John the Ripper — Ultimate Guide

6 min read · Aug 20

Identifying Hashes

Online Hash Crackers

Format-Specific Cracking

  • Once you have identified the hash type you’re dealing with, you can tell John to use that format when cracking the provided hash, using the following syntax:
john --format=[format] --wordlist=[path to wordlist] [path to file]
  • --format= is the flag that tells John you’re giving it a hash of a specific format, and that it should use that format to crack it.

Example Usage:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

A Note on Formats:

  • When you tell John which format to use and you’re dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it with raw- to tell John you’re just dealing with a standard hash type, though this doesn’t always apply.
  • To check whether you need to add the prefix, you can list all of John’s formats using the syntax below and either check manually or grep for your hash type using something like:
john --list=formats
john --list=formats | grep -iF "md5"
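
The check described above can be scripted. The following is an added example, not part of the original guide: it assumes the listing is comma-separated and wrapped across lines, and the function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): find the exact name to pass to
# --format= from a `john --list=formats` listing.
# Assumption: the listing is comma-separated and wrapped across lines, so a
# plain grep returns whole lines; splitting first yields one name per line.

# Constructed, abridged sample of the listing (not a real capture).
SAMPLE_FORMATS='descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
HMAC-MD5, HMAC-SHA1, NT, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1, Raw-SHA256,
Raw-SHA512, sha256crypt, sha512crypt'

# split_formats: read a listing on stdin, print one trimmed name per line.
split_formats() {
    tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# matching_formats TYPE: every name containing TYPE (case-insensitive).
matching_formats() {
    split_formats | grep -iF -- "$1"
}

# format_for TYPE: print the name for a plain hash of TYPE. Tries an exact
# "raw-TYPE" entry first, then an exact "TYPE" entry; returns 1 if neither
# is listed, so the caller never guesses a format.
format_for() {
    _list="$(split_formats)"
    for _cand in "raw-$1" "$1"; do
        if _name="$(printf '%s\n' "$_list" | grep -ixF -- "$_cand")"; then
            printf '%s\n' "$_name"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed sample. With John installed, pipe the real listing:
#   john --list=formats | format_for md5
printf '%s\n' "$SAMPLE_FORMATS" | matching_formats md5
printf 'md5 -> %s\n' "$(printf '%s\n' "$SAMPLE_FORMATS" | format_for md5)"
printf 'nt  -> %s\n' "$(printf '%s\n' "$SAMPLE_FORMATS" | format_for nt)"
```

On the sample, md5 resolves to the raw- prefixed entry while nt resolves to a name with no prefix, which is the "doesn’t always apply" case from the note above.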

Cracking Windows Hashes

NTHash and NTLM

  • NTHash is the hash format in which modern Windows operating systems store user and service passwords.
  • It’s also commonly referred to as “NTLM”, which references the previous Windows format for hashing passwords, known as “LM”, thus “NT/LM”.
  • You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine, by using a tool like Mimikatz, or from the Active Directory database: NTDS.dit.
  • You may not have to crack the hash to continue privilege escalation, as you can often conduct a…
