Ethical hackers and penetration testers often tries to break into a system, and one of the main techniques is to crack the password of the system.

Attackers always need wordlists for different purposes, if he/she gathers enough information about the target, such as birth dates, children name, pets name, etc. Then he/she can create a reliable custom wordlist of the target.

One of the widely used wordlist generators is Crunch. Crunch is a wordlist generator tool where you can specify a standard character set or a character set you specify, it can generate all possible combinations and permutations with your custom rules you set.

Below are the main features of Crunch which makes it the first choice of many penetration testers:

  • The output of crunch can be sent to the screen, or file, or to any other program.
  • If the generation is quite long, you can pause and resume in any time.
  • It can breakup output by number of lines, or file size (especially if your generation is huge).
  • Supports upper and lower case characters separately.
  • You can specify the minimum and maximum length of the password, as well as optional character set of your choice.

If you have already Crunch installed in your machine (using Kali or any other Linux distribution), then skip the next section and dive into Using Crunch section. Otherwise, just keep reading.

Installing Crunch

If you’re on Kali Linux, you shouldn’t follow this step, as it comes pre-installed. However If you’re on Debian-based Linux distribution, such as Ubuntu, Debian, or Linux Mint, type the following commands and you’re good to go:

$ sudo apt-get update
$ sudo apt-get install -y crunch

On Fedora, CentOS or Red Hat systems:

$ sudo yum install crunch

Using Crunch

The most common use case in crunch is to set minimum and maximum length. For instance, if you want the default character set and minimum length of 8 and maximum length of 12:

$ crunch 8 12

This will output:

Crunch will now generate the following amount of data: 1286229582978279680 bytes
1226644118288 MB
1197894646 GB
1169818 TB
1142 PB
Crunch will now generate the following number of lines: 99246106575066880
...

Of course, that’s a massive amount of combinations, and you want to cancel this right now using CTRL+C, otherwise it’ll start generating in the standard output (in your terminal).

In the second example, let’s specify our character set:

$ crunch 8 12 abcdef

This will generate all combinations that has minimum length of 8 and maximum length of 12 and only has the characters ‘a’, ‘b’, ‘c’, ‘d’, ‘e’, and ‘f’. Here is the output:

Crunch will now generate the following amount of data: 33432756480 bytes
31883 MB
31 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 2611802880
aaaaaaaa
aaaaaaab
aaaaaaac
aaaaaaad
aaaaaaae
aaaaaaaf
aaaaaaba
aaaaaabb
...

That’s about 31GB of data, you may want to cancel this as well.

As you can see, by default, crunch generates a wordlist of size number of characters to the power of maximum length, so the repeating characters will take into account as well. If you want to generate words that don’t have repeating characters, then you should use the -p option:

$ crunch 8 12 -p fun

If we specify the -p parameter, then the minimum and maximum length are ignored, this will generate all possible combinations of the word “fun” without repetition, the output:

Crunch will now generate approximately the following amount of data: 24 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 6
fnu
fun
nfu
nuf
ufn
unf

As you can see, only 6 words were generated, as "fun" has length of 3, the resulting number of lines should be 3! = 3 x 2 x 1 = 6.

Specifying Patterns

Crunch supports specifying patterns as well:

$ crunch 5 5 -t [email protected]@

This will generate words with length of 5 that starts with "fun" and permutes all lowercase characters (@), output:

Crunch will now generate the following amount of data: 4056 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 676
funaa
funab
funac
funad
funae
...

The special character '@' is for lowercase characters, you can also use ',' for uppercase characters, '%' for numbers and '^' for symbols.

Here is another example:

$ crunch 8 8 -t @@word%%

Words with length 8 and starts with two any lowercase characters, then the word "word" and then any two numbers, output:

Crunch will now generate the following amount of data: 608400 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 67600
aaword00
aaword01
aaword02
aaword03
aaword04
...

Now what if you don’t want to start from 'aa' ? Say you want to start from 'ha', how can you do that ? Well, the -s parameter comes into rescue:

$ crunch 8 8 -t @@word%% -s haword00

Output:

Crunch will now generate the following amount of data: 444600 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 49400
haword00
haword01
haword02
haword03
...

Specifying Output File

This is the most important, we do not want our wordlist to output to the screen. Instead, we want to write it to a file:

$ crunch 5 5 abcdef -o wordlist.txt

Output:

Crunch will now generate the following amount of data: 46656 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 7776

crunch: 100% completed generating output

Now let’s check our file using the cat command:

$ cat wordlist.txt

Output:

aaaaa
aaaab
aaaac
aaaad
aaaae
...

Now if the output is too huge and you want to make parts of your output file, you can easily do that along with -c parameter:

$ crunch 2 4 abcdef0123456789 -o START -c 5000

This will generate multiple output files where each file has 5000 words, let’s use ls command to see our newly generated files:

$ ls *.txt

Output:

0eda-1151.txt  25ea-3861.txt  5cfa-6f71.txt  730a-8681.txt  aa-ac21.txt    b0ba-c331.txt  d7ca-fa41.txt
1152-25d9.txt  3862-5ce9.txt  6f72-73f9.txt  8682-9999.txt  ac22-b0a9.txt  c332-d7b9.txt  fa42-0ec9.txt

Conclusion

Awesome, now you know the most common use cases of Crunch, I invite you to use the man command to see the complete manual of crunch utility:

$ man crunch

There are great examples there as well.

Learn also: How to Get your Public IP Address in Linux.

Happy generating!