Ethical hackers and penetration testers often tries to break into a system, and one of the main techniques is to crack the password of the system.
Attackers always need wordlists for different purposes, if he/she gathers enough information about the target, such as birth dates, children name, pets name, etc. Then he/she can create a reliable custom wordlist of the target.
One of the widely used wordlist generators is Crunch. Crunch is a wordlist generator tool where you can specify a standard character set or a character set you specify, it can generate all possible combinations and permutations with your custom rules you set.
Below are the main features of Crunch which makes it the first choice of many penetration testers:
- The output of crunch can be sent to the screen, or file, or to any other program.
- If the generation is quite long, you can pause and resume in any time.
- It can breakup output by number of lines, or file size (especially if your generation is huge).
- Supports upper and lower case characters separately.
- You can specify the minimum and maximum length of the password, as well as optional character set of your choice.
If you have already Crunch installed in your machine (using Kali or any other Linux distribution), then skip the next section and dive into Using Crunch section. Otherwise, just keep reading.
If you’re on Kali Linux, you shouldn’t follow this step, as it comes pre-installed. However If you’re on Debian-based Linux distribution, such as Ubuntu, Debian, or Linux Mint, type the following commands and you’re good to go:
$ sudo apt-get update $ sudo apt-get install -y crunch
On Fedora, CentOS or Red Hat systems:
$ sudo yum install crunch
The most common use case in crunch is to set minimum and maximum length. For instance, if you want the default character set and minimum length of 8 and maximum length of 12:
$ crunch 8 12
This will output:
Crunch will now generate the following amount of data: 1286229582978279680 bytes 1226644118288 MB 1197894646 GB 1169818 TB 1142 PB Crunch will now generate the following number of lines: 99246106575066880 ...
Of course, that’s a massive amount of combinations, and you want to cancel this right now using CTRL+C, otherwise it’ll start generating in the standard output (in your terminal).
In the second example, let’s specify our character set:
$ crunch 8 12 abcdef
This will generate all combinations that has minimum length of 8 and maximum length of 12 and only has the characters ‘a’, ‘b’, ‘c’, ‘d’, ‘e’, and ‘f’. Here is the output:
Crunch will now generate the following amount of data: 33432756480 bytes 31883 MB 31 GB 0 TB 0 PB Crunch will now generate the following number of lines: 2611802880 aaaaaaaa aaaaaaab aaaaaaac aaaaaaad aaaaaaae aaaaaaaf aaaaaaba aaaaaabb ...
That’s about 31GB of data, you may want to cancel this as well.
As you can see, by default, crunch generates a wordlist of size number of characters to the power of maximum length, so the repeating characters will take into account as well. If you want to generate words that don’t have repeating characters, then you should use the
$ crunch 8 12 -p fun
If we specify the
-p parameter, then the minimum and maximum length are ignored, this will generate all possible combinations of the word “fun” without repetition, the output:
Crunch will now generate approximately the following amount of data: 24 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 6 fnu fun nfu nuf ufn unf
As you can see, only 6 words were generated, as
"fun" has length of 3, the resulting number of lines should be 3! = 3 x 2 x 1 = 6.
Crunch supports specifying patterns as well:
$ crunch 5 5 -t [email protected]@
This will generate words with length of 5 that starts with
"fun" and permutes all lowercase characters (
Crunch will now generate the following amount of data: 4056 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 676 funaa funab funac funad funae ...
The special character
'@' is for lowercase characters, you can also use
',' for uppercase characters,
'%' for numbers and
'^' for symbols.
Here is another example:
$ crunch 8 8 -t @@word%%
Words with length 8 and starts with two any lowercase characters, then the word
"word" and then any two numbers, output:
Crunch will now generate the following amount of data: 608400 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 67600 aaword00 aaword01 aaword02 aaword03 aaword04 ...
Now what if you don’t want to start from
'aa' ? Say you want to start from
'ha', how can you do that ? Well, the
-s parameter comes into rescue:
$ crunch 8 8 -t @@word%% -s haword00
Crunch will now generate the following amount of data: 444600 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 49400 haword00 haword01 haword02 haword03 ...
Specifying Output File
This is the most important, we do not want our wordlist to output to the screen. Instead, we want to write it to a file:
$ crunch 5 5 abcdef -o wordlist.txt
Crunch will now generate the following amount of data: 46656 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 7776 crunch: 100% completed generating output
Now let’s check our file using the
$ cat wordlist.txt
aaaaa aaaab aaaac aaaad aaaae ...
Now if the output is too huge and you want to make parts of your output file, you can easily do that along with
$ crunch 2 4 abcdef0123456789 -o START -c 5000
This will generate multiple output files where each file has 5000 words, let’s use
ls command to see our newly generated files:
$ ls *.txt
0eda-1151.txt 25ea-3861.txt 5cfa-6f71.txt 730a-8681.txt aa-ac21.txt b0ba-c331.txt d7ca-fa41.txt 1152-25d9.txt 3862-5ce9.txt 6f72-73f9.txt 8682-9999.txt ac22-b0a9.txt c332-d7b9.txt fa42-0ec9.txt
Awesome, now you know the most common use cases of Crunch, I invite you to use the man command to see the complete manual of crunch utility:
$ man crunch
There are great examples there as well.
Learn also: How to Get your Public IP Address in Linux.