John the Ripper: Cracking Files, Keys, and Hashes Hashcat Can't Touch
- Tony Kelly
- May 25
- 6 min read

Series: The Community's Red Team
Post: 10 of 17
Tags: john the ripper, hash cracking, ssh keys, zip, pdf, office, password attacks, tools
Read time: ~10 min
Prerequisites: Post 09 — Hashcat
Post 09 covered Hashcat — GPU-accelerated cracking for raw hashes. Hashcat is faster at cracking hashes once you have them. John the Ripper's edge is in everything that comes before that: converting password-protected files into a format that can be cracked.
Find a password-protected zip file while pillaging a server? John. Discover an SSH private key with a passphrase? John. Grab an Office document locked with a password? John. Encounter a Linux shadow file? John handles that too.
The *2john collection of converter tools is what makes John essential — it extracts the crackable hash from inside a protected file and puts it in a format John (and sometimes Hashcat) can work with.
John vs Hashcat: The Real Division
These tools complement each other. They're not competing.
Use Hashcat when: You have raw hashes — NTLM from a SAM dump, NetNTLMv2 from Responder, Kerberoast tickets, Linux shadow hashes. Hashcat uses GPU acceleration and is dramatically faster at raw hash cracking.
Use John when: You have protected files that need conversion first — zip archives, SSH keys, PDFs, Office documents, KeePass databases. You also use John when you want automatic hash format detection or when cracking simpler hashes on a CPU-only machine.
The workflow for files is always the same: converter → crackable hash → crack.
Core Syntax
# Basic dictionary attack
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# With rules (mutation transforms on every word)
john hash.txt --wordlist=rockyou.txt --rules
# Brute force mode (incremental)
john hash.txt --incremental
# Show cracked results (read back from the potfile; the flag can go before or after the file name)
john hash.txt --show
Key flags:
| Flag | What it does |
| --- | --- |
| --wordlist= | Dictionary file path |
| --format= | Force a specific hash format |
| --rules | Apply the default mangling rules |
| --rules=Jumbo | Apply the full Jumbo rule set |
| --show | Display cracked passwords from the potfile |
| --list=formats | List every supported format |
| --incremental | Brute-force mode |
| --session=name | Name this session for resuming |
| --restore=name | Resume a named session |
The *2john Converters
These are standalone programs that extract the crackable hash from a protected file. Run the converter, redirect output to a file, then crack that file with John.
SSH Private Key with Passphrase
Found an id_rsa file with a passphrase protecting it? This is extremely common during pillaging — SSH keys are everywhere and they're frequently protected by a weak passphrase.
ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist=rockyou.txt
When you crack it, you get the passphrase used to protect the key. Then:
chmod 600 id_rsa
ssh -i id_rsa user@<target> # enter passphrase when prompted
Or use ssh-keygen to remove the passphrase entirely once you know it:
ssh-keygen -p -f id_rsa # prompts for the current passphrase, then for a new one; press Enter twice to leave it blank
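The reason ssh2john plus rockyou works so often is visible in the key file itself: a legacy PEM key stretches its passphrase with a single MD5 pass, a new-format OpenSSH key records its cipher, KDF and bcrypt round count in the header, and an unencrypted key has no protection at all. The audit script below is an added example (not part of this post and not a John the Ripper tool) that reads only those headers, never the key material, and rates each key; the 16-round threshold is an assumption taken from ssh-keygen's default work factor, and the sample keys are constructed on the fly with placeholder contents.

```python
import base64
import re
import struct

# Policy threshold (an assumption for this audit): ssh-keygen's default bcrypt
# work factor is 16 rounds, so anything below that is flagged.
MIN_BCRYPT_ROUNDS = 16

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset `off`."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _rate(info):
    if not info["encrypted"]:
        return "UNPROTECTED"   # anyone who can read the file can use the key
    if info["format"] == "legacy-pem":
        return "WEAK"          # one MD5 iteration: each guess costs almost nothing
    if info["rounds"] is None or info["rounds"] < MIN_BCRYPT_ROUNDS:
        return "WEAK"
    return "OK"


def audit_ssh_key(key_text):
    """Describe how a private key file is protected, without touching the key material."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":            # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        info = {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "encrypted": cipher != b"none"}
    elif re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", header):
        # Legacy PEM: encryption is signalled by RFC 1421 headers and the passphrase
        # is stretched by a single MD5 pass (OpenSSL EVP_BytesToKey).
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), "")
        info = {"format": "legacy-pem", "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "md5-1-round" if encrypted else "none",
                "rounds": 1 if encrypted else None, "encrypted": encrypted}
    else:
        raise ValueError(f"unrecognised key header: {header}")
    info["rating"] = _rate(info)
    return info


# --- constructed samples: no real key material, only the headers an auditor reads ---

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _openssh_header(cipher, kdf, rounds):
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    return OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)


def _pem(label, body_lines):
    return "\n".join([f"-----BEGIN {label}-----", *body_lines, f"-----END {label}-----"]) + "\n"


SAMPLE_KEYS = {
    "openssh_ok": _pem("OPENSSH PRIVATE KEY",
                       [base64.b64encode(_openssh_header(b"aes256-ctr", b"bcrypt", 16)).decode()]),
    "openssh_low_rounds": _pem("OPENSSH PRIVATE KEY",
                               [base64.b64encode(_openssh_header(b"aes256-ctr", b"bcrypt", 4)).decode()]),
    "openssh_plain": _pem("OPENSSH PRIVATE KEY",
                          [base64.b64encode(_openssh_header(b"none", b"none", 0)).decode()]),
    "legacy_encrypted": _pem("RSA PRIVATE KEY", ["Proc-Type: 4,ENCRYPTED",
                             "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF", "", "AAAA"]),
    "legacy_plain": _pem("RSA PRIVATE KEY", ["AAAA"]),
}

if __name__ == "__main__":
    import sys
    items = [(p, open(p).read()) for p in sys.argv[1:]] or list(SAMPLE_KEYS.items())
    for name, text in items:
        r = audit_ssh_key(text)
        print(f"{name:20} {r['rating']:12} {r['format']:11} cipher={r['cipher']} kdf={r['kdf']} rounds={r['rounds']}")
```

Run it with no arguments to see the five constructed cases, or pass key paths from a host you are authorised to review. Anything rated WEAK or UNPROTECTED is what the cracking section above succeeds against; the fix is `ssh-keygen -p -a 16` (or higher) with a long passphrase, which rewrites the key in the new format with a real work factor.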
ZIP Files
zip2john protected.zip > zip.hash
john zip.hash --wordlist=rockyou.txt
Once cracked:
unzip protected.zip # enter password when prompted
RAR Files
rar2john protected.rar > rar.hash
john rar.hash --wordlist=rockyou.txt
Password-Protected Office Documents
Word, Excel, PowerPoint files locked with a password:
office2john document.docx > office.hash
john office.hash --wordlist=rockyou.txt
Works on .docx, .xlsx, .pptx, and older .doc/.xls formats. Office document password protection is surprisingly common in corporate environments — IT teams frequently lock sensitive documents and rely on weak passwords.
PDF Files
pdf2john locked.pdf > pdf.hash
john pdf.hash --wordlist=rockyou.txt
KeePass Database
keepass2john Database.kdbx > keepass.hash
john keepass.hash --wordlist=rockyou.txt
Finding a KeePass database during an engagement is a high-value target — it potentially contains every password the user stores. Crack the master password and you have everything inside.
Linux Shadow File
When you have both /etc/passwd and /etc/shadow from a Linux system:
# Combine them first
unshadow /etc/passwd /etc/shadow > unshadowed.txt
# Crack
john unshadowed.txt --wordlist=rockyou.txt
unshadow merges the two files so John can match each username to its hash and feed the username and GECOS fields to single-crack mode.
Format Detection and Forcing
John tries to detect hash formats automatically. When it guesses wrong:
# List every format John knows
john --list=formats | grep -i ntlm
john --list=formats | grep -i sha512
# Force a specific format
john hash.txt --format=NT --wordlist=rockyou.txt # NTLM
john hash.txt --format=sha512crypt --wordlist=rockyou.txt # Linux shadow
john hash.txt --format=md5crypt --wordlist=rockyou.txt # Older Linux shadow
john hash.txt --format=bcrypt --wordlist=rockyou.txt # bcrypt
When John auto-detects the wrong format it doesn't error out; it just reports nothing cracked. The "Loaded N password hashes ..." line names the format it picked, so check that first. If rockyou should have cracked something obvious and didn't, force the format.
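The `--format=` names above (md5crypt, sha512crypt, bcrypt, descrypt) are also what a defender reads straight out of a shadow file: the `$id$` prefix says which algorithm protects each account and, for sha-crypt and bcrypt, the work factor is embedded in the string too. The script below is an added example (not from this post or from John) covering both the shadow section and the format section: it classifies every shadow line, pulls out the cost parameter, and flags empty passwords, legacy md5crypt/descrypt hashes and low work factors. The thresholds (5000 sha-crypt rounds, bcrypt cost 10) are assumed policy values, and the sample shadow file uses placeholder hash bodies, not hashes of any real password.

```python
import re

# Names mirror John's --format= values where John has a native one.
PREFIX_FORMATS = [
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$7$", "scrypt"),
    ("$gy$", "gost-yescrypt"),
    ("$y$", "yescrypt"),
]
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def classify_hash(field):
    """Map one shadow password field to a hash format name (or a non-hash state)."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in PREFIX_FORMATS:
        if field.startswith(prefix):
            return name
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "descrypt"       # traditional DES crypt: 2 salt chars + 11 hash chars
    return "unknown"


def work_factor(field, fmt):
    """Return the tunable cost parameter carried inside the hash string, if any."""
    if fmt in ("sha256crypt", "sha512crypt"):
        m = re.match(r"\$[56]\$rounds=(\d+)\$", field)
        return int(m.group(1)) if m else 5000   # glibc default when rounds= is omitted
    if fmt == "bcrypt":
        return int(field.split("$")[2])           # log2 cost, e.g. $2b$12$
    return None


def audit_shadow(shadow_text, min_sha_rounds=5000, min_bcrypt_cost=10):
    """Return one finding per account: format, cost, severity and reason."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        fmt = classify_hash(field)
        cost = work_factor(field, fmt)
        if fmt == "empty":
            sev, why = "critical", "no password set"
        elif fmt == "locked":
            sev, why = "info", "password login disabled"
        elif fmt in ("descrypt", "md5crypt"):
            sev, why = "high", f"legacy {fmt}: cheap to guess, rehash at next login"
        elif fmt == "unknown":
            sev, why = "medium", "unrecognised hash string"
        elif fmt in ("sha256crypt", "sha512crypt") and cost < min_sha_rounds:
            sev, why = "medium", f"only {cost} rounds (minimum {min_sha_rounds})"
        elif fmt == "bcrypt" and cost < min_bcrypt_cost:
            sev, why = "medium", f"bcrypt cost {cost} below {min_bcrypt_cost}"
        else:
            sev, why = "ok", "modern hash with acceptable work factor"
        findings.append({"user": user, "format": fmt, "cost": cost, "severity": sev, "reason": why})
    return findings


def weak_accounts(findings):
    """Usernames worth acting on, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    hits = [f for f in findings if f["severity"] in order]
    return [f["user"] for f in sorted(hits, key=lambda f: (order[f["severity"]], f["user"]))]


# Constructed sample shadow file: placeholder hash bodies, not real hashes.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=5000$saltsalt$" + "A" * 86 + ":19500:0:99999:7:::",
    "alice:$6$saltsalt$" + "B" * 86 + ":19500:0:99999:7:::",
    "bob:$1$saltsalt$" + "C" * 22 + ":19500:0:99999:7:::",
    "carol:$2b$12$" + "D" * 53 + ":19500:0:99999:7:::",
    "dave:$y$j9T$" + "E" * 22 + "$" + "F" * 43 + ":19500:0:99999:7:::",
    "erin:$5$rounds=1000$saltsalt$" + "G" * 43 + ":19500:0:99999:7:::",
    "frank:$2b$05$" + "H" * 53 + ":19500:0:99999:7:::",
    "eve::19500:0:99999:7:::",
    "svc:!:19500:0:99999:7:::",
    "old:abCCCCCCCCCCC:19500:0:99999:7:::",
])

if __name__ == "__main__":
    findings = audit_shadow(SAMPLE_SHADOW)
    for f in findings:
        print(f"{f['severity']:8} {f['user']:6} {f['format']:13} cost={f['cost']}  {f['reason']}")
    print("act on:", ", ".join(weak_accounts(findings)))
```

Reading a live /etc/shadow needs root, so run this on a copy taken from a host you administer. The accounts it lists are exactly the ones where the unshadow/john workflow above finishes fastest: empty fields need no cracking at all, and descrypt/md5crypt run orders of magnitude quicker than sha512crypt at a sane round count.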
Rules: Transforming Wordlists
Rules tell John to mutate each word in your wordlist before hashing it. The default rules cover common transformations. Jumbo rules are more comprehensive:
# Default rules
john hash.txt --wordlist=rockyou.txt --rules
# Jumbo rule set (more transforms)
john hash.txt --wordlist=rockyou.txt --rules=Jumbo
What rules actually do to your wordlist words:
password → Password, PASSWORD, p@ssword, password1, password!
summer → Summer2024, Summer!, summ3r, SUMMER
admin → Admin123, @dmin, admin!, 4dmin
This is how you catch passwords that users "made complex" by doing obvious substitutions.
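The defensive counterpart of a rule set is a password check that undoes the same mangling before comparing against a banned-word list: lower-case the candidate, strip the appended digits and symbols, reverse the leet substitutions, and see whether a dictionary word falls out. The code below is an added example, not part of this post or of John; the substitution table and the 12-character minimum are assumptions chosen to cover the transformations shown above, and where a character has more than one plausible original (1 as i or l) every alternative is tried.

```python
import itertools
import re

# Reverse of the substitutions mangling rules apply. A character with more than
# one plausible original expands to every alternative (assumed table for this demo).
UNLEET = {"@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "0": "o",
          "$": "s", "5": "s", "7": "t", "|": "l", "+": "t"}


def base_forms(candidate, limit=64):
    """Return the set of plain words `candidate` could have been mangled from."""
    lowered = candidate.lower()
    # Drop appended digits/symbols ("summer2024", "admin!"), then also try the
    # version with leading symbols dropped ("!admin") in case they are not leet.
    cores = {re.sub(r"[^a-z]+$", "", lowered)}
    cores.add(re.sub(r"^[^a-z]+", "", next(iter(cores))))
    forms = set(cores)
    for core in cores:
        choices = [UNLEET.get(ch, ch) for ch in core]
        # itertools.product walks every combination of alternatives; `limit`
        # caps the expansion for inputs with many ambiguous characters.
        for combo in itertools.islice(itertools.product(*choices), limit):
            forms.add("".join(combo))
    return forms


def check_password(candidate, banned_words, min_len=12):
    """Policy check: (accepted, reason). Rejects short passwords and mangled banned words."""
    if len(candidate) < min_len:
        return (False, f"shorter than {min_len} characters")
    banned = {w.lower() for w in banned_words}
    hit = sorted(base_forms(candidate) & banned)
    if hit:
        return (False, f"mangled form of banned word '{hit[0]}'")
    return (True, "ok")


if __name__ == "__main__":
    # The transformations listed in the post, run backwards (constructed inputs).
    for word, variants in {
        "password": ["Password", "PASSWORD", "p@ssword", "password1", "password!"],
        "summer": ["Summer2024", "Summer!", "summ3r", "SUMMER"],
        "admin": ["Admin123", "@dmin", "admin!", "4dmin"],
    }.items():
        for v in variants:
            print(f"{v:12} -> {word in base_forms(v)}")
    for pw in ["P@ssword2024!", "Summer2024", "correct-horse-battery"]:
        print(pw, check_password(pw, ["password", "summer", "admin"]))
```

Feed it the banned list from a breach corpus or the organisation's own name and product words; every "complex" variant a rule would generate normalises back to the banned base word and gets rejected at set-password time, before it ever lands in a hash file.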
Checking the Potfile
John stores cracked passwords in ~/.john/john.pot. Always check it before starting a new crack run — the password might already be there from a previous session:
john hash.txt --show
The potfile persists across sessions. If you cracked a hash last week on the same machine, --show will display it instantly without re-running anything.
Resuming Crack Sessions
Long crack jobs can be interrupted and resumed:
# Name the session when you start
john hash.txt --wordlist=rockyou.txt --session=mysession
# Resume it later
john --restore=mysession
Useful for large wordlists or when a crack is running overnight and you need to restart.
Single Crack Mode
John has a "single" mode that uses the username and gecos (name) information from the hash file to generate candidate passwords:
john hash.txt --single
This catches the obvious: a user named john whose password is john123 or John! or jhon. It's fast and worth running before the full wordlist attack.
A Complete File-Attack Workflow
This is what you actually do when you find a protected file during an engagement:
# 1. Identify what you have
file protected_file # zip, rar, pdf, docx, kdbx, id_rsa...
# 2. Convert to crackable hash
zip2john protected.zip > hash.txt
# (or ssh2john, pdf2john, office2john, keepass2john)
# 3. Quick single mode first
john hash.txt --single
# 4. Dictionary attack
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# 5. With rules if that misses
john hash.txt --wordlist=rockyou.txt --rules
# 6. Check what's cracked
john hash.txt --show
# 7. Use the cracked password to access the file
unzip protected.zip # or: ssh -i id_rsa user@target
Common Problems and Fixes
John says "No password hashes loaded": The converter produced an empty file, or the hash format is wrong. Check that the file you're converting actually has a password set (try opening it manually). Also verify the converter command was correct.
John says "Loaded X password hashes" but cracks nothing: Format might be wrong — try --format= explicitly. Or the password genuinely isn't in rockyou.txt — try rules, a larger wordlist, or mask attacks.
Office document hash won't crack: Older Office formats (pre-2007 .doc/.xls) use weaker encryption and crack faster. Modern Office 2016+ with AES-256 encryption is much harder. Expect longer crack times, or no result at all, on strong passwords.
SSH key converter not found: On some systems the converter is ssh2john.py rather than ssh2john. Check with which ssh2john or find / -name "ssh2john*" 2>/dev/null.
Quick Reference
# SSH private key
ssh2john id_rsa > ssh.hash && john ssh.hash --wordlist=rockyou.txt
# ZIP file
zip2john file.zip > zip.hash && john zip.hash --wordlist=rockyou.txt
# RAR file
rar2john file.rar > rar.hash && john rar.hash --wordlist=rockyou.txt
# Office document
office2john document.docx > office.hash && john office.hash --wordlist=rockyou.txt
# PDF
pdf2john file.pdf > pdf.hash && john pdf.hash --wordlist=rockyou.txt
# KeePass database
keepass2john db.kdbx > keepass.hash && john keepass.hash --wordlist=rockyou.txt
# Linux shadow file
unshadow /etc/passwd /etc/shadow > unshadowed.txt && john unshadowed.txt --wordlist=rockyou.txt
# With rules
john hash.txt --wordlist=rockyou.txt --rules
john hash.txt --wordlist=rockyou.txt --rules=Jumbo
# Force format
john hash.txt --format=NT --wordlist=rockyou.txt
# Show cracked passwords
john hash.txt --show
# Single mode (username-based guesses)
john hash.txt --single
# List supported formats
john --list=formats | grep -i <type>
# Named session + resume
john hash.txt --wordlist=rockyou.txt --session=crack1
john --restore=crack1
What's Next
With hash cracking covered across both Hashcat and John, you now have a complete offline credential recovery toolkit. Post 11 (Netcat) shifts gears entirely — away from credentials and into shells. Netcat is the utility that receives reverse shells, sends files across networks, does port scanning, and acts as a raw TCP connection tool for every situation where a proper client doesn't exist. If you're doing any hands-on exploitation, you'll use Netcat in every single session.
MeshForge — Training the Community's Red Team
They count on your ignorance. The exploit only works on the uninformed.