John the Ripper (JtR) is a password security auditor. This page is a practical reference — installation, wordlists, the *2john extractor family, and common flags.
The community-supported "jumbo" build ships with most of the format-specific extractors you'll need. On Debian/Ubuntu:
sudo apt install john
For the latest jumbo features (Office, ODF, RAR5, many more formats) build from source:
git clone https://github.com/openwall/john.git cd john/src ./configure && make -s clean && make -sj4 cd ../run ./john --test=0
John rarely operates on the original file directly. Each supported format has a matching extractor that emits a John-compatible hash line:
office2john.py <doc.docx> — Microsoft Office fileslibreoffice2john.py <file.odt> — OpenDocument fileszip2john <archive.zip> — ZIP archivesrar2john <archive.rar> — RAR3/RAR5 archivespdf2john.pl <file.pdf> — PDF fileskeepass2john <file.kdbx> — KeePass databasesPipe the output to a file and feed it to John:
office2john.py secret.docx > hash.txt john --wordlist=rockyou.txt hash.txt
The single most useful wordlist is rockyou.txt: a ~14-million-entry leak of real user passwords. Ship with SecLists for more specialised lists:
git clone https://github.com/danielmiessler/SecLists.git
For slow KDFs (Office, ODF, RAR5), small high-quality lists work better than large ones — every extra iteration costs real time.
Rules transform a base wordlist (append digits, substitute letters, capitalise, etc.). Enable the built-in rule-set with:
john --wordlist=rockyou.txt --rules=KoreLogic hash.txt
Incremental mode ("brute force") generates candidates based on character-frequency statistics:
john --incremental hash.txt
Recovered passwords are written to ~/.john/john.pot. To display them:
john --show hash.txt
Prefer GPU acceleration? See our Hashcat tutorial for mask attacks and CUDA/OpenCL tuning.