Terminal GuideJohn the Ripper: Password Cracker Guide
John the Ripper is one of the most widely used open-source password security auditing and recovery tools. This guide covers cracking modes, hash format support, custom rules, wordlist optimization, and practical usage for security professionals and system administrators.
Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm
Quick Reference
Basic Cracking
john hashfileAuto-detect and crackjohn --wordlist=dict.txt hashWordlist modejohn --single hashfileSingle crack modejohn --incremental hashfileBrute-force modeHash Extraction
unshadow passwd shadow > hashLinux passwordszip2john file.zip > hashZIP archiverar2john file.rar > hashRAR archivessh2john id_rsa > hashSSH private keySession Management
john --show hashfileShow cracked passwordsjohn --restoreResume last sessionjohn --session=name hashNamed sessionjohn --statusCheck session statusFormat & Rules
--format=raw-md5Specify hash format--rules=AllApply all rules--list=formatsList supported formats--list=rulesList available rulesDownloadable Image Preview
Overview
John the Ripper (often abbreviated as "John" or "JtR") is a free, open-source password cracking tool originally developed by Solar Designer for Unix systems. It is designed to detect weak passwords by attempting to crack password hashes through multiple attack strategies.
John supports hundreds of hash and cipher types, including traditional Unix crypt(3) hashes, Windows LM/NTLM, Kerberos AFS, and many application-specific formats. It runs on a wide range of platforms including Linux, macOS, Windows, and BSD.
Key strengths of John the Ripper include its auto-detection of hash types, multiple cracking modes that can be combined, a powerful rules engine for word mangling, and the ability to resume interrupted sessions. It is the go-to CPU-based password cracking tool used by penetration testers and system administrators worldwide.
Installation
Debian / Ubuntu
# Install the core version from repositories
sudo apt update
sudo apt install john
# Install the jumbo version (recommended, more features)
sudo apt install john-jumbo
# Verify installation
john --versionmacOS
# Install via Homebrew (jumbo version)
brew install john-jumbo
# Or using MacPorts
sudo port install john-jumbo
# Verify installation
john --versionBuild from Source
Building from source gives you the latest features and allows you to enable OpenMP for multi-core support.
# Install build dependencies
sudo apt install build-essential libssl-dev zlib1g-dev
# Clone the jumbo repository
git clone https://github.com/openwall/john.git
cd john/src
# Configure with OpenMP support
./configure
# Build using all available cores
make -sj$(nproc)
# Binary will be at ../run/john
../run/john --versionJumbo vs Core
John the Ripper comes in two editions. The core version is the official release maintained by Solar Designer, supporting a limited set of hash formats with highly optimized code. The jumbo version is a community-enhanced fork that adds support for hundreds of additional hash formats, *2john extraction tools, GPU support via OpenCL, and extended rule capabilities. For most use cases, the jumbo version is recommended.
Cracking Modes
John the Ripper provides four main cracking modes. When no mode is specified, John uses its default order: single crack mode first, then wordlist mode with rules, and finally incremental mode.
Single Crack Mode
Single crack mode uses login names, GECOS fields, and home directory names from the password file as candidate passwords, applying mangling rules to generate variations. This is the fastest mode and often cracks a significant number of weak passwords.
# Run single crack mode
john --single hashfile
# Single crack mode with specific format
john --single --format=sha512crypt hashfileWordlist Mode
Wordlist mode (dictionary attack) tries each word from a wordlist file. When combined with rules, each word is mangled to produce additional candidates (e.g., appending numbers, changing case, substituting characters).
# Basic wordlist attack
john --wordlist=/usr/share/wordlists/rockyou.txt hashfile
# Wordlist with rule-based mangling
john --wordlist=wordlist.txt --rules hashfile
# Wordlist with specific rule set
john --wordlist=wordlist.txt --rules=All hashfile
# Pipe words from stdin
cat custom_words.txt | john --stdin hashfile/usr/share/wordlists/rockyou.txt. You may need to decompress it first with gunzip /usr/share/wordlists/rockyou.txt.gz.Incremental Mode
Incremental mode is a brute-force approach that tries all possible character combinations. John uses character frequency tables to try the most likely combinations first, making it more efficient than naive brute force. You can specify character sets to narrow the search space.
# Default incremental mode (all printable ASCII)
john --incremental hashfile
# Only lowercase alphabetic characters
john --incremental=Lower hashfile
# Only digits
john --incremental=Digits hashfile
# Alphanumeric characters
john --incremental=Alnum hashfile
# Set maximum password length
john --incremental --max-length=8 hashfileExternal Mode
External mode allows you to define custom cracking functions using a C-like language in the john.conf configuration file. This provides the ultimate flexibility for generating candidate passwords based on custom patterns or algorithms.
# Use a predefined external mode
john --external=Filter_Alpha hashfile
# External modes are defined in john.conf
# Example: [List.External:MyMode]
# void init() { word[0] = 'a'; length = 1; }
# void generate() { ... }
# void filter() { ... }Hash Formats and Extraction
John the Ripper (jumbo) supports over 300 hash types. Before cracking, you often need to extract hashes from their source into a format that John can process. The jumbo version includes numerous *2john utilities for this purpose.
# List all supported hash formats
john --list=formats
# List formats matching a pattern
john --list=formats | grep -i sha
# Show details about a specific format
john --list=format-details --format=raw-sha256Linux Passwords (unshadow)
On Linux systems, password hashes are stored in /etc/shadow while user information is in /etc/passwd. The unshadow utility combines these files into a format John can process.
# Combine passwd and shadow files (requires root)
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
# Crack the combined file
john hashes.txt
# Crack with a specific wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txtZIP Files (zip2john)
# Extract hash from a password-protected ZIP file
zip2john protected.zip > zip_hash.txt
# Crack the ZIP password
john zip_hash.txt
# With a wordlist
john --wordlist=wordlist.txt zip_hash.txtPDF Files (pdf2john)
# Extract hash from a password-protected PDF
pdf2john protected.pdf > pdf_hash.txt
# Some installations use the Python script
python /usr/share/john/pdf2john.py protected.pdf > pdf_hash.txt
# Crack the PDF password
john pdf_hash.txtSSH Keys (ssh2john)
# Extract hash from a passphrase-protected SSH key
ssh2john id_rsa > ssh_hash.txt
# Some installations use the Python script
python /usr/share/john/ssh2john.py id_rsa > ssh_hash.txt
# Crack the SSH key passphrase
john ssh_hash.txtrar2john, keepass2john, office2john, and gpg2john. Run ls /usr/share/john/*2john* to see all available extraction tools on your system.Basic Usage
Here are the most common workflows when using John the Ripper for password auditing.
# Auto-detect hash format and start cracking
john hashfile
# Specify the hash format explicitly
john --format=raw-md5 hashfile
# Show cracked passwords
john --show hashfile
# Show cracked passwords with usernames
john --show --users hashfile
# Count cracked vs uncracked
john --show hashfile | tail -1
# Save session for later resumption
john --session=audit1 --wordlist=dict.txt hashfile
# Resume an interrupted session
john --restore=audit1
# Check session status (from another terminal)
john --status=audit1
# Limit to specific users
john --users=admin,root hashfile
# Crack only a specific group
john --groups=0 hashfileCustom Rules
John's rule engine is one of its most powerful features. Rules define transformations applied to wordlist entries to generate password candidates. They can capitalize letters, append or prepend characters, substitute characters, reverse strings, and much more.
Rule Syntax
Rules use a compact syntax where each character represents an operation. Rules are defined in the john.conf configuration file under [List.Rules:RuleName] sections.
Common Rule Commands
| Rule | Description |
|---|---|
| l | Convert entire word to lowercase |
| u | Convert entire word to uppercase |
| c | Capitalize first letter, lowercase rest |
| C | Lowercase first letter, uppercase rest |
| t | Toggle case of all characters |
| r | Reverse the word |
| d | Duplicate the word (e.g., passpass) |
| $X | Append character X to end |
| ^X | Prepend character X to beginning |
| sXY | Substitute all X with Y |
| Az"STR" | Append string STR |
| A0"STR" | Prepend string STR |
Rule Examples
# Add rules to john.conf under a custom section
# [List.Rules:MyRules]
# Capitalize and append two digits
c $[0-9]$[0-9]
# Append common symbols
$! $@ $# $$ $%
# Leet speak substitutions
sa@ se3 si1 so0
# Capitalize and append year
c Az"2024" Az"2025" Az"2026"
# Reverse then capitalize
r c
# Use custom rules from the command line
john --wordlist=dict.txt --rules=MyRules hashfile
# Use built-in rule sets
john --wordlist=dict.txt --rules=Jumbo hashfile
john --wordlist=dict.txt --rules=KoreLogic hashfile
john --wordlist=dict.txt --rules=All hashfile--rules=All option applies every defined rule, generating an enormous number of candidates. Start with --rules (default rules) or --rules=Wordlist for faster initial runs, and escalate to more aggressive rule sets only when needed.Wordlist Optimization
Effective password cracking depends heavily on the quality of your wordlists. Here are techniques for preparing and optimizing wordlists for use with John.
# Sort and deduplicate a wordlist
sort wordlist.txt | uniq > wordlist_clean.txt
# Remove entries shorter than 6 characters or longer than 20
awk 'length >= 6 && length <= 20' wordlist.txt > wordlist_filtered.txt
# Combine multiple wordlists
cat list1.txt list2.txt list3.txt | sort -u > combined.txt
# Generate a wordlist from John's incremental mode output
john --incremental --stdout --max-length=6 > generated.txt
# Use John to apply rules and output candidates (for review)
john --wordlist=base.txt --rules --stdout > expanded.txt
# Create a targeted wordlist from a website
cewl https://target.example.com -d 3 -m 5 -w custom_wordlist.txt
# Remove passwords that don't meet policy (e.g., 8+ chars, mixed case)
grep -P '^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{8,}$' wordlist.txt > policy.txtPractical Examples
Linux Password Audit
Auditing Linux system passwords is one of the most common use cases for John the Ripper. This workflow checks whether user passwords meet security requirements.
# Step 1: Extract password hashes (requires root)
sudo unshadow /etc/passwd /etc/shadow > linux_hashes.txt
# Step 2: Run single crack mode first (fast, catches weak passwords)
john --single linux_hashes.txt
# Step 3: Run wordlist mode with common passwords
john --wordlist=/usr/share/wordlists/rockyou.txt --rules linux_hashes.txt
# Step 4: Check results
john --show linux_hashes.txt
# Step 5: Generate a report of cracked accounts
john --show linux_hashes.txt | awk -F: '{print "WEAK PASSWORD: " $1}' > audit_report.txt
# Step 6: Clean up sensitive files when done
rm -f linux_hashes.txtZIP File Password Recovery
# Extract hash from the protected ZIP file
zip2john confidential.zip > zip_hash.txt
# Try common passwords first
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
# If wordlist fails, try with rules
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=All zip_hash.txt
# If the password is short, try incremental mode
john --incremental --max-length=6 zip_hash.txt
# Show the recovered password
john --show zip_hash.txtSSH Key Passphrase Recovery
# Extract hash from the SSH private key
ssh2john ~/.ssh/id_rsa > ssh_hash.txt
# Attempt recovery with a wordlist
john --wordlist=wordlist.txt ssh_hash.txt
# Try wordlist with rules for common variations
john --wordlist=wordlist.txt --rules ssh_hash.txt
# Show the recovered passphrase
john --show ssh_hash.txt
# Clean up
rm -f ssh_hash.txtOptions Reference
John the Ripper Options
| Option | Description |
|---|---|
| --single | Single crack mode using GECOS information |
| --wordlist=FILE | Wordlist mode with specified dictionary file |
| --incremental[=MODE] | Incremental (brute-force) mode with optional charset |
| --external=MODE | External mode defined in john.conf |
| --rules[=SECTION] | Enable word mangling rules |
| --format=FORMAT | Force a specific hash format |
| --show | Display previously cracked passwords |
| --users=NAME | Crack only specified user(s) |
| --groups=GID | Crack only specified group(s) |
| --session=NAME | Name the session for restore capability |
| --restore[=NAME] | Resume a previously interrupted session |
| --status[=NAME] | Show status of a running or interrupted session |
| --max-length=N | Set maximum password length to try |
| --min-length=N | Set minimum password length to try |
| --fork=N | Fork N processes for parallel cracking |
| --pot=FILE | Use specified pot file for cracked passwords |
| --stdin | Read candidate passwords from standard input |
| --stdout | Output generated candidates without cracking |
| --list=WHAT | List capabilities (formats, rules, etc.) |
| --test | Run benchmark tests |
Tips and Best Practices
- Start with fast modes first. Run single crack mode before wordlist mode, and wordlist mode before incremental mode. This order maximizes the chance of cracking passwords quickly.
- Use sessions for long-running jobs. Always use
--session=namefor cracking operations that may take hours or days so you can resume with--restore=name. - Leverage multi-core CPUs. Use the
--fork=Noption to split work across multiple CPU cores (where N is the number of cores). - Specify the format explicitly. While John auto-detects hash types, specifying
--formatavoids misidentification and can improve performance. - Customize john.conf. The configuration file controls default behavior, rule sets, wordlists, and incremental mode character frequencies. Tailoring it for your environment yields better results.
- Protect your pot file. John stores cracked password pairs in
~/.john/john.pot. This file contains sensitive data and should be secured with appropriate permissions. - Combine with Hashcat. For GPU-accelerated cracking, use Hashcat as a complement to John. John excels at CPU-based cracking with its rule engine, while Hashcat leverages GPU power for raw speed.
- Create targeted wordlists. Generic wordlists are a starting point, but targeted lists based on the organization, industry, or user context dramatically improve success rates.
- Benchmark your system. Run
john --testto see cracking speeds for different hash types on your hardware, helping you estimate how long an attack will take. - Document your findings. When conducting audits, record methodology, results, and recommendations. Use
john --showoutput to generate reports showing which accounts have weak passwords.
Related Tools
John the Ripper works well alongside other security tools for comprehensive password auditing and penetration testing:
- Hashcat -- GPU-accelerated password recovery tool. Use Hashcat when you need raw cracking speed on modern GPUs, and John for CPU-based attacks with advanced rules.
- Hydra -- Online password brute-forcing tool for network services (SSH, FTP, HTTP, etc.). While John cracks offline hash files, Hydra targets live services.
- Nmap -- Network scanner for discovering hosts and services. Use Nmap to identify targets and services before running credential attacks with John or Hydra.
- CeWL -- Custom wordlist generator that scrapes websites. Pair with John for targeted attacks using organization-specific vocabulary.
- Metasploit -- Penetration testing framework that can extract hashes from compromised systems for offline cracking with John.
Official Documentation
For authoritative information, refer to the official documentation:
Related Articles
Hashcat: Advanced Password Recovery Guide
Master Hashcat for GPU-accelerated password recovery. Learn attack modes, hash types, rule-based attacks, and optimization techniques.
THC Hydra: Network Login Brute Force Guide
Complete guide to THC Hydra for network authentication testing. Learn protocol-specific attacks for SSH, FTP, HTTP, and more with practical examples.
Nmap: Network Scanner & Security Auditing Tool Guide
Comprehensive guide to Nmap for network discovery and security auditing. Learn port scanning, OS detection, NSE scripts, and practical penetration testing workflows.
Metasploit Framework: Penetration Testing Guide
Complete guide to the Metasploit Framework for penetration testing. Learn msfconsole, exploit modules, payloads, and post-exploitation techniques.