If you’re just getting into password cracking and wondering which tools are actually worth learning, you’re in the right place. The world of password cracking tools can feel overwhelming at first—between GPU-tuned hash busters, wordlist generators, and obscure syntax-heavy programs, it’s easy to get lost in the noise.
This guide cuts through the hype and gives you a clear starting point. We’ll cover the most widely used password cracking tools in the industry—like Hashcat and John the Ripper—and explain what each tool is good at, how they differ, and when you’d reach for one over the other. We’ll also walk through some supporting utilities that help identify hash types, generate wordlists, and optimize your cracking workflow.
Whether you’re doing CTFs, building a home cracking rig, or just want to know what makes passwords crumble, this post is your beginner-friendly map to the password cracking landscape.
Core Password Cracking Tools
While there are countless password cracking utilities floating around the cybersecurity space, in practice, nearly all serious password cracking efforts funnel down to two primary tools: Hashcat and John the Ripper.
At their core, both tools perform the fundamental task of password cracking: taking plaintext candidates, hashing them using the target algorithm, and comparing the result against a list of known hashes. This hashing-and-comparison cycle is the beating heart of password cracking.
These aren’t just popular tools—they’re industry standards. Both are backed by actively maintained codebases, strong community support, and deep feature sets tailored to real-world cracking workflows.
Hashcat
CodeBase:
https://github.com/hashcat/hashcat
Wiki:
https://hashcat.net/wiki/doku.php?id=hashcat
The Case for John the Ripper
With few exceptions, Hashcat is the preferred and more powerful tool for password cracking. Plus, to its credit, Hashcat has far fewer murders to its name. However, John the Ripper still holds a respectable place in a password cracker’s arsenal. If you’re restricted to CPU-only cracking, John the Ripper offers better optimization than Hashcat in most cases.
Support for Newer Algorithms
Another point in John the Ripper‘s favor is its support for the Argon2 algorithm. This extended algorithm support underscores the tool’s active development. The John the Ripper codebase sees more frequent updates and releases than Hashcat, which, despite being actively maintained, progresses at a much slower pace. The fact that Hashcat still lacks support for Argon2 highlights this difference.
A Final Strong Use Case for JtR: Dynamic Mode
One of the last remaining strong use cases for John the Ripper is its custom dynamic algorithm mode. This feature can be thought of in two main contexts.
Dynamic Mode – Unknown Hashing Algorithm
The first use case is when you don’t know what hashing algorithm was used. John the Ripper’s dynamic mode can iterate through various known and hybrid algorithm combinations to try and identify a matching structure. That said, if you’re in a situation like this, John the Ripper actually isn’t your best option—MDXfind is a much faster and more comprehensive tool for hash type discovery across a broader range of algorithms.
Dynamic Mode – Known But Unsupported Hashing Algorithm
The real value in John the Ripper’s dynamic mode lies in its ability to define and crack custom hashing algorithms—those that don’t conform to any predefined structure.
For example, consider a custom scheme like: md5(salt + password + md5(password))
While this construction isn’t cryptographically complex—it just chains known functions in an uncommon way—neither Hashcat nor JtR supports it as a built-in mode. However, with JtR’s dynamic mode, you can create a custom algorithm to start cracking with just a few lines in a configuration using the dynamic scripting syntax. There’s no need to write C code or recompile anything; you can define and execute the hash structure directly from a config file.
On the other hand, Hashcat would require a custom module to handle this type of hash. Creating such a module is non-trivial—it demands fluency in C and a solid understanding of Hashcat’s plugin architecture. For most users, this is a significant barrier.
Dynamic Mode is not Perfect…
Now, John the Ripper’s custom dynamic mode for hashing algorithm configuration isn’t without its limitations. One of the most significant drawbacks I’ve encountered is its handling of variable salt lengths. So, JtR Dynamic mode may not work If your salt string length is not a fixed size; although there may be workarounds in certain situations. While dynamic mode offers a powerful and flexible solution for custom hash formats, it’s not perfect.
JtR, The Bottom Line.
When to use John the Ripper.
- CPU only on a single computer.
- On newer algorithms Hashcat does not support; Argon2.
- On a known but unsupported hashing algorithm using dynamic mode.
Outside of these niche scenarios, Hashcat remains the superior choice. Its performance, extensibility, and ecosystem make it the core tool you should rely on for the vast majority of password cracking tasks.
So, Why is Hashcat Better?
The defining feature that makes Hashcat the de facto number one password cracking tool is its extensive support for GPU-accelerated cracking.
While John the Ripper does offer GPU acceleration, it’s only available for a subset of hash types. Many algorithms still fall back to CPU-only execution, limiting performance. In contrast, Hashcat supports GPU acceleration for every hash type it implements, giving it a significant advantage in both versatility and speed.
The modern architecture of Hashcat was built from the ground up with GPUs in mind. It’s optimized to leverage the massive parallelism of modern graphics cards, enabling it to reach hash rates that far exceed those achievable by John the Ripper.
And when it comes to password cracking, speed is everything. The higher your hash rate, the more password candidates you can test—and the better your chances of a successful crack. This focus on speed and efficiency is why Hashcat remains the gold standard in password cracking tools.
It’s More Then just Speed, It’s Community
Now, there are certainly scenarios where I’d gladly trade John the Ripper’s slower hash rate for a specific feature or capability it offers. But even in those cases, Hashcat still comes out ahead.
Both tools have their limitations, but Hashcat’s widespread adoption within the cybersecurity community has fostered a vibrant ecosystem of companion tools, wrappers, optimizers, and automation frameworks—all designed to extend and enhance its functionality. Whether you’re managing distributed cracking tasks, optimizing rule sets, generating smart brute-force masks, or visualizing cracking progress, there’s likely a tool built specifically with Hashcat in mind.
This community investment—and the speed at which tooling and support continue to evolve around Hashcat—is something that John the Ripper has simply not kept pace with. In practice, this means that with Hashcat, you’re not just choosing a tool—you’re choosing an ecosystem.
Moving Forward, We Are Using Hashcat
For the reasons outlined above—and many more that we won’t delve into here—our focus moving forward will be exclusively on Hashcat within the password cracking blog series. It serves as the foundational tool for all the password cracking systems we will build and implement. Hashcat isn’t just a preferred option; it’s the core building block of our cracking infrastructure.
Password Cracking Supplemental Tools
Beyond the core cracking engines—Hashcat and John the Ripper—there’s a vast number of supplemental tools that are essential. These tools fill in critical gaps: from preprocessing wordlists and generating mangling rules to parsing hash dumps and organizing large cracking campaigns. Without them, you’re leaving efficiency and insight on the table.
Hashtopolis
Hashtopolis is a distributed password cracking manager designed to let you scale your cracking efforts across multiple CPU and GPU systems. It centralizes control, making it easy to coordinate and monitor cracking tasks from a single interface.
Key benefits of Hashtopolis include:
- Workload distribution across a fleet of agents, enabling you to fully utilize available compute resources
- Centralized management of wordlists, rule sets, masks, and preconfigured attack profiles
- Progress tracking and task automation, streamlining the entire cracking workflow
Codebase: https://github.com/hashtopolis/server
Wiki: https://github.com/hashtopolis/server/wiki
MDXfindMDXfind
MDXfind helps identify unknown hash algorithms by testing wordlists against hashes using many algorithm variations. It’s fast and effective.
Note: MDXfind is closed-source and has minimal documentation, which can make setup and usage less straightforward. You will need to play around with the tool to understand how it works.
Codebase: https://www.techsolvency.com/pub/bin/mdxfind/
Wiki: https://0xln.pw/MDXfindbible
rling
rling is a high-performance de-duplication tool for large wordlists or hashlists. While de-duping sounds simple, handling gigabytes of text quickly exposes the limits of typical tools. Once your file hits a million+ lines, tools like rling become essential—standard utilities just can’t handle the scale efficiently.
Codebase/Wiki: https://github.com/Cynosureprime/rling
Hashgen (Cyclone’s Hash Generator)
Hashgen quickly converts plaintext into various hash formats, among other features. You won’t need it often—until you do. It’s perfect for testing, validation, and custom hash generation on demand. You may encounter nested hashes like SHA1(MD5(plaintext)). In these cases, pre-hashing your wordlist (e.g., to MD5) before feeding it into Hashcat set to crack SHA1 can successfully recover the original password.
Codebase/Wiki: https://github.com/cyclone-github/hashgen
HashID
HashID helps identify the algorithm behind a hash, especially when formats overlap (e.g., 32-char hex). Hashcat offers limited detection too, but HashID is more thorough.
Codebase/Wiki: https://github.com/psypanda/hashID
ruleprocessorY
ruleprocessorY is a powerful utility that extends Hashcat’s native rule engine with advanced capabilities such as:
- Multi-byte replacement (e.g., replacing
!with!) - Rule deduplication to eliminate redundant rules
- Rule optimization for cleaner, more efficient processing
This tool becomes absolutely essential when you begin working with slower hashing algorithms like bcrypt, scrypt, or PBKDF2.
By preprocessing and streamlining your rule sets with ruleprocessorY, you dramatically improve efficiency, reduce overhead, and increase your chances of success. I cannot stress enough how critical this tool becomes once you move beyond high-speed hash types.
Codebase/Wiki: https://github.com/0xVavaldi/ruleprocessorY
PACK: Password Analysis and Cracking Kit
PACK (Password Analysis and Cracking Toolkit) is a collection of utilities designed to help you analyze known password lists to uncover patterns and structure. With this data, you can then build more intelligent and targeted attacks.
Using PACK, you can:
- Analyze password composition (lengths, character classes, etc.)
- Generate brute force masks that reflect the most common patterns in real-world passwords
- Tailor Hashcat rule files to focus on mutations that are statistically more likely to succeed
For example, if a dataset reveals that a majority of passwords follow the pattern ?u?l?l?l?l?d?d (e.g., “Chris23”), PACK can help you identify that pattern and turn it into a focused mask for brute forcing.
Codebase/Wiki: https://github.com/iphelix/pack
And More…
There are countless other tools in the password cracking ecosystem that I haven’t covered here. In this blog post, I chose to focus on the foundational tools used in basic password cracking workflows—the ones that form the core of most cracking setups.
That said, there’s a whole class of more advanced tools and techniques specifically tailored for attacking passphrases and high-entropy passwords that I haven’t touched on yet. These tools often incorporate probabilistic models, NLP techniques, and deep learning to intelligently generate candidates that mimic human language patterns.
Those will be saved for a future post, where we’ll dive deeper into the specialized tooling and methodologies designed for next-level password cracking.
Wrapping-up – Password Cracking: The Tools You Need to Know
Getting started with password cracking doesn’t require a wall of GPUs or a toolbox full of obscure utilities—it just takes the right set of tools and a solid understanding of what each one brings to the table.
At the end of the day, the best password cracking tool is the one that gets the job done efficiently. Knowing when to use it, and how to use it effectively, is what separates wasted compute cycles from real results.
In the next post of this password cracking series, we’ll focus on mastering Hashcat’s attack modes and gaining a deeper understanding of attack keyspace—equipping you with the knowledge to build smarter, faster, and more effective cracking strategies.
Related posts:
Password Cracking: Starting at Absolute Zero
Password Cracking for Fun and Profit
CVE-2021-29255 Vulnerability Disclosure
Lab: Exploiting CVE-2021-29255
Webserver VHosts Brute-Forcing
RedTeam Tip: Hiding Cronjobs
HTB Walkthrough: Support
How to Stay on Top of Cybersecurity News
HTB Dante Skills: Network Tunneling Part 1
Guide to Attending DEF CON 31
Leave a Reply