John the Ripper: Comprehensive Password Cracking Guide
Master John the Ripper for password recovery and security testing. Complete guide covering hash formats, attack modes, rules, and session management.
Introduction
John the Ripper (JtR) is one of the oldest and most trusted password cracking tools in the security community. First released in 1996, it remains actively developed and widely used for password auditing, penetration testing, and forensics. Unlike GPU-focused tools like Hashcat, John excels at CPU-based cracking and offers excellent auto-detection capabilities for hash formats.
John the Ripper is available in two main versions: the free community-enhanced "Jumbo" version (recommended) with 400+ hash formats, and the official core version. Most distributions include the Jumbo version by default.
Installation
Install John the Ripper
# Kali Linux (pre-installed, Jumbo version)
john --version
# Ubuntu/Debian
sudo apt install john
# Install bleeding-edge Jumbo version
sudo apt install git build-essential libssl-dev zlib1g-dev
git clone https://github.com/openwall/john.git
cd john/src
./configure && make -s clean && make -sj4
Verify Installation
# Check installed formats
john --list=formats | wc -l
# Should show 400+ formats in Jumbo version
# Test with example
echo 'test:$1$12345678$aiccj83HRD'tmp/JA1ki/' > test.hash
john test.hash --wordlist=/usr/share/wordlists/rockyou.txt
Configure OpenMP (Optional)
For multi-core CPU performance:
# Check OpenMP support
john --list=build-info | grep -i openmp
# Use all cores (automatic in newer versions)
john --fork=4 hash.txt
Hash Format Identification
John's auto-detection is one of its strongest features.
Automatic Detection
# John automatically detects most hash formats
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Shows detected format
# Using default input encoding: UTF-8
# Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Manual Format Specification
# List all supported formats
john --list=formats
# List formats with descriptions
john --list=formats --verbosity=2
# Search for specific format
john --list=formats | grep -i ntlm
# Specify format explicitly
john --format=raw-md5 hash.txt --wordlist=wordlist.txt
Common Hash Formats
| Hash Type | John Format | Hashcat Mode | Common Source |
|---|---|---|---|
| MD5 | raw-md5 | 0 | Web apps, legacy systems |
| SHA1 | raw-sha1 | 100 | Git, SVN, older apps |
| SHA256 | raw-sha256 | 1400 | Modern hashes |
| SHA512 | raw-sha512 | 1700 | Unix passwords |
| NTLM | nt | 1000 | Windows systems |
| NTLMv2 | netntlmv2 | 5600 | Windows auth |
| bcrypt | bcrypt | 3200 | Modern web apps |
| KeePass | keepass | 13400 | Password managers |
| Kerberos AS-REP | krb5asrep | 18200 | AS-REP roasting |
| Kerberos TGS-REP | krb5tgs | 13100 | Kerberoasting |
| MD5-crypt | md5crypt | 500 | Unix /etc/shadow |
| SHA512-crypt | sha512crypt | 1800 | Modern Linux |
| ZIP | zip | 17200+ | Encrypted archives |
| PDF | pdf | 10400+ | Protected PDFs |
Use john --list=format-all-details --format=<name> to see format-specific details and requirements. For example: john --list=format-all-details --format=krb5tgs
Basic Usage
Simple Wordlist Attack
# Basic dictionary attack
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Specify format explicitly
john --format=nt ntlm_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Multiple hash files
john hash1.txt hash2.txt hash3.txt --wordlist=wordlist.txt
Show Cracked Passwords
# Display cracked passwords
john --show hashes.txt
# Show with format specified
john --show --format=nt ntlm_hashes.txt
# Show only usernames
john --show --format=nt ntlm_hashes.txt | cut -d: -f1
Incremental Mode (Brute-Force)
# Default incremental mode
john --incremental hashes.txt
# Specific character set (Alpha: a-zA-Z)
john --incremental=Alpha hashes.txt
# Digits only (0-9)
john --incremental=Digits hashes.txt
# Lower case letters
john --incremental=Lower hashes.txt
# Custom incremental mode (configured in john.conf)
john --incremental=Custom hashes.txt
Rules and Mutations
John's rule engine is powerful for password mutations.
Using Built-in Rules
# Use default rules (best first)
john --rules hashes.txt --wordlist=wordlist.txt
# Specify rule set
john --rules=Single hashes.txt
# Jumbo-specific rules
john --rules=Jumbo hashes.txt --wordlist=wordlist.txt
# All rules (warning: very slow)
john --rules=All hashes.txt --wordlist=wordlist.txt
Rule Sets Explained
Single Mode - Uses information from username/GECOS fields:
# Automatically tries username-based mutations
john --single hashes.txt
# Examples: if username is "john"
# Tries: john, John, JOHN, john123, john2023, etc.
Wordlist Mode with Rules - Applies mutations to dictionary:
# Common mutations: capitalization, leet speak, appending
john --wordlist=wordlist.txt --rules=Wordlist hashes.txt
Custom Rules
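Create custom rules as a section in john.conf, or keep them in an external file that john.conf includes:
# Example custom rule file (custom.rule)
cat > custom.rule << 'EOF'
[List.Rules:custom]
# Append common years
$2 $0 $2 $3
$2 $0 $2 $4
$2 $0 $2 $5
# Capitalize and append
c $! $!
c $1 $2 $3
# Leet speak substitutions
sa@ so0 se3 si1 sl1
# Toggle case and append year
T0 $2 $0 $2 $4
EOF
# The [List.Rules:custom] section must be part of John's configuration
# (pasted into john.conf or pulled in with a .include line) before --rules=custom can find it
# Use custom rule
john --rules=custom --wordlist=wordlist.txt hashes.txt
Testing Rules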
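What each command in the custom.rule lines above does to a word can also be checked without running john. The following is an added Python sketch, not John's own code: it covers only the commands :, l, u, c, r, $X, ^X, sXY and TN, and uses constructed sample words to test whether a given password is just a dictionary word plus one of these rules.

```python
"""Emulate the John rule commands used in custom.rule (added sketch, not John's code)."""


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line to one word, command by command, left to right."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        i += 1
        if cmd in " \t:":        # whitespace separates commands, ':' is a no-op
            continue
        if cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":         # capitalize: first letter upper, the rest lower
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd in "$^":        # the next character is a literal to append/prepend
            word = word + rule[i] if cmd == "$" else rule[i] + word
            i += 1
        elif cmd == "s":         # sXY: replace every X with Y
            word = word.replace(rule[i], rule[i + 1])
            i += 2
        elif cmd == "T":         # TN: toggle case at position N (0-9, then A-Z)
            pos = int(rule[i], 36)
            i += 1
            if pos < len(word):
                word = word[:pos] + word[pos].swapcase() + word[pos + 1:]
        else:
            raise ValueError(f"command {cmd!r} is not covered by this sketch")
    return word


def derivable(password, words, rules):
    """Return the (word, rule) pairs that reproduce `password`; empty means none."""
    return [(w, r) for w in words for r in rules if apply_rule(r, w) == password]


# Rule lines copied from custom.rule; the words and passwords are constructed samples.
CUSTOM_RULES = ["$2 $0 $2 $3", "$2 $0 $2 $4", "$2 $0 $2 $5", "c $! $!",
                "c $1 $2 $3", "sa@ so0 se3 si1 sl1", "T0 $2 $0 $2 $4"]
SAMPLE_WORDS = ["summer", "welcome", "password"]

if __name__ == "__main__":
    for candidate in ("Summer123", "p@ssw0rd", "Welcome2024", "xK9#qLm2"):
        print(candidate, "->", derivable(candidate, SAMPLE_WORDS, CUSTOM_RULES))
```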
# Preview rule transformations
echo "password" | john --pipe --rules=All --stdout | head -20
# Output might include:
# password
# Password
# PASSWORD
# password1
# password123
# drowssap (reversed)
# p@ssword (leet)
Practical Examples
Cracking NTLM Hashes
# Windows SAM dump format
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# Create hash file (username:hash format works best)
cat > ntlm.txt << 'EOF'
Administrator:8846f7eaee8fb117ad06bdd830b7586c
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
User1:32ed87bdb5fdc5e9cba88547376818d4
EOF
# Crack with wordlist and rules
john --format=nt ntlm.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules
# Show results
john --show --format=nt ntlm.txt
Kerberoasting (TGS-REP Tickets)
# Save tickets from impacket GetUserSPNs.py
john --format=krb5tgs tgs_tickets.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules
# Service accounts often use weak passwords
john --format=krb5tgs tgs_tickets.txt --wordlist=common_passwords.txt
AS-REP Roasting
# Crack AS-REP responses from impacket GetNPUsers.py
john --format=krb5asrep asrep.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules
# Show cracked
john --show --format=krb5asrep asrep.txt
Linux /etc/shadow Passwords
# Unshadow combines /etc/passwd and /etc/shadow
unshadow /etc/passwd /etc/shadow > unshadowed.txt
# Crack with john
john unshadowed.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Show results
john --show unshadowed.txt
Cracking KeePass Databases
# Extract hash from KeePass database
keepass2john Database.kdbx > keepass.hash
# Crack the hash
john --format=keepass keepass.hash --wordlist=/usr/share/wordlists/rockyou.txt
# With rules for better coverage
john --format=keepass keepass.hash --wordlist=wordlist.txt --rules
ZIP Archive Passwords
# Extract hash from protected ZIP
zip2john protected.zip > zip.hash
# Crack
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
# Show password
john --show zip.hash
SSH Private Key Passphrases
# Extract hash from encrypted SSH key
ssh2john id_rsa > ssh.hash
# Crack passphrase
john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt --rules
Session Management
John includes robust session management for long-running cracks.
Named Sessions
# Start named session
john --session=my_session hashes.txt --wordlist=wordlist.txt
# Session automatically saved on interrupt (Ctrl+C)
Checking Status
# Check status of running session
john --status
# Status of specific session
john --status=my_session
# Output example:
# 0g 0:00:01:23 3.45% (ETA: 12:34:56) 0g/s 1234Kp/s 1234Kc/s 1234KC/s
Restoring Sessions
# Resume last session
john --restore
# Resume specific session
john --restore=my_session
# Sessions stored in: ~/.john/*.rec
Aborting Gracefully
# Press any key during cracking to see status
# Press Ctrl+C once to save and exit cleanly
# Press Ctrl+C twice to force immediate exit (loses progress)
Advanced Features
Mask Mode (Similar to Hashcat)
# Available in John Jumbo version
# Use mask attack for known patterns
# Example: 8 digits
john --mask='?d?d?d?d?d?d?d?d' hashes.txt
# Uppercase + 6 lowercase + 2 digits
john --mask='?u?l?l?l?l?l?l?d?d' hashes.txt
# Mask placeholders:
# ?l = lowercase (a-z)
# ?u = uppercase (A-Z)
# ?d = digits (0-9)
# ?s = special characters
# ?a = all printable ASCII
Markov Mode
# Statistical mode based on character frequency
john --markov hashes.txt
# Specify Markov level (higher = more candidates)
john --markov=100 hashes.txt
# Combine with wordlist
john --markov --wordlist=wordlist.txt hashes.txt
External Mode
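Create custom cracking logic in John's C-like external mode language:
# In john.conf
[List.External:MyMode]
void init()
{
	/* start just before 'a'; generate() runs before each candidate */
	word[0] = 'a' - 1;
	word[1] = 0;
}
void generate()
{
	/* step to the next letter; an empty word ends the run */
	if (++word[0] > 'z')
		word[0] = 0;
}
# Use external mode
john --external=MyMode hashes.txt
Loopback Mode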
Reuse cracked passwords for further attacks:
# Enable loopback
john --loopback --rules hashes.txt
# Cracked passwords become new candidates with rules applied
Multi-Core Processing
# Use all available CPU cores
john --fork=4 hashes.txt --wordlist=wordlist.txt
# Match the process count to the number of cores
john --fork=$(nproc) hashes.txt
John vs Hashcat Comparison
| Feature | John the Ripper | Hashcat |
|---|---|---|
| Performance | CPU-focused | GPU-focused (much faster) |
| Hash Detection | Excellent auto-detection | Manual mode specification |
| Ease of Use | Simpler syntax | More complex options |
| Format Support | 400+ formats | 350+ modes |
| Rules | Powerful built-in rules | Requires external rule files |
| Cross-platform | Linux/Windows/macOS | Linux/Windows/macOS |
| Session Management | Simple restore | Named sessions |
| Best For | Quick tests, CPU-only systems | Large-scale cracking, GPU systems |
Use John for quick initial tests and hash identification, then switch to Hashcat for heavy-duty GPU-accelerated cracking.
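Whichever tool runs the search, the worst-case time for a mask is its candidate count divided by the candidate rate. The following added Python sketch (not code from John or Hashcat) counts candidates for masks built from the placeholders listed under Mask Mode. The class sizes assume printable ASCII with the space character counted under ?s, and the rates are constructed figures, not benchmarks.

```python
"""Count the candidates a mask generates (added sketch; rates below are constructed)."""
import math

# Sizes of the placeholder classes listed under Mask Mode, assuming printable
# ASCII 0x20-0x7e with the space character counted under ?s.
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def position_sizes(mask: str) -> list:
    """Number of choices at each position of a mask of ?l ?u ?d ?s ?a and literals."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] in "[\\":
            raise ValueError("ranges and escapes are not covered by this sketch")
        if mask[i] == "?":
            selector = mask[i + 1:i + 2]
            if selector not in CLASS_SIZE:
                raise ValueError(f"placeholder ?{selector} is not covered by this sketch")
            sizes.append(CLASS_SIZE[selector])
            i += 2
        else:
            sizes.append(1)      # a literal character is a single choice
            i += 1
    return sizes


def mask_keyspace(mask: str) -> int:
    return math.prod(position_sizes(mask))


def pattern_shrink(mask: str) -> int:
    """How many times smaller the mask is than ?a at every position of that length."""
    return CLASS_SIZE["a"] ** len(position_sizes(mask)) // mask_keyspace(mask)


def worst_case_seconds(mask: str, candidates_per_second: float) -> float:
    return mask_keyspace(mask) / candidates_per_second


if __name__ == "__main__":
    # The two masks from the Mask Mode section, at two constructed candidate rates.
    for mask in ("?d?d?d?d?d?d?d?d", "?u?l?l?l?l?l?l?d?d"):
        print(mask, mask_keyspace(mask), "candidates,",
              pattern_shrink(mask), "times smaller than ?a per position")
        for rate in (1e6, 1e9):
            hours = worst_case_seconds(mask, rate) / 3600
            print(f"  at {rate:.0e} candidates/s: {hours:.2f} hours worst case")
```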
Optimization Tips
Performance Tuning
# Use optimized formats when available
john --list=formats | grep -i "opencl\|cuda"
john --format=nt-opencl hashes.txt
# Benchmark formats
john --test --format=nt
# Use all CPU cores
export OMP_NUM_THREADS=8
john hashes.txt
Wordlist Strategies
# Start with small, targeted wordlists
john hashes.txt --wordlist=common_passwords.txt
# Progress to larger wordlists with rules
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo
# Use domain-specific wordlists
john hashes.txt --wordlist=company_wordlist.txt --rules
Efficient Rule Usage
# Start with single mode (fast, uses context)
john --single hashes.txt
# Then wordlist with light rules
john --wordlist=wordlist.txt --rules=Single hashes.txt
# Finally heavy rules if needed
john --wordlist=wordlist.txt --rules=Jumbo hashes.txt
Troubleshooting
Hash Format Not Recognized
# List all formats
john --list=formats
# Try format variations
john --format=Raw-MD5 hash.txt # or
john --format=raw-md5 hash.txt # or
john --format=md5 hash.txt
# Check hash format requirements
john --list=format-all-details --format=nt
"No password hashes loaded"
# Check hash file format
cat hash.txt
# Should be: username:hash or just hash
# Try different format
john --format=raw-md5 hash.txt
# Enable verbose mode
john --format=nt --wordlist=wordlist.txt hash.txt --verbosity=5
Poor Performance
# Check if GPU-accelerated format available
john --list=formats | grep -i opencl
# Use format with -opencl suffix
john --format=nt-opencl hashes.txt
# Fork one process per core
john --fork=$(nproc) hashes.txt
Session Corruption
# Remove corrupted session
rm ~/.john/*.rec
# Start fresh
john hashes.txt --wordlist=wordlist.txt
Useful Scripts and Tools
Hash Extraction Tools
John includes several utilities for extracting hashes:
# Common extraction tools in John's run directory
keepass2john Database.kdbx
rar2john archive.rar
zip2john archive.zip
pdf2john document.pdf
ssh2john id_rsa
office2john document.docx
1password2john 1Password.agilekeychain
Custom Wordlist Generation
# Generate wordlist from text
john --wordlist=document.txt --stdout --rules > custom_wordlist.txt
# Generate incremental passwords
john --incremental=Alpha --stdout --max-length=8 > alpha8.txt
# Combine multiple wordlists
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt
Pot File Management
# John stores cracked passwords in pot file
# Location: ~/.john/john.pot
# View pot file
cat ~/.john/john.pot
# Format: hash:password
# Clear pot file (start fresh)
rm ~/.john/john.pot
# Use custom pot file
john --pot=custom.pot hashes.txt
Configuration
John's configuration is stored in john.conf:
Custom Incremental Mode
[Incremental:Custom]
File = $JOHN/alpha.chr
MinLen = 6
MaxLen = 8
CharCount = 26
Custom Rule Set
[List.Rules:MyRules]
# Append year
$2$0$2$3
# Capitalize first
c
# Toggle case
T0
Wordlist Rules
# Edit john.conf or use external file
john --wordlist=wordlist.txt --rules=MyRules hashes.txt
Real-World Scenarios
Scenario 1: Windows Domain Audit
# Extract hashes with secretsdump.py
secretsdump.py domain/user:password@dc01
# Format for john
cat hashes.txt | cut -d: -f4 > ntlm_only.txt
# Quick check with common passwords
john --format=nt ntlm_only.txt --wordlist=top1000.txt
# Deep crack with rules
john --format=nt ntlm_only.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules
Scenario 2: KeePass Database Recovery
# Extract hash
keepass2john Database.kdbx > keepass.hash
# Try common patterns first
john --format=keepass keepass.hash --wordlist=common_patterns.txt
# Use rules for mutations
john --format=keepass keepass.hash --wordlist=wordlist.txt --rules=Jumbo
Scenario 3: Kerberoasting Campaign
# Get TGS tickets
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
# Crack with john
john --format=krb5tgs tgs.txt --wordlist=/usr/share/wordlists/rockyou.txt --rules
# Check progress
john --status
# Show cracked
john --show --format=krb5tgs tgs.txt
Resources
- John the Ripper Official Site - Main project page
- Jumbo Community Fork - GitHub repository
- John FAQ - Frequently asked questions
- Format Documentation - Hash format details
- Rule Syntax - Complete rule reference
- John Wiki - Community documentation
Conclusion
John the Ripper remains an essential tool for password security auditing despite being over 25 years old. Its excellent hash auto-detection, powerful rule engine, and CPU optimization make it perfect for initial assessments and systems without GPU access. Combined with Hashcat for GPU-accelerated cracking, it forms a complete password auditing toolkit.
Always ensure you have proper authorization before conducting password cracking activities. Use John the Ripper responsibly for legitimate security testing, compliance auditing, and forensics purposes only.
For additional password cracking tools and techniques, check out our guides on Hashcat, Hydra, and Active Directory Attacks.