John the Ripper: Beginner’s Tutorial and Review

John the Ripper is a popular password-cracking tool that can be used to perform brute-force attacks using various encryption technologies and word lists. It’s often what pen-testers and ethical hackers use to find the true passwords behind hashes.

This open-source package is free to download and features several modules for generating hashes from a range of file types, including Secure Shell (SSH) keys with ssh2john, .kbdx files with keepass2john, and password-protected zip archives with zip2john. You can then use these hashes as input to find the password with John the Ripper.

Pen-testing distributions such as Kali Linux and Parrot OS usually include the complete package so that you won’t need additional installations.

John the Ripper can demonstrate how easy it is to reveal weak passwords (and the seemingly more sophisticated ones) using a leaked database and a free tool.

Of course, it’s only one tool in the pen-tester’s arsenal, but it’s convenient to use and automates many manual operations that would otherwise need to be run.

Also read: Top Open Source Penetration Testing Tools

How to set up your test environment

You’ll need a proper lab to test the command lines. A straightforward approach is to set up a virtual machine using VirtualBox or VMWare and employ the Kali Linux OS, as it comes pre-installed with John the Ripper.

You can use the tool on other flavors of Linux as well and install with this command:

sudo apt-get install john -y

However, you may have to install additional modules manually to crack specific file types, such as zip archives. You’ll also need samples to attack, which are easy to find on platforms such as GitHub. However, Kali Linux on a virtual machine is the easiest way for you to get started with the tool.

In terms of hardware, tutorials sometimes recommend large RAM (16GB) and a good graphics processing unit (GPU). But that would be for more advanced uses so that any recent computer will do the job correctly. For our example, we won’t need a powerful machine.

How does password cracking work?

Before we dive into a practical example, you have to understand the basics of password cracking. The most popular techniques associated with password cracking are brute-force and dictionary attacks. It often occurs after stealing critical data, such as databases containing credentials. In the worst-case scenario, the credentials are in plain text, but most of the time you only get a hash.

Still, if the password is short and/or weak, John the Ripper can quickly crack such data. In general, the time required to crack passwords is directly linked to the strength of the password but, above all, its length.

That’s why experts often say these kinds of attacks are about time and calculation power, but if you don’t secure your passwords, they will be found at the speed of light. Or at least a good GPU.

How do you crack passwords with John the Ripper?

The “john” command offers an extensive range of options and flags that allow you to run accurate sessions and match the specific format and encryption of your targeted password.

The tool has built-in wordlists that automatically apply by default, but you can specify your own with –wordlist and the path to your custom wordlist.

Using only the built-in features and the MD5 hash of a weak password (not even “123456”), I was able to retrieve the true password in seconds:

echo “4f95578c0f588e028b8e2ea441fc683b” > hash.txt

john hash.txt –format=Raw-MD5

# julien2022 (?)

Cracking different file types

Supported file formats often require “prep tools” before running John. Here’s a quick reference:

UNIX shadow example (realistic workflow)

A more realistic workflow involves cracking Linux system accounts. You can combine /etc/passwd and /etc/shadow files with the unshadow tool. First, ensure that permissions are restrictive by using umask 077. Next, you combine passwd and shadow into one file, then run John the Ripper against that combined file. If you stop and want to resume, you then use john –restore to rerun it.

umask 077

unshadow /etc/passwd /etc/shadow > mypasswd

john mypasswd

john –restore

How do you secure passwords against the Ripper?

The best recommendation for defending against tools like John the Ripper is to have a strong password policy, requiring MFA or by using passkeys.

Again, the length is the key. It’s the most critical point you have to check. Unfortunately, poor security policies often lead users to predictable strategies and sometimes limit passwords to eight characters or less. However, whenever possible, use longer strings.

There are security products and open-source modules that can scan your databases and enforce the use of strong passwords, as well as prompt users to update them regularly. To ease the user experience with all of those complicated passwords, use a password manager to autofill credentials or explore SSO options.

Indeed, the best password is probably the one you can’t remember, as there are known techniques to build custom wordlists based on famous songs, artists, movies and other elements, including various combinations you might find clever.

Bottom line: John the Ripper review

In my experience, John the Ripper deserves its reputation, with far more pros than cons.

Pros

• Easy to install and beginner-friendly (GUI version)
• Suitable for CPU-based cracking against smaller wordlists
• Supports a large range of encryption and formats
• Intelligence: uses sessions to remember previous results and can detect multiple hash types (Unix, Windows, Kerberos, etc.) and salts automatically
• Efficient when combined with open-source wordlists like seclists
• Can be completed with Johnny for those who prefer using a graphical user interface (GUI) instead of command lines

Cons

• Depends too much on the results of previous cyber attacks (e.g., leaks, stolen hash)
• Slower than Hashcat for GPU-based attacks
• Not optimized for distributed cracking during larger penetration test engagements

Why John still matters

John the Ripper remains one of the reliable and flexible password-cracking tools available today. Its combination of multiple modes, broad file type support, and session handling features makes it valuable not only for penetration testers but also for IT professionals who want to audit password strength in real-world conditions.

While it’s powerful, the real takeaway isn’t about breaking passwords — it’s about understanding how weak credentials can be exploited. By experimenting with John the Ripper in a controlled lab environment, security teams can better appreciate the importance of strong, unique, and regularly updated passwords.

If you’re serious about penetration testing or security auditing, John the Ripper is an essential tool to learn — but always remember to use it ethically and responsibly.

If you’d like to explore the entire lifecycle, check out our article, Penetration Testing Phases: Steps, Tools & Methodology. It walks you step-by-step through a full pentesting framework, equipping you with the methodology needed to conduct thorough and effective security assessments.