TechEarl

John the Ripper Cheat Sheet: Extract, Crack, Show

Set your hash file, wordlist, and format once, and every John the Ripper command below fills in with your values, ready to copy. The *2john extractors, all four cracking modes, the full flag reference, and the format list. Tested on 1.9.0-jumbo-1.

Ishan Karunaratne⏱️ 7 min readUpdated
Share thisCopied
Fill in your hash file, wordlist and format, then copy ready-to-run John the Ripper commands for the *2john extractors and every cracking mode. Full flag reference. Tested on 1.9.0-jumbo-1.

The John the Ripper reference I keep open while working a file. Set your hash file, wordlist, and format once, and every command rewrites itself with your values, ready to copy. Below that is the full flag reference, the *2john extractor list, and the common formats. New to John? Start with the John the Ripper guide. Everything here was verified on John the Ripper 1.9.0-jumbo-1 (the jumbo build).

Set your values once

Try it with your own values

Set these once. Every command picks up your values. John usually auto-detects the format, so you only need to set it when forcing a specific type.

Step 1: extract the hash from a file

If you are cracking an encrypted file, turn it into a hash first with the matching *2john tool, then point John at the output:

bash
zip2john secret.zip > :hashfile      # then crack :hashfile below

Swap zip2john for the tool that matches your file: rar2john, pdf2john.pl, office2john.py, keepass2john, ssh2john. The full list is in the extractor table further down. Raw database hashes (MD5, NTLM, bcrypt) skip this step, they go straight into the hash file.

Ready-to-run cracking commands

Auto-detect and crack (John guesses the format from the hash):

bash
john --wordlist=:wordlist :hashfile

Force the format + wordlist (when auto-detect is ambiguous):

bash
john --format=:format --wordlist=:wordlist :hashfile

Wordlist + rules (mangle each word, the highest-yield attack):

bash
john --format=:format --wordlist=:wordlist --rules :hashfile

Single crack mode (build guesses from the username, run this first):

bash
john --single --format=:format :hashfile

Incremental (John's statistics-driven brute force, bound the length):

bash
john --incremental --max-length=8 :hashfile

Mask attack (targeted brute force when you know the shape):

bash
john --format=:format --mask=:mask :hashfile

Use all your CPU cores (split the job with fork):

bash
john --fork=:fork --format=:format --wordlist=:wordlist :hashfile

Show what you have cracked (read results from the pot file):

bash
john --show --format=:format :hashfile

The full flag reference

John the Ripper Flag Reference

Every flag organised by task. Jumbo build, tested on 1.9.0-jumbo-1.

Core & detection

john hash.txtWith no mode flag, John runs single, then wordlist, then incremental automatically.
--format=raw-md5Force a hash format. Needed when auto-detect is ambiguous. See --list=formats.
--list=formatsList every supported format (hundreds in jumbo).
--list=build-infoShow the build and version. Confirm you have jumbo.
--testSelf-test and benchmark the formats.
--show hash.txtPrint cracked passwords as username:password. Add =left for the uncracked ones.

Extract hashes from files (*2john)

zip2john file.zip > hash.txtEncrypted ZIP (PKZIP and WinZip/AES).
rar2john file.rar > hash.txtRAR3 and RAR5 archives.
7z2john.pl file.7z > hash.txt7-Zip archives.
pdf2john.pl file.pdf > hash.txtPassword-protected PDF.
office2john.py file.docx > hash.txtWord, Excel, PowerPoint (2007 onward).
keepass2john file.kdbx > hash.txtKeePass database master password.
ssh2john id_rsa > hash.txtPassphrase on an encrypted SSH private key.
gpg2john secret.gpg > hash.txtGnuPG symmetric / private key passphrase.

Cracking modes

--singleSingle crack: builds candidates from the username/GECOS. Fast, run first.
--wordlist=rockyou.txtWordlist (dictionary) mode.
--wordlist=rockyou.txt --rulesWordlist with word-mangling rules. The highest-yield attack.
--rules=JumboUse a named rules section. Jumbo is the big built-in set.
--incrementalStatistics-driven brute force. Bound with --max-length.
--mask=?u?l?l?l?d?dMask mode: targeted brute force by pattern.
--loopbackUse already-cracked passwords as the wordlist (reuse patterns).

Scope & performance

--fork=4Split work across 4 processes (CPU cores).
--max-length=8Cap candidate length (essential for incremental).
--min-length=6Skip candidates shorter than 6.
--users=adminCrack only the named user(s).
--groups=0Crack only users in the given group (e.g. root group 0).
--devices=1Select OpenCL device for the *-opencl formats.

Session & output

--session=audit1Name the session so you can resume it.
--restore=audit1Resume a named, interrupted session.
--status=audit1Print the status of a running/paused session.
--pot=custom.potUse a specific pot file instead of ~/.john/john.pot.
--show=leftPrint the hashes that are still uncracked.

The *2john extractors

The jumbo build ships around a hundred of these. The ones you will actually reach for:

ToolCracks the password on a...hashcat equivalent mode
zip2johnZIP archive (PKZIP / WinZip-AES)17200 / 13600
rar2johnRAR3 / RAR5 archive12500 / 13000
7z2john.pl7-Zip archive11600
pdf2john.plPDF document10500 / 10600 / 10700
office2john.pyWord / Excel / PowerPoint9400 / 9500 / 9600
keepass2johnKeePass database13400
ssh2johnencrypted SSH private key22911
gpg2johnGnuPG key / message17010 / 17020

The file-cracking walkthrough is in crack ZIP, RAR, and PDF passwords.

Common formats (--format=)

John usually auto-detects, but when it asks, these are the names:

Hash--format=
Raw MD5 / SHA-1 / SHA-256raw-md5 / raw-sha1 / raw-sha256
NTLMNT
bcryptbcrypt
sha512crypt $6$ / sha256crypt $5$sha512crypt / sha256crypt
Argon2argon2
WPA handshakewpapsk
NetNTLMv2netntlmv2
Kerberos TGS-REP / AS-REPkrb5tgs / krb5asrep
ZIP / RAR5 / PDF / Office / KeePassZIP / RAR5 / PDF / Office / KeePass

Where to go next

Sources

Authoritative references this article was fact-checked against.

Tagsjohn the rippercheat sheetpassword crackingzip2johnreference

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.

More by IshanLinkedIn
Keep reading

Related posts

Install John the Ripper jumbo, extract hashes from files with *2john, run your first crack, use single/wordlist/incremental/mask modes, and know when John beats hashcat. Tested on 1.9.0-jumbo-1.
Security

John the Ripper: The Complete Guide (Jumbo, with Real Examples)

John the Ripper is the cracker that runs anywhere and pulls a hash out of almost any encrypted file. I walk the jumbo install, auto-detection, the *2john extractors that are its killer feature, your first real crack, the cracking modes, and where John still beats hashcat. Tested on 1.9.0-jumbo-1.

Practical XXEinjector reference by task: target options, request file format, OOB vs direct modes, PHP filter wrappers, file enumeration, and listeners.
Security

XXEinjector Cheat Sheet: Every Flag I Actually Use

A field reference for XXEinjector: target options, request file format with the XXEINJECT marker, OOB and direct modes, PHP filter wrappers, file enumeration, logging, and custom listeners. Grouped by what you are trying to do.

Practical fuxploider reference by task: target, true/false regex, extension fuzzing, cookies, headers, proxy, threading, and post-upload pivot.
Security

fuxploider Cheat Sheet: Every Flag I Actually Use

A field-tested fuxploider reference: target shaping, true/false response detection, extension fuzzing, cookies and headers, proxying, threading, and what to do once a webshell uploads. Grounded in the real argparse surface.