Sometimes life leaves us with no options. You’ve tried all the other methods of cracking open an encrypted file or gaining access to a WPA Wi-Fi network but nothing seems to work. But there’s one thing that will always work: Brute-Force attacks. There is a catch however, sometimes brute-forcing takes forever, which is a bit inconvenient. Nevertheless, it is important to learn how to do it and that is just what we’re going to do here.

This tutorial is going to introduce you to a nifty little tool called Crunch, a wordlist generator. Nearly all brute-force attacks require a wordlist and Crunch is simply the best way to make them. Crunch generates all possible combinations and permutations giving you a complete wordlist of the character set you specify. Let’s see how this works.

How Does Crunch Work?

Let’s consider a super simple example. We have a system that takes in a one digit password. Yes, that is pretty terrible but it’ll help us understand brute-forcing. We can instruct Crunch to create a wordlist which we can then use to brute-force this system. The output will be:

0
1
2
3
4
5
6
6
7
8
9

How about say a wordlist for 2 character password with lower case letters?

aa
ab
ac
ad
...
ba
bb
bc
...
zy
zz

The above list will contain 26×26=676 combinations and this was just 2 characters. You can see how this can get out of hand pretty quickly when we need long passwords with numbers, upper and lower case letters and symbols. Today, almost all kinds of brute-force attacks need wordlists that are upwards of billions of combinations. This is why brute-forcing sucks. But Crunch can make it a bit easier by taking care of the wordlist.

How To Use Crunch?

Since Crunch is one of the pre-installed packages in Kali, we don’t need to install it from the source. We can directly start using it.

Now let’s take a look at the basic syntax:

 crunch [minimum length] [maximum length] [charset / extra options]

For example:

crunch 1 5 abc123 –o wordlist.txt
  • First of all, we specify that we need to cover password length from 1 to 5.
  • The -o [filename] option allowsus to save the wordlist to a text file, in this case wordlist.txt.
  • abc123 are the characters that we want the wordlist to contain.

And this is what it looks like when you run it:

It shows you how much space the wordlist will take and how many lines it will have. The wordlist that the above command generates is pretty small. Here’s how it looks:

When we wish to specify some symbols in our character set, we need to seperate them with \. Crunch then ignores the \ and uses the symbols in between. Like this:

crunch 1 5 abc\!\*\( -o wordlist.txt

Before we move on to more complicated examples, let’s go over the most commonly used options first:

  • -b: The maximum size of the wordlist (along with -o START)
  • -c: Numbers of lines in the wordlist (along with -o START)
  • -d: Limit the number of duplicate characters
  • -f: Specify a list of character sets from the charset.lst file
  • -o: Output the wordlist to a file
  • -s: Specify a particular string to begin the words with
  • -p: Print permutations without repeating characters (cannot be used with -s)
  • -z: compress the output wordlist file, accompanied by -o

Crunch Example Commands

Now, crunch doesn’t only have to be used for dumb brute-force attacks. We can use it to generate smarter lists as well, like all passwords starting with 123 or all possible phone numbers with a particular area code. Now let’s take a look at a few such interesting commands:

crunch 4 5 -p abc

When we use the -p permutation switch, the minimum and maximum password length are ignored because only our character set dictates the number of permutations. Nevertheless they are still needed to satisfy the syntax. The above command will produce ` abc, acb, bac, bca, cab, cba`.

crunch 4 5 -p xeus hack .com

Another permutation example, this one specifies individual words instead of a character set. And the output:

crunch 2 6

You don’t always need to specify a character set, by default crunch will use lower case alphabets. The above command will display a wordlist that starts at aa and ends at zzzzzz.

Sometimes we want to split up the output into smaller files so that it’s easier to manage:

crunch 1 8 abcd1234 –b 15mb –o START

Here we’re telling crunch that we want to split up the output into files no more than 5MB each. This will output:

We can also use the -z option (if we want to output to a file along with -o) to compress the wordlist. Crunch supports gzip, bzip2, lzma, and 7z.

crunch 1 5 abc123 –o wordlist.txt -z gzip

The above command creates our wordlist and then compress it with the gzip algorithm.

We can also pipe the output of crunch into other programs.

aircrack-ng:

  crunch 2 6 abc123 | aircrack-ng /root/Mycapfile.cap -e MyESSID -w-

airolib-ng:

crunch 5 6 1234 --stdout | airolib-ng testdb -import passwd -

You can look up the manual for Crunch by typing man crunch This will give you the complete help documentation along with detailed descriptions of all the different options as well many more examples.



Want to be a real hacker? Sign Up!



go to top