Hack Like a Pro: How to Crack Passwords, Part 4 (Creating a Custom Wordlist with Crunch)

How to Crack Passwords, Part 4 (Creating a Custom Wordlist with Crunch)

Welcome back, my apprentice hackers!

In this series on password cracking, I have been attempting to develop your skills in the age-old art of password cracking. Although it might seem like a simple and straightforward exercise, those of you who have attempted password cracking know that there are many subtleties to this art.

In many of our password cracking disciplines, we often need to use a wordlist that will essentially attempt thousands of potential passwords per second. This is often referred to as a dictionary attack, even though we need not rely solely on dictionary words. These wordlists may have any combination of characters and words in an attempt to crack a complex password offline.

Sometimes we may have indications of the target's choice password or password components which may come from our knowledge of the target, e.g. girlfriend, neighbor, friend, etc. It could be their name, children's names, a pet's name, birthday, or job. We may also know the organization's password policy (e.g. minimum 8 characters, uppercase and lowercase, etc.).

In these cases, we may be able to generate a custom wordlist that reflects our knowledge of the target or the organization's password policy.

Kali Linux has built into it a tool called "crunch" that enables us to create a custom password-cracking wordlist that we can use with such tools like Hashcat, Cain and Abel, John the Ripper, Aircrack-ng, and others. This custom wordlist might be able to save us hours or days in password cracking if we can craft it properly.

Let's get started with crunch and generate some custom wordlists to crack passwords in our favorite password cracking tool.

Step 1: Fire Up Kali & Open Crunch

Let's start by firing up Kali and opening crunch by going to Applications -> Kali Linux -> Password Attacks -> Offline Attacks -> crunch.

This will open the crunch screen like that below.

Unlike many other hacking applications, crunch doesn't provide us with much info in its opening screen. I believe that's because crunch, although relatively simple to work with initially, has so many sophisticated options that the developer has put much of the information in man pages.

Step 2: The Crunch Syntax

The basic syntax for crunch looks like this:

kali > crunch <min> max<max> <characterset> -t <pattern> -o <output filename>

Now, let's go over what's included in the syntax above.

  • min = The minimum password length.
  • max = The maximum password length.
  • characterset = The character set to be used in generating the passwords.
  • -t <pattern> = The specified pattern of the generated passwords. For instance, if you knew that the target's birthday was 0728 (July 28th) and you suspected they used their birthday in their password (people often do), you could generate a password list that ended with 0728 by giving crunch the pattern @@@@@@@0728. This word generate passwords up to 11 characters (7 variable and 4 fixed) long that all ended with 0728.
  • -o <outputfile> = This is the file you want your wordlist written to.

Step 3: The Crunch Manual

Let's go to the man pages for crunch by typing:

kali > man crunch

This should open the manual pages for crunch like that below. The developers of crunch have packed these pages with a lot of info on how to get the most out of crunch.

If we page down a bit in these man pages, we will come to this page (notice at the bottom, it says we are at line 70).

At the top we see the -f switch. This switch allows us to choose the character set we want to use to generate our wordlist. The syntax is:

-f /path/to/charset.lst <charactersetname>

Here we tell crunch where the charset.lst is with the full path and then select a particular character set from that list. In Kali, the charset.lst is at:


Step 4: Create Some Simple Wordlists

Let's start by generating some simple wordlists for password cracking. Let's assume that we know the company has passwords between 4 and 8 characters. We can generate all the possibilities in crunch by typing:

kali > crunch 4 8

Where the first number (4) is the shortest word length and the second (8) is the longest word length.

When we execute this statement, crunch estimates how large the file will be (1812 GB) and then begins to generate the list.

What if we knew that the target always used number passwords between 6 and 8 characters? We could generate a complete list of password possibilities meeting this criteria and send them to a file in the root user's directory called numericwordlist.lst by typing:

kali > crunch 6 8 1234567890 -o /root/numericwordlist.lst

If we knew that the target's birthday was July 28 and they likely used that date (people often use their birthdates in their passwords to make it easier to remember) at the end of a ten character password? We could generate all the possibilities of ten-character passwords that end with 0728 and send the output to a file in the root user's directory named birthdaywordlist.lst, by typing:

kali > crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst

The @ sign is use to represent a wildcard of all possibilities, while the literals "0728" represent the fixed values.

Step 5: Complex Wordlists with Crunch

One of the beauties of crunch is the ability to select a specific character set or create your own character set for generating your password list. If we know the likely character set the target is using for their password, we can select the character set to generate our password list. We can find the choice of character sets at:


Now, if we know that our target is using an eight character password with only alphabetic characters, we can generate a list of all the possibilities in crunch with the command:

kali > crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst

This will generate all the 8-character passwords using only the alphabetic characters (no numbers or special characters) and storing them in a file called alphawordlist.lst in the root user's directory.

When cracking passwords, there are multiple methods of cracking unknown passwords. These include dictionary, rainbow table, brute force and others. If we know that parameters of the password or know something about the target and their possible passwords (birthday, pet names, spouse, etc.), crunch can be a very useful tool for generating specific wordlists to be used in a dictionary-like attack.

That's it for this lesson; stay tuned to this series on password cracking for more guides in the near future.

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Cover image via Shutterstock


Hey OTW! im following very intrested your posts now quite a long time, really really nice work there!!!

i remember a day where i needed crunch essentially to create a specific wordlist, but i failed..... wildcards were my parameter but i thought they were not enough. maybe you can give me a hint in my case?

to be specific, i've got a string, eg WODKA and numbers x. i want now to teach crunch to add continuously numbers, left of it. then i want to add the numbers on the right side of the string. last but not least i want to merge them, no problem. i got now xxxxxWODKA and WODKAxxxxx merged in a list.

but how could i get something like

the string should slip from left to right with a fixed max length. how would you master this or did i got a brainfuck? :D


I don't know of any automated feature in crunch that would enable you to do this, but I would write a simple script to do it with 7 passes. Simply write a script with the seven commands for each selected output and have each one append its output to the previous file with the >> symbol.


very simple, true!! thx for the hint :)

I use crunch a lot, and this is a great intro. There's a lot that crunch can do. Even just to play around with.

But this (to me) is the definitive crunch guide:


I'm posting it because I'd initially forgot to bookmark it, and when I tried to find it again, it is IMPOSSIBLE to find in Google search results. I'm guessing he has something to prevent indexing.

One of my favorite things is that you can create a custom character set to use with the -t switch (which I couldn't figure out until that blog post pointed out how to do it).

There are a few similar tools out there (hashcat's maskprocessor utility -- which is supposed to be very fast, which might be important if you're piping to another program. But crunch seems plenty fast to me). And none of them have any special features that aren't already in crunch.

Hy, its can use for mobile termux?

So accidentally i run the command "crunch 4 8" and know i need to know where is the file it created and if it was even created.

Thanks, Dorin
Waiting for feedback

Is it usually that the only thing in my " /root/ " is my desktop?

i booted from a usb and because it doesnt suported the windows 8.1 stupid UEFI system i needed to change a lot of things and now its all a bit confussin but i dont know about its meant to be that way i have never tried kali before, butt i knew that when i entered the backtrack /root a lot of things came up.

I just want to know about its usually?

In Kali, it is usual.


I recommend you go through my "Linux for the Aspiring Hacker" series to become more familiar with Linux.

The issue you are having is confusion between the root directory / and the root users directory /root.



i read the 4 first parts of "Linux for the aspiring hacker" and understood it. so i just wanted to start with a easy password crack.

i wanted to use xhydra with a wordlist to hack a password.

i started to choose my http website and pinged it to get the ip adress, then i made my wordlist with crunch as you did in this tutorial and wrote my correct password into it to make sure it would succes.

(and this time i could safe it and find it cause of the knowlegde i got
from the first 4 parts of your tutorials otw)

but anyway i opened up xhydra
and pasted the ip i got and the port who was 80
choosed http-get
and choosed my wordlist (with the correct password in it)
and then pressed start.
but then the wierd thing happened it said password found:
username: admin312 password: a

but my real password was z86pa45mk7! how the fck can i tell me that i found the correct password when it isnt the right now? and please dont tell me I not is prepared for hacking yet.... thank you

OK. I won't tell you that you don't have enough background to begin hacking. I won't tell you that you need to walk before you run. I won't tell you not to use profanity on these pages if you want help. I won't tell you that 4 units of Linux is far from enough knowledge to use Kali (there are 21 units).. I won't tell you that if you not given me or anyone enough info to help you.

sorry for the profanity i wont do that again, how far do you suggest me to read in the benningers guide before trying it?

think about i also need to try somethings by myself, if i not should forget the half of what i have read, before i even is finnish reading the guides.

I think you should go through ALL of the Linux series and then go to the "Hacking for Newbies".

What I see in you is someone who doesn't want to invest the time into becoming a hacker, but wants everyone else to invest time in your becoming a hacker. You are looking to be spoon fed, rather than investing the time and trouble to learn.

Hello iam a newbie,

I really want to crack the handshake files but the wordlists generated will be alteast a 10 tb file which is impossible for my computer to handle, so if we can write a java program(or any language) can we check the word generated with the handshake file simultaneously and free the space so that a new word can be placed in its position and check with handshake file so on.

Any suggestions, please help.

you're making me sound like a bad person :(
it's not wrong to ask for help in my opinion, maybe you think so.

like my name tells, im pretty new to this, so it can time to time sound pretty dump what im asking about, or like your saying a guy who just want other people to "spoon fed me."

i simple just asking for help because i got this wierd problem, im sorry if i didnt got enough details for you to solve it, im new to this i dont know what i else should tell you, that would make it easier for you to solve it.

and dude i have used some time on it, i have search for in nearly every side for finding the answear with no luck...

There is nothing wrong with asking questions. My objection is that most of your answers are already on this site, but you are unwilling to look and study. Take for example your earlier question about the /root directory. If you had taken the time to study my Linux tutorials (which I have invested a lot of time developing) as I suggested, you would have you answer. There is no substitute to study and honing your problem solving skills.

alright i can see your point :/

how to make crunch generate the wordlists which include uncommon letters like G, Ü, Ö, S, Ç, I?

im living in turkey now and they have such a letter in their words. I think it will be good to make wordlist which include those letters but i wonder how to :D

Hello i use crunch and i make some wordlist for testing and email crack with hydra and it tell it was succesfull but password which i get is wrong,can someone give me explanation please

i find answer by myself only need little more reading

i want to create a wordlist of 9 characters in which first five characters "INDIA" always remain same but remaining charcters change to numbers. like india1234,india1235,india1236 .......................... ANy Help Please ?? What command should i use in crunch???

It looks like you want something like this :

crunch 9 9 0123456789 -t india%%%%

Just so you know that's 10000 combinations (from india0000 to india9999). in If you know it doesn't have a '0' in it then take it out of the command.

How about
crunch 9 9 -t india%%%%

saves you some typing :)

How to generate fixed wordlist for example ,first 3 word is numeric(any number) and middle 2 word is alphabetic (a to z) and last 3 word is numeric(any number 0 to 9)

Please help me

You are going to build a massive word list but you could start with a command like:
root@Kali:~# crunch 8 8 -t %%%@@%%%
It may not really be what you are looking for.

Any luck finding your answer??, I have exactly the same issue
Let me know if you happen to get an a satisfying answer.


Hi i need to create a numeric word list with crunch with only repeating characters. For example :

I only found how to prevent repeating but exactly that's what I want :)

Pretty much the command above your comment. Just change the middle 2 @'s to %
Should get you a nice PB size list. Then optimize the chaos down to what you want.

I may be wrong, maybe. I wish crunch would work right so I could bang these 26 digit master lists out. Don't have a ZB of free space though.

Hi guys i wanted to creat a worlist for cracking WAP2.

And the most restrict word list i can think is (crunch 10 10 1234567890QWERTYUIOPASDFGHJKLZXCVBNM -d 2 ) because here all PWs standart PWs have 10 numbers/charaters anyone knows more stuff to make a smaller wordlist because this is to big

Hi sir. I want to ask you how to create a wordlist with range 2 to 8 characters with alphabet, numbers and characters like - : ")%? I tryed it but the wordlist is massively big ( over 10 PB) ?

I was wondering if it`s possible to make a custom word list and for example get hydra to try all combinations.

For example I have the persons date of birth, pet name, hobby, favourite car etc... How can I get something like hydra to try all possible combinations with those words in the list? Or how do I create a list with all possible combinations of the known information of the persons account?

As hydra uses a username and password lists, you will need to generate that password list first and then use it with THC_Hydra.

thanks for the reply, but what i`m really trying to figure out is lets say I make my own list and it contains these words

cat, dog, 1981, 01,car, truck, john,smith,black,australia,yes,no etc...

How can I create a word list using all these words in every single combination possible? I mean I don`t want to sit down and manually do a list with every single combination of these words, is there an auto generate kind of program or command?

By the way, this is an excellent site very informative,love it :)

This is EXACTLY what I'm looking for. I know all possible bits of the password I would have made years ago, but not sure which order or options.

Did you ever find a way to do this?


Im trying to add 2 letters to my text list but i can't get it working.

like aa@@@@
@@@= data in text file

so that i can add 2 variables to my text file
something like:

crunch 1 1 -t @@ + '/textfile.txt'

is this possible?

Hope to hearing from you soon.

I created a crunch file of 10digit possibilities of unknown password with the pattern of 9%%%%%%%%% ;where my first digit will be 9 only. I done firing the command in the terminal like

crunch 10 10 1234567890 -t 9%%%%%%%%% -o /root/Desktop/file.txt
Its making a file of 10gb..

Now the question is i wanna make this file of 5gb with half of lines and further continue the half to the another file... how do i do this? Please help out..

Would it be possible to guess an email with this? I have an email (eg hello*1@gmail.com) but i dont know the stars so could i make it guess the 2 stars and create a wordlist of all the email combinations? And how?

Hey nice Website i really Like and thanks a lot..
I have a Question Please how can i make a wordlist that use combination with those words
hello,love,ninja,123,lol etc.... ?
I was wondering if it`s possible to make a custom word list and for example get hydra to try all combinations.

or how to make a wordlist who try all possible combinations with those words in the list? Or how do I create a list with all possible combinations of the known information of the persons account? .. in Mr robot serie eliot did the same thing in the first episode..

please help...

hi. so my question is: I want to create a wordlist, let's use for example, with the words Fish, dog, cat, 14, 04, 05. However, I don't want Crunch to mess with the letters orders of which word, but just like do something like this, (with characters between 6 and 15):


and not:

Is there a way to do that? sorry if it wasnt very clear, i don't know the right words to use in english. thank u!

Hey guys! So i created a custom wordlist with Crunch following the how to's on this page, specifically a numeric word list of numbers 0123456789 with 10 as minimum length and 10 as maximum. I then opened the wordlist file to make sure the combination of numbers "crunched" ; ) are there and I was able to find/verify that the password for the AP I'm testing the list on is there, but when i provide Aircrack-ng with the wordlist after about 3 hours aircrack says the passphrase is not in the wordlist and does not crack it.

I have attempted to crack my AP with the wordlist 3 times with the same results "passphrase not in dictionary" and it stops at 97.22% I have verified that the password/phrase is in the wordlist for sure. oh and the custom list already has the first 3 numbers provided for the AP passcode in order for aircrack-ng to find the password faster but that also did not seem to work. Any ideas?

I need a list with 13 digits, in the format @@@@@@@@@@%%%

but I want it to be 2 five letter words followed by 3 numbers
* so like ( night watch 677 )

Hi I m using parrot os and trying to crack a wps(wpa) network.i have a doubt that is crunch 8 8 0123456789 enough to crack the wifi or else I need to add alphabets to the wordlist

Hey i need to create a wordlist with numbers following a specific word like
and so forth and it will total to about 11k lines
is there any way for this to happen because i can not figure it out for the life of me. the last line should be like

Have you had any luck finding the answer? I want something similar to yours, an alphanumerical wordlist with a specific word and 4 numbers, a total of 8 characters, so it'll be like:


If you found out how that can be done on crunch or any other tool in Wifislax, please share.
Thank you

Hi Guys
I have a question about charakters of wordlist programm crunch.
If I combine a list with letters and numbers with crunch, for example:
Crunch 12 12 -d 1@
Crunch create a word list with approximatly 103 thousand there byte
does anyone know a command for crunch, that at the beginning not so many unnecessary same letters occur.
example: abababababa1, abababababa2, .......
the comand -d 1@ is very helpful.
How can I work even more efficiently.
Regards Sam

Hi guys

I was trying to generate a password list for the following type of passwords:


No symbols are included, but only mixalpha-numeric characters and the max - min length is always 12. When I tried using crunch, the result was around 4000PB if I remember correct, so it's impossible to crack the handshake? Or am I just being a noob?

Any suggestions?

Share Your Thoughts

  • Hot
  • Latest