See our complete list of top penetration testing tools.
John the Ripper is a fine tool for checking on password vulnerability. It should be viewed as more of a supplemental tool than a primary one in the penetration arsenal. As it combines several approaches to password cracking into one, it is well worth trying out.
Type of tool: Password cracker
Key Features: Passwords are a weak link in enterprise security. As requirements get stiffer for the number and type of characters, bad habits multiply such as post-it notes on screens, Word docs with passwords listed, retaining default passwords and other workarounds. That’s why cybercriminals go after passwords so often. Once a hacker steals credentials, they can enter sensitive systems or wait in ambush to stage a devastating attack against a prized asset.
Penetration testing, therefore, pays close attention to password cracking. John the Ripper is a free, easy to use, open source tool that takes the best aspects of various password crackers and unites them into one package. As such it can be harnessed by pen testers to detect weak passwords and find a way into a system or database.
John the Ripper works by using the dictionary method favored by attackers as the easiest way to guess a password. It takes text string samples from a word list using common dictionary words. It can also deal with encrypted passwords, and address online and offline attacks.
Differentiator: It is a free tool that is easy to use and it is aimed squarely at password cracking.
What it can’t do: Vulnerability analysis and test for other areas of penetration beyond passwords.