Learned John the Ripper by cracking MD5, SHA1, SHA256, Whirlpool, NTLM hashes, plus ZIP files, RAR archives, and SSH keys. Everything fell to rockyou.txt. If your password is in a wordlist, it’s not a password — it’s a suggestion.

The Setup

John the Ripper = password cracking tool that’s been around since 1996.

What it does:

  • Takes a hash (a one-way scramble of the password: it can't be reversed, only matched)
  • Tries millions of candidate passwords from wordlists
  • Hashes each guess the same way and compares it to the target
  • Tells you when it finds a match

This room covered:

  • Basic hash cracking (MD5, SHA1, SHA256, Whirlpool)
  • Windows NTLM hashes
  • Linux /etc/shadow hashes
  • Password-protected ZIPs
  • Password-protected RARs
  • SSH private key passphrases

The Three Modes (And Why You Only Need Two)

John has three cracking modes. Here’s what they actually do:

1. Single Crack Mode

john --single --format=raw-md5 hash.txt

What it does: Uses the username (and, for unshadowed files, the GECOS name and home directory) to generate password guesses with its built-in single-mode rules. The hash file must carry the username, i.e. lines of the form joker:hash; a bare hash gives Single mode nothing to work with.

Example: If the username is “joker”, it tries:

  • joker
  • Joker
  • JOKER
  • joker123
  • Joker!
  • j0ker
  • joker1

Why it works: People use their own name/username in passwords way more than they should.

Speed: FAST — seconds to minutes

In the room: Cracked “Jok3r” instantly because the username was “Joker”

2. Wordlist Mode (The Real One)

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

What it does: Tries every password from a wordlist file.

Rockyou.txt: about 14 million passwords from the 2009 RockYou breach (the site stored them in plaintext). If your password is in this list, it’s already compromised. On Kali it ships compressed as /usr/share/wordlists/rockyou.txt.gz; gunzip it before use.

Speed: FAST for weak passwords (seconds). A strong password never matches, so John simply runs through the whole list without a hit; how long that takes depends on the hash type, from seconds for raw MD5 or NT to hours for sha512crypt or bcrypt.

In the room: Cracked literally everything with rockyou.txt

3. Incremental Mode (Brute Force)

john --incremental hash.txt

What it does: Generates candidate strings character by character, ordered by character-frequency statistics rather than strict alphabetical order, up to a configured maximum length. In practice it runs until you stop it.

Speed: EXTREMELY SLOW (the keyspace grows exponentially with password length)

Reality: You will rarely run it on its own. Against fast hashes like NT or raw MD5 it can exhaust short passwords (roughly 6 to 7 characters) in reasonable time, but if wordlist mode plus rules didn’t crack it, a longer password would take years.

In the room: Never needed it

Hash Types and Formats

John (the jumbo build Kali ships) supports several hundred hash and file formats. Here’s what I encountered:

Basic Hashes

Identify the hash type:

python3 hash-id.py
# OR
john hash.txt

John guesses a format and, for a bare hex string, warns about the other formats it also matches: a 32-character hex digest could be raw MD5, NT, raw MD4 or several others, so the guess is often wrong. Specify --format explicitly whenever you know it, and pass the same --format to --show later:

john --format=raw-md5 hash.txt      # MD5
john --format=raw-sha1 hash.txt     # SHA1
john --format=raw-sha256 hash.txt   # SHA256
john --format=whirlpool hash.txt    # Whirlpool

Results from the room:

  • MD5 hash → cracked to “biscuit”
  • SHA1 hash → cracked to “kangeroo”
  • SHA256 hash → cracked to “microphone”
  • Whirlpool hash → cracked to “colossal”

All fell in seconds with rockyou.txt.
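To make the loop concrete, here is an added example (my code, not the room’s or John’s): a hash identifier that shows why a 32-character digest is ambiguous, and wordlist mode written out as a few lines of Python over hashlib. The “leaked” hashes and the mini wordlist are constructed inline from the room’s weak passwords so it runs offline; Whirlpool is left out because hashlib only exposes it when the underlying OpenSSL does.

```python
import hashlib
from typing import Iterable, List, Optional

# Digest length in hex chars -> John format names a bare digest could be.
# 32 hex chars is the classic ambiguity: raw MD5, NT (MD4 of UTF-16LE), raw MD4
# and LM all look identical, which is why John's auto-detection warns and why
# you should pass --format yourself.
BY_LENGTH = {
    32: ["raw-md5", "nt", "raw-md4", "lm"],
    40: ["raw-sha1", "ripemd-160"],
    64: ["raw-sha256"],
    128: ["raw-sha512", "whirlpool"],
}


def identify(hexdigest_str: str) -> List[str]:
    """Return the John formats a bare hex digest could be, judged by length only."""
    h = hexdigest_str.strip().lower()
    if not h or any(ch not in "0123456789abcdef" for ch in h):
        return []
    return BY_LENGTH.get(len(h), [])


def hexdigest(algo: str, word: str) -> str:
    """Hash one candidate with a hashlib algorithm name ("md5", "sha1", "sha256", ...)."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def read_wordlist(path: str) -> Iterable[str]:
    """Stream a wordlist file. rockyou.txt is not clean UTF-8, so decode as latin-1."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def crack(target: str, algo: str, wordlist: Iterable[str]) -> Optional[str]:
    """Wordlist mode in one loop: hash each candidate, compare, stop on the first hit."""
    target = target.strip().lower()
    for word in wordlist:
        if hexdigest(algo, word) == target:
            return word
    return None  # list exhausted without a match: the password is not in it


# Constructed "leaked" hashes, built here from weak passwords so the example runs
# offline; they stand in for the room's hash files.
LEAKED = {
    "md5": hexdigest("md5", "biscuit"),
    "sha1": hexdigest("sha1", "kangeroo"),
    "sha256": hexdigest("sha256", "microphone"),
    "strong_md5": hexdigest("md5", "K7$mP2@qX9#vL4wN5&tR8"),
}

# A constructed stand-in for rockyou.txt: a handful of entries, same idea.
WORDLIST = ["123456", "password", "qwerty", "kangeroo", "biscuit",
            "microphone", "letmein", "colossal"]


if __name__ == "__main__":
    for name, target in LEAKED.items():
        algo = name.split("_")[-1]
        print(name, identify(target), "->", crack(target, algo, WORDLIST))
```

Swap WORDLIST for read_wordlist("/usr/share/wordlists/rockyou.txt") to run it against the real list; the strong_md5 entry is there to show what “not in the wordlist” looks like (crack returns None after the whole list).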

Windows NTLM Hashes

john --format=nt hash.txt --wordlist=rockyou.txt

Windows stores the NT hash (loosely called the NTLM hash): an unsalted MD4 of the UTF-16LE password, kept in the SAM on workstations and in NTDS.dit on domain controllers. If you can dump these (with Mimikatz or similar), John cracks them very quickly, because there is no salt and MD4 is fast; two users with the same password even share the same hash. For many Windows attacks the NT hash is also usable directly (pass-the-hash) without cracking it at all.

Room result: “mushroom”

Linux /etc/shadow Hashes

Linux stores password hashes in /etc/shadow. John can load a shadow file on its own, but it works better with the matching /etc/passwd lines merged in.

Why?

  • /etc/passwd = usernames and user info (world-readable)
  • /etc/shadow = actual password hashes (root only)

Combine them with unshadow:

unshadow passwd.txt shadow.txt > unshadowed.txt
john unshadowed.txt --wordlist=rockyou.txt

This gives John the username and GECOS data, which Single mode uses for guesses, in the line layout it expects. The hash algorithm comes from the prefix on the hash itself: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $y$ yescrypt (the default on recent Debian, Ubuntu and Fedora). Check that your John build lists a native format for the one you have (john --list=formats); if it doesn’t, --format=crypt goes through the system libcrypt and is much slower. Entries starting with ! or * are locked or password-less accounts and are skipped.

Room result: Root password was “1234” (lol)
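Added example (not the unshadow tool’s own code): a Python reimplementation of the merge, plus a classifier that reads the $id$ prefix the way John does and flags the entries John will not load (locked or starred accounts). The passwd and shadow excerpts are constructed, and the hash bodies are placeholders rather than real digests; only the prefixes matter here.

```python
from typing import Dict, List

# Hash prefix in /etc/shadow -> John format name (the crypt(3) "$id$" convention).
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",   # default on recent Debian/Ubuntu/Fedora; confirm with john --list=formats
}


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Merge like the unshadow tool: replace the 'x' in passwd with the shadow hash.

    Output keeps passwd's layout (user:hash:uid:gid:gecos:home:shell), which is
    what gives John the username and GECOS for Single mode.
    """
    hashes: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, pw_hash = line.split(":", 2)[:2]
            hashes[user] = pw_hash
    merged: List[str] = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry exists
        merged.append(":".join(fields))
    return merged


def classify(pw_hash: str) -> str:
    """Name the John format for a shadow hash field, or say why John will skip it."""
    if pw_hash in ("", "x"):
        return "no-hash"
    if pw_hash.startswith(("!", "*")):
        return "locked"  # '!' = locked with passwd -l, '*' = no password login
    for prefix, fmt in HASH_PREFIXES.items():
        if pw_hash.startswith(prefix):
            return fmt
    return "unknown"


def crackable(merged_lines: List[str]) -> Dict[str, str]:
    """Map user -> format for only the accounts worth feeding to John."""
    out: Dict[str, str] = {}
    for line in merged_lines:
        user, pw_hash = line.split(":")[:2]
        fmt = classify(pw_hash)
        if fmt not in ("no-hash", "locked", "unknown"):
            out[user] = fmt
    return out


# Constructed excerpts (not the room's files). PLACEHOLDERHASH is not a real digest.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$saltsaltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
"""

if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    for line in merged:
        print(line)
    print(crackable(merged))
```

Run against real files (as root, since /etc/shadow is mode 0640) the output is what you would feed to john; the crackable() summary tells you up front whether you are about to spend hours on yescrypt or minutes on md5crypt, and which accounts are locked and not worth the time.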

Cracking Files (Not Just Hashes)

John has helper tools to extract hashes from password-protected files:

ZIP Files

zip2john secure.zip > zip_hash.txt
john zip_hash.txt --wordlist=rockyou.txt

Room result: Password was “pass123”

RAR Archives

rar2john secure.rar > rar_hash.txt
john rar_hash.txt --wordlist=rockyou.txt

Room result: Password was “password” (seriously)

SSH Private Keys

ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=rockyou.txt

SSH private keys can have passphrases. If someone steals your private key but it’s passphrase-protected, John can crack that too, provided the passphrase is weak. Two practical notes: on Kali the helper is a script, /usr/share/john/ssh2john.py, rather than a command on PATH; and keys in the newer OpenSSH format (BEGIN OPENSSH PRIVATE KEY) derive the encryption key with bcrypt, so each guess costs far more than against the old PEM format and rockyou takes correspondingly longer.

Room result: Passphrase was “mango”

Pattern here? All these passwords (pass123, password, mango) are in rockyou.txt. That’s the point.

What I Actually Learned

1. Most Passwords Are Terrible

Every single hash in this room fell to rockyou.txt. Yes, it’s a beginner room with intentionally weak passwords, but here’s the reality:

Real breach statistics:

  • “123456” — used by millions
  • “password” — used by millions
  • “qwerty” — used by millions
  • Variations of these — used by millions more

If your password is:

  • A dictionary word
  • A common phrase
  • Your name + numbers
  • Already in a data breach

It will crack in seconds.

2. Hash Type Doesn’t Matter for Weak Passwords

The room had me crack:

  • MD5 (considered weak)
  • SHA256 (considered strong)
  • Whirlpool (512-bit, considered strong)

All fell in seconds.

Why? Because “biscuit” is a terrible password whether you hash it with MD5 or SHA256. The hash algorithm doesn’t save you from a weak password.

One caveat: none of these are password hashes. They are fast, unsalted general-purpose digests, which is exactly why a wordlist runs through them in seconds. A real password hash (bcrypt, scrypt, Argon2, or at least a salted sha512crypt) makes each guess orders of magnitude more expensive and stops an attacker from hashing a candidate once and checking it against every user. That buys time for mediocre passwords; it still doesn’t rescue “biscuit”.

3. Single Mode is Underrated

john --single hash.txt

Single mode uses the username to guess passwords. It cracked “Jok3r” from the username “Joker” instantly.

Why this matters in real attacks:

  • Corporate accounts often use FirstnameLastname format
  • People include their company name in passwords
  • Users reuse parts of their username

Before running a massive wordlist, try Single mode first. It’s fast and catches the low-hanging fruit.

4. File Protection is Password Protection

ZIP files, RAR archives, SSH keys: each stores something derived from the password (a verifier value or an encrypted block) that lets you test a guess offline, which is all a hash is to a cracker.

The workflow:

  1. Extract the hash with zip2john / rar2john / ssh2john
  2. Crack it like any other hash
  3. Use the password to open the file

Real-world scenario: You find an encrypted backup ZIP on a compromised server. If it’s protected with “backup2024”, you’re in.

The One Defense That Actually Works

After cracking all these passwords, here’s what would’ve stopped me:

Long, random, unique passwords.

Examples of passwords that would survive (generated fresh, never copied from a published example):

K7$mP2@qX9#vL4wN5&tR8
correct-horse-battery-staple-purple-elephant
mJ9#pL2@vK8$nR4&wQ7

Why these work:

  • Not in any wordlist (caveat: the second one’s first four words are the famous xkcd example and are in wordlists now; the pattern is fine, but the words must be picked at random)
  • Too long for brute force
  • Random enough that rules won’t generate them

Use a password manager:

  • Bitwarden (free, open source)
  • 1Password
  • KeePass

Let it generate random passwords. You only need to remember one master password.

Practical Commands Reference

Basic cracking:

# Let John auto-detect
john hash.txt --wordlist=rockyou.txt
# Specify format
john --format=raw-md5 hash.txt --wordlist=rockyou.txt
# Try single mode first
john --single hash.txt
# Show cracked passwords (pass the same --format you cracked with, or it may report 0)
john --show hash.txt

File cracking:

# ZIP
zip2john file.zip > hash.txt
john hash.txt --wordlist=rockyou.txt
# RAR
rar2john file.rar > hash.txt
john hash.txt --wordlist=rockyou.txt
# SSH key
ssh2john id_rsa > hash.txt
john hash.txt --wordlist=rockyou.txt

Linux shadow:

unshadow passwd.txt shadow.txt > combined.txt
john combined.txt --wordlist=rockyou.txt

Windows NTLM:

john --format=nt hash.txt --wordlist=rockyou.txt

Custom Rules (Advanced)

John supports custom rules to mutate wordlist entries:

Common rules:

  • c = Capitalize first letter (password → Password)
  • u = Uppercase all (password → PASSWORD)
  • $[0-9] = Append number (password → password1)
  • ^[0-9] = Prepend number (password → 1password)
  • Az"[A-Z]" = Append capital letter (password → passwordA)

Using custom rules:

john --wordlist=rockyou.txt --rules=THMRules hash.txt

Reality: Rockyou.txt already contains so many variations that rules are rarely needed for weak passwords. Where they earn their keep is the corporate pattern (Company2024!, Summer2025, FirstnameYYYY), which isn’t in rockyou but falls to a short rule set in seconds.
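Added example (not John’s rule engine, which is far larger): a toy preprocessor and rule applier covering the commands listed above plus a few more (l, t, r, d, f, sXY), enough to see how one rule line turns into many candidates and how “Jok3r” comes out of “joker”. The rule set at the bottom is constructed for the demo and is not THMRules.

```python
import itertools
import re
from typing import List


def _expand_class(body: str) -> List[str]:
    """Expand the inside of [...]: 'a-c' -> a, b, c; single characters stay as they are."""
    chars: List[str] = []
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def preprocess(rule: str) -> List[str]:
    """Like John's rule preprocessor: one rule with [..] classes becomes many concrete rules.

    'c$[0-9]' -> ['c$0', ..., 'c$9']; several classes give the cartesian product.
    Toy version: no \\[ escapes and no [ / ] delete commands.
    """
    parts = re.split(r"(\[[^\]]*\])", rule)
    choices = [_expand_class(p[1:-1]) if re.fullmatch(r"\[[^\]]*\]", p) else [p] for p in parts]
    return ["".join(combo) for combo in itertools.product(*choices)]


def apply_rule(rule: str, word: str) -> str:
    """Apply one concrete (already preprocessed) rule string to a word, John-style."""
    w = word
    i = 0
    while i < len(rule):
        cmd = rule[i]
        i += 1
        if cmd == ":":        # no-op: the word itself
            pass
        elif cmd == "l":      # lowercase
            w = w.lower()
        elif cmd == "u":      # uppercase
            w = w.upper()
        elif cmd == "c":      # capitalize: first upper, rest lower
            w = w[:1].upper() + w[1:].lower()
        elif cmd == "C":      # inverse capitalize
            w = w[:1].lower() + w[1:].upper()
        elif cmd == "t":      # toggle case of every character
            w = w.swapcase()
        elif cmd == "r":      # reverse
            w = w[::-1]
        elif cmd == "d":      # duplicate
            w = w + w
        elif cmd == "f":      # reflect: append the reversed word
            w = w + w[::-1]
        elif cmd == "$":      # $X append X
            w = w + rule[i]
            i += 1
        elif cmd == "^":      # ^X prepend X
            w = rule[i] + w
            i += 1
        elif cmd == "s":      # sXY replace every X with Y (se3: joker -> jok3r)
            w = w.replace(rule[i], rule[i + 1])
            i += 2
        elif cmd == "A":      # AN"STR" insert STR at position N (z = end); any quote char
            pos, quote = rule[i], rule[i + 1]
            end = rule.index(quote, i + 2)
            text = rule[i + 2:end]
            i = end + 1
            n = len(w) if pos == "z" else int(pos)
            w = w[:n] + text + w[n:]
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return w


def mutate(word: str, rules: List[str]) -> List[str]:
    """Run a word through a rule set, returning unique candidates in rule order."""
    seen = set()
    out: List[str] = []
    for rule in rules:
        for concrete in preprocess(rule):
            cand = apply_rule(concrete, word)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed rule set in the spirit of the list above (not THMRules itself).
RULES = [":", "c", "u", "c$[0-9]", "^[0-9]", 'Az"[A-Z]"', "cse3", "c$[0-9]$[0-9]"]

if __name__ == "__main__":
    for cand in mutate("password", RULES)[:15]:
        print(cand)
    print(apply_rule("cse3", "joker"))
```

Eight rule lines produce 149 distinct candidates for “password”; the last rule alone adds a hundred, which is why a modest rule file multiplies rockyou’s 14 million entries into billions of guesses, and why the hash type (fast MD5 versus slow bcrypt) decides whether that is seconds or weeks.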

Real-World Application

If I were pentesting and found password hashes:

Step 1: Try Single mode (30 seconds, and only useful if hashes.txt carries usernames)

john --single hashes.txt

Catches username-based passwords instantly.

Step 2: Try rockyou.txt (seconds to minutes for fast hashes like NT or raw MD5; hours or more for salted, slow ones like sha512crypt or bcrypt)

john --wordlist=rockyou.txt hashes.txt

Catches weak passwords.

Step 3: Check results

john --show hashes.txt

Step 4: Try other wordlists and rule sets if needed

john --wordlist=/usr/share/wordlists/seclists/Passwords/probable-v2-top12000.txt hashes.txt

probable-v2-top12000 is small and frequency-ordered, so it finishes in seconds; for real coverage, rerun rockyou with a rule set (see Custom Rules above) so that variants like Password1 and biscuit2024 are generated too.

Step 5: Give up on strong passwords

If it hasn’t cracked by now, the password is probably actually good. Move on to other attack vectors.

What I wouldn’t do: Run incremental mode for days. That’s a waste of time. Strong passwords exist.

The Uncomfortable Truth

This room was easy because the passwords were weak. But here’s the thing:

Real data breaches show the same pattern.

When researchers analyze leaked password databases, the exact split varies by study, but the picture is roughly:

  • 50% of passwords are in common wordlists
  • 10% are variations of common passwords
  • Only 40% are actually unique/strong

Translation: Half of all passwords crack instantly with tools like John.

Your takeaway:

  • Use a password manager
  • Generate random passwords
  • Enable 2FA everywhere
  • Assume password-only authentication is broken

Final Thoughts

John the Ripper is stupid simple:

  1. Feed it a hash
  2. Feed it a wordlist
  3. Wait for results

The tool isn’t complicated. What’s complicated is understanding that password security is fundamentally broken because humans are terrible at creating random strings.

Key lessons:

  • Single mode for username-based guesses
  • Wordlist mode for everything else
  • Incremental mode is useless for real work
  • File passwords are just hashes in disguise
  • Most passwords crack in seconds
  • Only random, long, unique passwords survive

If you use “Password123!” anywhere, change it. Now.

Tags: #TryHackMe #JohnTheRipper #PasswordCracking #Hashing #Pentesting #OffensiveSecurity

Use strong passwords. Use 2FA. Use a password manager. Seriously.