John the Ripper


John the Ripper, often simply called John or JtR, is one of the most popular and enduring open-source password security auditing and password recovery tools in the cybersecurity industry. Unlike "online" crackers that guess passwords against a live login prompt, John the Ripper is an offline password cracker.

It is designed to identify weak passwords by testing candidate passwords against stored password hashes. Security teams use it to find accounts that violate password-complexity policy, while penetration testers use it to recover plaintext passwords from hash dumps obtained during an engagement and then use those passwords to move laterally or elevate privileges within a network.

How Offline Password Cracking Works

To understand John the Ripper, it is essential to understand how systems store passwords. Secure systems do not save passwords in plain text; they save them as a "hash"—a one-way mathematical fingerprint of the password.

John the Ripper does not reverse the hash. It guesses, through a process of trial and verification:

  • Input: The tool is fed a file containing password hashes (e.g., a Unix shadow file or a Windows SAM database).

  • Guessing: It generates a candidate password (e.g., "password123").

  • Hashing: It applies the same mathematical algorithm to the candidate password to create a test hash.

  • Comparison: It compares the test hash to the stored hash. If they match, the tool has "cracked" the password: the candidate is what the user typed, and the only cost was computing hashes, none of which touched the target system.
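
The four steps above as an added, runnable example (not John's code). The hash-file format `user:$sha256$<salt-hex>$<digest-hex>` and the three accounts are constructed for this illustration so that the whole loop runs with the standard library; it is not one of John's real formats, which parse crypt(3) schemes such as `$6$` (sha512crypt) or `$2b$` (bcrypt). It also shows why each account's salt matters: a candidate has to be hashed once per uncracked user rather than once overall.

```python
import hashlib
import hmac

# Constructed per-user salts (in a real shadow file the salt is part of the hash string).
SALTS = {
    "alice": bytes.fromhex("0011223344556677"),
    "bob":   bytes.fromhex("8899aabbccddeeff"),
    "carol": bytes.fromhex("0f1e2d3c4b5a6978"),
}


def hash_password(password: str, salt: bytes) -> str:
    """Step 3: apply the same algorithm the system used (salted SHA-256 here)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(user: str, password: str) -> str:
    """Build one constructed hash-file line: user:$sha256$<salt-hex>$<digest-hex>."""
    salt = SALTS[user]
    return f"{user}:$sha256${salt.hex()}${hash_password(password, salt)}"


# Step 1 input: three accounts. alice and bob share a password, carol's is strong.
SAMPLE_HASH_FILE = [
    make_entry("alice", "password123"),
    make_entry("bob", "password123"),
    make_entry("carol", "Xk9#vL2q!wE"),
]

# Step 2 guesses: a tiny constructed wordlist.
CANDIDATES = ["123456", "password", "password123", "letmein"]


def parse_entry(line: str):
    """Split a hash-file line into (user, salt bytes, hex digest)."""
    user, spec = line.strip().split(":", 1)
    _, algo, salt_hex, digest = spec.split("$")
    if algo != "sha256":
        raise ValueError(f"unsupported hash type for {user}: {algo}")
    return user, bytes.fromhex(salt_hex), digest


def crack(hash_lines, candidates):
    """Guess, hash, compare for every user until all are cracked or candidates run out.

    Returns ({user: plaintext}, number_of_hashes_computed). Because every user has
    a distinct salt, each candidate is hashed once per uncracked user: the salt
    does not stop guessing, it removes the shortcut of hashing once and comparing
    the result against everyone.
    """
    targets = [parse_entry(line) for line in hash_lines if line.strip()]
    cracked = {}
    computed = 0
    for cand in candidates:
        for user, salt, digest in targets:
            if user in cracked:
                continue
            computed += 1
            # Step 4: compare the test hash with the stored one.
            if hmac.compare_digest(hash_password(cand, salt), digest):
                cracked[user] = cand
        if len(cracked) == len(targets):
            break
    return cracked, computed


if __name__ == "__main__":
    found, n = crack(SAMPLE_HASH_FILE, CANDIDATES)
    for user, pw in found.items():
        print(f"{user}: {pw}")
    print(f"{len(found)}/{len(SAMPLE_HASH_FILE)} cracked after {n} hash computations")
```

With these inputs alice and bob are both recovered from the same candidate, carol survives the wordlist, and the counter shows the salt's effect: 4 candidates against 3 salts cost 10 hash computations, not 4.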

Core Cracking Modes

John the Ripper is renowned for its flexibility and intelligent cracking modes, which allow it to crack passwords faster than simple brute-force tools.

  • Wordlist Mode (Dictionary Attack): This is the simplest method. John reads words from a text file (a dictionary) and checks whether any match the hash. It also applies "mangling" rules, such as adding numbers to the end of words or capitalizing letters (transforming "admin" into "Admin1").

  • Single Crack Mode: This is the default first step in an audit. It derives guesses from information associated with the account, such as the login name, the full name in the GECOS field and the home-directory name, and runs them through mangling rules. For example, if the user is "John Doe," it will try "John1," "Doe123," or "JohnDoe." Because the guesses are tied to one account, this mode is very fast and often recovers a few trivial passwords before any wordlist is loaded.

  • Incremental Mode (Brute Force): When dictionary attacks fail, this mode tries every character combination within a configured length and character set. It is the most thorough but also the most time-consuming, and against long passwords it will not finish in any useful time. John orders the search using character-frequency (trigram) statistics learned from real passwords, so likely strings are tried long before improbable ones.

  • External Mode: This allows advanced users to write their own candidate generators or filters in a subset of C, defined in john.conf, which John compiles into an internal form at startup and runs during the attack.
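
To make the modes concrete, the following added example (not John's code) generates the candidates each of the first three modes would produce for a small input. The mangling rules are written as Python callables; John expresses the same transformations in its own rule language, noted in the comments. The incremental generator uses plain charset order, whereas John orders by trigram statistics, so treat it as the worst case. The login, GECOS string and words are constructed.

```python
import itertools

# Wordlist-mode mangling rules, as Python callables. The john.conf equivalents are
# given in the comments; these functions are an illustration, not John's rule engine.
MANGLE_RULES = [
    lambda w: w,                     # ':'      try the word unchanged
    lambda w: w.capitalize(),        # 'c'      capitalize
    lambda w: w + "1",               # '$1'     append "1"
    lambda w: w.capitalize() + "1",  # 'c$1'    capitalize and append "1"
    lambda w: w + "123",             # '$1$2$3' append "123"
    lambda w: w + "!",               # '$!'     append "!"
]


def wordlist_candidates(words):
    """Wordlist mode: every dictionary word through every mangling rule, deduplicated."""
    seen = set()
    for word in words:
        for rule in MANGLE_RULES:
            cand = rule(word)
            if cand not in seen:
                seen.add(cand)
                yield cand


def single_crack_candidates(login, gecos):
    """Single mode: guesses derived from the account's own login and GECOS full name.
    Seeds are the login, each name part and the parts joined, each lightly mangled."""
    parts = gecos.replace(",", " ").split()
    seeds = [login] + parts + (["".join(parts)] if len(parts) > 1 else [])
    seen = set()
    for s in seeds:
        for cand in (s, s.lower(), s.capitalize(), s + "1", s + "123", s.capitalize() + "1"):
            if cand not in seen:
                seen.add(cand)
                yield cand


def incremental_candidates(charset, max_len):
    """Incremental mode: exhaustive search over charset, shortest lengths first."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            yield "".join(tup)


def keyspace_size(charset_len, max_len):
    """Candidates incremental mode must try to exhaust every length from 1 to max_len."""
    return sum(charset_len ** n for n in range(1, max_len + 1))


def default_order(login, gecos, words, charset, max_len):
    """John's run order when no mode is given: single, then wordlist, then incremental,
    skipping anything an earlier mode already produced."""
    seen = set()
    for stream in (single_crack_candidates(login, gecos),
                   wordlist_candidates(words),
                   incremental_candidates(charset, max_len)):
        for cand in stream:
            if cand not in seen:
                seen.add(cand)
                yield cand


if __name__ == "__main__":
    print(list(wordlist_candidates(["admin"])))
    print(list(single_crack_candidates("jdoe", "John Doe")))
    print(f"95 printable characters, length <= 8: {keyspace_size(95, 8):,} candidates")
```

The keyspace figure is the reason incremental mode is the last resort: eight characters from the 95 printable ASCII characters is roughly 6.7 quadrillion candidates, and each one has to be hashed per salt.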

"Jumbo" vs. Standard Version

There are two primary versions of the tool:

  • Standard Version (core): This is the release maintained by the project's author. It is small and stable but supports only a handful of hash types: traditional DES-based Unix crypt, BSDI extended DES, MD5-crypt, bcrypt, Kerberos/AFS and Windows LM hashes.

  • Jumbo Version: This is the community-enhanced version that most cybersecurity professionals use. It supports hundreds of additional hash and cipher types, including PDF files, ZIP archives, cryptocurrency wallets, iTunes backups, and WPA-PSK (Wi-Fi) keys.

Frequently Asked Questions About John the Ripper

Is John the Ripper legal?

Yes, it is a legitimate security auditing tool. However, using it to crack password hashes retrieved from systems you do not have permission to test is illegal.

What is the difference between John the Ripper and Hydra?

  • John the Ripper is an offline cracker. It works on files (hashes) stored on your local machine. It does not generate network traffic during the attack.

  • Hydra is an online cracker. It attacks a live service (such as an SSH server) over the network by submitting guesses to the login interface, usually over several connections in parallel. Every guess is a login attempt the target can log, rate-limit or lock out, which is why it is far slower and noisier than offline cracking.

What is the difference between John the Ripper and Hashcat?

Both are offline crackers.

  • John the Ripper is primarily CPU-focused (the Jumbo build also has OpenCL support for many formats) and is valued for its broad format coverage and ease of use across operating systems. It attempts to detect the hash type automatically, but bare digests are ambiguous (a 32-character hex string may be raw MD5, NTLM or LM), so in practice the format is passed explicitly with --format.

  • Hashcat is primarily GPU-focused and is usually faster for raw speed on modern graphics cards, but John is often considered more versatile for complex or non-standard hash formats, and its *2john helper scripts (zip2john, pdf2john, ssh2john and others) convert many file types into crackable hashes.

What is a "salt" in the context of John the Ripper?

A "salt" is random data stored alongside the hash and combined with the password before hashing, so two users with the same password get different hashes and an attacker cannot precompute one table of hashes that serves every account. John the Ripper parses the salt out of each hash and tests every candidate against each user's own salt. The salt therefore does not stop cracking, but it multiplies the work: one hash computation per candidate per distinct salt, instead of one per candidate.

Integrating ThreatNG and John the Ripper for Password Security

Combining ThreatNG's External Attack Surface Management (EASM) with John the Ripper's offline password auditing creates a comprehensive security workflow. ThreatNG identifies the exposed assets and leaks that fuel John the Ripper’s audits, while John the Ripper validates the strength of credentials to prevent unauthorized access.

External Discovery: Gathering the Fuel for Audits

John the Ripper (JtR) is an offline tool, meaning it needs data—specifically password hashes or encrypted files—to operate. ThreatNG’s External Discovery provides the pathways to obtain this data.

  • Identifying Leaked Archives: ThreatNG’s discovery engine finds sensitive files inadvertently exposed on public web servers or cloud buckets (e.g., backup.zip, shadow.bak, database.sql). These files often contain the hashed credentials that JtR is designed to crack.

  • Shadow IT Detection: ThreatNG maps "Shadow IT"—forgotten development servers or legacy systems—that are less likely to be secured. These assets are prime targets for finding older, fast or unsalted hashing algorithms (such as raw MD5, where a single CPU can test many millions of candidates per second) that JtR can crack in seconds when the password is weak.

External Assessment: Prioritizing the Audit

ThreatNG’s External Assessment modules help security teams prioritize where to focus their password auditing efforts.

Sensitive Code Exposure

  • ThreatNG Assessment: This module scans public repositories (GitHub, GitLab) for leaked configuration files.

  • John the Ripper Application: If ThreatNG finds an .htpasswd file (which stores password hashes directly) or a configuration file such as web.config that embeds hashed credentials committed to a public repo, the security team can extract the hashes from that file and use JtR to audit them. If JtR cracks a hash quickly (e.g., finding the password is "admin123"), it confirms a Critical Severity risk: "Weak Credentials Exposed Publicly." If the file holds plaintext credentials rather than hashes, there is nothing to crack and the finding is already critical.

Mobile App Exposure

  • ThreatNG Assessment: ThreatNG analyzes mobile applications for hardcoded secrets.

  • John the Ripper Application: Often, developers hardcode cryptographic keys or "salted" hashes inside mobile apps to authenticate users locally. JtR can be used to audit these hardcoded hashes. If JtR recovers the password behind the hash, it proves that the mobile app's local authentication mechanism is insecure and easily bypassed.

Investigation Modules: Context for Intelligent Cracking

ThreatNG's investigation modules provide the context that makes JtR's wordlist and single-crack modes far more effective than a generic dictionary.

Username and Social Intelligence

  • ThreatNG Context: This module gathers intelligence on employees, including usernames, full names, and social media activity (e.g., LinkedIn profiles).

  • John the Ripper Application: This data is used to build Targeted Wordlists. Instead of a generic dictionary, JtR's wordlist mode is fed a custom list containing the company name, specific project names found by ThreatNG, and employee names, with mangling rules enabled (--rules) so that years and symbols are appended. This allows JtR to guess passwords like Company2024! or ProjectX_Admin, which generic lists would miss. Employee logins and full names also feed Single Crack Mode, which derives guesses from each account's own login and GECOS fields.

Technology Stack Investigation

  • ThreatNG Context: ThreatNG identifies the specific software versions running on the perimeter (e.g., "Drupal 7" or "Old WordPress").

  • John the Ripper Application: Knowing the technology helps analysts choose the correct Hash Format in JtR. If ThreatNG identifies a legacy Drupal site, the analyst knows that its hashes begin with $S$ and loads them with --format=drupal7, rather than letting JtR guess among look-alike formats or trying several in turn. Getting the format right up front also avoids silently skipping hashes that auto-detection does not recognise, and it saves the hours of processing that mismatched-format guessing can cost.
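
An added example of the format-selection step (not John's own loader): it classifies a stored hash by its prefix and shape into the John Jumbo --format name that loads it, reports the ambiguous cases where several formats share a shape, and uses a technology hint from reconnaissance to resolve them. The format names are real Jumbo names; the hint table, the sample Drupal 7 hash and the `john_command` helper are constructed for the illustration, and the mapping of $apr1$ onto md5crypt is an assumption to confirm with `john --list=formats` before relying on it.

```python
import re
from typing import List, Optional

# Tagged hash schemes whose prefix identifies them unambiguously.
TAGGED = [
    (re.compile(r"^\$S\$[./0-9A-Za-z]{52}$"), "drupal7"),     # Drupal 7: $S$ + cost + 8-char salt + 43-char hash
    (re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$"), "phpass"),   # WordPress / phpBB portable hashes
    (re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$"), "bcrypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$(?:1|apr1)\$"), "md5crypt"),             # $apr1$ (.htpasswd) under md5crypt: assumption, verify
]

# A bare hex digest carries no type tag; these are common John formats of each length.
BARE_HEX = {
    32: ["raw-md5", "nt", "raw-md4", "lm"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}

# Constructed mapping from a reconnaissance hint to the format it implies (illustrative).
TECH_HINT = {
    "windows": "nt",
    "active directory": "nt",
    "drupal 7": "drupal7",
    "wordpress": "phpass",
    "legacy php app": "raw-md5",
}

# Constructed sample with the Drupal 7 shape (55 characters); not a real hash.
SAMPLE_DRUPAL7 = "$S$D" + "abcdefgh" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq"


def identify(hash_str: str) -> List[str]:
    """Return every John format name whose shape matches the hash (empty if unknown)."""
    h = hash_str.strip()
    for pattern, name in TAGGED:
        if pattern.match(h):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in BARE_HEX:
        return list(BARE_HEX[len(h)])
    return []


def choose_format(hash_str: str, tech_hint: Optional[str] = None) -> str:
    """Pick one format, using the technology hint only when the shape is ambiguous."""
    options = identify(hash_str)
    if len(options) == 1:
        return options[0]
    hinted = TECH_HINT.get(tech_hint.lower()) if tech_hint else None
    if hinted in options:
        return hinted
    raise ValueError(
        f"ambiguous or unknown hash {hash_str[:12]}...: candidates {options}; pass --format explicitly"
    )


def john_command(hash_file: str, sample_hash: str, wordlist: str = "rockyou.txt",
                 tech_hint: Optional[str] = None) -> str:
    """Assemble the john invocation with the format fixed up front (constructed helper)."""
    fmt = choose_format(sample_hash, tech_hint)
    return f"john --format={fmt} --wordlist={wordlist} --rules {hash_file}"


if __name__ == "__main__":
    print(john_command("drupal_hashes.txt", SAMPLE_DRUPAL7))
    md5_of_password = "5f4dcc3b5aa765d61d8327deb882cf99"   # MD5("password")
    print(identify(md5_of_password))
    print(john_command("ntds_hashes.txt", md5_of_password, tech_hint="Windows"))
```

The ambiguous branch is the important one: a 32-character hex string loads equally well as raw-md5, nt, raw-md4 or lm, and choosing wrong means every candidate is hashed with the wrong algorithm and nothing cracks. That is exactly where the "Windows" or "legacy PHP" hint from external assessment earns its keep.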

Intelligence Repositories (DarCache)

ThreatNG’s DarCache repositories provide the most direct fuel for password auditing: actual leaked data.

  • Compromised Credentials: ThreatNG’s Dark Web monitoring detects credentials leaked in third-party breaches.

  • JtR Workflow: Security teams can use the passwords found in these leaks as the wordlist for JtR's wordlist mode with rules enabled (--rules). JtR then takes a leaked password like Tr0ub4dor and applies rules to see if the user merely updated it to Tr0ub4dor& or Tr0ub4dor1 on the corporate network. This catches users who are "recycling" compromised passwords with only slight modifications, variants that a generic dictionary would never contain.
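
The workflow above catches recycled passwords at cracking time by feeding the leak to John as a wordlist. The added example below (not John's code, and not part of ThreatNG) does the complementary check afterwards: it reads the `john --show` output of an audit, matches each account to its entries in a breach feed, and scores how far the corporate password is from the leaked one by edit distance, so "reused" and "recycled" accounts can be reported separately from accounts whose cracked password merely happens to be weak. Both inputs are constructed; the layout of the `john --show` lines follows John's user:password output and its trailing "N password hashes cracked, M left" summary, and matching the e-mail local part to the corporate login is an assumption that a real feed would replace with a directory lookup.

```python
import re

# Constructed `john --show` output: user:password lines plus John's summary line.
# (For passwd-format input John appends the remaining passwd columns after the password.)
JOHN_SHOW_OUTPUT = """\
jdoe:Tr0ub4dor&
asmith:Summer2024!
bwong:Xk9#vL2q!wE
mlee:hunter2
4 password hashes cracked, 1 left
"""

# Constructed breach feed of email:password pairs. Not real data.
LEAKED_CREDENTIALS = """\
jdoe@example.com:Tr0ub4dor
asmith@example.com:Summer2023!
bwong@example.com:letmein
mlee@example.com:hunter2
"""

SUMMARY_LINE = re.compile(r"^\d+ password hash(?:es)? cracked, \d+ left$")


def parse_john_show(text):
    """Map user -> cracked password, skipping blank lines and John's summary line."""
    cracked = {}
    for line in text.splitlines():
        if not line.strip() or SUMMARY_LINE.match(line):
            continue
        fields = line.split(":")
        cracked[fields[0]] = fields[1]
    return cracked


def parse_leak(text):
    """Map e-mail local part -> set of leaked passwords (local part == login is assumed)."""
    leaked = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        email, password = line.split(":", 1)
        leaked.setdefault(email.split("@", 1)[0].lower(), set()).add(password)
    return leaked


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(cracked_pw, leaked_pws, max_edits=2):
    """Return (verdict, closest leaked password, distance) for one account."""
    if not leaked_pws:
        return ("no-leak", None, None)
    distance, closest = min((edit_distance(cracked_pw, lp), lp) for lp in leaked_pws)
    if distance == 0:
        return ("reused", closest, 0)
    if distance <= max_edits:
        return ("recycled", closest, distance)
    return ("distinct", closest, distance)


def audit(john_show_text, leak_text, max_edits=2):
    """Classify every cracked account against the leak feed."""
    cracked = parse_john_show(john_show_text)
    leaked = parse_leak(leak_text)
    return {user: classify(pw, leaked.get(user.lower(), set()), max_edits)
            for user, pw in cracked.items()}


if __name__ == "__main__":
    for user, (verdict, closest, distance) in audit(JOHN_SHOW_OUTPUT, LEAKED_CREDENTIALS).items():
        print(f"{user:8} {verdict:9} closest leak={closest!r} edits={distance}")
```

The threshold of two edits is a judgement call: it catches an appended symbol or a bumped year, which is what this check is for, while a larger value would start flagging coincidences. Accounts that are "distinct" still have a cracked password and still need a reset; the classification only decides which ones also need the reuse conversation.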

Reporting and Continuous Monitoring

  • Unified Reporting: ThreatNG provides the high-level risk score ("F" in Account Security), while the report appendix includes the JtR audit results ("35% of harvested hashes were cracked within 1 hour"). This combination demonstrates both the risk's existence and the threat's immediacy.

  • Continuous Monitoring: ThreatNG monitors for new leaks 24/7. When a new employee credential dump appears on the dark web, ThreatNG alerts the team. This triggers an immediate JtR audit of those specific accounts to confirm that their current passwords are neither the leaked value nor a predictable variation of it.

Complementary Solutions

SOAR (Security Orchestration, Automation, and Response)

  • Workflow: ThreatNG detects a sensitive file leak -> SOAR retrieves the file -> Passes hashes to JtR -> JtR attempts to crack them -> SOAR forces a password reset for the accounts that were cracked.

  • Benefit: This shortens the remediation of weak passwords found in leaked documents from days to minutes. In practice the reset step is usually gated on analyst approval, because a reset triggered automatically by untrusted external data can be abused to lock users out.

Active Directory (AD) Auditing

  • Workflow: ThreatNG identifies external users (contractors, partners). JtR audits the internal AD hashes, typically the NTLM hashes extracted from NTDS.dit and loaded with --format=nt.

  • Benefit: ThreatNG ensures that the external view of these users is secure (no leaks), while JtR ensures their internal access (AD password) complies with complexity policies.

Frequently Asked Questions

Does ThreatNG crack passwords? No. ThreatNG finds the exposures (files, leaks, weak configurations). John the Ripper is the tool used to test the strength of the passwords found within those exposures.

How does this help with Compliance? Frameworks like PCI DSS and NIST require strong password policies. ThreatNG identifies where policy violations might be publicly visible (e.g., leaked hashes), and JtR verifies whether those hashes correspond to weak passwords, providing evidence for compliance audits.

Can JtR be used on the cloud? Yes. If ThreatNG discovers a misconfigured cloud bucket containing password backups, those files can be downloaded and audited locally or on a dedicated cracking rig using JtR.
