# John The Ripper

### John the Ripper (JtR)

Open-source password cracker, first released 1996. Use the **jumbo** variant — it has performance optimizations, 64-bit support, multilingual wordlists, and more hash formats.

Also ships with a full suite of `*2john` conversion tools for cracking files (archives, SSH keys, KeePass DBs, etc.).

***

#### Cracking Modes

**1. Single Crack Mode**

Rule-based. Generates candidates from the target's own **username, home directory, and GECOS fields** (full name, phone, etc.), then applies common password mutation rules. Best for Linux `/etc/passwd` or `/etc/shadow` targets.

```bash
john --single passwd
```

Example — given this passwd entry:

```
r0lf:$6$ues25dIanlctrWxg$nZHV...:0:0:Rolf Sebastian:/home/r0lf:/bin/bash
```

JtR extracts `r0lf`, `Rolf`, `Sebastian` and `/home/r0lf` from the entry and mutates them (e.g. `Rolf1`, `r0lf123`, `SEBASTIAN!`). In this case it cracked the hash successfully.

> Use this first when you have a passwd/shadow file — it's fast and often works on lazy sysadmins.
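To make the single-mode idea concrete, here is an added Python sketch (not JtR's rule engine and not code from this page) that parses a passwd-style entry, derives seeds from the login, GECOS and home-directory fields, applies a handful of mutation rules and tests each candidate against the hash field. The entry, its raw-MD5 hash and the `SUFFIXES` rule list are constructed for the demo; real `/etc/shadow` entries carry sha512crypt hashes, which is what `john --single` actually processes.

```python
import hashlib
import itertools
import re

# Suffix rules modelled loosely on the mutations described above (assumption, not JtR's rule set).
SUFFIXES = ["", "!", "1", "123"]


def make_entry(password):
    """Constructed passwd-style line (user:hash:uid:gid:GECOS:home:shell) whose hash field is raw MD5."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return f"r0lf:{digest}:1000:1000:Rolf Sebastian,Room 12,555-0100:/home/r0lf:/bin/bash"


def extract_seeds(entry):
    """Fields single mode mines: login name, GECOS words, last component of the home directory."""
    user, _hash, _uid, _gid, gecos, home, _shell = entry.split(":")
    seeds = [user, home.rstrip("/").rsplit("/", 1)[-1]]
    for part in gecos.split(","):
        seeds.extend(re.findall(r"[A-Za-z0-9]+", part))
    return list(dict.fromkeys(s for s in seeds if s))  # de-duplicate, keep order


def mutate(seeds):
    """Case variants plus suffixes for each seed, and concatenated pairs of seeds."""
    cands = set()
    for w in seeds:
        for form in {w, w.lower(), w.capitalize(), w.upper()}:
            for suffix in SUFFIXES:
                cands.add(form + suffix)
    for a, b in itertools.permutations(seeds, 2):
        cands.add(a + b)
        cands.add(a.capitalize() + b.capitalize())
    return cands


def single_crack(entry):
    """Return the candidate whose MD5 equals the entry's hash field, or None if no rule produces it."""
    target = entry.split(":")[1]
    for cand in sorted(mutate(extract_seeds(entry))):
        if hashlib.md5(cand.encode()).hexdigest() == target:
            return cand
    return None


if __name__ == "__main__":
    entry = make_entry("Sebastian1")  # constructed weak password derived from the GECOS field
    print(extract_seeds(entry))
    print(single_crack(entry))
```

The candidate set stays small because every guess is anchored to data already on the host, which is exactly why a name-derived password falls in seconds while an unrelated passphrase is never reached by this mode.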

***

**2. Wordlist Mode**

Standard dictionary attack. One password per line in the wordlist.

```bash
john --wordlist=<wordlist_file> <hash_file>

# With built-in or custom rules (mutations like appending numbers, capitalizing, etc.)
john --wordlist=/usr/share/wordlists/rockyou.txt --rules <hash_file>
```

Multiple wordlists: separate with a comma.

***

**3. Incremental Mode**

Markov chain-based brute-force. Smarter than pure brute-force — prioritizes statistically likely passwords based on training data. Most exhaustive but slowest.

```bash
john --incremental <hash_file>
```

View/customize character sets in config:

```bash
grep '# Incremental modes' -A 100 /etc/john/john.conf
```

Default built-in modes: `ASCII` (95 characters, maximum length 13), `UTF8`, `Latin1`. You can define custom `.chr` files for targeted character sets.

> Use incremental only when single + wordlist have failed and the password is known to be short.

***

#### Identifying Hash Formats

Use `hashid -j` to get both the format name and the JtR format string:

```bash
hashid -j 193069ceb0461e1d40d216e32c79c704
```

When `hashid` returns multiple candidates, use context (where did the hash come from?) to pick the right format. Then pass it explicitly:

```bash
john --format=<format> <hash_file>

# Examples
john --format=raw-md5 hashes.txt
john --format=nt hashes.txt
john --format=sha512crypt shadow.txt
```

**Key formats to know for CPTS:**

| Format flag               | Hash type                           |
| ------------------------- | ----------------------------------- |
| `raw-md5`                 | MD5                                 |
| `raw-sha1` / `raw-sha256` | SHA family                          |
| `nt`                      | Windows NTLM                        |
| `mscash2`                 | Domain Cached Credentials v2 (DCC2) |
| `netntlmv2`               | NTLMv2 challenge/response           |
| `sha512crypt`             | Linux shadow (`$6$`)                |
| `bcrypt`                  | bcrypt (`$2b$`)                     |
| `keepass`                 | KeePass DB                          |
| `zip` / `rar`             | Encrypted archives                  |
| `ssh`                     | SSH private key passphrase          |

Reference: [PentestMonkey hash examples](https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)

***

#### Cracking Files with \*2john

Convert protected files into JtR-compatible hashes, then crack normally.

```bash
# General pattern
<tool> <file> > file.hash
john --wordlist=/usr/share/wordlists/rockyou.txt file.hash

# Common examples
ssh2john id_rsa > ssh.hash
zip2john archive.zip > zip.hash
rar2john archive.rar > rar.hash
keepass2john database.kdbx > keepass.hash
office2john document.docx > office.hash
pdf2john document.pdf > pdf.hash
```

Find all available 2john tools on your system:

```bash
locate '*2john*'   # quote the pattern so the shell does not expand the glob before locate sees it
```

***

#### Useful JtR Flags

```bash
# Show already-cracked passwords from a session
john --show <hash_file>

# Resume an interrupted session
john --restore

# Specify format explicitly
john --format=<format> <hash_file>

# Combine wordlist + rules
john --wordlist=rockyou.txt --rules=best64 <hash_file>
```

***

#### In Plain Terms

**What it is:** A password cracker. You give it a hash, it tries to figure out the original password.

**Single crack mode** is the "lazy" mode — instead of a wordlist, it uses info already in the passwd file. It looks at the username (`r0lf`), real name (`Rolf Sebastian`), home dir (`/home/r0lf`) and mutates them. So it tries things like `r0lf1`, `Rolf1`, `Sebastian!`, `SEBASTIANR0LF`, etc. Works surprisingly often because people use their own name as a password.

**Wordlist mode** is your main weapon. You hand it `rockyou.txt` (14 million real passwords) and it just tries every single one against the hash. Add `--rules` and JtR also tries mutations of each word — so `password` becomes `Password`, `password1`, `P@ssword`, etc. automatically.

**Incremental mode** is statistical brute-force. Instead of random `aaa, aab, aac...` it uses Markov chains — basically trained on real password patterns — so it tries more likely combos first. Still slow for long passwords, use it as a last resort.
