📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
🔵 Day 5 — John The Ripper Tutorial
Authorised use only. John the Ripper cracks hashes captured from systems you have authorised access to test. The commands in this tutorial use hashes from your own Metasploitable2 lab VM or practice hash files you create yourself. Cracking hashes obtained without authorisation is illegal.
On Day 4 you used Hydra to test whether a live service would accept a weak password. Today you go one step deeper. Once you have initial access to a system — through Hydra, through an exploit, through any authorised entry point — you will often find password hashes: in /etc/shadow, in a dumped database, in a Windows SAM file, inside a locked archive. These hashes are not passwords. But they can become passwords — and John the Ripper is the tool that makes that happen, offline, at CPU speed, with no trace on the target system.
Day 5 covers John the Ripper completely — hash identification, combining shadow files, every cracking mode, rule-based attacks, and the entire family of file converters (zip2john, rar2john, pdf2john, ssh2john). All practised on hashes you generate yourself in your lab. By the end you will understand why password hashing exists, why it can still be defeated, and how to crack practical targets in authorised assessments.
📋 What You’ll Master in Day 5
What Is John the Ripper?
Identifying Hash Types
/etc/shadow Cracking with unshadow
The 3 Cracking Modes Explained
Wordlist Mode — rockyou.txt
Rule-Based Cracking (--rules)
zip2john, rar2john, pdf2john
Sessions, Show & Restore
John vs Hashcat — When to Use Each
Command Reference Card
What Is John the Ripper?
John the Ripper (JtR) is a free, open-source offline password hash cracker — one of the oldest and most widely used security tools still in active development. It takes password hashes (the stored representations of passwords, not the passwords themselves) and attempts to find the original plaintext by hashing candidate passwords and comparing results until a match is found.
Three things make John particularly useful for penetration testers:
AUTO FORMAT DETECTION
John automatically identifies the hash format from the hash string structure — MD5, SHA-1, SHA-512, NTLM, bcrypt, and hundreds more. No need to specify the format manually in most cases.
BUILT-IN FILE CONVERTERS
The *2john family (zip2john, rar2john, pdf2john, ssh2john, keepass2john) converts protected files into a hash format that John can crack — no manual extraction needed.
MULTIPLE ATTACK MODES
Single crack (tries username variations), wordlist (dictionary attack), incremental (brute force all combinations), and rule-based (wordlist + mangling rules). Each serves a different cracking scenario.
💡 Use both together: Extract hashes and convert files with John’s *2john utilities. If John’s wordlist + rules mode doesn’t crack them, feed the same hash file into Hashcat for GPU-accelerated cracking. The tools complement each other. Full guide: Day 10: How Password Attacks Work.
📋 John the Ripper Command Reference Card
JOHN THE RIPPER REFERENCE — KALI LINUX COURSE DAY 5 — securityelites.com
CORE WORKFLOW
unshadow passwd.txt shadow.txt > c.txt
john --wordlist=rockyou.txt c.txt
john --show c.txt
MODES
john --single hashes.txt
john --wordlist=rockyou.txt --rules hashes.txt
john --incremental=Digits hashes.txt
FILE CONVERTERS
zip2john file.zip > hash.txt
rar2john file.rar > hash.txt
pdf2john file.pdf > hash.txt
ssh2john id_rsa > hash.txt
SESSION & SHOW
john --session=name hashes.txt
john --restore=name
john --show hashes.txt
cat ~/.john/john.pot
FORMAT FLAGS
--format=NT # NTLM
--format=sha512crypt # Linux SHA-512
--format=md5crypt # Linux MD5
--format=Raw-MD5 # plain MD5
IDENTIFY HASHES
hash-identifier
john --list=formats
john --list=formats | grep sha
John the Ripper Command Reference Card — Day 5 Kali Linux Course. Six panels: core /etc/shadow workflow, three cracking modes, file converters (*2john family), session/show management, format flags, and hash identification. Screenshot for your second monitor. The recommended cracking order: single crack first → wordlist → wordlist+rules → incremental (last resort).
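Detection from string structure, as described under AUTO FORMAT DETECTION, has a limit that matters for the FORMAT FLAGS panel: crypt(3) hashes carry a prefix ($1$, $6$), but a bare 32-hex string fits both Raw-MD5 and NT. The script below is an added example, not part of the original article or of John's own code; the function names and the sample lines are constructed, and it covers only the four formats listed on the card.

```shell
#!/bin/sh
# Added example: classify hashes by string structure alone and name the
# john --format value from the FORMAT FLAGS panel. Function names and all
# sample data below are constructed for illustration.

# classify_hash HASH -> prints a --format value or a reason none applies.
classify_hash() {
  case "$1" in
    ''|'*'*|'!'*)   echo "no-hash" ;;      # empty, locked or disabled field
    '$1$'*)         echo "md5crypt" ;;     # crypt(3) prefix $1$
    '$6$'*)         echo "sha512crypt" ;;  # crypt(3) prefix $6$
    *[!0-9a-fA-F]*) echo "unknown" ;;      # not bare hex, not listed here
    *)
      # Bare hex shows only its length. 32 hex digits fit both Raw-MD5
      # and NT, so --format must come from where the hash was found.
      if [ "${#1}" -eq 32 ]; then echo "Raw-MD5|NT"; else echo "unknown"; fi ;;
  esac
}

# audit_hashes FILE -> one "user<TAB>format" line per input line.
# Accepts unshadow-style lines (user:hash:...) and bare hashes.
audit_hashes() {
  while IFS= read -r ah_line || [ -n "$ah_line" ]; do
    case "$ah_line" in
      '') continue ;;
      *:*) ah_user=${ah_line%%:*}; ah_rest=${ah_line#*:}
           ah_hash=${ah_rest%%:*} ;;
      *)   ah_user="-"; ah_hash=$ah_line ;;
    esac
    printf '%s\t%s\n' "$ah_user" "$(classify_hash "$ah_hash")"
  done < "$1"
}

# Constructed sample input: the hash bodies are placeholders, not real hashes.
sample_file=$(mktemp)
trap 'rm -f "$sample_file"' EXIT
cat > "$sample_file" <<'EOF'
root:$6$CONSTRUCTED$placeholderSha512cryptBody:0:0:root:/root:/bin/bash
alice:$1$CONSTRUC$placeholderMd5cryptBody:1000:1000::/home/alice:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
0123456789abcdef0123456789abcdef
EOF

audit_hashes "$sample_file"
```

When the result is Raw-MD5|NT, the source of the hash decides which of the two --format values from the card applies.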
Five days in you can scan networks, find hidden directories, brute-force live services, and crack extracted hashes. The toolkit is growing. Day 6 continues the build.
Frequently Asked Questions – John the Ripper Tutorial
What is John the Ripper used for?
Offline password hash cracking — /etc/shadow hashes, Windows NTLM hashes, ZIP/RAR/PDF file passwords, SSH key passphrases, KeePass databases. Operates entirely offline: once you have the hashes, no network connection to the target is needed. Standard post-exploitation step in authorised penetration tests.