John the Ripper (Jumbo) — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Primarily a CPU password cracker (the Jumbo build also ships OpenCL formats) with 400+ hash and file formats; best for the unusual hash types that hashcat does not implement.

Use case: Password Cracking
Difficulty: Intermediate
Homepage: https://www.openwall.com/john

Installation

Pick the install method that matches your stack. A throwaway container is the cleanest for one-off jobs where you don't want to pollute your workstation; for anything longer, build from source so you get the newest formats.

Linux (apt)

Debian, Ubuntu and Kali ship the Jumbo build under the plain package name john (the *2john extractors come with it), usually a release or two behind upstream:

sudo apt install john

Source (recommended for latest formats)

Install the build dependencies first (on Debian/Ubuntu: build-essential, libssl-dev, zlib1g-dev, yasm, pkg-config, libgmp-dev, libpcap-dev, libbz2-dev). The binaries land in john/run/, and ../run/john --test confirms the build works:

git clone https://github.com/openwall/john && cd john/src && ./configure && make -s clean && make -sj4

macOS

brew install john-jumbo

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Wordlist attack (words tried verbatim; add --rules for mangling)

john --wordlist=rockyou.txt hashes.txt

Show cracked

john --show hashes.txt

Specific format (e.g., NT)

john --format=NT --wordlist=rockyou.txt hashes.txt

Apply a rule set (plain --rules = the default Wordlist set; Jumbo = everything)

john --wordlist=rockyou.txt --rules=Jumbo hashes.txt

ZIP archive

zip2john target.zip > zip.hash; john zip.hash

PDF (the extractor is pdf2john.py in current Jumbo; packaged builds may install it as pdf2john)

pdf2john.py protected.pdf > pdf.hash; john pdf.hash

KeePass database

keepass2john target.kdbx > kp.hash; john kp.hash
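The commands above in one runnable flow, as an added example that is not from the original post or the John project. It builds a hash file from constructed sample credentials (not real data), cracks it with an explicit --format, a named session and a private pot file, and then reads the result back with --show using the same --format and --pot, which is the step people most often get wrong. The user names, passwords, wordlist and the ./jtr-demo paths are this example's own assumptions; it expects john (Jumbo) on PATH and coreutils md5sum.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the John project): build a hash
# file from constructed sample credentials, crack it with an explicit --format,
# a named session and a private pot file, then read the result back with --show
# using the SAME --format. Assumes john (Jumbo) on PATH and coreutils md5sum;
# everything under ./jtr-demo is this example's own choice.
set -u

WORK="${WORK:-./jtr-demo}"

# Hex MD5 of a string with no trailing newline (what Raw-MD5 hashes).
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Write user:hash lines from constructed sample credentials (not real data).
make_hashfile() {
    out="$1"
    : > "$out"
    for cred in 'alice:password' 'bob:123456' 'carol:Password1' 'dave:Xk9#qZ2!vL'; do
        user="${cred%%:*}"
        pw="${cred#*:}"
        printf '%s:%s\n' "$user" "$(md5_hex "$pw")" >> "$out"
    done
}

# Constructed wordlist: 'Password1' is deliberately absent, so it can only fall
# to a mangling rule (capitalise + append digit); 'dave' should survive.
make_wordlist() {
    printf '%s\n' password 123456 letmein welcome > "$1"
}

# Extract the cracked count from the summary line john --show prints on stdin
# ("2 password hashes cracked, 2 left").
cracked_count() {
    sed -n 's/^\([0-9][0-9]*\) password hash[es]* cracked, .*/\1/p'
}

crack_and_show() {
    mkdir -p "$WORK"
    make_hashfile "$WORK/hashes.txt"
    make_wordlist "$WORK/words.txt"
    # 32-hex strings are also valid NT / Raw-MD4 / LM, so force the format.
    # --session/--pot keep this run's state out of the default john.rec/john.pot.
    john --format=Raw-MD5 --wordlist="$WORK/words.txt" --rules \
         --session="$WORK/demo" --pot="$WORK/demo.pot" "$WORK/hashes.txt"
    # --show must repeat --format and --pot or it reports nothing cracked.
    john --show --format=Raw-MD5 --pot="$WORK/demo.pot" "$WORK/hashes.txt" \
         | tee "$WORK/show.txt"
    printf 'cracked: %s\n' "$(cracked_count < "$WORK/show.txt")"
}

# Functions stay sourceable; run the full flow with: sh crack-demo.sh run
if [ "${1:-}" = run ]; then
    command -v john >/dev/null 2>&1 || { echo 'john not on PATH' >&2; exit 1; }
    crack_and_show
fi
```

Swap --rules for --rules=Jumbo to see the difference in run time on a real wordlist; with four words it is instant either way. Keeping --pot and --session per engagement also stops one client's plaintexts from landing in the shared default john.pot.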

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • --fork=N runs N worker processes and splits the candidates between them. Jumbo builds use OpenMP, so for many formats a single process already spreads across cores (john prints the OpenMP thread count at start-up); --fork still scales better and covers formats without OpenMP. Expect close to N× on N cores, never more.
  • CPU-bound: for fast hashes (NT, Raw-MD5, Raw-SHA1) GPU hashcat is 100-1000× faster; for slow, memory-hard ones (bcrypt, scrypt, Argon2) the gap is far smaller. Use John when the format isn't in hashcat, you have no GPU, or you need one of its *2john extractors.
  • --rules=Jumbo (thousands of rules) is the kitchen sink: slow but thorough. Plain --rules applies the much smaller default Wordlist set.
  • --restore resumes the last interrupted session (state in john.rec next to the binary for source builds, ~/.john/john.rec for distro packages). Name sessions with --session=NAME and resume with --restore=NAME when more than one job is in flight.
  • --mask=?u?l?l?d?d?d?s for targeted brute force when the pattern is known; ?u ?l ?d ?s ?a are the built-in classes and literal characters can be mixed in (Acme?d?d?d?d). Size the keyspace against john --test throughput before launching.
  • Format lookup: john --list=formats prints all 400+ names; use the exact name with --format= when hashcat doesn't cover the type.
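Sizing a mask attack before launching it, as an added example that is not from the original post or the John project. mask_keyspace parses a john mask built from the ?u ?l ?d ?s ?a placeholders plus literal characters and returns the candidate count; est_seconds divides that by a per-process rate you measured with john --test --format=<fmt>, multiplied by the --fork count. The 10M c/s figure, the NT format and the session name "masks" are this example's own assumptions; run_mask expects john on PATH and nproc from coreutils.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the John project): size a mask
# attack before launching it, then launch it across all cores. mask_keyspace
# parses a john mask built from the ?u ?l ?d ?s ?a placeholders plus literal
# characters; est_seconds divides by a rate you measured with
# `john --test --format=<fmt>` (c/s per process). Assumes a Unix host with
# nproc (coreutils) and, for run_mask, john on PATH; the hash file is yours.
set -u

# Candidate count of each built-in placeholder class in john's mask mode.
class_size() {
    case "$1" in
        u|l) echo 26 ;;                       # A-Z / a-z
        d)   echo 10 ;;                       # 0-9
        s)   echo 33 ;;                       # printable ASCII punctuation
        a)   echo 95 ;;                       # all printable ASCII
        *)   echo "unknown placeholder ?$1" >&2; return 1 ;;
    esac
}

# Keyspace of a mask = product of class sizes; a literal character counts 1.
mask_keyspace() {
    mask="$1"
    total=1
    while [ -n "$mask" ]; do
        case "$mask" in
            \?*)
                ph=$(printf '%.1s' "${mask#?}")  # the class letter after '?'
                n=$(class_size "$ph") || return 1
                total=$((total * n))
                mask="${mask#??}" ;;
            *)  mask="${mask#?}" ;;              # literal character
        esac
    done
    echo "$total"
}

# Whole seconds to exhaust KEYSPACE at RATE candidates/s per process on PROCS
# processes (--fork=PROCS gives close to PROCS×, never more).
est_seconds() {
    echo $(( $1 / ($2 * $3) ))
}

# Launch with an explicit format, one process per core and a named session so
# `john --restore=masks` resumes every forked worker after an interrupt.
run_mask() {  # hashfile format mask
    procs=$(nproc)
    john --format="$2" --mask="$3" --fork="$procs" --session=masks "$1"
}

# Usage: sh mask-demo.sh run hashes.txt
if [ "${1:-}" = run ]; then
    mask='?u?l?l?d?d?d?s'
    ks=$(mask_keyspace "$mask")
    echo "keyspace for $mask: $ks candidates"
    echo "at 10M c/s/process on $(nproc) processes: ~$(est_seconds "$ks" 10000000 "$(nproc)") s"
    run_mask "${2:?hash file required}" NT "$mask"
fi
```

The mask from the bullet above comes to 580,008,000 candidates, which is seconds for NT on a few cores but hours or days for bcrypt at a few hundred c/s per process; that arithmetic is what decides whether a mask or a rule-based wordlist is the right first move.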

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • With --wordlist but no --rules, John tries each word verbatim and never sees the mangled variants (capitalised, digit or year appended) that make up a large share of real passwords. Add --rules at minimum.
  • Format auto-detection is ambiguous for raw hex: a 32-hex string is a valid Raw-MD5, NT, Raw-MD4 and LM hash. John prints a warning that the string is also recognised as other types and then picks one. Specify --format= explicitly.
  • john --show needs the same hashes.txt, the same --format= and the same --pot= as the cracking run; otherwise it reports nothing cracked even though the plaintexts are sitting in the pot file.
  • The Jumbo build takes 10-15 min on first compile. Pre-built packages often miss recent formats, so check john --list=formats before assuming a type is unsupported.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Hashcat — GPU accelerated, faster for common formats.
  • rar2john, office2john, ssh2john and friends: not alternatives but companions. John Jumbo bundles 50+ *2john extractors (ls run/*2john* in a source build lists them); hashcat can crack many of their outputs too, but the extraction usually starts here.

India context and engagement notes

When you grab a backup or document file (.zip / .pdf / .kdbx / .docx), John's *2john extractors are usually the only practical way to turn it into something crackable. Pair rockyou with custom rules for good coverage of passwords built on Indian corporate naming conventions.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (imprisonment up to 3 years, a fine up to ₹5 lakh, or both). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
