John The Ripper
John the Ripper (JtR) is a password cracking tool that supports hundreds of hash formats. This guide covers what we've practiced: cracking NTLMv2 hashes captured with Responder.
Quickstart: Crack NTLMv2
# 1. Capture the hash with Responder
sudo responder -I tun0
# The hash appears in: /usr/share/responder/logs/SMB-NTLMv2-*.txt
# 2. Crack with John (auto-detects the format)
john hash.txt
# 3. Or force the format and use a wordlist
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# 4. Show results
john --show hash.txt
NTLMv2 hash format
Example:
Attack modes
1. Wordlist Attack
# Basic wordlist attack
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# With rules for password mutation
john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt
# Force format
john --wordlist=/usr/share/wordlists/rockyou.txt --rules --format=netntlmv2 hash.txt
2. Auto-detection
# John auto-detects the hash format
john hash.txt
# List all supported formats
john --list=formats
# Filter formats by keyword
john --list=formats | grep -i ntlm
Session management
# Start a named session (auto-saves progress)
john --session=crack1 --wordlist=rockyou.txt hash.txt
# Restore an interrupted session
john --restore=crack1
# Show cracked passwords
john --show hash.txt
Always use sessions for long cracks. John saves progress automatically, so you can press Ctrl+C and resume with `--restore`.
Essential wordlists
# RockYou (the standard CTF wordlist)
/usr/share/wordlists/rockyou.txt.gz # Debian/Kali (gunzip first)
# SecLists (full collection)
git clone https://github.com/danielmiessler/SecLists
CTF Workflow
- Capture the hash with Responder or another tool
- Identify the format: `john hash.txt` (auto-detects) or `john --list=formats | grep keyword`
- Crack with wordlist first: `john --wordlist=rockyou.txt hash.txt`
- Add rules if wordlist fails: `john --wordlist=rockyou.txt --rules=best64 hash.txt`
- Check progress: `john --show hash.txt`
- Restore interrupted sessions: `john --restore`
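
Between capturing and cracking in the workflow above, it helps to confirm that hash.txt contains only well-formed NetNTLMv2 lines and a single entry per account, since every extra challenge for the same user adds work per candidate password. The script below is an added example, not part of the original guide; the function names, the sample lines and the field layout stated in its comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumed line layout for
# --format=netntlmv2: USER::DOMAIN:CHALLENGE:NTPROOF:BLOB, where CHALLENGE
# is 16 hex chars, NTPROOF is 32 hex chars and BLOB is even-length hex.

# filter_netntlmv2 [FILE...]: print well-formed lines, first one per
# USER::DOMAIN (case-insensitive); rejects and a summary go to stderr.
filter_netntlmv2() {
    awk -F: '
        function ishex(s, n) {   # n = required length, 0 = any even length
            if (s !~ /^[0-9A-Fa-f]+$/) return 0
            return (n ? length(s) == n : length(s) % 2 == 0)
        }
        { sub(/\r$/, "") }       # tolerate CRLF; awk re-splits the fields
        /^[ \t]*$/ { next }      # skip blank lines
        NF != 6 || $1 == "" || $2 != "" ||
        !ishex($4, 16) || !ishex($5, 32) || !ishex($6, 0) {
            printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"
            bad++; next
        }
        {
            key = toupper($1 "::" $3)
            if (key in seen) { dup++; next }
            seen[key] = 1; kept++
            print
        }
        END { printf "kept=%d duplicate=%d rejected=%d\n", kept, dup, bad > "/dev/stderr" }
    ' "$@"
}

# Constructed sample input: placeholder hex values, not real captures.
sample_capture() {
    cat <<'EOF'
alice::LAB:1122334455667788:0123456789ABCDEF0123456789ABCDEF:0101000000000000
ALICE::lab:8877665544332211:FEDCBA9876543210FEDCBA9876543210:0101000000000000
bob::LAB:1122334455667788:0123456789abcdef0123456789abcdef:01010000
carol::LAB:11223344:0123456789ABCDEF0123456789ABCDEF:0101
[SMB] NTLMv2-SSP Client   : 10.0.0.5
EOF
}

# Usage: sh this_script.sh capture1.txt capture2.txt > hash.txt
if [ "$#" -gt 0 ]; then filter_netntlmv2 "$@"; fi
```

On the constructed sample it keeps the first alice line and the bob line, drops the second alice line as a duplicate, and rejects the short-challenge line and the log banner.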
Related
Machines: [[Responder]]
Guides: [[NTLM]], [[WinRM]]