John the Ripper: Beginner’s Tutorial and Review - eSecurity Planet

___ facebook linkedin x NEWSLETTER BEST PRODUCTS RESOURCES NETWORKS CLOUD THREATS TRENDS ENDPOINT APPLICATIONS MORE PRODUCTS SHARE John the Ripper: Beginner’s Tutorial and Review Learn how to install and use John the Ripper with step-by-step examples and more tips. Beginner-friendly tutorial plus review. WRITTEN BY JULIEN MAURY REVIEWED BY: KEN UNDERHILL SEP 3, 2025 eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More This open-source package is free to download and features several modules for generating hashes from a range of file types, including Secure Shell (SSH) keys with ssh2john, .kbdx files with keepass2john, and password-protected zip archives with zip2john. You can then use these hashes as input to find the password with John the Ripper. Pen-testing distributions such as Kali Linux and Parrot OS usually include the complete package so that you won’t need additional installations. John the Ripper can demonstrate how easy it is to reveal weak passwords (and the seemingly more sophisticated ones) using a leaked database and a free tool. Of course, it’s only one tool in the pen-tester’s arsenal, but it’s convenient to use and automates many manual operations that would otherwise need to be run. Also read: Top Open Source Penetration Testing Tools Featured Partners Advertisement 1 ManageEngine ADSelfService Plus VISIT WEBSITE Good For Any Company Size Core Features Access Management, Compliance Management and 9 more Integrations Active Directory, ManageEngine ADManager Plus and 4 more 2 1Password VISIT WEBSITE Good For Any Company Size Core Features Password Generator, Password Vault and 1 more Integrations Microsoft Teams, Okta and 1 more 3 Keeper VISIT WEBSITE Good For Any Company Size Core Features Password Generator, Password Vault and 1 more Integrations Android Wear, Apple Touch ID and 5 more CONTENTS How to set up your test environment How does password cracking work? How do you crack passwords with John the Ripper? How do you secure passwords against the Ripper? Bottom line: John the Ripper review How to set up your test environment You’ll need a proper lab to test the command lines. A straightforward approach is to set up a virtual machine using VirtualBox or VMWare and employ the Kali Linux OS, as it comes pre-installed with John the Ripper. You can use the tool on other flavors of Linux as well and install with this command: sudo apt-get install john -y However, you may have to install additional modules manually to crack specific file types, such as zip archives. You’ll also need samples to attack, which are easy to find on platforms such as GitHub. However, Kali Linux on a virtual machine is the easiest way for you to get started with the tool. In terms of hardware, tutorials sometimes recommend large RAM (16GB) and a good graphics processing unit (GPU). But that would be for more advanced uses so that any recent computer will do the job correctly. For our example, we won’t need a powerful machine. How does password cracking work? Before we dive into a practical example, you have to understand the basics of password cracking. The most popular techniques associated with password cracking are brute-force and dictionary attacks. It often occurs after stealing critical data, such as databases containing credentials. In the worst-case scenario, the credentials are in plain text, but most of the time you only get a hash. Still, if the password is short and/or weak, John the Ripper can quickly crack such data. In general, the time required to crack passwords is directly linked to the strength of the password but, above all, its length. That’s why experts often say these kinds of attacks are about time and calculation power, but if you don’t secure your passwords, they will be found at the speed of light. Or at least a good GPU. How do you crack passwords with John the Ripper? The “john” command offers an extensive range of options and flags that allow you to run accurate sessions and match the specific format and encryption of your targeted password. The tool has built-in wordlists that automatically apply by default, but you can specify your own with –wordlist and the path to your custom wordlist. Using only the built-in features and the MD5 hash of a weak password (not even “123456”), I was able to retrieve the true password in seconds: echo “4f95578c0f588e028b8e2ea441fc683b” > hash.txt john hash.txt –format=Raw-MD5 # julien2022 (?) Cracking different file types Supported file formats often require “prep tools” before running John. Here’s a quick reference: Format Prep Tool Sample Command Run John ZIP archive zip2john zip2john secret.zip > hash.txt john –format=zip hash.txt KeePass database keepass2john keepass2john db.kdbx > hash.txt john hash.txt SSH private key ssh2john ssh2john id_rsa > hash.txt john hash.txt BitLocker drive bitlocker2john bitlocker2john dump.bin > hash.txt john hash.txt macOS DMG image dmg2john dmg2john file.dmg > hash.txt john hash.txt RAR archive rar2john rar2john file.rar > hash.txt john hash.txt GPG private key gpg2john gpg2john secret.gpg > hash.txt john hash.txt UNIX shadow example (realistic workflow) A more realistic workflow involves cracking Linux system accounts. You can combine /etc/passwd and /etc/shadow files with the unshadow tool. First, ensure that permissions are restrictive by using umask 077. Next, you combine passwd and shadow into one file, then run John the Ripper against that combined file. If you stop and want to resume, you then use john –restore to rerun it. umask 077 unshadow /etc/passwd /etc/shadow > mypasswd john mypasswd john –restore How do you secure passwords against the Ripper? The best recommendation for defending against tools like John the Ripper is to have a strong password policy, requiring MFA or by using passkeys. Again, the length is the key. It’s the most critical point you have to check. Unfortunately, poor security policies often lead users to predictable strategies and sometimes limit passwords to eight characters or less. However, whenever possible, use longer strings. There are security products and open-source modules that can scan your databases and enforce the use of strong passwords, as well as prompt users to update them regularly. To ease the user experience with all of those complicated passwords, use a password manager to autofill credentials or explore SSO options. Indeed, the best password is probably the one you can’t remember, as there are known techniques to build custom wordlists based on famous songs, artists, movies and other elements, including various combinations you might find clever. Bottom line: John the Ripper review In my experience, John the Ripper deserves its reputation, with far more pros than cons. Pros Easy to install and beginner-friendly (GUI version) Suitable for CPU-based cracking against smaller wordlists Supports a large range of encryption and formats Intelligence: uses sessions to remember previous results and can detect multiple hash types (Unix, Windows, Kerberos, etc.) and salts automatically Efficient when combined with open-source wordlists like seclists Can be completed with Johnny for those who prefer using a graphical user interface (GUI) instead of command lines Cons Depends too much on the results of previous cyber attacks (e.g., leaks, stolen hash) Slower than Hashcat for GPU-based attacks Not optimized for distributed cracking during larger penetration test engagements Why John still matters John the Ripper remains one of the reliable and flexible password-cracking tools available today. Its combination of multiple modes, broad file type support, and session handling features makes it valuable not only for penetration testers but also for IT professionals who want to audit password strength in real-world conditions. While it’s powerful, the real takeaway isn’t about breaking passwords — it’s about understanding how weak credentials can be exploited. By experimenting with John the Ripper in a controlled lab environment, security teams can better appreciate the importance of strong, unique, and regularly updated passwords. If you’re serious about penetration testing or security auditing, John the Ripper is an essential tool to learn — but always remember to use it ethically and responsibly. If you’d like to explore the entire lifecycle, check out our article, Penetration Testing Phases: Steps, Tools & Methodology. It walks you step-by-step through a full pentesting framework, equipping you with the methodology needed to conduct thorough and effective security assessments. JULIEN MAURY eSecurity Planet contributor Julien Maury writes about penetration testing, code security, open source security and more. He is a backend developer, a mentor and a technical writer who enjoys sharing his knowledge and learning new concepts. RECOMMENDED FOR YOU... PRODUCTS Top 7 Threat Intelligence Platforms & Software Threat intelligence platforms help analyze and share cyber threat data. Discover top TIPs , their features, use cases, and comparisons. KEN UNDERHILL JAN 29, 2026 PRODUCTS Top 7 Exposure Management Platforms Exposure management platforms help teams prioritize and reduce security risk. Compare top platforms, features, and use cases. KEN UNDERHILL JAN 22, 2026 PRODUCTS 6 Best SIEM Tools & Software Find the best security information and event management (SIEM) tool for your organization. Compare the top solutions now. KEN UNDERHILL NOV 25, 2025 PRODUCTS From Reactive to Ready: A Practical Security Maturity Playbook for Lean Teams Learn how Graylog helps lean security teams cut noise, boost visibility, and achieve readiness with smarter workflows and automation. KEN UNDERHILL NOV 20, 2025 eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics. facebook linkedin x COMPANY About us Contact us Advertise with us CATEGORIES Best Products Resources Networks Cloud Threats Trends Endpoint Applications Compliance Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace. TERMS OF SERVICE PRIVACY POLICY CALIFORNIA - DO NOT SELL MY INFORMATION We use cookies and other data collection technologies to provide the best experience for our customers. You may request that your data not be shared with third parties here: Do Not Sell My Data.