John the Ripper ("John") is an open-source password-cracking tool that recovers passwords from hashes, known for its flexibility and its huge set of format helpers (the **\*2john** tools) that extract crackable hashes from files, ZIP archives, KeePass databases, SSH keys, PDFs, and more. It auto-detects many hash types and cracks with wordlists, rules, and incremental modes. Where [Hashcat](/learn/credential-access/what-is-hashcat) leans on raw GPU speed, John shines at **breadth of formats** and CPU flexibility.
What John the Ripper is
John the Ripper is a long-standing password cracker. Like Hashcat it hashes candidate passwords and looks for matches, but its signature strength is breadth: it can auto-detect formats and, through its **\*2john** companion tools, turn all kinds of protected files into crackable hashes.
That means John cracks not just OS password hashes but the secrets inside archives, key files, and documents, which is why it is a staple after any credential or file haul.
How it is used and payload
John cracks both OS hashes and file secrets:
- Linux /etc/shadow: `unshadow passwd shadow > h.txt && john --wordlist=rockyou.txt h.txt`
- NT hashes: `john --format=nt nt.txt`
- Files via `*2john`: `ssh2john id_rsa > k.txt`, `zip2john file.zip > z.txt`, `keepass2john db.kdbx > kp.txt`, then `john k.txt`.
- Show cracked results: `john --show h.txt`.
A weak passphrase on a key or archive falls just like a weak login. Documented for defensive context.
How to defend
- Use strong passphrases on SSH keys, archives, and password databases, the exact targets of `*2john`.
- Enforce long account passwords so OS hashes resist cracking.
- Protect the source material (hashes, key files, encrypted archives) so there is nothing to feed John.
- Prefer hardware-backed keys (security keys, TPM) over passphrase-only secrets where possible.
- Detect the theft of key files and credential stores that precedes offline cracking.
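
To act on the first defensive point, the following added example (not part of the original page, and not John the Ripper code) audits how a private key file is protected at rest by reading the OpenSSH key container header and the PEM markers. The result labels, the helper names, and the `min_rounds=16` policy threshold (chosen to match the `ssh-keygen` default) are assumptions of this example.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # magic prefix of the OpenSSH private key container

def _string(data):
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    """Decode one SSH wire-format string, returning (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(pem_text, min_rounds=16):
    """Classify at-rest protection of a key file. min_rounds is an assumed policy."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "not-a-private-key"
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            if not blob.startswith(MAGIC):
                return "malformed"
            cipher, off = _read_string(blob, len(MAGIC))
            kdf, off = _read_string(blob, off)
            kdfopts, off = _read_string(blob, off)
            if cipher == b"none" or kdf == b"none":
                return "unencrypted"
            if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
                _salt, pos = _read_string(kdfopts, 0)
                (rounds,) = struct.unpack_from(">I", kdfopts, pos)
                if rounds < min_rounds:
                    return "encrypted-low-rounds"
            return "encrypted"
        except (ValueError, struct.error):
            return "malformed"
    if "ENCRYPTED PRIVATE KEY" in header:  # PKCS#8 with password-based encryption
        return "encrypted"
    if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines):
        return "encrypted-legacy-pem"  # traditional PEM: MD5-based key derivation
    return "unencrypted" if "PRIVATE KEY" in header else "not-a-private-key"

def sample_openssh_header(cipher, kdf, rounds=0):
    """Constructed sample: container header only, carries no real key material."""
    opts = _string(b"\0" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    body = base64.b64encode(MAGIC + _string(cipher) + _string(kdf) + _string(opts)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Keys reported as `unencrypted`, `encrypted-legacy-pem`, or `encrypted-low-rounds` are the ones to re-protect first, for example with `ssh-keygen -p -a <rounds> -f <keyfile>`.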