Date
November 18, 2025
Author
Karan Patel, CEO

Password cracking is one of the most fundamental skills in offensive security and penetration testing. Whether you are auditing your organization's password policy or practicing for a certification exam, understanding how password cracking tools work is essential. John the Ripper, commonly called JtR or simply John, is one of the oldest and most capable password cracking tools available, and it remains a staple in every red teamer's toolkit.

This guide walks you through everything a beginner needs to know: installation, hash identification, wordlist attacks, rule-based cracking, and more, all with real commands you can run in your lab environment.

What Is John the Ripper?

John the Ripper is a free, open-source password security auditing and recovery tool originally developed by Solar Designer. It was built for Unix systems but now supports Windows, macOS, and dozens of hash formats including MD5, SHA-1, SHA-256, bcrypt, NTLM, and many others.

There are two main versions you need to know about:

  • John the Ripper core: the official release from openwall.com. It is deliberately small, supports the traditional Unix crypt variants plus LM/NT and a handful of other types, and is the most conservative, well-tested build.
  • Jumbo: the community-enhanced version, developed in the bleeding-jumbo branch of the openwall/john repository. It adds hundreds of additional hash and file formats, OpenCL GPU support, mask mode, and the *2john converters. This is the version most practitioners use, and it is what the john package on Kali, Parrot, and other Debian-based distributions provides.

If you are serious about password auditing and want to build real-world skills, the Redfox Cybersecurity Academy curriculum covers John the Ripper in depth alongside other essential offensive security tools at academy.redfoxsec.com.

Installing John the Ripper on Linux

Installing on Kali Linux or Parrot OS

Both Kali and Parrot ship with John (the Jumbo build) pre-installed. Running john with no arguments prints the version banner followed by the usage summary, and --list=build-info shows how the binary was compiled (compiler, SIMD extensions such as AVX2, OpenSSL version), which matters when you compare speeds between machines:

john
john --list=build-info

If it is not installed, run:

sudo apt update && sudo apt install john -y

Installing the Jumbo Version from Source

The Jumbo version is significantly more powerful, and building from the bleeding-jumbo branch gives you the newest formats and fixes (at the cost of an occasional build break, since it is the development branch). The packages below are the minimum; libgmp-dev, libpcap-dev, and libbz2-dev are optional but unlock additional formats, and configure prints a summary of which optional libraries it found. Replace the 4 in -sj4 with your core count:

sudo apt install build-essential libssl-dev zlib1g-dev git -y
git clone https://github.com/openwall/john -b bleeding-jumbo john-jumbo
cd john-jumbo/src
./configure && make -s clean && make -sj4
cd ../run
./john --list=build-info

After a successful build, the john binary lives in john-jumbo/run/ together with john.conf, the default password.lst wordlist, the .chr files for incremental mode, and the *2john helper scripts. John locates its configuration relative to the binary, so add that directory to your PATH rather than copying the binary elsewhere:

export PATH="$PATH:/path/to/john-jumbo/run"

Understanding Hash Formats and How John Identifies Them

Before cracking, you need to know what type of hash you are dealing with. John can auto-detect many formats, but an unsalted 32-character hex string could be raw MD5, an NT hash, MD4, or several others; John picks one and only warns about the alternatives (Warning: detected hash type "raw-md5", but the string is also recognized as "nt"). Specifying --format explicitly is therefore faster and more reliable, and you need to pass the same --format to --show afterwards or John may load the file as a different type and report nothing cracked.

Common Hash Formats

Hash type                     Example                                     JtR format flag
MD5                           5f4dcc3b5aa765d61d8327deb882cf99            --format=raw-md5
SHA-1                         5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8    --format=raw-sha1
SHA-256                       5e884898da28047151d0e56f8dc6292...          --format=raw-sha256
NTLM (NT hash)                8846F7EAEE8FB117AD06BDD830B7586C            --format=nt
bcrypt                        $2a$12$...                                  --format=bcrypt
Linux shadow (SHA-512 crypt)  $6$salt$hash                                --format=sha512crypt

The MD5, SHA-1, SHA-256, and NT examples are all hashes of the string password, which makes them convenient known-answer inputs for checking that a format works before you load real material.

Using hash-identifier and hashid

Two companion tools help you identify unknown hashes before passing them to John. hash-identifier (pre-installed on Kali) is interactive: run it and paste the hash at its prompt. hashid is scriptable, available via pip3 or apt install hashid on Kali, and its -j flag prints the matching John format name beside each candidate:

pip3 install hashid
hashid '5f4dcc3b5aa765d61d8327deb882cf99'
hashid -j '5f4dcc3b5aa765d61d8327deb882cf99'

Output lists every algorithm hashid knows that produces a 32-character hex digest (truncated here; the full list also includes Double MD5, LM, NTLM, and others):

Analyzing '5f4dcc3b5aa765d61d8327deb882cf99'
[+] MD2
[+] MD5
[+] MD4

hashid is working from length and character set alone, so it cannot tell MD5 from an NT hash. Use where the hash came from to break the tie: a 32-hex value from a web application database is almost always MD5, while one from a Windows SAM or NTDS dump is an NT hash.
You can also use John's own --list=formats to see every format it supports:

john --list=formats | grep -i ntlm

Preparing Hash Files for John the Ripper

John expects hashes in a plain text file, one per line. Depending on the source, you can prefix each hash with a username (username:hash); John keeps the name with the cracked password in its output, and lines without one are shown as ? by --show. The username is also what single-crack mode mines for candidates.

Example: Creating a Test Hash File

Generate a test MD5 hash using Python:

python3 -c "import hashlib; print('testuser:' + hashlib.md5(b'password123').hexdigest())" > hashes.txt
cat hashes.txt

Output:

testuser:482c811da5d5b4bc6d497ffa98491e38

Extracting Hashes from Linux /etc/shadow

On a machine you are authorized to test, merge the passwd and shadow entries and feed the result to John. Only unshadow runs as root; the redirection is done by your shell, so the output file belongs to your user:

sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt

The unshadow utility is bundled with John and merges the two files into the combined passwd-style format John expects. John reads the type from the $id$ prefix of each hash: $6$ is SHA-512 crypt (--format=sha512crypt), $5$ SHA-256 crypt, $1$ MD5 crypt. Recent Debian, Ubuntu, and Kali releases default to yescrypt ($y$), for which the 1.9.0-jumbo-1 release has no dedicated format; those hashes load only through --format=crypt, the generic crypt(3) wrapper, which works when the system libcrypt supports yescrypt but runs far slower than the native sha512crypt code.

Running Your First Crack: Wordlist Attack

A wordlist attack, also called a dictionary attack, is the most common and often most productive attack method. You supply a file of candidate passwords, and John hashes each one and compares it to your target.

Using rockyou.txt

The rockyou.txt wordlist is the industry-standard starting point. On Kali, it ships compressed at /usr/share/wordlists/rockyou.txt.gz in a root-owned directory, so decompress it once with sudo (gunzip replaces the .gz with the plain file):

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Then run a wordlist attack:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes.txt

John prints each cracked password as it finds it and records the result in its pot file (~/.john/john.pot for the packaged install, run/john.pot for a source build); hashes already in the pot file are skipped on later runs. To list results afterwards, run --show with the same --format you cracked with, otherwise John may load the lines as a different type and report nothing:

john --show --format=raw-md5 hashes.txt

Output example:

testuser:password123

1 password hash cracked, 0 left

This is one of those moments where the simplicity of the tool masks how powerful it really is. If a user chose password123, John finds it in seconds. Building an intuition for what makes passwords weak or resilient is a core skill covered in detail at Redfox Cybersecurity Academy.

Brute-Force Mode in John the Ripper

When a wordlist attack fails, you move to brute force. John calls this incremental mode. It is exhaustive in the end, but smarter than naive enumeration: candidates are generated in an order driven by character-frequency statistics from training data (the .chr files in the run directory), so likely combinations such as common letter trigrams come first, and each mode has a MinLen/MaxLen range configured in john.conf.

Running Incremental Mode

john --incremental hashes.txt

You can target specific character sets using the built-in modes; without an argument, --incremental uses the ASCII mode (all 95 printable characters), and Jumbo's --min-length/--max-length override the configured length range:

john --incremental=Digits hashes.txt      # digits 0-9 only: PINs
john --incremental=Alpha hashes.txt       # lowercase letters a-z only
john --incremental=Alnum hashes.txt       # lowercase letters and digits
john --incremental --max-length=6 hashes.txt   # printable ASCII, capped at six characters

Brute force is exponential in length. For anything beyond six or seven characters it becomes impractical without GPU acceleration, which is where Hashcat becomes the better choice for long campaigns. When you know the shape of the password, Jumbo's mask mode is the more efficient brute force: --mask='?d?d?d?d?d?d' covers every six-digit PIN (?l lowercase, ?u uppercase, ?s symbols, ?a all printable), and it spends no time on lengths and classes you have ruled out. Incremental mode is for when you have no such information and the keyspace is small.
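
To make the cost concrete, here is an added example (not part of this page or of John) that computes the keyspace each incremental mode covers up to a given length and how long exhausting it would take. The character-class sizes are those the named modes cover; the 10 million candidates per second figure is an assumption for illustration, and the real number for your hardware and format comes from john --test --format=<name>.

```python
"""Keyspace and time estimator for John's incremental modes (added example, not John code)."""

# Character-class sizes the named modes cover: Digits 0-9, Alpha a-z,
# Alnum a-z0-9, ASCII the 95 printable characters.
INCREMENTAL_MODES = {"Digits": 10, "Alpha": 26, "Alnum": 36, "ASCII": 95}


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates of every length from min_len to max_len inclusive (a geometric sum)."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size: int, min_len: int, max_len: int, rate_per_sec: float) -> float:
    """Worst-case wall time to try the whole keyspace at a given candidate rate."""
    return keyspace(charset_size, min_len, max_len) / rate_per_sec


def human_time(seconds: float) -> str:
    """Coarse duration string; precision beyond 'hours vs years' is not the point."""
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"


def feasibility_table(rate_per_sec: float, min_len: int = 4, max_len: int = 8) -> list:
    """Rows of (mode, max length, keyspace, worst-case time) for lengths 1..max."""
    rows = []
    for mode, size in INCREMENTAL_MODES.items():
        for n in range(min_len, max_len + 1):
            rows.append((mode, n, keyspace(size, 1, n),
                         human_time(seconds_to_exhaust(size, 1, n, rate_per_sec))))
    return rows


if __name__ == "__main__":
    RATE = 10_000_000  # assumed 10 M c/s, a CPU-class raw-md5 figure; measure yours with john --test
    for mode, n, space, t in feasibility_table(RATE):
        print(f"{mode:<6} up to {n} chars: {space:>20,d} candidates, worst case {t:>7} at {RATE:,} c/s")
```

The table makes the page's rule of thumb visible: at that rate all printable ASCII up to eight characters is decades of CPU time, while Digits up to eight finishes in seconds, which is why a PIN is an incremental job and a long random password is not.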

Rule-Based Attacks: The Most Underrated Feature

Rule-based attacks are where John the Ripper genuinely shines compared to simpler tools. Rules transform wordlist candidates on the fly: capitalizing letters, appending numbers, substituting characters, and much more.

Applying Built-In Rulesets

John ships with several rulesets defined in john.conf. --rules with no name applies the default Wordlist section; --rules=Jumbo (Jumbo build) is a far larger set that multiplies every wordlist entry into thousands of candidates, so expect a run with rockyou.txt to take many times longer than the bare wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Jumbo --format=raw-md5 hashes.txt

The Single ruleset is the one designed for single-crack mode, which derives candidates from each account's own login name and GECOS fields (it needs the username:hash form or an unshadowed file). Run that mode with --single; you can also apply the same rules to a wordlist, but then they are just another mangling set and nothing username-specific happens:

john --single --format=raw-md5 hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Single --format=raw-md5 hashes.txt

Writing Custom Rules

Custom rules live in a [List.Rules:YourRuleName] section. Jumbo's john.conf ends with .include "$JOHN/john-local.conf", so put your sections in john-local.conf next to john.conf (create it if it does not exist) and package upgrades will leave them alone. The [0-9] groups are preprocessor character classes: John expands each line into one concrete rule per combination, so the first line below becomes 100 rules and the second 1,000. This example appends common suffixes to each word:

[List.Rules:CustomAppend]
Az"[0-9][0-9]"
Az"[0-9][0-9][0-9]"
Az"!"
Az"123"
Az"@"

Save the section, then preview what it generates with --stdout before spending CPU time on a real run, and invoke it against your hashes:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=CustomAppend --stdout | head
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=CustomAppend --format=raw-md5 hashes.txt

Rule syntax in John is expressive and is applied left to right. A is the insert command (AN"STR" inserts STR at position N) and z as the position means the end of the word, so Az"123" appends 123; $X appends a single character and ^X prepends one. c capitalizes (first letter upper, the rest lower), l lowercases, u uppercases, r reverses, d duplicates, and f appends the reversed word. Chained, c$1$! turns hello into Hello1!. Mastering rule syntax is a skill that separates beginners from experienced password auditors.
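
The following Python interpreter is an added example, not John's rule engine, for the rule subset described in this section and used in the CustomAppend ruleset above. It implements the preprocessor's [...] character classes and the commands : l u c r d f $X ^X and AN"STR" (N a digit or z), and deliberately ignores John's length limits, rejection flags, and duplicate handling; use it to reason about what a ruleset will generate, and john --stdout for the authoritative answer.

```python
"""Mini interpreter for a subset of John's rule language (added example, not John code)."""
import itertools
import re

CLASS_RE = re.compile(r"\[([^\]]*)\]")


def _expand_class(body: str) -> list:
    """Turn the inside of [...] into its member characters, honouring a-b ranges."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            lo, hi = body[i], body[i + 2]
            chars.extend(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def expand_rule(rule: str) -> list:
    """Preprocessor step: one concrete rule per combination of class members."""
    pieces, last = [], 0
    for m in CLASS_RE.finditer(rule):
        pieces.append([rule[last:m.start()]])
        pieces.append(_expand_class(m.group(1)))
        last = m.end()
    pieces.append([rule[last:]])
    return ["".join(p) for p in itertools.product(*pieces)]


def apply_rule(rule: str, word: str) -> str:
    """Apply one concrete (already expanded) rule to a word, command by command."""
    i, w = 0, word
    while i < len(rule):
        cmd = rule[i]
        i += 1
        if cmd in ": ":                 # no-op / separator
            continue
        elif cmd == "l":
            w = w.lower()
        elif cmd == "u":
            w = w.upper()
        elif cmd == "c":
            w = w[:1].upper() + w[1:].lower()
        elif cmd == "r":
            w = w[::-1]
        elif cmd == "d":
            w = w + w
        elif cmd == "f":
            w = w + w[::-1]
        elif cmd in "$^":               # append / prepend one literal character
            ch = rule[i]
            i += 1
            w = w + ch if cmd == "$" else ch + w
        elif cmd == "A":                # AN"STR": insert STR at position N (z = end)
            pos_char, delim = rule[i], rule[i + 1]
            end = rule.index(delim, i + 2)
            text = rule[i + 2:end]
            i = end + 1
            pos = len(w) if pos_char == "z" else int(pos_char)
            w = w[:pos] + text + w[pos:]
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return w


def mangle(words, rule_lines):
    """Yield (rule, candidate) for every word under every expanded rule, like a wordlist run."""
    rules = [r for line in rule_lines for r in expand_rule(line)]
    for rule in rules:
        for word in words:
            yield rule, apply_rule(rule, word)


if __name__ == "__main__":
    # The CustomAppend section from this page, plus a capitalise-and-suffix rule.
    section = ['Az"[0-9][0-9]"', 'Az"!"', 'Az"123"', 'c$1$!']
    candidates = [c for _, c in mangle(["password", "summer"], section)]
    print(len(candidates), "candidates, e.g.", candidates[:3], candidates[-2:])
```

Running it shows the multiplier a ruleset imposes: four source lines become 103 concrete rules, so a two-word list yields 206 candidates, and rockyou.txt would yield 103 times its line count.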

Cracking NTLM Hashes from Windows Environments

In Windows penetration testing engagements, you will often encounter NTLM hashes extracted from the SAM database or dumped via tools like Impacket's secretsdump.py. John handles these natively.

Example NTLM Hash Crack

Assume you have a line in the pwdump layout username:RID:LM:NTLM::: from a secretsdump run:

administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

The LM field aad3b435b51404eeaad3b435b51404ee is the placeholder for "no LM hash stored" (LM hashing has been disabled by default since Windows Vista and Server 2008), so only the NT field is worth attacking. John's nt format reads pwdump lines directly and takes the fourth field. This particular NT hash is the hash of password.

Save it to ntlm_hashes.txt, then crack it:

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm_hashes.txt
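
The added example below (not Impacket or John code) shows what an NT hash is and how a pwdump line is put together: NT = MD4 over the UTF-16LE encoding of the password, with MD4 written out in Python because hashlib's md4 is frequently unavailable on OpenSSL 3 systems. It parses the sample line above, flags whether an LM hash is really present, checks a few constructed candidates against the NT field, and builds a pwdump line for a lab account so you can verify john --format=nt end to end on data you control.

```python
"""NT hash (MD4 over UTF-16LE) and pwdump line handling; added example, not Impacket or John code."""
import struct
from typing import Optional

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # pwdump's "no LM hash stored" placeholder


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented from the spec (hashlib's md4 is often missing)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, shifts, order in rounds:
            for step, k in enumerate(order):
                t = (-step) % 4          # rotates the a, d, c, b target through the state
                a, b, c, d = v[t], v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[step % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lower-case hex as John prints it."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line: str) -> dict:
    """Split user:RID:LM:NT::: and record whether an LM hash is actually present."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_present": lm.lower() != EMPTY_LM}


def check_candidates(nt_hex: str, candidates) -> Optional[str]:
    """Dictionary attack in miniature: the candidate whose NT hash matches, if any."""
    target = nt_hex.lower()
    for cand in candidates:
        if nt_hash(cand) == target:
            return cand
    return None


def pwdump_line(user: str, rid: int, password: str) -> str:
    """Build a lab pwdump line (LM disabled) that john --format=nt accepts."""
    return f"{user}:{rid}:{EMPTY_LM}:{nt_hash(password)}:::"


if __name__ == "__main__":
    # Constructed sample: the line from this page.
    line = "administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
    entry = parse_pwdump(line)
    print(entry["user"], "LM present:", entry["lm_present"])
    print("match:", check_candidates(entry["nt"], ["letmein", "Password1", "password"]))
    print(pwdump_line("labuser", 1001, "Summer2025!"))
```

Write the line that pwdump_line produces to a file and run john --format=nt against it with a wordlist containing the password you chose; if John reports it cracked, the whole pipeline from encoding to pot file is working on your build.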

Do not confuse NT hashes with Net-NTLMv2. secretsdump output is NT hashes (--format=nt), and because an NT hash is the credential itself it can be used in pass-the-hash without being cracked. Net-NTLMv2 is the challenge-response form captured on the wire by Responder and similar tools; it cannot be replayed as a hash, but it can be cracked (or relayed) and uses --format=netntlmv2 (--format=netlmv2 for the older LMv2 response). Responder writes one capture per line in the user::DOMAIN:challenge:response:blob form John expects:

john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt captured_hashes.txt

Understanding how Windows authentication hashes work and how to audit them responsibly is a significant component of red team operations. The structured learning path at Redfox Cybersecurity Academy walks you through the full Windows credential attack chain in authorized lab environments.

Cracking ZIP, PDF, and SSH Key Passwords

The Jumbo version of John ships helper programs that turn a protected file into a hash line John can load. They follow the *2john naming convention; some are compiled (zip2john and rar2john, among others) and some are scripts (ssh2john.py, and pdf2john.pl or pdf2john.py depending on the build). All live in run/ for a source build and under /usr/share/john on Kali; if a bare name is not on your PATH, run the script explicitly with python3 or perl. Be aware that cheap and expensive cases look alike from the outside: a ZIP protected with legacy ZipCrypto and one using WinZip AES produce different hash formats with very different cracking speeds, and John tells you which one it loaded.

Cracking a Password-Protected ZIP File

zip2john protected.zip > zip_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

Cracking a Password-Protected PDF

pdf2john protected.pdf > pdf_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt pdf_hash.txt

Cracking an Encrypted SSH Private Key

If you capture an encrypted id_rsa during an engagement, extract its hash and attack it. The converter is a Python script (ssh2john.py in run/, /usr/share/john/ssh2john.py on Kali). Speed depends on the key format: legacy PEM keys (BEGIN RSA PRIVATE KEY with a DEK-Info header) crack quickly, while keys in the modern OpenSSH format (BEGIN OPENSSH PRIVATE KEY) are protected with bcrypt-pbkdf and crack orders of magnitude slower:

ssh2john.py id_rsa > ssh_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt

These *2john utilities are often overlooked by beginners, but in real-world engagements they are extremely useful. Finding a password-protected archive on a target system and recovering the password can unlock credentials, configuration files, and other sensitive materials.

Useful John the Ripper Options and Flags

Checking Progress During a Running Session

John runs in the foreground. Press almost any key while it is running for a status line (q or Ctrl+C aborts and saves the session instead). From another terminal you can either signal the process or read the status from its saved session file:

kill -USR1 $(pidof john)
john --status

Restoring an Interrupted Session

Long cracking sessions can be interrupted. John writes its state to a .rec file every few minutes (the Save setting in john.conf, 600 seconds by default) and whenever you abort with Ctrl+C, so you lose at most that window of work. Resume the default session with --restore, or a named one with --restore=NAME:

john --restore
john --restore=session1

Running Multiple Instances

For independent hash sets, give each run its own session name so their .rec files do not collide (they still share one pot file). To split a single hash file across CPU cores instead, use Jumbo's --fork=N, which starts N processes that divide the candidate stream between them:

john --session=session1 --wordlist=rockyou.txt hashes1.txt &
john --session=session2 --wordlist=rockyou.txt hashes2.txt &
john --fork=4 --wordlist=rockyou.txt hashes.txt

Outputting Cracked Passwords to a File

john --show --format=raw-md5 hashes.txt | tee cracked_output.txt   # same --format as the cracking run

John the Ripper vs. Hashcat: When to Use Which

Both tools are excellent and many practitioners use them together. Here is a practical comparison to guide your choice:

Use John the Ripper when:

  • You want an all-in-one tool with built-in utilities like unshadow and the *2john converters
  • You are working on a CPU-only system; John's CPU code paths are well optimized and it scales across cores with --fork
  • You need rule-based attacks with John's expressive rule syntax, or single-crack mode that mines usernames and GECOS data for candidates
  • You are cracking less common or proprietary hash formats covered by the Jumbo build

Use Hashcat when:

  • You have a GPU and need maximum throughput; Jumbo has OpenCL support for many formats, but Hashcat's GPU kernels are generally faster and cover more types
  • You are running large-scale attacks against NTLM or MD5 with massive wordlists
  • You want its mask and hybrid attack modes and the large ecosystem of published rules and masks (Jumbo has --mask too, so this is partly preference)

For most beginners, starting with John the Ripper is the right call. Its rule engine, format coverage, and built-in utilities make it easier to learn the fundamentals. Once you are comfortable, adding Hashcat to your workflow is a natural progression.

Setting Up a Safe Practice Lab

Every command and technique in this guide must only be used against systems you own or have explicit written authorization to test. Setting up a local lab is straightforward:

  • Install VirtualBox or VMware and spin up a Kali Linux VM
  • Create a second VM running an older Ubuntu or Windows Server image
  • Generate your own test hashes using Python or openssl passwd
  • Practice recovering those hashes using the techniques above

# Generate a SHA-512 crypt hash for practice (the salt is up to 16 characters)
openssl passwd -6 -salt randomsalt mypassword
echo "labuser:$(openssl passwd -6 -salt randomsalt mypassword)" > lab_hashes.txt
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt lab_hashes.txt

This gives you a realistic $6$ hash to feed into John without touching any real system. Responsible practice in isolated lab environments is foundational to ethical security work.

Wrapping Up

John the Ripper is one of those tools that rewards the time you invest in learning it. A beginner can get results in minutes with a simple wordlist attack, but the real power comes from understanding hash formats, building custom rule sets, and chaining attacks intelligently. From Linux shadow files to encrypted SSH keys to NTLM dumps, John's coverage is broad and its Jumbo build pushes that coverage even further.

The skills covered in this tutorial sit at the core of penetration testing, red team operations, and security auditing. If you want to build on these fundamentals with structured, hands-on labs and expert-guided training, Redfox Cybersecurity Academy offers a comprehensive curriculum designed for practitioners who want real skills, not just theory.

Keep your practice ethical, document your methodology, and always operate within authorized boundaries.
