Forum Thread: Help Needed with Crunch...

Hi there! I am somewhat new to crunch however not WPA2 cracking. I have never successfully cracked a WPA2 password and I can be sure this is due to my wordlists. And thus I need some help generating some..

Living in the UK, many people choose to use BT as their ISP's, and many do not change the default WPA2 password. I have logged into a few friends networks and have noticed similarities in the keys. They all are 10 characters long, and have at least 4 numbers with a maximum of 6 numbers and have the at least 4 lowercase letters with at max 6 lowercase letters (a-z). They also do not repeat consecutively. I have tried generating a wordlist with the command

crunch 10 10 -d 1 abcdefghijklmnopqrstuvwxyz -d 1 0123456789

Which I am sure will generate all the required passes, however they begin with 10 letters and will end with 10 numbers, which is just unnecessary and will slow down my crack. How can I adapt crunch so that it makes sure that there are at minimum 4 letters at maximum 6 letters and the same with numbers? I hope I have explained this all well enough, please ask if not :)

Join the Next Reality AR Community

Get the latest in AR — delivered straight to your inbox.

8 Responses

That's tough. I can't think of a way to pipe it, but I can think of a way to write up a crude script that would generate a (likely massive) word list file.

That was my thoughts too. However I'm not sure how I would go about that. I whipped one up in python before, however not sure how to limit it to 4-6 letters and numbers... I'll probably end up doing that!

The only way I could think to do it was by generating a line for each possible pattern (about 1100 possible, I think) and then i used sed commands to eliminate ones with more than 6 numbers or letters.

That leaves about 670 patterns/commands, and each pattern makes a 20 GB wordlist :(

So I think what you can do is create a .hcmask file for hashcat with the 670 patterns, and just run hashcat on the mask file -- it's the only way to do it without generating terabytes of word lists.

(I was obsessed with cracking this one WiFi password last year and spent soooooo many hours on it, so I feel your pain. )

Look at hashcat. In particular using masks. Plus it can be used to directly crack caps from airmon. Luckly sky broadband is just 8 letters all caps ;P


Ahh! Seems a little bit like a hack, but eh if it works awesome! And 8 letters all caps? Thats a really nice pattern :) Cheers!

What do you mean by it seems like a hack??? Wasn't that the purpose??? I mean hashcat was made to crack hashes, and I'm assuming that is why you needed the dictionary. I'm just thinking whether there is another tool. I mean with hashcat you won't need to make a dictionary, potentially saving space on your hard drive.


Aha I mean it didn't exactly seem like an elegant solution. A truly elegant solution would be one where it works efficiently, and works quickly. However you are right in the fact it was made for cracking hashes :P

Share Your Thoughts

  • Hot
  • Active