What is John the Ripper?
John the Ripper (JtR) is one of the oldest and most versatile open-source password crackers in existence. It auto-detects hash types, supports dictionary attacks, brute-force mode, and rule-based mangling — all from a single command. While hashcat is faster on GPU, John excels in versatility and ease of use, particularly for cracking password-protected files like ZIP archives, PDF documents, SSH private keys, and /etc/shadow entries directly without any preprocessing.
The community-maintained Jumbo version (installed on Kali as john) extends the base tool with hundreds of additional hash formats and the essential *2john helper scripts that extract crackable hashes from files.
Only crack hashes and files from systems you own or have explicit written permission to test. Unauthorized password cracking violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
# John (Jumbo) is pre-installed on Kali
sudo apt update
sudo apt install john -y

# Check version and confirm Jumbo build
john --version

# List all supported hash formats
john --list=formats

# List formats matching a keyword
john --list=formats | grep -i ntlm
john --list=formats | grep -i sha
Basic Usage
Point John at a file containing hashes and it will auto-detect the format and begin cracking in default wordlist mode.
# Auto-detect hash type and crack with built-in wordlist
john hashes.txt

# Specify a custom wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Specify hash format explicitly (faster — skips auto-detect)
john --format=NT hashes.txt
john --format=sha512crypt hashes.txt
john --format=bcrypt hashes.txt

# Show cracked passwords after a session
john --show hashes.txt

# Show cracked with format specified
john --show --format=NT hashes.txt
Cracking Linux Shadow Files
# Step 1: Combine /etc/passwd and /etc/shadow into one file
unshadow /etc/passwd /etc/shadow > combined.txt

# Step 2: Crack with rockyou wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt

# Or brute-force with incremental mode (tries all combinations)
john --incremental combined.txt

# Show all cracked passwords
john --show combined.txt
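To make clear what Step 1 actually produces, here is a small Python re-implementation of the unshadow merge, added as an example (it is not John's own code). It joins the two files on the login name so the hash from /etc/shadow replaces the "x" placeholder in /etc/passwd, keeping the GECOS field that single crack mode draws candidates from, and it reports which merged lines carry a real crypt(3) hash rather than a lock marker. The passwd and shadow records, and the hash strings inside them, are constructed placeholders; the prefix-to-format mapping covers the common crypt prefixes John auto-detects.

```python
"""Minimal re-implementation of what `unshadow` does (added example, not John's code)."""

# Constructed sample /etc/passwd lines (not from any real system)
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:Bob Example:/home/bob:/bin/zsh
"""

# Constructed sample /etc/shadow lines; the hash fields are placeholders that
# only keep the real $id$salt$hash layout, not hashes of any real password.
SHADOW = """root:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
bob:!:19700:0:99999:7:::
"""

# Well-known crypt(3) prefixes and the John format name each maps to
PREFIX_HINTS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def parse_colon_file(text):
    """Return {login: fields} for a colon-separated passwd/shadow style file."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow: the 'x' password field becomes the shadow hash.

    As with unshadow, accounts without a shadow entry keep their passwd field,
    and locked entries ('*', '!', '!!') are copied through unchanged.
    """
    shadow = parse_colon_file(shadow_text)
    merged = []
    for login, fields in parse_colon_file(passwd_text).items():
        if login in shadow:
            fields = fields[:1] + [shadow[login][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def is_crackable(hash_field):
    """True when the field holds a real hash rather than a lock marker."""
    return hash_field not in ("", "*", "!!") and not hash_field.startswith("!")


def format_hint(hash_field):
    """Guess the John format name from the crypt prefix, or None if unknown."""
    for prefix, name in PREFIX_HINTS.items():
        if hash_field.startswith(prefix):
            return name
    return None


def crackable_accounts(merged_lines):
    """Return [(login, format_hint)] for merged lines John could work on."""
    result = []
    for line in merged_lines:
        fields = line.split(":")
        if is_crackable(fields[1]):
            result.append((fields[0], format_hint(fields[1])))
    return result


if __name__ == "__main__":
    lines = unshadow(PASSWD, SHADOW)
    print("\n".join(lines))
    print("crackable:", crackable_accounts(lines))
```

Running it shows that only root and alice end up with a hash John can load; daemon and bob are locked, so they count towards nothing no matter how long the session runs. Note that the alice entry carries a yescrypt ($y$) hash, the default on current Debian-based systems, which is far slower to crack than the sha512crypt ($6$) entry for root.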
Cracking Windows Hashes
# Crack NTLM hashes (from hashdump / impacket-secretsdump)
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt ntlm_hashes.txt

# Crack NTLMv2 hashes (from Responder captures)
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt ntlmv2.txt

# Crack LM hashes (legacy Windows)
john --format=LM --wordlist=/usr/share/wordlists/rockyou.txt lm_hashes.txt
Cracking Password-Protected Files
The *2john helper scripts extract a crackable hash from protected files. These are bundled with John on Kali.
# --- ZIP archive ---
zip2john protected.zip > zip_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

# --- RAR archive ---
rar2john protected.rar > rar_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt

# --- SSH private key (id_rsa) ---
ssh2john id_rsa > ssh_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt

# --- PDF document ---
pdf2john protected.pdf > pdf_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt pdf_hash.txt

# --- KeePass database (.kdbx) ---
keepass2john database.kdbx > keepass_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt keepass_hash.txt

# --- 7-Zip archive ---
7z2john protected.7z > 7z_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt 7z_hash.txt

# --- Microsoft Office documents (.docx, .xlsx) ---
office2john document.docx > office_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt office_hash.txt
Attack Modes
# --- Dictionary attack (most common) ---
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# --- Dictionary + rules (mangling — tries Password, P@ssw0rd, PASSWORD etc.) ---
john --wordlist=/usr/share/wordlists/rockyou.txt --rules hashes.txt

# Apply a specific named ruleset
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=KoreLogic hashes.txt

# --- Incremental (full brute-force — all character combos) ---
john --incremental hashes.txt

# Incremental limited to digits only (fast for PINs)
john --incremental=Digits hashes.txt

# Incremental limited to alphanumeric
john --incremental=Alnum hashes.txt

# --- Mask attack (pattern-based brute-force) ---
# ?l = lowercase, ?u = uppercase, ?d = digit, ?s = symbol
john --mask='?u?l?l?l?d?d?d?d' hashes.txt   # e.g. Pass1234

# --- Single crack mode (uses login name and GECOS fields as candidates) ---
john --single hashes.txt
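What "--rules" does is easiest to see by running a few rules by hand. The following Python script is an added example, not John's rules engine: it interprets a small subset of the wordlist-rule language documented in John's doc/RULES (the single-letter case and reversal commands, append/prepend, substitute, purge and truncate, with spaces between commands ignored as John allows) and applies it to a constructed two-word list. Character classes such as ?d, reject flags and positional commands are deliberately left out, and the rule lines and policy thresholds are assumptions for the demonstration. The point for a defender is the last function: every candidate it returns satisfies a typical "8 characters, three character classes" complexity policy yet is one rule away from a dictionary word.

```python
"""Toy interpreter for a subset of John's wordlist rules (added example)."""

# Single-character commands, using the same letters as John's doc/RULES
SIMPLE = {
    ":": lambda w: w,                                 # no-op (try the word as-is)
    "l": str.lower,                                   # lowercase
    "u": str.upper,                                   # uppercase
    "c": lambda w: w[:1].upper() + w[1:].lower(),     # capitalize
    "C": lambda w: w[:1].lower() + w[1:].upper(),     # lowercase first, upper rest
    "t": str.swapcase,                                # toggle case of every char
    "r": lambda w: w[::-1],                           # reverse
    "d": lambda w: w + w,                             # duplicate
    "f": lambda w: w + w[::-1],                       # reflect
    "{": lambda w: w[1:] + w[:1],                     # rotate left
    "}": lambda w: w[-1:] + w[:-1],                   # rotate right
    "[": lambda w: w[1:],                             # delete first char
    "]": lambda w: w[:-1],                            # delete last char
}


def apply_rule(rule, word):
    """Apply one rule line to one word and return the resulting candidate."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == " ":                       # spaces between commands are ignored
            i += 1
        elif cmd in SIMPLE:
            word = SIMPLE[cmd](word)
            i += 1
        elif cmd == "$":                     # $X  append literal X
            word = word + rule[i + 1]
            i += 2
        elif cmd == "^":                     # ^X  prepend literal X
            word = rule[i + 1] + word
            i += 2
        elif cmd == "s":                     # sXY replace every X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 3
        elif cmd == "@":                     # @X  purge every X
            word = word.replace(rule[i + 1], "")
            i += 2
        elif cmd == "'":                     # 'N  truncate to N chars (0-9, A-Z)
            word = word[: int(rule[i + 1], 36)]
            i += 2
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return word


def expand(words, rules):
    """Unique candidates in the order John tries them: each rule over the whole list."""
    seen, out = set(), []
    for rule in rules:
        for word in words:
            cand = apply_rule(rule, word)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def meets_complexity_policy(pw, min_len=8):
    """Assumed policy: at least min_len chars and three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def policy_compliant_candidates(words, rules):
    """Candidates that pass the policy although each is one rule away from a wordlist entry."""
    return [c for c in expand(words, rules) if meets_complexity_policy(c)]


# Constructed wordlist and rule lines for the demonstration
WORDS = ["password", "summer"]
RULES = [":", "c", "c $1", "c $1 $!", "c sa@ so0", "u $2 $0 $2 $4"]

if __name__ == "__main__":
    for cand in expand(WORDS, RULES):
        print(f"{cand:15} policy-ok={meets_complexity_policy(cand)}")
```

Six short rules turn two words into eleven candidates, four of which ("Password1", "Password1!", "Summer1!", "P@ssw0rd") would be accepted by the assumed complexity policy. A real ruleset such as Jumbo or KoreLogic applies thousands of such transformations to every wordlist entry, which is why a length requirement or a banned-password list matters more than a character-class rule.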
Session Management
Long cracking sessions can be paused and resumed — John saves progress automatically.
# Name a session for tracking
john --wordlist=/usr/share/wordlists/rockyou.txt --session=mycrack hashes.txt

# Restore a previously interrupted session
john --restore=mycrack

# Restore the most recent unnamed session
john --restore

# Check cracking status while John is running
# Press any key while John runs to see status
# Or query the saved session status:
john --status=mycrack
Common Flags
- --wordlist=<file> — Specify a wordlist for dictionary attack
- --format=<type> — Explicitly set hash format
- --rules — Apply word mangling rules to wordlist
- --rules=<name> — Apply a named ruleset (Jumbo, KoreLogic, etc.)
- --incremental — Full brute-force mode
- --incremental=<mode> — Brute-force limited to a character set
- --mask=<pattern> — Mask-based pattern attack
- --single — Single crack mode using username/GECOS data
- --show — Display cracked passwords from a previous session
- --session=<name> — Name the current cracking session
- --restore=<name> — Resume a saved session
- --list=formats — List all supported hash formats
- --fork=<N> — Use N CPU processes in parallel
Common Use Cases
- Cracking /etc/shadow hashes after gaining read access to a Linux system
- Cracking NTLM hashes obtained from hashdump or impacket-secretsdump
- Cracking NTLMv2 hashes captured with Responder during MITM attacks
- Unlocking password-protected ZIP, RAR, SSH keys, PDFs, and KeePass databases in CTF challenges
- Testing password policy strength by cracking an organization's own exported hashes
- Rule-based wordlist expansion to find passwords that follow common patterns
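The policy-strength use case ends with "john --show", and its output is where the audit findings come from. The script below is an added example (not part of John) that parses that output into a short report: crack rate, passwords shared between accounts, and accounts whose password contains their own login name. It assumes the layout John prints for an unshadow'd file, one "login:password:uid:gid:gecos:home:shell" line per cracked account followed by an "N password hashes cracked, M left" summary (for hash files without login names John prints "?:password" instead, which the same parser accepts). The sample output is constructed.

```python
"""Turn `john --show` output into a password-audit summary (added example)."""
import re
from collections import defaultdict

# Constructed sample of `john --show combined.txt` output (not a real run)
SHOW_OUTPUT = """\
root:Password1!:0:0:root:/root:/bin/bash
alice:Summer2024!:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:Summer2024!:1001:1001:Bob Example:/home/bob:/bin/zsh
svc_backup:backup2024:1002:1002:Backup service:/var/backups:/usr/sbin/nologin

4 password hashes cracked, 1 left
"""

SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")


def parse_show_output(text):
    """Return (entries, cracked, left); each entry is {"login", "password"}."""
    entries, cracked, left = [], 0, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SUMMARY_RE.match(line)
        if m:
            cracked, left = int(m.group(1)), int(m.group(2))
            continue
        # login and password are always the first two colon-separated fields
        login, password = line.split(":", 2)[:2]
        entries.append({"login": login, "password": password})
    return entries, cracked, left


def password_reuse(entries):
    """Map each password used by more than one account to the logins sharing it."""
    by_pw = defaultdict(list)
    for e in entries:
        by_pw[e["password"]].append(e["login"])
    return {pw: logins for pw, logins in by_pw.items() if len(logins) > 1}


def login_in_password(entries):
    """Logins whose password contains a word (3+ chars) taken from the login itself."""
    hits = []
    for e in entries:
        tokens = [t for t in re.split(r"[^a-z0-9]+", e["login"].lower()) if len(t) >= 3]
        if any(t in e["password"].lower() for t in tokens):
            hits.append(e["login"])
    return hits


def crack_rate(cracked, left):
    """Fraction of loaded hashes that were cracked (0.0 when nothing was loaded)."""
    total = cracked + left
    return cracked / total if total else 0.0


def report(text):
    """Build the human-readable audit summary as one string."""
    entries, cracked, left = parse_show_output(text)
    lines = [f"cracked {cracked} of {cracked + left} hashes ({crack_rate(cracked, left):.0%})"]
    for pw, logins in password_reuse(entries).items():
        lines.append(f"shared password across {', '.join(logins)}")
    for login in login_in_password(entries):
        lines.append(f"{login}: password contains the login name")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SHOW_OUTPUT))
```

The report never needs to print the passwords themselves, which is the form a finding should take when the cracked hashes belong to an organisation's own users: the crack rate, the reuse across accounts and the login-derived passwords are the actionable part, the plaintexts are not.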
John vs Hashcat
Both tools crack hashes but serve different strengths. John is CPU-based, versatile, and handles file-based targets natively via *2john helpers. Hashcat is GPU-accelerated and dramatically faster on large hash lists but requires hash extraction beforehand. For CTF and general pentesting, John's *2john ecosystem makes it the faster choice to get started; for cracking thousands of hashes from a database dump, Hashcat with a GPU wins every time.
Further Reading
The John the Ripper documentation at openwall.com/john covers all formats and rule syntax in depth. For rule writing and advanced wordlist generation, study the /etc/john/john.conf ruleset file on Kali. Practice cracking on TryHackMe's "John the Ripper" room and CTF hash challenges on hackzia.site labs — both cover the essential *2john workflows in guided scenarios.