John the Ripper

John is a password cracking tool that has multiplatform support

John is arguably an inferior tool to hashcat but is easier to work with

It supports 4 different modes. It starts with the first mode and works its way down

  1. Single Crack mode
  2. wordlist mode
  3. incremental mode
  4. external mode

Single crack mode


this uses variations of account name /etc/passwd account information

It applies various hybrid alertations of the fields to creat its guesses.

Wordlist Mode

-wordlist filename

uses dictionary wordlist file with hybrid to generate permutated password guesses

This mode relies on dictionary terms for guesses

Incremental mode


Uses brute force guessing

This tries all possible character combos to determine the password. This is a brute force attack. This mode could run forever

External mode


uses an external program to generate guesses

This is optional. It relies on external programs to assist in guessing

The autosense feature within John can help determine the correct formatting needed for cracking.

It can autodetect the following formats

  • Windows LANMAN
  • OpenBSD’s Blowfish
  • FreeBSD’s MD5
  • BSDI’s extended DES
  • Standard and double-length DES

The Jumbo patch adds support for Windows NT hashses.

Cracked passwords are printed on the screen and stored in the file john.pot

Make sure to delete the john.pot file if you are testing in your environment

Look for john.pot files while pentesting