John the Ripper (often shortened to John) is an open-source password-cracking utility maintained by the Openwall project. It has been a staple of security testing since the mid-1990s and remains widely used today, particularly in its community-maintained Jumbo edition, which adds support for hundreds of additional hash and file formats beyond the small core set.
Core capabilities
John takes a list of password hashes and attempts to recover the plaintexts by hashing candidate passwords and comparing. The core build is CPU-oriented and heavily optimised for it (SIMD code paths for the common formats); the Jumbo edition adds OpenCL-based GPU support for many formats. Supported targets include Unix crypt(3) hashes taken from shadow files (descrypt, md5crypt, sha512crypt, bcrypt and others), Windows LM and NT hashes and NetNTLMv1/v2 challenge-response captures, Kerberos material recovered from Active Directory (Kerberoast TGS tickets, AS-REP responses), application-specific hashes, and encrypted containers such as ZIP, 7z, RAR, PDF and Office documents. The containers are not fed to John directly: Jumbo ships *2john helper programs (zip2john, rar2john, 7z2john, pdf2john, office2john) that extract a crackable hash string from the file, and John works on that string.
Attack modes
Single-crack mode (--single) builds candidates from information already in the input file about each account: the login name, the words of the GECOS field (full name and similar) and the home directory name, each run through its own set of mangling rules. On Linux this means running unshadow on /etc/passwd and /etc/shadow first, because the GECOS and home fields live in passwd, not shadow. The candidates for an account are tried against that account's hash (and then against other hashes that share its salt) rather than against everything, so the mode is very fast, and it is surprisingly effective.
Wordlist mode (--wordlist=FILE, optionally --rules) runs a dictionary against the hashes; mangling rules defined in john.conf (capitalisation, appended digits and symbols, leet substitutions and so on) multiply each dictionary word into many candidates.
Incremental mode (--incremental) is John's brute-force mode. Rather than walking the keyspace in order, it draws on character-frequency statistics (trigraph tables in .chr files, trained on previously cracked passwords) to try the most probable combinations first. It can run indefinitely against long passwords, so it is normally the last mode in a session.
External mode (--external=NAME) exposes a small C-like language, written in john.conf, in which users can script their own candidate generators or filters.
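The difference between single-crack and wordlist mode is easiest to see by watching where the candidates come from. The following is an added example written for this page, not John the Ripper's own code: a toy emulation of the two modes in Python, with a tiny subset of mangling rules standing in for John's rule language and unsalted SHA-256 (the Raw-SHA256 format) standing in for crypt(3). The accounts, plaintexts and wordlist are constructed. With real John the equivalent session would be john --single FILE followed by john --wordlist=password.lst --rules FILE and then john --incremental FILE.

```python
"""Constructed illustration of how John's single-crack and wordlist modes
produce candidate passwords.  This is example code written for this page,
not John the Ripper's own implementation: real John has a full rule
language, hundreds of hash formats and far larger rule sets.  Hashes are
unsalted SHA-256 (John's Raw-SHA256 format) so the demo needs only the
standard library."""
import hashlib


def raw_sha256(password):
    """Hash a candidate the way the Raw-SHA256 format does: plain SHA-256, hex."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample accounts, modelled on unshadow output (login, GECOS
# full name, hash).  The plaintexts appear in comments only so the reader
# can follow which mode should recover which account.
ACCOUNTS = {
    "jsmith":     ("John Smith",     raw_sha256("Smith1")),       # surname + digit
    "amartin":    ("Alice Martin",   raw_sha256("amartin123")),   # login + "123"
    "bob":        ("Bob Lee",        raw_sha256("Winter2024!")),  # dictionary word + rule
    "svc_backup": ("Backup Service", raw_sha256("x7#Qp!9zLm")),   # random; should survive
}

# Constructed wordlist standing in for password.lst or a leaked-password list.
WORDLIST = ["password", "winter", "summer", "acme", "letmein"]


def mangle(word):
    """A handful of mangling rules in the spirit of John's [List.Rules] sections
    (identity, lowercase, capitalise, append one digit, append common suffixes).
    John's real rules are written in its own rule syntax; this is a toy subset."""
    bases = {word, word.lower(), word.capitalize()}
    out = set(bases)
    for base in bases:
        out.update(base + d for d in "0123456789")
        out.update(base + suffix for suffix in ("!", "123", "2023", "2024", "2024!"))
    return out


def single_mode_candidates(login, gecos):
    """Single-crack style: seed words come from the account itself (the login
    and the words of its GECOS field), then get mangled.  Real John also uses
    the home directory name and tries the result only against that account."""
    seeds = {login} | set(gecos.split())
    candidates = set()
    for seed in seeds:
        candidates |= mangle(seed)
    return candidates


def wordlist_mode_candidates(login, gecos, words=WORDLIST):
    """Wordlist style: every dictionary word, mangled; the account is ignored."""
    candidates = set()
    for word in words:
        candidates |= mangle(word)
    return candidates


def crack(accounts, candidate_fn):
    """Return {login: plaintext} for each account whose hash matches a candidate."""
    cracked = {}
    for login, (gecos, digest) in accounts.items():
        for candidate in candidate_fn(login, gecos):
            if raw_sha256(candidate) == digest:
                cracked[login] = candidate
                break
    return cracked


def run_session(accounts):
    """Mimic John's default order: single first, then wordlist on what is left
    (John would go on to incremental mode, which is omitted here)."""
    cracked = crack(accounts, single_mode_candidates)
    remaining = {k: v for k, v in accounts.items() if k not in cracked}
    cracked.update(crack(remaining, wordlist_mode_candidates))
    still_uncracked = sorted(set(accounts) - set(cracked))
    return cracked, still_uncracked


if __name__ == "__main__":
    found, left = run_session(ACCOUNTS)
    for login, pw in sorted(found.items()):
        print(f"{login}:{pw}")
    print(f"{len(found)} password hashes cracked, {len(left)} left")
```

Two accounts fall to the single-mode candidates alone, because their passwords are built from their own surname or login; the third needs a dictionary word plus a rule; the random service-account password is never reached, which is the outcome incremental mode would then spend its time on. Note how few rules it takes to make each seed word fan out into dozens of candidates, which is why --rules matters more than wordlist size for human-chosen passwords.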
John versus Hashcat
The two tools overlap heavily and most pen testers use both. John is often preferred when only CPUs are available, for older or unusual hash formats that Hashcat does not implement, and because it reads passwd/shadow-style login:hash files directly, where Hashcat expects bare hashes (or the --username flag). Hashcat is generally preferred where GPU throughput is the limiting factor and the target hash type is in its supported list. In practice the choice is often based on what the team already has scripts and rule sets for rather than on absolute speed.
Use in penetration testing
John is used to crack recovered hashes during internal Active Directory engagements, on stolen or leaked application databases, and when testing the passphrases protecting archives, document files and password manager vaults (KeePass databases via keepass2john, for example). The output is more useful than a raw "X percent cracked" number: the patterns that emerge from the cracked plaintexts (seasonal passwords, the company name, a year or a simple suffix tacked on) show how users are satisfying the current policy, and those patterns drive the policy and banned-password-list recommendations in the report.
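Turning cracked plaintexts into findings is a small amount of tooling. The following is an added example written for this page, not part of John the Ripper: a Python script that reads the login:plaintext lines john --show prints, tags each plaintext with the weak patterns a report usually calls out, and reports their shares. The sample --show output is constructed, and the company name used for the company-name check is an assumed input supplied by the tester.

```python
"""Constructed example for this page (not part of John the Ripper): turn the
login:plaintext lines that `john --show` prints into the pattern summary that
drives policy recommendations.  The sample output below is made up; its
shape (one login:plaintext line per cracked account, a blank line, then
"N password hashes cracked, M left") mirrors john --show on a login:hash file."""
import re
from collections import Counter

SAMPLE_SHOW_OUTPUT = """\
jsmith:Summer2023!
amartin:Acme2024
bob:Winter2024!
carol:acme123
dave:P@ssw0rd
erin:Autumn22
frank:hunter2

7 password hashes cracked, 3 left
"""

# Assumption: the tester supplies the client's name so company-based
# passwords can be flagged; "acme" is a placeholder.
COMPANY_NAME = "acme"
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")


def parse_show_output(text):
    """Return ({login: plaintext}, cracked_count, left_count) from --show output.
    Only the second colon-separated field is kept: for unshadow or pwdump input
    john appends the remaining passwd/pwdump fields after the plaintext."""
    creds, cracked, left = {}, 0, 0
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            cracked, left = int(m.group(1)), int(m.group(2))
        elif line.strip():
            fields = line.split(":")
            creds[fields[0]] = fields[1]
    return creds, cracked, left


def classify(plaintext):
    """Tag a cracked plaintext with the weak patterns a report usually calls out."""
    tags, low = [], plaintext.lower()
    if any(season in low for season in SEASONS):
        tags.append("season")
    if COMPANY_NAME in low:
        tags.append("company-name")
    if re.search(r"(?:19|20)\d{2}", plaintext):
        tags.append("year")
    if re.search(r"[A-Za-z][@$0137!][A-Za-z]", plaintext):
        tags.append("leet")  # letter-shaped substitution inside a word
    if re.search(r"\d+$", plaintext):
        tags.append("trailing-digits")
    if re.search(r"[!@#$%^&*]+$", plaintext):
        tags.append("trailing-symbol")
    if len(plaintext) < 10:
        tags.append("short")
    return tags or ["other"]


def summarize(show_output):
    """Count patterns across all cracked accounts and express them as shares
    of the cracked set, alongside the overall crack rate."""
    creds, cracked, left = parse_show_output(show_output)
    counts = Counter(tag for pw in creds.values() for tag in classify(pw))
    total = cracked + left
    return {
        "cracked": cracked,
        "left": left,
        "crack_rate": cracked / total if total else 0.0,
        "pattern_counts": dict(counts),
        "pattern_shares": {tag: n / len(creds) for tag, n in counts.items()} if creds else {},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SHOW_OUTPUT)
    print(f"{report['cracked']}/{report['cracked'] + report['left']} cracked "
          f"({report['crack_rate']:.0%})")
    for tag, share in sorted(report["pattern_shares"].items(), key=lambda kv: -kv[1]):
        print(f"  {tag:<16} {share:.0%} of cracked passwords")
```

On the constructed sample, "short", "trailing-digits", "season" and "year" dominate, which points at concrete recommendations (a minimum length above the current one, a banned-password list seeded with seasons, years and the company name) rather than a bare 70 percent figure. The same parser works on the --show output of a real session, since the format is the same.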
Related terms
See also: Hashcat, brute force attack, and Kali Linux.