Password Cracking with John the Ripper

houseJay May 14, 2023

Before completing this lab, ensure you are working in a legal and safe environment. If you haven't already, you can set up your own hacking lab by completing our first tutorial:

Setting Up Your Free Virtual Hacking Environment

Now we are going to learn one of the most famous password auditing tools in Kali Linux:

John the Ripper

John the Ripper, usually just called John, is a password cracking and password auditing tool.

Security professionals use it to test whether passwords are weak, reused, predictable, or easy to guess.

This is important because passwords are still one of the weakest parts of most systems.

A lot of hacking does not start with advanced malware or zero-day exploits.

It starts with weak passwords.

What John the Ripper Actually Does

John does not magically “recover” passwords.

It takes a password hash and tries to guess the original password.

Here is the simple version:

  1. A password gets turned into a hash.
  2. John guesses a password.
  3. John hashes that guess.
  4. John compares the guessed hash to the real hash.
  5. If they match, John found the password.

That is why weak passwords are dangerous.

If the password is something like:

password123

or:

letmein

or:

summer2024

John may find it very quickly.

If the password is long, random, and unique, cracking it becomes much harder.

Step 1 – Start Kali Linux

Open VMware.

Start your Kali Linux virtual machine.

Log in with the username and password you created during your Kali setup.

Open the terminal.

You can usually open it by pressing:

CTRL + ALT + T

or by clicking the terminal icon.

Step 2 – Check If John Is Installed

Kali usually includes John the Ripper by default.

Check by running:

john

If John is installed, you should see help information and usage options.

You can also check the version with:

john --list=build-info

If John is not installed for some reason, install it with:

sudo apt update
sudo apt install john

Step 3 – Create a Working Folder

Let’s keep this lab organized.

Run:

cd ~
mkdir john-lab
cd john-lab

Now check that you are inside the folder:

pwd

You should see something like:

/home/secret-lab/john-lab

This is where we will create our test files.

Step 4 – Create a Simple Test Hash

For this beginner lab, we are going to create our own sample password hash.

This keeps the lab clean and easy to understand.

Run:

openssl passwd -1 password123

This creates an MD5-based (md5crypt) password hash for:

password123

Your output will look something like this:

$1$abcd1234$6QJ7vQzAqN5FvZqzPZPZx/

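Your exact output will almost certainly be different, because openssl generates a new random salt (the text between the second and third $ signs) each time you run it.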

That is normal.

The important part is that you now have a hash.

Step 5 – Save the Hash to a File

Copy the hash output from the terminal.

Now create a file called:

hash.txt

Use nano:

nano hash.txt

Paste the hash into the file.

Then save it:

CTRL + O

Press Enter.

Then exit:

CTRL + X

Now confirm the file exists:

ls

View the file:

cat hash.txt

You should see your hash printed on the screen.

Step 6 – Run John Against the Hash

Now we can run John:

john hash.txt

John will try to identify the hash type and begin cracking.

Because our test password is weak, John may find it quickly.

When John finishes, you may see something like:

password123

If it does not show immediately, do not panic.

John may still be running or may have already saved the cracked password.

Step 7 – Show Cracked Passwords

To show cracked passwords, run:

john --show hash.txt

You should see output showing the cracked password.

Example:

?:password123

That means John successfully matched the hash to the original password.

Step 8 – Understand What Just Happened

This is the important part.

John did not reverse the hash.

Hashes are designed to be one-way.

Instead, John guessed possible passwords, hashed those guesses, and checked whether the results matched.

That is password cracking in simple terms.

This is why password strength matters.

Weak password:

password123

Strong password style:

river-coffee-window-91-purple-moon

Even better:

a long random password stored in a password manager
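
The guess, hash, compare loop described in this step, written out as a small shell function so you can see why the salt matters. This is an added example, not part of the original tutorial; it handles only md5crypt ($1$) hashes like the ones from Step 4, and the function name audit_hash, the candidate list and the temporary folder are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the guess -> hash -> compare
# loop from Step 8, for md5crypt ($1$) hashes only. Needs the openssl CLI.

# audit_hash STORED_HASH CANDIDATE_FILE
# Prints the matching candidate and returns 0; returns 1 when nothing matches.
audit_hash() {
    stored=$1
    # md5crypt layout is $1$<salt>$<digest>, so splitting on "$" gives
    # field 2 = scheme id and field 3 = salt.
    scheme=$(printf '%s' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    if [ "$scheme" != "1" ] || [ -z "$salt" ]; then
        echo "audit_hash: not an md5crypt (\$1\$) hash" >&2
        return 2
    fi
    while IFS= read -r guess; do
        # Hash the guess with the salt taken from the stored hash. -stdin
        # keeps the guess out of the process list and copes with a leading "-".
        trial=$(printf '%s\n' "$guess" | openssl passwd -1 -salt "$salt" -stdin)
        if [ "$trial" = "$stored" ]; then
            printf '%s\n' "$guess"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed lab input: a tiny candidate list and three hashes made on the spot.
lab=$(mktemp -d)
printf '%s\n' letmein summer2024 password123 football > "$lab/candidates.txt"
weak_a=$(openssl passwd -1 password123)   # random salt
weak_b=$(openssl passwd -1 password123)   # same password, new random salt
strong=$(openssl passwd -1 'BlueCoffeeTigerMountain91!')

if [ "$weak_a" != "$weak_b" ]; then
    echo "same password, two different hash strings (different salts)"
fi
for h in "$weak_a" "$weak_b" "$strong"; do
    if found=$(audit_hash "$h" "$lab/candidates.txt"); then
        echo "MATCH     $h -> $found"
    else
        echo "no match  $h"
    fi
done
rm -r "$lab"
```
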

Step 9 – Using a Wordlist

A wordlist is a file full of possible passwords.

Kali often includes a famous wordlist called:

rockyou.txt

It is commonly located here:

/usr/share/wordlists/rockyou.txt.gz

Notice the .gz ending.

That means it is compressed.

To check if it exists, run:

ls /usr/share/wordlists/

If you see:

rockyou.txt.gz

you can unzip it with:

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

Now confirm it exists:

ls /usr/share/wordlists/

You should now see:

rockyou.txt

Step 10 – Crack the Hash with rockyou.txt

Now run John again, but this time tell it to use the wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Then show the result:

john --show hash.txt

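If password123 is in the wordlist, John should find it. If John already cracked this hash in Step 6, it will instead report that there are no password hashes left to crack; clear the saved results as shown in Step 11 and run the command again.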

This is called a dictionary attack.

A dictionary attack does not try every possible character combination.

Instead, it tries likely passwords from a list.

That is why common passwords are terrible.

Step 11 – Clear John’s Previous Results

John remembers cracked passwords.

That is useful, but it can confuse beginners during labs.

John stores cracked results in a file called:

john.pot

To clear previous John results for a fresh test, run:

rm ~/.john/john.pot

If the file does not exist, that is fine.

You can also check where John stores files with:

john --list=build-info

Step 12 – Create a Second Test Password

Let’s create a new test hash.

This time, use:

openssl passwd -1 football

Copy the hash output.

Create a new file:

nano football-hash.txt

Paste the hash.

Save and exit:

CTRL + O

Press Enter.

CTRL + X

Now run:

john --wordlist=/usr/share/wordlists/rockyou.txt football-hash.txt

Then:

john --show football-hash.txt

You should see:

football

This proves the same process works with different hashes.

Step 13 – Create a Harder Password

Now let’s create a stronger password hash.

Run:

openssl passwd -1 'BlueCoffeeTigerMountain91!'

Copy the hash.

Create a file:

nano strong-hash.txt

Paste the hash.

Save and exit.

Now try to crack it:

john --wordlist=/usr/share/wordlists/rockyou.txt strong-hash.txt

This one may not crack quickly.

It may not crack at all with that wordlist.

That is the lesson.

Strong passwords make password cracking much harder.

Step 14 – Stop John While It Is Running

If John keeps running and you want to stop it, press:

CTRL + C

This stops the current cracking session.

You can resume later with:

john --restore

John is designed for long-running cracking jobs.

Some password cracking attempts can take minutes, hours, days, weeks, or much longer depending on the password strength and hash type.

Step 15 – View John Sessions

John can manage cracking sessions.

To start a named session:

john --session=test1 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

To restore that session later:

john --restore=test1

This is useful when working with larger hash files.

Step 16 – Understanding Hash Types

Not all hashes are the same.

Some are fast to crack.

Some are much slower.

Examples of hash types include:

  • MD5
  • SHA1
  • SHA256
  • SHA512
  • bcrypt
  • NTLM
  • Linux shadow hashes

Older and faster hash types are usually easier to attack.

Modern password storage should use slow, salted password hashing methods.

That is one reason good system design matters.

Step 17 – Let John Detect the Hash Format

In many cases, you can just run:

john hash.txt

John will try to detect the hash format automatically.

But sometimes you need to tell John the format manually.

To list supported formats, run:

john --list=formats

This list is large.

Do not try to memorize it.

Just understand that John supports many different hash formats.

Step 18 – Using John Against Linux Password Files

Linux stores password-related information in two important files:

/etc/passwd

and:

/etc/shadow

The /etc/passwd file stores user account information.

The /etc/shadow file stores password hashes.

Normal users cannot read /etc/shadow.

That is a security feature.

To prepare Linux password hashes for John, there is a tool called:

unshadow

It combines /etc/passwd and /etc/shadow into a format John can understand.

On your own Kali VM, you can test this with:

sudo unshadow /etc/passwd /etc/shadow > kali-hashes.txt

Then run:

john kali-hashes.txt

To show cracked results:

john --show kali-hashes.txt

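This is useful for understanding how Linux password auditing works. Keep in mind that kali-hashes.txt now contains the same password hashes that /etc/shadow protects, so keep it inside the lab folder and remove it when you are finished.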

Do not do this on systems you do not own or administer.
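
One way to combine the hash-type point from Step 16 with the file produced in this step: label each account in unshadow-style output by the scheme prefix of its hash, so accounts still on old, fast schemes stand out. This is an added example, not part of the original tutorial; the function names classify_hashes and flagged_accounts, the verdict labels and the sample accounts are assumptions, and the sample digests are placeholders rather than real hashes.

```shell
#!/bin/sh
# Added example (not from the original tutorial): label each account in an
# unshadow-style file (user:hash:uid:gid:gecos:home:shell) by hash scheme.

# classify_hashes FILE -> one "user scheme verdict" line per account
classify_hashes() {
    awk -F: '
    {
        h = $2
        if      (h == "")            { s = "none";        v = "NO-PASSWORD" }
        else if (h ~ /^[!*]/)        { s = "locked";      v = "ok" }
        else if (h ~ /^\$1\$/)       { s = "md5crypt";    v = "LEGACY" }
        else if (h ~ /^\$2[abxy]\$/) { s = "bcrypt";      v = "ok" }
        else if (h ~ /^\$5\$/)       { s = "sha256crypt"; v = "ok" }
        else if (h ~ /^\$6\$/)       { s = "sha512crypt"; v = "ok" }
        else if (h ~ /^\$y\$/)       { s = "yescrypt";    v = "ok" }
        else if (h !~ /\$/ && length(h) == 13) { s = "descrypt"; v = "LEGACY" }
        else                         { s = "unknown";     v = "REVIEW" }
        print $1, s, v
    }' "$1"
}

# flagged_accounts FILE -> names of accounts whose verdict is not "ok"
flagged_accounts() {
    classify_hashes "$1" | awk '$3 != "ok" { print $1 }'
}

# Constructed sample: the salts and digests are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$labsalt1$CONSTRUCTEDDIGEST0000:1001:1001::/home/legacy:/bin/sh
oldunix:ab0CONSTRUCT0:1002:1002::/home/oldunix:/bin/sh
svc:$6$labsalt1$CONSTRUCTEDDIGEST:1003:1003::/home/svc:/bin/sh
guest::1004:1004::/home/guest:/bin/sh
EOF
classify_hashes "$sample"
echo "needs attention: $(flagged_accounts "$sample" | tr '\n' ' ')"
rm "$sample"
```
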

Step 19 – Using John with Metasploitable

Metasploitable is intentionally vulnerable and was built for practice.

If you are logged into Metasploitable directly, you can explore how Linux password files work there too.

Log into Metasploitable with:

Username: msfadmin
Password: msfadmin

You can view account information with:

cat /etc/passwd

You cannot normally read /etc/shadow unless you have elevated access.

That is the point.

The shadow file is protected because it contains password hashes.

In later tutorials, once we learn exploitation and privilege escalation, you will understand why attackers care so much about gaining access to /etc/shadow.

For now, just understand this:

If an attacker gets password hashes, they may try to crack them offline with a tool like John.

Step 20 – Why Offline Cracking Is Dangerous

Online login guessing is noisy.

It may trigger:

  • account lockouts,
  • alerts,
  • logs,
  • rate limits,
  • security monitoring.

Offline cracking is different.

If an attacker steals hashes, they can attack those hashes on their own machine without repeatedly touching the original system.

That is why protecting password hashes matters.

It is also why strong password storage matters.

Step 21 – Password Auditing Lessons

John teaches several important lessons:

Weak Passwords Fail Fast

Passwords like these are bad:

password
password123
admin
welcome
football
qwerty
letmein

They are common, predictable, and often included in wordlists.

Longer Passwords Are Better

Length matters a lot.

This is better:

coffee-river-window-laptop-742

than this:

P@ss1

Short “complex” passwords are often worse than long passphrases.

Reused Passwords Are Dangerous

If someone reuses the same password across multiple services, one leaked password can create multiple compromises.

Password Managers Help

Humans are bad at creating and remembering many strong passwords.

Password managers solve that problem.

Step 22 – Clean Up Your Lab Files

When you are finished, you can remove the lab folder if you want.

Move back to your home folder:

cd ~

Remove the lab folder:

rm -r john-lab

Only do this if you are sure you no longer need the files.

Common Beginner Mistakes

Thinking John Reverses Hashes

John does not reverse hashes.

It guesses passwords and compares hashes.

Using Only One Wordlist

A single wordlist will not crack everything.

Wordlists are only as good as the guesses inside them.

Assuming No Result Means Secure

If John does not crack a password quickly, that does not automatically mean the password is perfect.

It only means John did not crack it with that method, wordlist, and amount of time.

Ignoring Password Reuse

Password reuse is one of the biggest real-world problems.

Even strong passwords become dangerous when reused across multiple accounts.

Running Commands Without Understanding Them

Do not just copy commands.

Understand what each one does.

That is how you actually learn.

Useful John Commands

Basic cracking

john hash.txt

Use a wordlist

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Show cracked passwords

john --show hash.txt

List formats

john --list=formats

Resume interrupted session

john --restore

Start named session

john --session=test1 hash.txt

Restore named session

john --restore=test1

Combine passwd and shadow files

sudo unshadow /etc/passwd /etc/shadow > hashes.txt

Closing Thoughts

John the Ripper is one of the most important password auditing tools in Kali Linux.

But the real lesson is not just how to run John.

The real lesson is understanding why weak passwords fail.

John teaches you that:

  • common passwords are dangerous,
  • short passwords are dangerous,
  • reused passwords are dangerous,
  • stolen hashes are dangerous,
  • and password storage matters.

This is why cybersecurity professionals care so much about password policies, password managers, multi-factor authentication, and proper system hardening.

In the next tutorials, we will continue building real-world cybersecurity skills inside our Kali Linux lab.
