🛡️ Methodology Checklist
- Auto-detect and crack: john [HASH_FILE]
- Specify wordlist: john --wordlist=[WORDLIST] [HASH_FILE]
- Specify format: john --format=[FORMAT] [HASH_FILE]
- List supported formats: john --list=formats | grep [HASHTYPE]
- Apply rules: john --rules=Jumbo --wordlist=[WORDLIST] [HASH_FILE]
- Show cracked: john --show [HASH_FILE]
- Continue interrupted session: john --restore
🎯 Operational Context
Use when: Hash format auto-detection needed, or cracking non-NTLM hashes (Unix shadow, SSH keys, archive passwords) on CPU.
Think Dumber First: john hash.txt --wordlist=rockyou.txt — john auto-detects the format for most common hash types, so no --format flag is needed in the default case. Use --show after cracking to display results.
Skip when: NTLM/MD5/SHA1 on a GPU machine — hashcat is 10-100x faster; john is best for specialized formats (SSH key, PDF, Office docs).
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| john --wordlist=/usr/share/wordlists/rockyou.txt [HASH_FILE] | Wordlist (dictionary) attack |
| john --single passwd | Single crack mode — uses username metadata |
| john --incremental [HASH_FILE] | Brute-force with Markov chain statistics |
| john --format=[FORMAT] [HASH_FILE] | Specify hash format manually |
| john [HASH_FILE] --show | Show already-cracked passwords |
| hashid -j [HASH] | Identify hash type + JtR format name |
| locate *2john* | Find all hash extraction tools |
| python3 ssh2john.py [KEY_FILE] > ssh.hash | Extract hash from encrypted SSH key |
| python3 office2john.py [FILE].docx > office.hash | Extract hash from Office document |
| python3 pdf2john.py [FILE].pdf > pdf.hash | Extract hash from PDF |
| zip2john [ARCHIVE].zip > zip.hash | Extract hash from ZIP archive |
| rar2john [ARCHIVE].rar > rar.hash | Extract hash from RAR archive |
| keepass2john [DB].kdbx > keepass.hash | Extract hash from KeePass database |
| bitlocker2john -i [IMAGE].vhd > bitlocker.hashes | Extract hash from BitLocker drive image |
| john --wordlist=rockyou.txt ssh.hash | Crack SSH key passphrase |
🔬 Deep Dive & Workflow
Three Cracking Modes
| Mode | Command | When to Use |
|---|---|---|
| Single | --single passwd | Linux shadow file — uses GECOS user data to generate guesses |
| Wordlist | --wordlist=rockyou.txt | Standard dictionary attack — fastest, highest success rate |
| Incremental | --incremental | Last resort brute-force — Markov chain prioritizes likely combos over pure random |
Wordlist Mode + Rules
Apply transformation rules to expand the wordlist with common user patterns:
```bash
john --wordlist=rockyou.txt --rules [HASH_FILE]
```
Rules are defined in /etc/john/john.conf under [List.Rules:Wordlist].
The 2john Workflow
JtR cannot crack binary files directly — only text-format hashes. Use the *2john tools to extract a hash representation:
```bash
# SSH key with passphrase
python3 ssh2john.py id_rsa > ssh.hash
john --wordlist=rockyou.txt ssh.hash
john ssh.hash --show
# Office doc (Word, Excel)
python3 office2john.py Protected.docx > office.hash
john --wordlist=rockyou.txt office.hash
# ZIP archive
zip2john archive.zip > zip.hash
john --wordlist=rockyou.txt zip.hash
```
Find all available converters: locate *2john*
Hash Format Reference
| Hash Type | JtR Format Flag |
|---|---|
| Linux shadow (SHA-512) | sha512crypt |
| Linux shadow (MD5) | md5crypt |
| Windows NTLM | nt |
| Windows LM | lm |
| MSSQL | mssql / mssql05 |
| Kerberos 5 TGS | krb5tgs |
| ZIP | zip |
| RAR | rar |
| SSH key | ssh |
| KeePass | keepass |
Identifying Hash Format
```bash
hashid -j 193069ceb0461e1d40d216e32c79c704
# [+] RIPEMD-128 [JtR Format: ripemd-128]
```
Use the format string directly: john --format=ripemd-128 hash.txt
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| john returns 'No password hashes loaded' | Format not detected | Specify format: john --list=formats \| grep -i [TYPE], then john --format=[FORMAT] hash.txt |
| john shows 'Loaded 0 password hashes' | Hash file empty or wrong encoding | Check file: cat hash.txt \| xxd \| head — look for encoding issues; a BOM character breaks loading |
| Cracking very slow | Single-core default | Use: john --fork=4 hash.txt for 4 cores; or john --node=1-4/4 for distributed |
| john cracks same hash repeatedly | Already cracked, not showing | Run john --show hash.txt to display all cracked; results stored in ~/.john/john.pot |
| SSH key cracking fails | Key format not recognized | Convert first: ssh2john id_rsa > id_rsa.hash, then crack the converted hash file |
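The two loading failures in the table above (BOM, wrong line endings) are cheap to catch before running john. The following is an added example, not part of the original cheatsheet or the JtR project: it normalizes a hash file and maps the crypt(3) prefixes from the format reference to their JtR --format names. The sample bytes are constructed to reproduce the BOM and CRLF failure modes.

```python
"""Pre-flight check for a hash file before handing it to john (added example)."""
from __future__ import annotations

# crypt(3) prefix -> JtR format name. $1$ and $6$ are the shadow formats
# listed on this page; $5$ and the bcrypt prefixes are the other common ones.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}

def normalize_hash_file(raw: bytes) -> tuple[list[str], list[str]]:
    """Return (clean_lines, warnings). utf-8-sig decoding drops a UTF-8 BOM,
    splitlines() absorbs CRLF, blank and '#' lines are skipped."""
    warnings: list[str] = []
    if raw.startswith(b"\xef\xbb\xbf"):
        warnings.append("UTF-8 BOM removed from first line")
    if b"\r\n" in raw:
        warnings.append("CRLF line endings converted to LF")
    text = raw.decode("utf-8-sig", errors="replace")
    clean = [ln.strip() for ln in text.splitlines()]
    clean = [ln for ln in clean if ln and not ln.startswith("#")]
    if not clean:
        warnings.append("no hash lines left after cleanup")
    return clean, warnings

def detect_format(line: str) -> str | None:
    """Guess the --format flag from a shadow-style 'user:$id$...' line or a bare hash."""
    fields = line.split(":")
    hash_field = fields[1] if len(fields) > 1 and fields[1].startswith("$") else fields[0]
    for prefix, fmt in CRYPT_PREFIXES.items():
        if hash_field.startswith(prefix):
            return fmt
    return None  # locked accounts ('!', '*') and unknown schemes

# Constructed sample: BOM + CRLF + blank line + one locked account (not real hashes).
SAMPLE = (b"\xef\xbb\xbf"
          b"alice:$6$saltsalt$hashhashhash:19000:0:99999:7:::\r\n"
          b"\r\n"
          b"bob:$1$abcdefgh$hashhashhash:19000:0:99999:7:::\r\n"
          b"locked:!:19000:0:99999:7:::\r\n")

if __name__ == "__main__":
    lines, warns = normalize_hash_file(SAMPLE)
    for w in warns:
        print("warning:", w)
    for ln in lines:
        print(detect_format(ln) or "skip", ln)
```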
📝 Reporting Trigger
- Finding Title: Password Hash Cracked via Dictionary Attack
- Impact: Dictionary attack recovers plaintext password from hash, enabling authenticated access to all services where the account is used, bypassing all authentication controls without generating authentication failure logs.
- Root Cause: Password based on common dictionary word or simple pattern susceptible to wordlist attack. No account-level breach monitoring.
- Recommendation: Enforce password policies that prohibit common words and patterns. Implement password breach checking (HaveIBeenPwned API) at password change time. Deploy MFA to make cracked passwords insufficient for authentication.
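The breach check recommended above works by k-anonymity: only the first 5 hex characters of the candidate's SHA-1 leave the host, the range endpoint returns every suffix in that bucket with its breach count, and the match is done locally. This is an added example, not part of the original cheatsheet; the fetcher is injectable so it runs offline against a constructed bucket, and the live fetcher uses the public https://api.pwnedpasswords.com/range/ endpoint with the Add-Padding header.

```python
"""Password-change-time breach check via the Pwned Passwords range API (added example)."""
from __future__ import annotations
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def fetch_range_live(prefix: str) -> str:
    """Network lookup. Add-Padding makes the response size independent of bucket size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwcheck-added-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")

def breach_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """Return the number of breach occurrences for `password` (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]          # 5 chars sent, 35 chars kept local
    for line in fetch(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)                         # padding rows carry count 0
    return 0

def password_change_allowed(password: str,
                            fetch: Callable[[str], str] = fetch_range_live) -> bool:
    """Policy hook: reject any password seen in the breach corpus."""
    return breach_count(password, fetch) == 0

# Constructed stand-in for the API response of bucket 5BAA6 (sha1("password")
# starts 5BAA61E4...). Counts and the other suffixes are made up; the real
# bucket has hundreds of rows.
SAMPLE_BUCKET = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",   # suffix of sha1("password")
        "FFAB2DE8D5C7B0F38A7A2B1C3D4E5F60718:0",        # padding row
    ])
}

def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_BUCKET.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
```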