
Hashcat vs John the Ripper (JTR)

m5kro
CyberScribers


Hashcat and John the Ripper are both popular tools for password cracking. Both have pros and cons, and in this article, we will review some of them.

Quick list

If you don’t feel like reading through everything, here are the main points.

Hashcat

Pros:

  1. Fantastic GPU support
  2. Support for most compute backends (OpenCL, Apple Metal, etc.)
  3. Support for most operating systems
  4. Support for plenty of hash types (full list here)
  5. Able to detect hash type

Cons:

  1. Hash detection is not great
  2. Some drivers lower performance (not Hashcat’s fault)

John the Ripper

Pros:

  1. Support for hash types that Hashcat does not support (full list here)
  2. Support for most operating systems
  3. Able to do hash detection
  4. Able to take advantage of CPU specific optimizations

Cons:

  1. GPU support for specific hash types only
  2. Some hashes need to be converted
  3. Getting CUDA to work is a pain

Personal Reviews

These are my experiences with both. You may have different results.

Hashcat

Hashcat has been my main tool for a while thanks to its GPU support. I mostly use it for NTLMv2 and WPA cracking. I found that cracking was slower with wordlists than with brute force or rule attacks. I think this is due to bandwidth limitations from my drive to the GPU. This issue does not persist with rule and brute force attacks, as candidates are generated on the GPU, removing the bandwidth limitation.

The optimized kernel option doubled NTLMv2 hashrates but did not do anything for WPA cracking. I also disabled hardware monitoring, as it killed the process at 80 degrees. I used the wordlists from crackstation.net and the kamaji34K ruleset from the Kaonashi project.

I tested Hashcat on Linux and Windows, and it seems Linux is better with AMD GPUs (compute mode was on for both operating systems). Nvidia CUDA performance was mostly similar for both, though NTLMv2 performance was a bit better on Linux.

John the Ripper (JTR)

I used JTR on Windows for cracking RSA keys encrypted with triple DES (Hashcat does not have support for this). First I had to convert the hash to something JTR could read. It took me forever to realize that ssh2john was what I needed. SSH is also able to use RSA certificates for encryption, so I was able to put my keys through ssh2john. My first run with JTR had very poor performance. This was because it defaulted to using my CPU instead of GPU. Luckily, JTR had an OpenCL option for SSH, and I used that.

However, JTR still defaulted to CPU and I had to force it to use the GPU. This time JTR errored out, and after a bit of research it seems Nvidia moved the nvopencl64.dll file somewhere else. This was fixed by copying it to C:/Windows/System32/ where JTR needed it to be. Once everything was working, performance was 100 times better (I am not exaggerating).
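As an added example (not code from the original article or from either tool), here is a defender-side check for the kind of key described above: it reads a PEM private key's headers and reports whether the passphrase protection uses the traditional PEM scheme. It assumes the triple-DES keys were in that traditional format, where a `DEK-Info` header names the cipher; `classify_key` and `SAMPLE` are hypothetical names, and the sample key is constructed.

```python
import base64
import re
import struct

BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
DEK = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)", re.M)

# Constructed sample: only the header lines matter; the body is dummy data.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

def _ssh_string(buf, off):
    """Read one length-prefixed (uint32, big-endian) string from buf."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_key(pem):
    """Report how a passphrase protects the first PEM private key in pem."""
    m = BEGIN.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    out = {"format": "legacy-pem", "encrypted": False,
           "cipher": None, "kdf": None, "weak_kdf": False}
    if label == "OPENSSH PRIVATE KEY":
        body = pem[m.end():pem.index("-----END", m.end())]
        raw = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad OpenSSH key magic")
        cipher, off = _ssh_string(raw, len(magic))
        kdf, _ = _ssh_string(raw, off)
        out.update(format="openssh", encrypted=cipher != b"none",
                   cipher=cipher.decode(), kdf=kdf.decode())
    elif label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        # PKCS#8: KDF parameters sit inside the ASN.1 body, not parsed here,
        # so weak_kdf is None (not determined).
        out.update(format="pkcs8", encrypted=label.startswith("ENCRYPTED"),
                   weak_kdf=None)
    elif not label.endswith("PRIVATE KEY"):
        raise ValueError("not a private key block: " + label)
    elif "Proc-Type: 4,ENCRYPTED" in pem and DEK.search(pem):
        # Traditional PEM: key = MD5 over passphrase + salt, iteration count 1
        # (OpenSSL EVP_BytesToKey), so each passphrase guess is cheap.
        out.update(encrypted=True, cipher=DEK.search(pem).group(1),
                   kdf="md5-evp-bytestokey-count1", weak_kdf=True)
    return out
```

A key flagged with `weak_kdf: True` is better re-encrypted in the OpenSSH format, whose bcrypt KDF makes each passphrase guess far more expensive.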

Conclusion

Hashcat and John the Ripper both have their use cases. Hashcat has much better support for GPU cracking while JTR is better for different hash types. I’m sure I missed lots of specific details as my tests were not very thorough. It is up to you which tool is better.
