which John the Ripper may use program code to generate words.