LabEx
Log InJoin Free

Kali Password Cracking with John

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will learn the fundamentals of password cracking using Kali Linux, focusing on the powerful tool John the Ripper. The main objective is to understand how to crack Linux password hashes, which are encrypted representations of passwords typically stored in the /etc/shadow file. This skill is essential in penetration testing to identify weak passwords and improve system security.

When you open the terminal, you will be automatically placed into a Kali Linux container shell. All commands in this lab should be executed within this environment. Through guided, step-by-step instructions, you will work with sample hash files, create and use custom wordlists, compare cracking tools like John the Ripper and Hashcat, and save your results for analysis. This lab is designed for beginners and provides a clear, practical learning experience in a controlled environment.

Setting Up the Environment and Installing Tools

In this first step, we will prepare the Kali Linux environment by installing the necessary tools for password cracking. As mentioned, your terminal session is already running inside a Kali Linux container.

We will use two primary tools: John the Ripper, a versatile and widely-used password cracker, and Hashcat, another powerful tool known for its speed and flexibility. Hashcat requires an OpenCL runtime, so we will also install a CPU OpenCL package in this container.

First, update the package list to ensure you have access to the latest software versions.

apt update

Next, install John the Ripper, Hashcat, and the CPU OpenCL runtime using the following command. The -y flag automatically confirms the installation.

apt install -y john hashcat pocl-opencl-icd

The installation process may take a few minutes. Once it completes, you can verify that John the Ripper is installed correctly by running it without any options.

john

You should see the help and version information, which confirms the tool is ready. The output will look similar to this:

John the Ripper 1.9.0-jumbo-1+bleeding-aec1328d6c 2021-11-02 10:45:52 +0100 OMP [linux-gnu 64-bit x86_64 AVX512BW AC]
Copyright (c) 1996-2021 by Solar Designer and others
Homepage: https://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
...

Next, verify the Hashcat installation by checking its version.

hashcat --version

The expected output will display the version number, such as:

v6.2.5

With both tools installed and verified, your environment is now prepared for the password cracking exercises in the following steps.

Creating a Sample Hash File

Now that the tools are installed, we need some data to work with. In this step, you will create a file containing real Linux password hashes that John the Ripper can actually process. These hashes are formatted to mimic those found in the /etc/shadow file, which securely stores user password information on Linux systems. This allows you to practice cracking in a safe, controlled manner.

All operations will be performed in the /root directory of the Kali container. We'll create the hash file directly with pre-generated real hashes for simple, common passwords that can be cracked quickly.

Create the sample hash file directly with the following command:

cd /root
echo -e "user1:\$6\$randomsalt\$WS2qjCQ1JrmZv8otdbtntIYu6lRzkk2aIVhgIMdMexOcvD9bEAoxtKcyZLXbR3wlhOOPBscJbLCPUU/fYjFhM0:18234:0:99999:7:::\nuser2:\$6\$anothersalt\$ZffCt8y5Hl8gLYS79/rhyT76C12kNhuOvkFR8Ll0RXcjQz2Nzuh3VUdT//e21HYfH6fP9btOp2aG22O3S7q1z/:18234:0:99999:7:::" > sample_hashes.txt

Alternatively, you can create the file manually by copying and pasting the content:

cd /root
cat > sample_hashes.txt << 'EOF'
user1:$6$randomsalt$WS2qjCQ1JrmZv8otdbtntIYu6lRzkk2aIVhgIMdMexOcvD9bEAoxtKcyZLXbR3wlhOOPBscJbLCPUU/fYjFhM0:18234:0:99999:7:::
user2:$6$anothersalt$ZffCt8y5Hl8gLYS79/rhyT76C12kNhuOvkFR8Ll0RXcjQz2Nzuh3VUdT//e21HYfH6fP9btOp2aG22O3S7q1z/:18234:0:99999:7:::
EOF

The $6$ prefix in each line indicates that the hash is a SHA-512 crypt hash, a common standard for modern Linux systems. The format follows the shadow file structure: username:hashed_password:last_change:min_age:max_age:warning:inactive:expire:reserved.

To confirm that the file was created correctly, display its contents using the cat command:

cat /root/sample_hashes.txt

The output should show the two user entries with real hash values:

user1:$6$randomsalt$WS2qjCQ1JrmZv8otdbtntIYu6lRzkk2aIVhgIMdMexOcvD9bEAoxtKcyZLXbR3wlhOOPBscJbLCPUU/fYjFhM0:18234:0:99999:7:::
user2:$6$anothersalt$ZffCt8y5Hl8gLYS79/rhyT76C12kNhuOvkFR8Ll0RXcjQz2Nzuh3VUdT//e21HYfH6fP9btOp2aG22O3S7q1z/:18234:0:99999:7:::

Important Notes:

  • These are real, properly formatted SHA-512 hashes that John the Ripper can process.
  • The passwords are password and 123456 - very simple and common passwords that are guaranteed to be in John's default wordlist.
  • This ensures quick cracking for demonstration purposes, typically within seconds.

With this sample data file ready, you now have a target for your password cracking practice. In the next step, you will use John the Ripper to attempt to crack these hashes.

Cracking Hashes with John the Ripper's Default Mode

With the sample hash file in place, it's time to begin cracking with John the Ripper. By default, John uses several modes, including a "single crack" mode that uses the username and other information to guess passwords, followed by a wordlist mode with its built-in password list. This is a great starting point for identifying weak, common passwords.

Run the following command to start the cracking process on your sample_hashes.txt file.

john /root/sample_hashes.txt

John will load the hashes and begin its cracking session. You will see output indicating its progress. Since we created real hashes with very simple, common passwords (password and 123456), John should be able to crack them quickly using its default wordlist mode.

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 512/512 AVX512BW 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
...

You can let John run for a while to attempt cracking, or stop the process with Ctrl-C if you want to check the results early. To view any passwords that have been cracked, use the --show option.

john --show /root/sample_hashes.txt

If the passwords are successfully cracked, the output should look like this:

user1:password:18234:0:99999:7:::
user2:123456:18234:0:99999:7:::

2 password hashes cracked, 0 left

Since we used very simple passwords (password and 123456) that are almost certainly in John's default wordlist, these hashes should be cracked very quickly - often within seconds. The success demonstrates that John the Ripper is working correctly with our real hash file and shows how quickly weak passwords can be compromised.

In the next step, we will explore how to provide John with custom wordlists and adjust various parameters to improve cracking efficiency.

Using a Custom Wordlist with John the Ripper

Relying on default settings is often not enough. A targeted attack using a custom wordlist can be far more effective. A wordlist is simply a text file containing one potential password per line. In this step, you will create a small, custom wordlist and use it with John the Ripper.

Create a file named custom_wordlist.txt in the /root directory with a few common passwords, including the ones we know are in our hash file.

echo -e "password\n123456\nadmin123\ntest1234\nqwerty\npassword123" > /root/custom_wordlist.txt

Verify the contents of your new wordlist.

cat /root/custom_wordlist.txt

The output should display the six passwords you just added:

password
123456
admin123
test1234
qwerty
password123

Now, run John the Ripper again, but this time, specify your custom wordlist using the --wordlist option.

john --wordlist=/root/custom_wordlist.txt /root/sample_hashes.txt

This command tells John to test every password in custom_wordlist.txt against the hashes in sample_hashes.txt. Since our wordlist contains the actual passwords (password and 123456) that correspond to the hashes in our file, John should crack them very quickly.

After the process finishes, check the results again.

john --show /root/sample_hashes.txt

Since our wordlist contains the correct passwords, the output should now show the cracked credentials:

user1:password:18234:0:99999:7:::
user2:123456:18234:0:99999:7:::

2 password hashes cracked, 0 left

This demonstrates the effectiveness of targeted wordlist attacks. By including the actual passwords in our custom wordlist, we were able to crack the hashes much faster than relying on John's default wordlist alone. This technique is fundamental to targeted password attacks. Next, we will see how to perform a similar attack with Hashcat.

Cracking Hashes with Hashcat for Comparison

While John the Ripper is an excellent tool, it's good practice to be familiar with alternatives like Hashcat. Hashcat is renowned for its speed, especially on systems with GPUs. Here, we will perform the same dictionary attack using Hashcat.

Hashcat prefers a clean file containing only the hash values. Use the awk command to extract the second field (the hash) from sample_hashes.txt and save it to a new file, clean_hashes.txt.

awk -F':' '{print $2}' /root/sample_hashes.txt > /root/clean_hashes.txt

Verify the contents of the new file.

cat /root/clean_hashes.txt

The output should contain only the hash strings:

$6$randomsalt$WS2qjCQ1JrmZv8otdbtntIYu6lRzkk2aIVhgIMdMexOcvD9bEAoxtKcyZLXbR3wlhOOPBscJbLCPUU/fYjFhM0
$6$anothersalt$ZffCt8y5Hl8gLYS79/rhyT76C12kNhuOvkFR8Ll0RXcjQz2Nzuh3VUdT//e21HYfH6fP9btOp2aG22O3S7q1z/

Now, run Hashcat. You need to specify the hash mode (-m 1800 for SHA-512 crypt) and the attack mode (-a 0 for a straight dictionary attack).

hashcat -m 1800 -a 0 /root/clean_hashes.txt /root/custom_wordlist.txt

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: /root/clean_hashes.txt
Time.Started.....: Mon Sep  1 06:33:21 2025 (0 secs)
Time.Estimated...: Mon Sep  1 06:33:21 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/root/custom_wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      226 H/s (5.08ms) @ Accel:8 Loops:1024 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests (total), 1/2 (50.00%) Digests (new), 2/2 (100.00%) Salts
Progress.........: 6/12 (50.00%)
Rejected.........: 0/6 (0.00%)
Restore.Point....: 0/6 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4096-5000
Candidate.Engine.: Device Generator
Candidates.#1....: password -> password123

Before running the attack, confirm that Hashcat can detect an OpenCL backend:

hashcat -I

If this command reports that no OpenCL platform is available, install the CPU OpenCL runtime and check again:

apt update
apt install -y pocl-opencl-icd
hashcat -I

After OpenCL is detected, run the cracking command again. If Hashcat prints a warning in this containerized environment, append --force.

hashcat -m 1800 -a 0 /root/clean_hashes.txt /root/custom_wordlist.txt --force

After the attack completes, view the cracked passwords by running the command with the --show flag.

hashcat -m 1800 -a 0 /root/clean_hashes.txt /root/custom_wordlist.txt --show

When the attack succeeds, Hashcat displays each hash followed by the cracked password, separated by a colon:

$6$randomsalt$WS2qjCQ1JrmZv8otdbtntIYu6lRzkk2aIVhgIMdMexOcvD9bEAoxtKcyZLXbR3wlhOOPBscJbLCPUU/fYjFhM0:password
$6$anothersalt$ZffCt8y5Hl8gLYS79/rhyT76C12kNhuOvkFR8Ll0RXcjQz2Nzuh3VUdT//e21HYfH6fP9btOp2aG22O3S7q1z/:123456

This step has introduced you to Hashcat as a powerful alternative for password cracking. In the final step, you will learn to properly document your findings.

Summary

In this lab, you have gained hands-on experience with fundamental password cracking techniques in a Kali Linux environment. You began by setting up your workspace, installing essential tools like John the Ripper and Hashcat. You then learned to prepare target data by creating a sample hash file that mimics Linux's /etc/shadow format.

You practiced using John the Ripper with both its default settings and a custom wordlist, and you explored Hashcat as a powerful alternative. Finally, you learned the critical step of saving your findings for documentation and reporting. These skills form a solid foundation for penetration testing and highlight the importance of implementing strong password policies to defend against such attacks.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux