Password Cracking with John the Ripper: A Practical Guide

Dr Soukkou Youcef

John The Ripper

Password security is a cornerstone of cybersecurity, and as a penetration tester or security researcher, knowing how to crack passwords is crucial. John the Ripper (JtR) is one of the most powerful tools for this job—supporting countless hash types, attack strategies, and optimizations.

But let’s be real: if you’ve ever tried using John without guidance, you might have felt overwhelmed. The documentation is dense, and while it’s incredibly powerful, it doesn’t hold your hand.

That’s where this guide comes in. I’ll walk you through setting up John, choosing the right attack modes, optimizing performance, and even some advanced tricks that aren’t always obvious. By the end, you’ll be cracking hashes like a pro—responsibly, of course.

Getting John the Ripper Up and Running

Before we crack anything, we need John installed and ready. The best way? Compiling from source to unlock all features.

Installing on Linux (Kali/Ubuntu/Debian)

First, grab the dependencies:
sudo apt update && sudo apt install build-essential libssl-dev zlib1g-dev

Then, clone and compile John:

git clone https://github.com/openwall/john -b bleeding-jumbo john
cd john/src
./configure && make -s clean && make -sj4

=> (-s keeps make quiet and -j4 runs four parallel jobs; adjust the number to your CPU core count.)

Installing on Windows

You can:

  • Download pre-built binaries from Openwall.

  • Or (better yet) use WSL (Windows Subsystem for Linux) for full functionality.

macOS? Homebrew Has You Covered

brew install john-jumbo


What Hashes Can John Crack? (Almost Everything)

John supports hundreds of hash types. To see them all:
./john --list=formats
Some common ones you’ll encounter:

  • Linux passwords: sha512crypt (modern /etc/shadow), md5crypt (older systems)

  • Windows hashes: NTLM (still widely used), LM (ancient and weak)

  • Web app hashes: MD5, SHA-1, bcrypt, PBKDF2

  • Wi-Fi: WPA-PSK (via .hccapx files)

=> If you're unsure what hash you're dealing with, leave out --format: John tries to detect the type itself and prints the other candidate formats it considered, which you can then pass explicitly with --format if it picked the wrong one:

./john --wordlist=rockyou.txt hashes.txt


Attack Modes

John doesn’t just brute-force blindly—it has multiple attack strategies. Picking the right one saves time.

Dictionary Attack (Fastest for Weak Passwords)

This uses a wordlist (like the infamous rockyou.txt):
./john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
=> Always start with this. Many passwords are just common words.

Rule-Based Attacks (Smarter Wordlist Modifications)

Instead of just trying password, John can try Password123, p@ssword, etc., using mangling rules.
./john --wordlist=rockyou.txt --rules=Best64 hashes.txt
=> (The Best64 rule set is built-in and works well for most cases.)

Brute-Force (When You’re Desperate)

If the password isn’t in any wordlist, brute-forcing might work—but it’s slow.
./john --incremental=ASCII hashes.txt
This tries all possible combinations, starting with the shortest.

Hybrid Attacks (Mixing Words & Patterns)

Example: trying summer2023, winter2024, etc.
./john --wordlist=seasons.txt --mask='?w?d?d?d?d' hashes.txt

=> (?w is replaced by each word from the wordlist and ?d means "any digit", so this appends four digits to every word.)


Optimization Tips

Use Your GPU (If Possible)

John mostly runs on CPU, but for some hashes (like NTLM or MD5), OpenCL GPU acceleration helps.
Compile with OpenCL support:
./configure --enable-opencl && make clean && make
Then run with the OpenCL variant of the format (they carry an -opencl suffix; ./john --list=opencl-devices shows the device numbers):
./john --format=nt-opencl --devices=1 hashes.txt

Better Wordlists = Faster Cracks

  • Rockyou.txt (classic, but outdated)

  • SecLists (more extensive, modern passwords)

  • CrackStation’s list (huge, but needs storage)

Distributed Cracking (For Big Boy Jobs)

If you have multiple machines, split the work with an MPI build (./configure --enable-mpi) and a host file listing the nodes:
mpirun -np 4 ./john --format=sha512crypt hashes.txt
On a single multi-core box, ./john --fork=4 ... gives the same split without MPI.


Practical Stuff

Cracking ZIP/RAR Files

First, extract the hash (rar2john does the same for .rar archives):
zip2john secret.zip > zip_hash.txt
Then crack it:
./john --wordlist=rockyou.txt zip_hash.txt

Cracking Linux Shadow Hashes

Combine /etc/passwd and /etc/shadow (reading /etc/shadow needs root):
unshadow /etc/passwd /etc/shadow > linux_hashes.txt
Crack:
./john --wordlist=rockyou.txt linux_hashes.txt

Breaking NTLM (Windows) Hashes

./john --format=nt --wordlist=rockyou.txt ntlm_hashes.txt

Wi-Fi WPA Handshakes

(Some familiarity with network tools such as Aircrack-ng is needed to capture the handshake in the first place, of course.)

Convert the capture with wpapcap2john, the converter that ships in John's run directory:

wpapcap2john capture.cap > wifi_hashes.txt

Crack:

./john --wordlist=rockyou.txt wifi_hashes.txt


Final Thoughts

I bear no responsibility for any illegal use of the info provided in this blog, as it is public knowledge. Use this witchcraft at your own risk and certainly don't ask me to hack your Ex's Instagram account because doing so will make me hack you instead.
Happy Cracking!