Introduction
John the Ripper (JtR) is a powerful and widely used open-source password security auditing and password recovery tool. It can be used by system administrators to test the strength of passwords on their systems and by security professionals to recover lost passwords. Understanding its different operational modes is key to using it effectively.
In this lab, you will get hands-on experience with the basic cracking modes of John the Ripper. You will learn how to use its help options and explore its default behavior. Then, you will dive into its four primary modes: Single Crack, Wordlist, Incremental, and External mode, learning the purpose and basic usage of each.
Explore John the Ripper Help Options
In this step, you will start by exploring the built-in help documentation for John the Ripper. The help menu is an essential resource that provides a quick reference for the tool's syntax, command-line options, and available modes.
To view the main help page, simply run the john command with the --help flag. This will display a summary of the most common options and their descriptions.
Execute the following command in your terminal:
john --help
You will see a detailed output listing various options. Pay attention to the flags that specify different cracking modes, such as --single, --wordlist, and --incremental.
John the Ripper 1.9.0-jumbo-1 [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/
Usage: john [OPTIONS] [PASSWORD-FILES]
--single "single crack" mode
--wordlist=FILE --stdin wordlist mode, read words from FILE or stdin
--rules enable word mangling rules for wordlist mode
--incremental[=MODE] "incremental" mode [using section MODE]
--external=MODE external mode or word filter
--stdout[=LENGTH] just output candidate passwords [cut at LENGTH]
--restore[=NAME] restore an interrupted session [called NAME]
--session=NAME new session [called NAME]
--status[=NAME] print status of a session [called NAME]
--show[=LEFT] show cracked passwords [if =LEFT, then uncracked]
--test[=TIME] run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..] [don't] load this (these) user(s) only
--groups=[-]GID[,..] load users of this (these) group(s) only
... (output truncated) ...
This command gives you a solid overview of what John the Ripper can do. In the following steps, we will explore some of these modes in practice.
Identify John the Ripper Default Cracking Modes
In this step, you will learn how John the Ripper operates by default. When you run john on a password file without specifying a mode, it doesn't just pick one method. Instead, it intelligently cycles through its most effective modes in a default order: first "single" mode, then "wordlist" mode, and finally "incremental" mode. This provides a good balance between speed and thoroughness.
Our setup script has already created a file named mypasswd.txt in your current directory (~/project). This file contains a user entry with a simple, hashed password.
Let's run John the Ripper on this file without any mode flags to observe its default behavior.
john mypasswd.txt
John will start the cracking process. You will see status updates as it works. Since the password is simple, it should be cracked very quickly.
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Cost 1 (algorithm [1:descrypt]...[3:DES]) is 50400 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 DONE (2023-10-27 10:30) 100.0g/s 12000p/s 12000c/s 12000C/s rolez..pimpin
Use the "--show" option to display all of the cracked passwords reliably
Session completed
As you can see, John successfully cracked the password (password) for the user testuser. It also helpfully suggests using the --show option to view cracked passwords later.
To confirm the cracked password, you can use the --show option:
john --show mypasswd.txt
This will display all the passwords that have been successfully cracked for the given file.
testuser:password:1001:1001::/home/testuser:/bin/sh
1 password hash cracked, 0 left
This confirms that the default mode sequence was successful.
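For an audit report you usually want the list of affected accounts without copying the plaintexts around. The following is an added example, not part of the lab: it reads --show output in the passwd-style layout shown above and assumes the five fields after the plaintext are fixed, so a plaintext containing ":" is still handled. The function names and the sample data are constructed.

```shell
#!/bin/sh
# Added example: turn `john --show` output into a plaintext-free audit report.

# Constructed sample in the layout shown above
# (login:plaintext:uid:gid:gecos:home:shell). The second plaintext contains
# a ':' to exercise the right-anchored parsing.
sample_show_output() {
    cat <<'EOF'
testuser:password:1001:1001::/home/testuser:/bin/sh
svcbackup:a:b1:1002:1002:Backup Job:/var/backup:/bin/false

2 password hashes cracked, 0 left
EOF
}

# One line per cracked account: login, uid, shell and plaintext length.
# The plaintext itself is never printed.
cracked_accounts() {
    awk -F: 'NF >= 7 {
        pw = $2                      # plaintext may span several fields
        for (i = 3; i <= NF - 5; i++) pw = pw ":" $i
        printf "%s uid=%s shell=%s pwlen=%d\n", $1, $(NF - 4), $NF, length(pw)
    }'
}

# "CRACKED LEFT", taken from the trailing summary line.
crack_counts() {
    awk '/password hash(es)? cracked, [0-9]+ left/ { print $1, $(NF - 1) }'
}

sample_show_output | cracked_accounts
sample_show_output | crack_counts
```

In the lab environment, replace sample_show_output with john --show mypasswd.txt.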
Differentiate Between Single Crack and Wordlist Mode
In this step, you will learn about two of the most fundamental cracking modes: "single crack" and "wordlist".
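First, it's important to know that John the Ripper stores cracked passwords in a file called john.pot located in the ~/.john/ directory. John skips any hash that already has an entry there, so to re-run a cracking session on an already cracked password, we must first remove this file. Removing it discards every result recorded so far, which is fine in this lab. Let's do that now.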
rm ~/.john/john.pot
Single Crack Mode
Single crack mode is a fast and efficient mode that generates password candidates based on information about the user account itself, such as the username or GECOS field data. It applies common mutations (like adding numbers or symbols) to these candidates.
Let's run John in single crack mode explicitly using the --single flag.
john --single mypasswd.txt
The output will be similar to the default run, as this is the first mode John tries. It's very effective against passwords that are variations of the username.
Wordlist Mode
Wordlist mode is one of the most popular password cracking techniques. It uses a pre-compiled list of words (a dictionary or wordlist) and tries each one as a password. John comes with a default wordlist, typically located at /usr/share/john/password.lst.
Let's first remove the pot file again to reset the session.
rm ~/.john/john.pot
Now, run John in wordlist mode, explicitly pointing to its default wordlist using the --wordlist flag.
john --wordlist=/usr/share/john/password.lst mypasswd.txt
You will see John load the wordlist and attempt to crack the hash. Since "password" is a very common password, it's included in the default list and will be found almost instantly.
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Cost 1 (algorithm [1:descrypt]...[3:DES]) is 50400 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 DONE (2023-10-27 10:35) 100.0g/s 12000p/s 12000c/s 12000C/s passwo..pascal
Use the "--show" option to display all of the cracked passwords reliably
Session completed
This demonstrates how to direct John to use a specific dictionary file for its attack.
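The same two ideas can be used on the defensive side, at password-change time. The following is an added example, not part of the lab: it rejects a proposed password that is a variation of the login or GECOS words (what single crack mode tries) or that appears in a wordlist (what wordlist mode tries). All function names, the sample accounts and the small wordlist are constructed, and the reversed-word check is an assumed extra variant.

```shell
#!/bin/sh
# Added example, not part of the lab: reject passwords that single crack or
# wordlist mode would guess. Function names and sample data are constructed.

reverse() {                # reverse a string without relying on `rev`
    printf '%s\n' "$1" |
        awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# Exit 0 if PASSWORD is a LOGIN or GECOS word, ignoring case and any digits
# or symbols added at either end (reversal is an extra variant assumed here).
derived_from_account() {   # usage: derived_from_account LOGIN GECOS PASSWORD
    core=$(printf '%s\n' "$3" | tr 'A-Z' 'a-z' | sed 's/^[^a-z]*//; s/[^a-z]*$//')
    [ -n "$core" ] || return 1
    for tok in $(printf '%s %s\n' "$1" "$2" | tr 'A-Z' 'a-z' | tr -cs 'a-z' ' '); do
        [ "${#tok}" -ge 3 ] || continue      # skip initials and very short words
        rtok=$(reverse "$tok")
        case $core in "$tok" | "$rtok") return 0 ;; esac
    done
    return 1
}

# Exit 0 if PASSWORD is a line of WORDLIST. Matching ignores case, which is
# stricter than a plain wordlist run; "#!comment:" header lines are skipped.
in_wordlist() {            # usage: in_wordlist WORDLIST PASSWORD
    grep -v '^#!comment:' "$1" | grep -Fxiq -- "$2"
}

check_password() {         # usage: check_password LOGIN GECOS WORDLIST PASSWORD
    if derived_from_account "$1" "$2" "$4"; then
        echo "reject: derived from account data"
    elif in_wordlist "$3" "$4"; then
        echo "reject: found in wordlist"
    else
        echo "ok"
    fi
}

make_sample_wordlist() {   # constructed stand-in for password.lst
    f=$(mktemp) || return 1
    printf '%s\n' '#!comment: constructed sample' 123456 password letmein > "$f"
    echo "$f"
}

wl=$(make_sample_wordlist)
check_password testuser "" "$wl" 'password'        # the lab account
check_password jsmith "John Smith,Room 4" "$wl" 'htims2024'
check_password jsmith "John Smith" "$wl" 'vellum-orbit-kettle-93'
rm -f "$wl"
```

To check against the list the lab uses, pass /usr/share/john/password.lst as the WORDLIST argument.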
Understand Incremental Mode Basics
In this step, you will explore "incremental" mode. This mode is essentially a brute-force attack. It systematically tries all possible combinations of characters up to a certain length. While it is the most comprehensive mode, it can also be extremely time-consuming for passwords of even moderate complexity.
Incremental mode's behavior is defined in the john.conf file, which specifies character sets (e.g., Alnum for alphanumeric, All for all characters) and length constraints.
First, let's reset the cracking session by removing the john.pot file again.
rm ~/.john/john.pot
Now, let's run John in incremental mode. We will specify the Digits character set, which tells John to try all possible numeric combinations. We use the --incremental flag for this.
john --incremental=Digits mypasswd.txt
You will see John start trying combinations like "0", "1", "2", "00", "01", etc. Since our password is "password" (all letters), this attack will not succeed. You can press Ctrl+C to stop it after a few seconds.
Now, let's try a more appropriate character set. We'll use the default incremental mode, which typically starts with common character sets like lowercase letters.
Reset the session one more time:
rm ~/.john/john.pot
Run the command without specifying a character set:
john --incremental mypasswd.txt
This time, John will use its predefined sequence of character sets. Since "password" consists of lowercase letters, the Lower or Alpha character set will eventually find it.
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Cost 1 (algorithm [1:descrypt]...[3:DES]) is 50400 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 DONE (2023-10-27 10:40) 100.0g/s 12000p/s 12000c/s 12000C/s passwo..pascal
Session completed
Incremental mode is your last resort when other, faster modes have failed.
Learn About External Mode Functionality
In this step, you will be introduced to "external" mode. This is the most advanced and flexible of John's modes. It allows you to define custom password-generation logic using a C-like scripting language directly within the john.conf configuration file. This is powerful for creating highly targeted attacks that other modes can't handle.
While writing external scripts is an advanced topic, you can easily use the pre-defined external modes that come with John. Let's first list the available external modes defined in /etc/john/john.conf.
grep '^\[' /etc/john/john.conf | grep 'External:'
This command filters the configuration file to show you the names of the external mode sections.
[External:Compiler]
[External:Double]
[External:Hybrid]
[External:Keyboard]
[External:LanManager]
[External:Shift]
[External:Status]
[External:Wordlist]
You can see several built-in external functions. Let's try using the Wordlist external mode. This mode essentially mimics the standard wordlist mode but is implemented as an external script, making it a good example.
First, as always, reset the session.
rm ~/.john/john.pot
Now, run John using the --external flag, specifying the Wordlist mode.
john --external=Wordlist mypasswd.txt
The output will look very similar to when you ran the standard wordlist mode because the underlying logic is the same: it uses the default wordlist to find the password.
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Cost 1 (algorithm [1:descrypt]...[3:DES]) is 50400 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 DONE (2023-10-27 10:45) 100.0g/s 12000p/s 12000c/s 12000C/s passwo..pascal
Session completed
External mode unlocks near-limitless possibilities for generating password candidates, making it a tool for expert users who need to implement custom cracking logic.
Summary
In this lab, you have successfully explored the fundamental cracking modes of John the Ripper. You learned how to navigate its help options and observed its default behavior, which intelligently combines multiple modes for efficiency.
You gained hands-on experience with:
- Single Crack Mode: A fast mode that uses user-specific information to guess passwords.
- Wordlist Mode: A common technique that uses a dictionary of words.
- Incremental Mode: A comprehensive brute-force mode that tries all character combinations.
- External Mode: An advanced, scriptable mode for creating custom password-generation rules.
Understanding these core modes is the first step toward mastering John the Ripper for password security auditing and recovery tasks. You are now equipped with the foundational knowledge to choose the right mode for different scenarios.


