john

John the Ripper is an offline password auditing tool used to test how strong passwords are by attempting to recover the original password from its stored hash. A hash is the scrambled, one-way representation of a password that most systems store instead of the password itself. When a security team has a file of these hashes (from a database backup or penetration test), John tries combinations from wordlists and other methods to figure out what the original passwords were.

This version (called the "jumbo" community edition) supports hundreds of hash and cipher formats: Unix crypt types, Windows NTLM and LM hashes, various web application hash formats like MD5 and SHA-256 used raw, SQL and LDAP server hashes, and encrypted file containers such as ZIP, RAR, PDF, and macOS disk images. To crack one of those file types, a companion tool (for example zip2john or pdf2john) first extracts the hash from the file, and then you feed that output into John.

Cracking can run in several modes: using a wordlist (a file of common passwords), a wordlist plus mangling rules that generate variations, or a brute-force pattern that tries all combinations within defined limits. Sessions can be paused and resumed, and the tool saves found passwords to a file called john.pot so you can see results and avoid re-processing already-cracked hashes.

The software runs on Linux, macOS, Windows, and several other platforms. It can distribute work across multiple CPU cores and also supports GPU acceleration for formats that benefit from it. There is a separate graphical interface called Johnny for users who prefer not to use the command line. The project is licensed under the GNU GPL version 2 and is developed on GitHub through pull requests.