CRITICAL LEGAL NOTICE - READ CAREFULLY

This tool is for AUTHORIZED SECURITY TESTING ONLY. Using password cracking tools on systems or accounts you do not own or have explicit written permission to test is ILLEGAL and constitutes a federal crime under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide.

Legal uses include: Your own accounts, systems you own, authorized penetration testing with written permission, security research in isolated lab environments.

Illegal uses include: Breaking into someone else's accounts, unauthorized access to systems, stealing credentials, any use without explicit permission.

By proceeding, you acknowledge that you will only use these techniques for lawful, authorized purposes. Misuse can result in criminal prosecution, fines, and imprisonment.

What is John the Ripper?

John the Ripper (often called "John" or "JtR") is one of the most popular and powerful password cracking tools in cybersecurity. It's a free, open-source password security auditing and password recovery tool available for many operating systems.

Key Concept

John doesn't "hack" passwords in real-time. Instead, it takes password hashes (one-way digests of passwords, not encrypted copies that could be decrypted) and attempts to find the original plaintext by hashing millions of candidate passwords per second and comparing each result against the target hash.

Why Do Security Professionals Use John?

  • Password Auditing: Test if your organization's passwords are strong enough
  • Penetration Testing: Assess the strength of captured password hashes
  • Incident Response: Recover access to encrypted systems when passwords are lost
  • Security Research: Study password patterns and improve defensive strategies
  • Compliance Testing: Verify that password policies are actually effective

How Fast Can It Crack?

Modern hardware can test millions (even billions with GPU acceleration) of passwords per second. A weak password like "password123" in MD5 format can be cracked in milliseconds. However, a strong 12+ character password with mixed characters can take centuries to crack.

Important Reality Check

Movies and TV shows dramatically misrepresent password cracking. In reality, cracking a truly strong password (14+ characters, mixed case, numbers, symbols) is practically impossible with current technology. John's power comes from exploiting WEAK passwords and common patterns.

Understanding Password Hashing

Before we can crack passwords, we must understand how they're stored. Properly designed systems don't store passwords in plaintext - they store mathematical representations called hashes.

What is a Hash?

A hash is a one-way mathematical function that converts any input into a fixed-length output. The same input always produces the same output, but you cannot reverse the process to get the original input from the hash.

# Example: The word "password" hashed with different algorithms

MD5:
5f4dcc3b5aa765d61d8327deb882cf99

SHA1:
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

SHA256:
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Common Hash Types You'll Encounter

  • MD5: 32 hex characters. Fast but cryptographically broken. Still widely used in older systems. Example: 5f4dcc3b5aa765d61d8327deb882cf99
  • SHA1: 40 hex characters. Also considered weak. Found in older databases. Example: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
  • SHA256: 64 hex characters. Strong but can still be brute-forced if the password is weak.
  • bcrypt: Starts with $2a$, $2b$, or $2y$. Designed to be slow (good for security). Example: $2a$10$N9qo8uLOickgx2ZMRZoMy.ABCD...
  • NTLM: Windows password hashes. 32 hex characters, no salt. Notoriously weak.

Pro Tip: Identifying Hashes

Length is your first clue: 32 chars = MD5 or NTLM, 40 = SHA1, 64 = SHA256. Prefixes like $2a$ indicate bcrypt. The hash-identifier tool can automate this.

Attack Modes: How John Cracks Passwords

John the Ripper uses several different strategies to crack passwords. Understanding when to use each mode is crucial for success.

1. Dictionary Attack

The most common and often most effective method. John reads through a wordlist (dictionary) of potential passwords and tests each one.

john --wordlist=rockyou.txt --format=raw-md5 hashes.txt

Best for: Users who choose dictionary words, common phrases, or popular passwords.
Speed: Very fast - millions of attempts per second.
Success rate: High for weak passwords (30-60% in real audits).

2. Brute Force Attack

Try every possible combination of characters up to a certain length. Extremely thorough but very slow.

john --incremental --format=raw-md5 hashes.txt

Best for: Short passwords (1-8 characters) or when all else fails.
Speed: Depends on length. 6 chars = hours, 8 chars = days/weeks, 10+ chars = impractical.
Success rate: 100% given enough time, but time is usually the limiting factor.

3. Rule-Based Attack

Apply transformation rules to dictionary words. This catches variations like "Password123!" from the word "password".

john --wordlist=rockyou.txt --rules --format=raw-md5 hashes.txt

Common rules: Capitalize first letter, add numbers to end, replace letters with numbers (l33tspeak), add special characters.
Best for: Users who take a dictionary word and modify it slightly.
Success rate: Significantly higher than pure dictionary (can double crack rate).

Rule Examples

If dictionary contains "password", rules generate:
Password, PASSWORD, password1, password123, P@ssw0rd, password!, passworD1!, etc.
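To make the rule idea concrete, here is an added example (not John's rule engine and not code from this page) that expands one dictionary word with the rule families listed above and audits a constructed list of raw MD5 hashes against the result. The leet table and suffix list are assumptions chosen for illustration, far smaller than John's real rule sets.

```python
import hashlib
import itertools

# Leet substitutions, a small subset of what John's rule sets apply (assumption).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Suffixes mirroring the "add numbers/specials to the end" rule family (assumption).
SUFFIXES = [""] + [str(n) for n in range(10)] + ["123", "!", "1!", "2024", "2025"]

def leet_variants(word):
    """Yield every combination of LEET substitutions applied to the
    lowercase letters of word: 'password' -> 'p@ssword', 'passw0rd', ..."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            yield "".join(LEET[c] if i in chosen else c for i, c in enumerate(word))

def expand(word):
    """Apply the rule families the text lists to one dictionary word and return
    the set of candidates: case changes, leet, and appended digits/specials."""
    bases = set()
    for cased in (word, word.capitalize(), word.upper()):
        bases.update(leet_variants(cased))
    return {base + suffix for base in bases for suffix in SUFFIXES}

def md5hex(text):
    """Raw MD5 as John's raw-md5 format stores it (unsalted, lowercase hex)."""
    return hashlib.md5(text.encode()).hexdigest()

# Constructed audit input: three raw-md5 hashes of passwords a user might pick.
AUDIT_INPUT = [md5hex("P@ssw0rd"), md5hex("password123"), md5hex("Tr0ub4dor&3")]

def audit(hash_lines, wordlist):
    """Return {hash: plaintext} for every raw-md5 hash that some rule-expanded
    wordlist entry reproduces; anything not returned survived this rule set."""
    wanted = {h.strip().lower() for h in hash_lines}
    found = {}
    for word in wordlist:
        for candidate in expand(word):
            digest = md5hex(candidate)
            if digest in wanted:
                found[digest] = candidate
    return found
```

Running audit(AUDIT_INPUT, ["password"]) recovers "P@ssw0rd" and "password123" from the single word "password", while "Tr0ub4dor&3" is untouched because no rule in this set derives it.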

4. Hybrid Attack

Combines dictionary words with brute force on part of the password. For example, dictionary word + any 3 digits.

5. Mask Attack

Similar to brute force but you specify a pattern. Example: 8 characters, starts with capital, ends with 2 digits.

Wordlists: The Fuel for Cracking

Your wordlist quality directly impacts success. Garbage in, garbage out.

Famous Wordlists

  • rockyou.txt: 14 million real passwords from the 2009 RockYou breach. The gold standard for password cracking. Most security professionals' first choice.
  • SecLists: Curated collection of wordlists for security testing, including passwords, usernames, and more.
  • CrackStation: 1.5 billion entries. Massive but slow to process.
  • john.txt: Built-in wordlist with John, focused on common passwords.

Wordlist Management

Bigger is not always better. A targeted 100,000 word list of industry-specific terms can outperform a generic 10 million word list. Always consider your target when choosing a wordlist.

Creating Custom Wordlists

For targeted attacks (authorized testing only!), you can create custom wordlists based on:

  • Company name and variations
  • Industry-specific terminology
  • Location names (city, building, street names)
  • Employee names, pet names, sports teams
  • Keyboard patterns (qwerty, 12345, asdfgh)

# Tools for generating custom wordlists
cewl https://targetcompany.com -m 6 -w company-words.txt
cupp -i # Interactive tool for person-specific wordlists

Identifying Hash Types

Before cracking, you must tell John what type of hash it's dealing with. Getting this wrong means zero results.

Visual Identification

# MD5 - 32 hex characters
5f4dcc3b5aa765d61d8327deb882cf99

# SHA1 - 40 hex characters
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

# SHA256 - 64 hex characters
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

# NTLM - 32 hex characters (same length as MD5, context matters!)
8846f7eaee8fb117ad06bdd830b7586c

# bcrypt - starts with $2a$, $2b$, or $2y$
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

# Linux SHA512 - starts with $6$
$6$rounds=5000$GokFcXvIpazxnF..$sZWXuzcJCuQN1L4WVu4U...

Using John to Identify

# Run without --format and John tries to auto-detect the hash type (it warns when several formats match, so check its guess)
john hashes.txt

# List all formats John supports
john --list=formats
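As an added example (not code from this page or from John itself), the length/prefix heuristic from the Common Hash Types and Visual Identification sections as a small classifier: it maps each line of a hashes.txt-style file to candidate --format names and shows why a 32-hex digest stays ambiguous until you check it against a plaintext you already know. The sample lines are constructed from the digests shown on this page.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Unsalted hex digests by length, as John --format names. 32 hex characters
# is ambiguous: raw-md5 and NT (NTLM) are indistinguishable by eye.
BY_LENGTH = {32: ["raw-md5", "NT"], 40: ["raw-sha1"], 64: ["raw-sha256"]}
# Modular-crypt prefixes covered in the text.
BY_PREFIX = {"$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$6$": "sha512crypt"}
# Raw formats we can recompute with hashlib (NT is MD4 over UTF-16LE, which
# many hashlib builds no longer provide, so it is deliberately left out).
HASHLIB_NAME = {"raw-md5": "md5", "raw-sha1": "sha1", "raw-sha256": "sha256"}

# Constructed sample file: the page's digests of "password" (MD5, NTLM, SHA1)
# and its bcrypt string, two of them in John's optional "user:hash" layout.
SAMPLE_LINES = [
    "alice:5f4dcc3b5aa765d61d8327deb882cf99",
    "bob:8846f7eaee8fb117ad06bdd830b7586c",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
]

def hash_field(line):
    """Strip an optional 'user:' prefix and whitespace from one input line."""
    return line.strip().split(":", 1)[-1]

def identify(h):
    """Candidate --format names for one hash: prefix first, then length."""
    for prefix, fmt in BY_PREFIX.items():
        if h.startswith(prefix):
            return [fmt]
    if HEX_RE.match(h.lower()):
        return list(BY_LENGTH.get(len(h), []))
    return []

def confirm(h, known_plaintext):
    """Resolve a raw-format guess by recomputing the digest of a plaintext you
    control (e.g. a test account). Returns the matching format or None; a
    32-hex digest that is not MD5 of the known value is most likely NTLM."""
    for fmt in identify(h):
        if fmt in HASHLIB_NAME:
            if hashlib.new(HASHLIB_NAME[fmt], known_plaintext.encode()).hexdigest() == h.lower():
                return fmt
    return None

def plan(lines):
    """Group lines by --format run; ambiguous digests get both names joined by '/'."""
    groups = {}
    for line in lines:
        h = hash_field(line)
        groups.setdefault("/".join(identify(h)) or "unknown", []).append(h)
    return groups
```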

Understanding Crack Time

Why can some passwords be cracked in seconds while others would take centuries?

Factors That Affect Cracking Speed

  • Hash Algorithm: MD5 is extremely fast to compute (billions per second). bcrypt is designed to be slow (thousands per second).
  • Password Length: Each additional character exponentially increases the search space.
  • Character Set: Lowercase only = 26 options per character. Add uppercase, numbers, symbols = 94+ options per character.
  • Hardware: GPU acceleration can be 100x faster than CPU-only cracking.
  • Attack Method: Dictionary = fast. Brute force = slow. Rules = medium.

Real-World Expectations

Weak passwords (dictionary words, common patterns): Seconds to minutes
Medium passwords (dictionary + numbers): Minutes to hours
Strong passwords (12+ mixed characters): Years to centuries
Enterprise-grade (14+ characters, properly random): Effectively uncrackable

Why This Matters for Defense

This is why security professionals recommend:

  • Passwords 14+ characters minimum (16+ is better)
  • Passphrases instead of passwords ("correct horse battery staple" vs "P@ssw0rd!")
  • Unique passwords for every account (password managers)
  • Multi-factor authentication (even if password is cracked, attacker still can't get in)

Ethical and Legal Boundaries

This cannot be stressed enough: the line between legal security testing and illegal hacking is consent and authorization.

Legal Scenarios

  • Testing your own systems and accounts
  • Authorized penetration testing with a signed contract and defined scope
  • Security research in isolated lab environments with no real targets
  • Academic research with proper ethics approval
  • Password recovery for your own lost/forgotten passwords

Illegal Scenarios

  • Cracking passwords on systems you don't own without explicit written permission
  • Using cracked credentials to access accounts without authorization
  • Testing "just to see if you can" on production systems you don't own
  • Sharing or selling cracked credentials
  • Any activity that causes damage or unauthorized access

Legal Consequences Are Real

Under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide, unauthorized password cracking can result in:
- Up to 10 years in federal prison (20 years for repeat offenders)
- Fines up to $250,000
- Civil lawsuits from victims
- Permanent criminal record
- End of your career in technology

ALWAYS get explicit written permission before testing ANY system you don't personally own.

Professional Boundaries

Even in authorized testing, you must:

  • Stay within the defined scope (if you're authorized to test Server A, don't test Server B)
  • Protect any cracked credentials (treat them as highly sensitive)
  • Report findings professionally without exploiting them
  • Delete captured hashes and cracked passwords when testing is complete
  • Never use testing as an opportunity to access personal data or pivot to unauthorized systems

Ready to Practice?

Now that you understand the theory, head to the Cracker Lab tab to simulate password cracking in a safe environment. Then test your knowledge in the Challenges section!

Interactive Learning

The Cracker Lab provides a simulated environment with pre-loaded hashes. You can practice different attack modes and see realistic output without any risk. All activity is local to your browser - no real cracking is happening.


Basic Commands

john --format=raw-md5 hashes.txt
Crack MD5 hashes using default settings
john --wordlist=rockyou.txt hashes.txt
Use dictionary attack with rockyou wordlist
john --show hashes.txt
Display already cracked passwords
john --format=NT hashes.txt
Crack NTLM hashes (Windows passwords)

Attack Modes

john --wordlist=rockyou.txt --rules hashes.txt
Apply transformation rules to wordlist (recommended)
john --incremental hashes.txt
Brute force attack (try all combinations)
john --incremental=Digits hashes.txt
Brute force numbers only (PINs, numeric passwords)
john --mask=?u?l?l?l?l?d?d hashes.txt
Mask attack: Capital + 4 lowercase + 2 digits

Format Specifications

john --format=raw-sha1 hashes.txt
Crack SHA1 hashes (40 hex characters)
john --format=raw-sha256 hashes.txt
Crack SHA256 hashes (64 hex characters)
john --format=bcrypt hashes.txt
Crack bcrypt hashes (starts with $2a$, $2b$, $2y$)
john --format=sha512crypt hashes.txt
Crack Linux SHA512 hashes (starts with $6$)

Session Management

john --session=mysession hashes.txt
Start a named session (can resume later)
john --restore=mysession
Resume a previously interrupted session
john --status
Show status of current/last session
john --list=formats
List all supported hash formats

Advanced Techniques

john --wordlist=rockyou.txt --rules=Jumbo hashes.txt
Use specific rule set (Jumbo = comprehensive)
john --wordlist=rockyou.txt --min-length=8 hashes.txt
Only try passwords 8+ characters long
john --pot=custom.pot --show hashes.txt
Use custom pot file (stores cracked passwords)
john --fork=4 hashes.txt
Use 4 CPU cores for faster cracking

Mask Attack Patterns

?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digit (0-9)
?s = special (!@#$%...)
?a = all characters
?b = binary (0x00-0xFF)
# Common mask patterns:
?u?l?l?l?l?d?d # Capital + 4 lowercase + 2 digits (e.g., "Admin99")
?u?l?l?l?l?d?d?d?d # Capital + 4 lowercase + 4 digits (e.g., "Admin2024")
?d?d?d?d?d?d # 6-digit PIN
?u?l?l?l?l?l?l?d?s # Uppercase + 6 lowercase + digit + special


About This Lab

This training lab simulates John the Ripper in a safe, browser-based environment. All cracking activity is simulated - no actual password cracking is performed. This tool is designed for educational purposes to teach security professionals about password security and authorized testing techniques.

Version: 1.0.0
Last Updated: December 2025
Part of: Hexworth Prime - Dark Arts Vault