
Hashcat vs John the Ripper: Password Cracking Compared

GPU-accelerated password recovery showdown. Benchmarks, rule-based attacks, and choosing the right tool for the job.

Semih Kilic January 11, 2026 10 min read

Overview

Password cracking is an essential skill in penetration testing. Two tools dominate this space: Hashcat (GPU-focused) and John the Ripper (CPU-focused with GPU support). Let's compare them head-to-head.

GPU vs CPU Performance

| Hash Type | Hashcat (RTX 4090) | John the Ripper (CPU) | Speed Ratio |
|-----------|--------------------|-----------------------|-------------|
| MD5 | 164 GH/s | 850 MH/s | 193x |
| SHA-256 | 22 GH/s | 320 MH/s | 69x |
| bcrypt | 184 kH/s | 45 kH/s | 4x |
| NTLM | 300 GH/s | 1.2 GH/s | 250x |

Attack Modes

Hashcat Attack Modes

  • Dictionary Attack (-a 0): Straight wordlist attack
  • Combination Attack (-a 1): Combine two wordlists
  • Brute-Force (-a 3): Mask-based attack
  • Rule-Based (-a 0 -r rules): Apply transformation rules
  • Hybrid (-a 6, -a 7): Wordlist + mask combinations

John the Ripper Modes

  • Single Crack: Uses login names and GECOS info
  • Wordlist: Dictionary with optional rules
  • Incremental: Brute-force with character frequency optimization
  • External: Custom cracking modes via C-like config

When to Use Which

Choose Hashcat when:

  • You have a powerful GPU
  • Cracking large hash lists
  • Need maximum speed for common hash types
  • Working with modern hash algorithms

Choose John the Ripper when:

  • Working with exotic/uncommon hash formats
  • Need automatic hash detection
  • Running on servers without GPUs
  • Need incremental mode's smart brute-force

Practical Example

Hashcat: Crack NTLM hashes with rockyou

hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

John: Crack shadow file

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=All /etc/shadow

Hashcat: Mask attack for 8-char passwords

hashcat -m 0 -a 3 hashes.txt '?u?l?l?l?l?d?d?s'
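
As an added example (not part of the original post), the Python below parses a hashcat mask, counts its candidates, and divides by the Hashcat (RTX 4090) rates from the benchmark table above, which shows why the same 8-character pattern is exhausted in under a second as MD5 but takes days as bcrypt. It goes slightly beyond the single mask shown by handling hashcat's other built-in charsets; the function and variable names are illustrative, and custom charsets (?1 to ?4) are not supported.

```python
# Added example: candidate count and worst-case exhaust time for a hashcat mask.
# Rates are the Hashcat (RTX 4090) figures from this page's benchmark table.

# Sizes of hashcat's built-in mask charsets.
CHARSET_SIZES = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "h": 16,   # 0-9a-f
    "H": 16,   # 0-9A-F
    "s": 33,   # space and printable ASCII punctuation
    "a": 95,   # ?l?u?d?s combined
    "b": 256,  # 0x00-0xff
}

PAGE_RATES_HPS = {"MD5": 164e9, "SHA-256": 22e9, "bcrypt": 184e3, "NTLM": 300e9}


def mask_candidates(mask: str) -> int:
    """Return the number of candidates a mask generates."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                    # literal character: one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a bare '?'")
        token = mask[i + 1]
        if token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        elif token != "?":            # '??' is a literal question mark
            raise ValueError(f"unsupported placeholder ?{token}")
        i += 2
    return total


def exhaust_seconds(mask: str, rate_hps: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return mask_candidates(mask) / rate_hps


if __name__ == "__main__":
    mask = "?u?l?l?l?l?d?d?s"         # the 8-character mask used above
    print(f"{mask}: {mask_candidates(mask):,} candidates")
    for algo, rate in PAGE_RATES_HPS.items():
        print(f"  {algo:8s} {exhaust_seconds(mask, rate):14.2f} s")
```

The bcrypt figure depends on the cost factor, which the table does not state, so treat the bcrypt time as tied to that benchmark's setting.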

Conclusion

Both tools are essential in a penetration tester's arsenal. Use Hashcat for raw GPU power and John for versatility. Many professionals use both in their workflows.
