TechEarl

John the Ripper: The Complete Guide (Jumbo, with Real Examples)

John the Ripper is the cracker that runs anywhere and pulls a hash out of almost any encrypted file. I walk the jumbo install, auto-detection, the *2john extractors that are its killer feature, your first real crack, the cracking modes, and where John still beats hashcat. Tested on 1.9.0-jumbo-1.

Ishan Karunaratne · 7 min read

John the Ripper is the cracker that goes everywhere hashcat cannot. It runs happily on a CPU, on a server with no GPU, on a Raspberry Pi. It auto-detects most hash formats so you do not have to look up a mode number. And its real superpower is a small army of *2john extractors that pull a crackable hash out of almost any encrypted file: a ZIP, a RAR, a PDF, an Office document, a KeePass database, an SSH private key. If your job is "I have a locked file and need the password," John is the tool. Everything here was run on John the Ripper 1.9.0-jumbo-1.

TL;DR

Use the jumbo build (not core John); it has hundreds of formats and all the *2john extractors. The workflow for a file is: zip2john secret.zip > hash.txt, then john --wordlist=rockyou.txt hash.txt, then john --show hash.txt. For a raw hash, John usually auto-detects the format, or you force it with --format=. Its cracking modes are single (fast, uses the username as a hint), wordlist (dictionary, with --rules for mangling), incremental (smart brute force), and mask. John's edge over hashcat is file-format coverage and zero-GPU portability; hashcat's edge is raw GPU speed. Most people keep both. The fill-in-your-values reference is the John the Ripper cheat sheet.

Install John (the jumbo build)

The version that matters is jumbo, the community build with hundreds of extra formats and every *2john tool. The package managers ship it:

bash
# macOS (Homebrew), installs jumbo
brew install john-jumbo

# Debian / Ubuntu
sudo apt install john

# Arch
sudo pacman -S john

# Fedora
sudo dnf install john

Confirm you have jumbo and check the build:

bash
john --list=build-info
# Version: 1.9.0-jumbo-1

If john --list=formats prints hundreds of names (bcrypt, NT, wpapsk, Office, PDF, KeePass, RAR5...), you have jumbo. If it lists only a dozen, you have core John; install the jumbo package instead.

The John philosophy

hashcat makes you specify everything; John tries to be helpful. Three design choices shape how you use it:

  1. Auto-detection. Hand John a hash and it guesses the format. You only need --format= when the guess is ambiguous or wrong.
  2. The *2john extractors. John cannot read a .zip directly, but zip2john turns the encrypted file into a hash string John can crack. There is a *2john tool for almost every format (ls your John share directory and you will find a hundred of them).
  3. Modes, not attack numbers. Instead of -a 0/1/3, John has named modes: single, wordlist, incremental, mask. You combine them with a strategy, and running john with no mode flag walks single, then wordlist, then incremental automatically.

The *2john extractors (John's killer feature)

This is why John stays in the toolkit even when you own a GPU rig. To crack the password on an encrypted file, you first extract its hash:

bash
zip2john secret.zip      > zip.hash      # encrypted ZIP
rar2john archive.rar     > rar.hash      # RAR / RAR5
pdf2john.pl locked.pdf   > pdf.hash      # password-protected PDF
office2john.py book.xlsx > office.hash   # Word / Excel / PowerPoint
keepass2john db.kdbx     > keepass.hash  # KeePass database
ssh2john id_rsa          > ssh.hash      # passphrase on an SSH key

Then you crack the resulting hash file exactly like any other. The full file-format walkthrough is in cracking ZIP, RAR, and PDF passwords.

Your first crack

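Generate an MD5 of the string hashcat and crack it with a small wordlist. The format is forced with --format=raw-md5 here because a bare 32-character hex string matches more than one format: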

bash
echo -n "hashcat" | md5sum | cut -d' ' -f1 > target.hash
printf 'password\n123456\nhashcat\nletmein\n' > words.txt
john --format=raw-md5 --wordlist=words.txt target.hash

John loads the hash, runs, and finishes:

text
Loaded 1 password hash (Raw-MD5 [MD5 128/128 ASIMD 4x2])
hashcat          (?)
1g 0:00:00:00 DONE
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

The hashcat on its own line is the recovered password (the (?) means the hash had no associated username). To print results cleanly:

bash
john --show --format=raw-md5 target.hash
# ?:hashcat
#
# 1 password hash cracked, 0 left

That ?:hashcat is username:password; the ? is the placeholder for "no username." John also remembers cracks in ~/.john/john.pot, so it never re-cracks a hash you already have.

The cracking modes

John's four modes map to different strategies. You can run them explicitly or let John cycle through them.

  • Single crack (--single): a fast first pass that builds candidates from the account information itself (the username, GECOS field, and home directory), mangled by rules. Astonishingly effective because people base passwords on their own names. Always run it first when you have usernames.

  • Wordlist (--wordlist=FILE): the dictionary attack. Add --rules to mangle each word (the equivalent of hashcat rules):

    bash
    john --wordlist=rockyou.txt --rules hash.txt

  • Incremental (--incremental): John's brute force, but smarter than raw enumeration: it uses character frequency statistics to try likely combinations first. It will run effectively forever on a strong password; bound it with --max-length.

  • Mask (--mask=?u?l?l?l?d?d): targeted brute force when you know the password's shape, the same idea as hashcat's mask attack.
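A defender's counterpart to single crack mode, as an added example (not from the original article and not John's own rule engine): a password-change check that rejects passwords built on the account's own username, GECOS name or home directory. The function names, the small leet table and the sample account are assumptions made for illustration.

```python
import re

# Constructed table undoing common "leet" substitutions. An assumption for this
# sketch; a real cracker's mangling rules cover far more variations.
LEET = str.maketrans("4@310$57", "aaeiosst")

def account_words(username, gecos="", home=""):
    """Words from the fields single crack mode draws on (login, name, home dir)."""
    fields = [username, gecos.split(",")[0], home.rstrip("/").rsplit("/", 1)[-1]]
    words = re.split(r"[^a-z]+", " ".join(fields).lower())
    return {w for w in words if len(w) >= 3}

def base_forms(password):
    """Strip the decoration a mangling rule adds: case, leet, affixes, reversal."""
    def strip(s):
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    p = password.lower()
    forms = {strip(p).translate(LEET), strip(p.translate(LEET))}
    return forms | {f[::-1] for f in forms}

def derived_from_account(password, username, gecos="", home=""):
    """Return the account word the password is built on, or None if there is none."""
    forms = base_forms(password)
    hits = [w for w in account_words(username, gecos, home)
            if any(w in f for f in forms)]
    return max(hits, key=lambda w: (len(w), w)) if hits else None

if __name__ == "__main__":
    # Constructed account record, in passwd field terms.
    acct = dict(username="jsmith", gecos="John Smith,Room 12,555-0100",
                home="/home/jsmith")
    for pw in ["Smith2024!", "J0hn!", "$m1th99", "htimsj1", "correct-horse-battery"]:
        hit = derived_from_account(pw, **acct)
        print(f"{pw!r:26} {'REJECT, built on ' + repr(hit) if hit else 'ok'}")
```

Substring matching on words of three or more letters will occasionally flag an unrelated password; for a policy check that is the safer direction to err in.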

Run with no mode and John does the sensible thing automatically:

bash
john hash.txt          # single, then wordlist (default list), then incremental
john --show hash.txt   # read out whatever cracked

For big jobs, --fork=N splits the work across N CPU cores.
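To put numbers on the mask and incremental modes described above, this added example (not from the original article) counts the candidates a mask generates and compares that with a full printable-ASCII search bounded by length. Only the ?l ?u ?d ?s ?a placeholders are handled, and the guess rate is an assumed figure; real speed depends on the hash format and hardware.

```python
# Sizes of the built-in ASCII placeholder classes. Assumption: only these five
# are handled; custom sets and ranges are out of scope for this sketch.
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def mask_keyspace(mask):
    """Number of candidates a mask such as ?u?l?l?l?d?d generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask) or mask[i + 1] not in CLASS_SIZE:
                raise ValueError(f"unsupported placeholder at position {i}")
            total *= CLASS_SIZE[mask[i + 1]]
            i += 2
        else:
            i += 1  # any other character is a literal: exactly one choice
    return total

def exhaustive_keyspace(max_length, alphabet=95):
    """Candidates in a full search of every length from 1 to max_length."""
    return sum(alphabet ** n for n in range(1, max_length + 1))

def describe(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    RATE = 10_000_000  # assumed guesses per second, for illustration only
    cases = [
        ("mask ?u?l?l?l?d?d", mask_keyspace("?u?l?l?l?d?d")),
        ("mask Summer?d?d?d?d", mask_keyspace("Summer?d?d?d?d")),
        ("all printable, length <= 6", exhaustive_keyspace(6)),
        ("all printable, length <= 10", exhaustive_keyspace(10)),
    ]
    for label, size in cases:
        print(f"{label:30} {size:>26,}  worst case {describe(size / RATE)}")
```

The takeaway for password policy is that a predictable shape cuts the search by orders of magnitude, while each extra character of unpredictable length multiplies it by the alphabet size.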

When John beats hashcat (and when it does not)

They are complementary, and the head-to-head comparison has the full breakdown. The quick rule:

Reach for John when:

  • You have an encrypted file (ZIP, RAR, PDF, Office, KeePass, SSH key). The *2john tooling is unmatched.
  • You have no GPU, or you are on a server, container, or low-power box.
  • You want auto-detection and the single-crack mode's username-based guessing.

Reach for hashcat when:

  • You have a GPU and a pile of raw hashes (database dumps, NTLM, WPA). It will be many times faster.
  • You want the most powerful rules and mask engine for large-scale work.
