📝 Overview
What it is: A fast, free, and open-source password cracking tool. Originally developed for Unix systems, it is now cross-platform and is a staple for detecting weak passwords by offline cracking of various password hashes.
Target Phase: Exploitation / Post-Exploitation
Operating System: Cross-Platform (Linux, Windows, macOS)
⚙️ Core Capabilities
- Auto-Detection: Automatically identifies the type of hash (MD5, SHA-1, NTLM, etc.) without the user needing to specify it manually.
- Dictionary Attacks: Uses a wordlist (like the famous `rockyou.txt`) to compare hashes against common passwords.
- Brute-Force (Incremental) Mode: Tries every possible combination of characters until it finds a match.
- Single Crack Mode: Uses account information (like usernames or GECOS data) to guess likely passwords for that specific user.
- Mangling Rules: Automatically applies variations to wordlist entries (e.g., changing “password” to “P@ssw0rd123”).
💻 Common Commands
| Command | Description |
|---|---|
| `john [hash_file]` | Basic Crack: Runs John against a file, allowing it to auto-detect the hash type. |
| `john --wordlist=rockyou.txt [hash_file]` | Dictionary Attack: Uses a specific wordlist to attempt to crack the hashes. |
| `john --show [hash_file]` | Show Cracked: Displays the passwords that have already been successfully cracked from that file. |
| `john --format=NT [hash_file]` | Specify Format: Forces John to treat the hashes as NTLM (useful if auto-detect fails). |
| `john --rules [hash_file]` | Rule-Based: Applies mangling rules to the current wordlist to catch complex passwords. |
⚠️ Notes & Limitations
- CPU vs. GPU: John is primarily a CPU-based cracker. For massive datasets or complex hashes (like WPA2), Hashcat is usually preferred because it leverages the parallel processing power of a GPU.
- The “Unshadow” Step: On Linux, password hashes are in `/etc/shadow`, but the account details are in `/etc/passwd`. To crack Linux passwords, you must first run the `unshadow` tool to combine them: `unshadow /etc/passwd /etc/shadow > myhashes.txt`.
- Session Management: John automatically saves its progress. If a session is interrupted, you can resume it using `john --restore`.
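As an added example (not part of this cheat sheet or of the John the Ripper project), the following Python script reproduces two of the steps described above in miniature for an audit of your own system's accounts: it merges constructed `/etc/passwd` and `/etc/shadow` excerpts the way `unshadow` does (copy the passwd record, replace its password field with the shadow hash), then tags each resulting hash with the crypt(3) scheme its prefix indicates, which is the same kind of check John's auto-detection performs. The sample records, the placeholder hash bodies and the prefix-to-scheme table are assumptions; the 32-hex-character case is reported as ambiguous because raw MD5 and NT hashes are indistinguishable by shape, which is exactly why `--format=NT` exists.

```python
"""Merge constructed passwd/shadow excerpts like unshadow(8), then classify
each hash by its crypt(3) prefix. Example code, not John's own implementation."""
from __future__ import annotations

import re

# Constructed sample records. Hash bodies are placeholders, not real digests.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
svc-backup:x:1001:1001::/var/lib/backup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERHASHsha512crypt:19700:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASHyescrypt:19700:0:99999:7:::
svc-backup:$1$saltsalt$PLACEHOLDERmd5:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
"""

# crypt(3) prefix -> scheme name (assumed mapping following the usual conventions).
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

# Unsalted hex digests are only distinguishable by length, and 32 hex chars
# could be raw MD5 or NT, so that case is flagged rather than guessed.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HEX_LENGTHS = {
    32: "raw-md5 or NT (ambiguous: pass --format)",
    40: "raw-sha1",
    64: "raw-sha256",
    128: "raw-sha512",
}


def parse_colon_file(text: str) -> dict[str, list[str]]:
    """Parse passwd/shadow-style text into {username: fields}, skipping blanks and comments."""
    records: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Copy each passwd record, replacing its password field (field 2) with the shadow hash."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in parse_colon_file(passwd_text).items():
        fields = fields[:]  # do not mutate the parsed record
        if user in shadow and len(shadow[user]) > 1:
            fields[1] = shadow[user][1]
        merged.append(":".join(fields))
    return merged


def classify_hash(h: str) -> str:
    """Name the hash scheme the way an auto-detector would, from prefix or length."""
    if h == "":
        return "empty (no password set)"
    if h[0] in "!*":
        return "locked (nothing to crack)"
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if HEX_RE.match(h):
        return HEX_LENGTHS.get(len(h), "unsalted hex digest of unknown length")
    return "unrecognised"


def audit(passwd_text: str, shadow_text: str) -> dict[str, str]:
    """Return {username: scheme} for every merged record."""
    result = {}
    for line in unshadow(passwd_text, shadow_text):
        fields = line.split(":")
        result[fields[0]] = classify_hash(fields[1])
    return result


if __name__ == "__main__":
    for user, scheme in audit(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{user:12s} {scheme}")
```

Run against real files, the output tells you which accounts still use a legacy scheme such as md5crypt (the constructed `svc-backup` entry above) and which are locked and need no cracking at all, before any wordlist is involved.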
🏷️ Tags
Tools CLItool PasswordCracking JohnTheRipper PostExploitation PenTestPlus