hack3rs.ca network-security

/learning/tools/john-the-ripper :: tool-guide-12

defender@hack3rs:~/learning/tools$ open john-the-ripper

John the Ripper

Password auditing & hash analysis

John the Ripper is a password auditing tool defenders use in authorized environments to test hash resilience, learn how different hash formats behave, and produce evidence-based credential security recommendations.

how-to-learn-this-tool-like-a-defender

Work through the stages in order. Each one builds on the previous. Skipping straight to 'run a command' without knowing what the output means is how analysts end up misreading evidence under pressure.

$Name the specific question this tool answers — and one question it cannot answer alone.
$Run the simplest command in a lab against a host you control; read every field in the output before moving on.
$Identify which output fields are direct evidence and which are inferences the tool made on your behalf.
$Pull a second source — a log, a PCAP, a SIEM event — that either confirms or contradicts what the tool reported.
$Write down the exact command you ran, what you expected, what you got, and what you are doing next.

preflight-checklist-before-using-tool

$Confirm in writing: who authorized this, what hosts are in scope, and what the maximum acceptable impact is.
$State the question you are trying to answer — not 'run the tool' but 'confirm whether port 443 is open on 10.10.20.15'.
$Name the second source you will use if the tool output is ambiguous (log, PCAP, CMDB, another tool).
$Record the start time, the host or interface you ran it on, and the exact command — enough for another analyst to reproduce it.
$Know what normal output looks like for this host before you run anything in anger.

how-experts-read-output

$Field recognition: identify the two or three fields that directly answer your question and ignore the rest for now.
$Scope check: confirm the output covers the host, interface, and time window you intended — not a cached or adjacent result.
$Evidence type: is this a direct observation (packet captured, port open) or an inference the tool made (service guessed from banner)?
$Correlation: name the one other source — a log line, a PCAP stream, a CMDB entry — that would confirm or contradict this.
$Decision: close the question, escalate with evidence, refine the scope, or collect another source — pick one and do it.

official-links

open docs Official John the Ripper documentation release notes Official project page and releases Openwall project Openwall project resources

ethical-use-and-defense-scope

Use John the Ripper only for authorized password auditing, incident response validation, or account recovery workflows with explicit written scope. Hash files and recovered passwords are sensitive security data requiring strict access, storage, and retention controls.

Test only hashes from systems and accounts within the documented scope. Password auditing requires written approval, clear objectives, and a commitment to specific remediation actions.

The defensive outcome should be stronger controls — better password policies, MFA coverage, privileged account review, credential hygiene improvements — not just a list of recovered passwords.

tool-history-origin-and-purpose

$When created: Created in the mid-1990s (originally by Solar Designer; early releases commonly cited in 1996).
$Why it was created: Administrators and defenders needed a way to test password strength against real hashes and detect weak credentials before adversaries could exploit them.

John the Ripper was created as a password security auditing and recovery tool to help identify weak password hashes and improve system password security.

why-defenders-still-use-it

Defenders use John the Ripper for authorized password audits, training, and validation of password policies and hash handling practices. It remains useful for teaching password cracking concepts, hash formats, and defensive remediation planning.

How the tool evolved

+Expanded with jumbo/community variants, more hash format support, and broader platform use.
+Became a staple in password auditing and DFIR training workflows.
+Still valuable as a teaching tool for credential security fundamentals and policy validation.

when-this-tool-is-a-good-fit

+Authorized internal password audits for policy validation and credential hygiene review.
+Incident response validation after a hash database exposure or credential compromise.
+Training on hash formats, salt behavior, and what password storage parameters actually cost an attacker.
+Prioritized remediation planning for weak passwords on privileged and high-value accounts.

when-to-use-another-tool-or-source

!When you need host process/user context, pair with endpoint or OS logs.
!When you need ownership and business impact, pair with CMDB/ticketing/asset context.
!When the tool output is ambiguous, validate using a second evidence source before concluding.
!When production risk is high, test in a lab first and use change coordination.

1. What John the Ripper Solves for Defenders

John the Ripper password cracker tests whether stored hashes and password policies hold up against realistic guessing techniques. A short authorized audit often reveals that the policy is technically enforced but permits patterns — dictionary words with digit suffixes — that fall quickly.

It is also one of the best tools for learning how password storage formats actually work. Hash format detection, salt handling, and how storage parameters (bcrypt cost factor, PBKDF2 iterations) change attack speed are all visible through John-based labs in a way that documentation cannot match.

Used with proper scope, John produces evidence that prioritizes remediation: these specific accounts on these specific systems have weak passwords that would fall to a realistic attack.

2. Defensive Workflow: From Hash Input to Remediation

Validate hash format and input integrity before running anything at scale. Mixed or misparsed hash sources waste time and produce conclusions that are wrong in ways that are hard to detect. Use John's format detection and run five known-password hashes at the right format to confirm before expanding.

Write down the test plan before you start: wordlist-only first, then rules, then incremental if budget allows. Record what was attempted, in what order, and for how long. Stakeholders need to understand what a "nothing recovered" result means given the scope of the test.

Translate every result into risk and action. Which accounts had weak passwords, which were privileged, which controls failed, and which remediation steps are committed to and owned.

3. Comparing John the Ripper and Hashcat in Teaching

Both tools audit password hashes, but they teach different workflows. John handles format detection and format extraction well and has a simpler onramp for new learners. Hashcat is faster with GPU acceleration and has more granular rule and mask controls. Learning both gives defenders a more complete picture of the attack surface.

Across both tools, emphasize the same principles: authorization, scope documentation, secure evidence handling, remediation focus, and honest interpretation of what a limited test budget does and does not prove.

Which tool is used matters less than the rigor of the audit process and whether the findings actually change the organization's credential security posture.

4. Expert Habits for Password Audit Work

Expert auditors document format assumptions, wordlist choices, rule sets, and test budget. They do not present a limited test window as proof that passwords are strong — they document what was tested and what was not.

They sort results by account criticality before reporting. A recovered password on a privileged admin account gets immediate remediation. A recovered password on a read-only reporting account gets scheduled remediation. The list is not the deliverable; the prioritized action plan is.

After each audit, they brief the team on what the results mean for password policy, MFA rollout, and hash storage configuration — so the improvement compounds across the organization, not just in the audited user population.

scenario-teaching-playbooks

Work through each scenario step by step. The goal is to practice making decisions with the tool — not just executing commands — so the workflow becomes automatic before you need it under pressure.

1. Authorized internal password audits for policy validation and credential hygiene review.

Suggested starting block: Format Detection And Baseline Audit

$Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
$Run the first command from the selected command block; note the timestamp and interface used.
$Read the output field by field — identify what the tool confirmed versus what it inferred.
$Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
$Write one sentence stating your finding, your confidence level, and the next action.

2. Incident response validation after a hash database exposure or credential compromise.

Suggested starting block: Rules And Session Handling

$Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
$Run the first command from the selected command block; note the timestamp and interface used.
$Read the output field by field — identify what the tool confirmed versus what it inferred.
$Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
$Write one sentence stating your finding, your confidence level, and the next action.

3. Training on hash formats, salt behavior, and what password storage parameters actually cost an attacker.

Suggested starting block: Defensive Findings Tracking

$Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
$Run the first command from the selected command block; note the timestamp and interface used.
$Read the output field by field — identify what the tool confirmed versus what it inferred.
$Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
$Write one sentence stating your finding, your confidence level, and the next action.

4. Prioritized remediation planning for weak passwords on privileged and high-value accounts.

Suggested starting block: Format Detection And Baseline Audit

$Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
$Run the first command from the selected command block; note the timestamp and interface used.
$Read the output field by field — identify what the tool confirmed versus what it inferred.
$Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
$Write one sentence stating your finding, your confidence level, and the next action.

cli-workflows

Lab-safe commands for authorized environments. Run each one, read the output, and note what field or value tells you something useful before moving to the next.

cli-walkthroughs-with-expected-output

One command per block, with sample output. Study the output before you run the command yourself — you should recognize what you are looking at when it appears on your screen.

Format Detection And Baseline Audit

Beginner

Command

john --list=formats | head -n 30

Example Output

descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
tripcode, AndroidBackup, agilekeychain, aix-ssha1, aix-ssha256,
andOTP, ansible, argon2, Bitcoin, BitLocker, Blockchain,
sha1crypt, sha256crypt, sha512crypt, chap, CRC32, cloudkeychain,
...420 formats total

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Rules And Session Handling

Intermediate

Command

john --wordlist=wordlist.txt --rules hashes.txt --session=jtr-audit

Example Output

Using default input encoding: UTF-8
Loaded 3 password hashes with 2 different salts
Proceeding with wordlist mode, words: wordlist.txt
Proceeding with "Single crack" mode
1g 0:00:00:15 3.22% (ETA: 10:35:12) 0.06g/s 6672p/s

Defensive Findings Tracking

Advanced

Command

mkdir -p jtr-audit/{inputs,outputs,notes}

Example Output

# no output — directory created successfully

command-anatomy-and-expert-usage

Each card explains what the command is for, what can go wrong, and what the output means. Syntax is easy to look up; knowing which command to reach for — and what to ignore in the output — is the skill worth building.

Format Detection And Baseline Audit

Beginner

Command

john --list=formats | head -n 30

Command Anatomy

$Base command: john
$Primary arguments/options: --list=formats | head -n 30
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Quick evidence extraction from logs or command output.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes

descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
tripcode, AndroidBackup, agilekeychain, aix-ssha1, aix-ssha256,
andOTP, ansible, argon2, Bitcoin, BitLocker, Blockchain,
sha1crypt, sha256crypt, sha512crypt, chap, CRC32, cloudkeychain,
...420 formats total

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Format Detection And Baseline Audit

Beginner

Command

john --wordlist=wordlist.txt hashes.txt

Command Anatomy

$Base command: john
$Primary arguments/options: --wordlist=wordlist.txt hashes.txt
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes

Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts (md5crypt [MD5 512/512 AVX512BW 16x3])
Will run 4 OpenMP threads
password1        (user1)
1g 0:00:00:02 DONE 0.4464g/s 4552p/s Session completed.

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Format Detection And Baseline Audit

Beginner

Command

john --show hashes.txt

Command Anatomy

$Base command: john
$Primary arguments/options: --show hashes.txt
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes

user1:password1:1001:1001:::/bin/bash
user3:letmein:1003:1003:::/bin/bash

2 password hashes cracked, 1 left

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rules And Session Handling

Intermediate

Command

john --wordlist=wordlist.txt --rules hashes.txt --session=jtr-audit

Command Anatomy

$Base command: john
$Primary arguments/options: --wordlist=wordlist.txt --rules hashes.txt --session=jtr-audit
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes

Using default input encoding: UTF-8
Loaded 3 password hashes with 2 different salts
Proceeding with wordlist mode, words: wordlist.txt
Proceeding with "Single crack" mode
1g 0:00:00:15 3.22% (ETA: 10:35:12) 0.06g/s 6672p/s

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rules And Session Handling

Intermediate

Command

john --restore=jtr-audit

Command Anatomy

$Base command: john
$Primary arguments/options: --restore=jtr-audit
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes

Restoring interrupted session: jtr-audit
Loaded 3 password hashes (md5crypt [MD5 512/512 AVX512BW 16x3])
Remaining 2 (out of 3) hashes
Continuing...

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Rules And Session Handling

Intermediate

Command

john --status=jtr-audit

Command Anatomy

$Base command: john
$Primary arguments/options: --status=jtr-audit
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes

Session: jtr-audit
Status: Running
Guesses: 1  time 0:00:00:15  1.5% ETA: 10:35:12
Speed: 6503p/s current, 6503p/s average

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Defensive Findings Tracking

Advanced

Command

mkdir -p jtr-audit/{inputs,outputs,notes}

Command Anatomy

$Base command: mkdir
$Primary arguments/options: -p jtr-audit/{inputs,outputs,notes}
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Show sample output and interpretation notes

# no output — directory created successfully

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Defensive Findings Tracking

Advanced

Command

printf "account,result,criticality,action,owner\n" > jtr-audit/notes/findings.csv

Command Anatomy

$Base command: printf
$Primary arguments/options: "account,result,criticality,action,owner\n" > jtr-audit/notes/findings.csv
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Show sample output and interpretation notes

account  result  criticality  action  owner

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Defensive Findings Tracking

Advanced

Command

column -s, -t jtr-audit/notes/findings.csv

Command Anatomy

$Base command: column
$Primary arguments/options: -s, -t jtr-audit/notes/findings.csv
$Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.

Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Show sample output and interpretation notes

account  result  criticality  action  owner

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Format Detection And Baseline Audit

john --list=formats | head -n 30
john --wordlist=wordlist.txt hashes.txt
john --show hashes.txt

Rules And Session Handling

john --wordlist=wordlist.txt --rules hashes.txt --session=jtr-audit
john --restore=jtr-audit
john --status=jtr-audit

Defensive Findings Tracking

mkdir -p jtr-audit/{inputs,outputs,notes}
printf "account,result,criticality,action,owner\n" > jtr-audit/notes/findings.csv
column -s, -t jtr-audit/notes/findings.csv

defensive-use-cases

$Authorized internal password audits for policy validation and credential hygiene review.
$Incident response validation after a hash database exposure or credential compromise.
$Training on hash formats, salt behavior, and what password storage parameters actually cost an attacker.
$Prioritized remediation planning for weak passwords on privileged and high-value accounts.

common-mistakes

$Skipping format validation and drawing conclusions from misparsed or mixed hash input.
$Reporting recovered passwords in a flat list without prioritizing by account criticality.
$Storing hash files and recovered credentials without access controls or secure handling.
$Presenting a limited wordlist-only test result as evidence that the passwords are strong.

expert-habits-for-free-self-study

Free teaching resource. The loop that makes analysts better: ask a precise question, collect evidence, read it carefully, validate against a second source, document what you found, and repeat with a harder question.

$Pick the least disruptive command that can still answer the question — then run that one first.
$Before you look at output, write one sentence stating what you expect to see.
$Mark each output field as 'observed' or 'inferred by tool' before acting on it.
$Save the exact command with flags and target — not a paraphrase — so another analyst can run the same thing.
$During a quiet period, capture what normal output looks like from key hosts; store those samples where you can find them during an incident.
$When you escalate, include the command output, the timestamp, and one sentence on why it matters — not just 'looks suspicious'.

knowledge-check

?What question is this tool best suited to answer first?
?What permissions or scope approvals are needed before using it?
?Which second evidence source should you pair with it for higher confidence?
?What does normal output look like for your environment?

teaching-answer-guide

Show teaching hints

#Start from the tool’s role and the scenario you are investigating.
#Never rely on one tool alone for high-confidence incident decisions.
#Document normal output patterns during calm periods so anomalies are easier to spot.
#Prefer lab validation for new commands, rules, or scans before production use.

practice-plan

# Create test hashes with known passwords, run John's format detection, and confirm you selected the right mode before scaling.
# Run a wordlist-only test, then add rules, and compare what each pass recovered — and what it did not.
# Build a remediation tracker sorted by account criticality and map each recovered credential to a specific action.
# Run the same hash set through Hashcat and compare the workflows, noting where each tool has an advantage.

<- previous tool Aircrack-ng -> next tool Ncat