Hack Like a Pro: How to Crack Passwords, Part 4 (Creating a Custom Wordlist with Crunch)

Welcome back, my apprentice hackers!

In this series on password cracking, I have been attempting to develop your skills in the age-old art of password cracking. Although it might seem like a simple and straightforward exercise, those of you who have attempted password cracking know that there are many subtleties to this art.

In many of our password cracking disciplines, we often need to use a wordlist that will essentially attempt thousands of potential passwords per second. This is often referred to as a dictionary attack, even though we need not rely solely on dictionary words. These wordlists may have any combination of characters and words in an attempt to crack a complex password offline.

Sometimes we may have indications of the target's choice of password or password components, which may come from our knowledge of the target (e.g. girlfriend, neighbor, friend, etc.). It could be their name, children's names, a pet's name, birthday, or job. We may also know the organization's password policy (e.g. minimum 8 characters, uppercase and lowercase, etc.).

In these cases, we may be able to generate a custom wordlist that reflects our knowledge of the target or the organization's password policy.

Kali Linux has a built-in tool called "crunch" that enables us to create a custom password-cracking wordlist that we can use with tools such as Hashcat, Cain and Abel, John the Ripper, Aircrack-ng, and others. This custom wordlist might save us hours or days of password cracking if we craft it properly.

Let's get started with crunch and generate some custom wordlists to crack passwords in our favorite password cracking tool.

Step 1: Fire Up Kali & Open Crunch

Let's start by firing up Kali and opening crunch by going to Applications -> Kali Linux -> Password Attacks -> Offline Attacks -> crunch.

This will open the crunch screen like that below.

Unlike many other hacking applications, crunch doesn't provide us with much info in its opening screen. I believe that's because crunch, although relatively simple to work with initially, has so many sophisticated options that the developer has put much of the information in man pages.

Step 2: The Crunch Syntax

The basic syntax for crunch looks like this:

kali > crunch <min> <max> <characterset> -t <pattern> -o <output filename>

Now, let's go over what's included in the syntax above.

  • min = The minimum password length.
  • max = The maximum password length.
  • characterset = The character set to be used in generating the passwords.
  • -t <pattern> = The specified pattern of the generated passwords. For instance, if you knew that the target's birthday was 0728 (July 28th) and you suspected they used their birthday in their password (people often do), you could generate a password list that ended with 0728 by giving crunch the pattern @@@@@@@0728. This would generate passwords up to 11 characters (7 variable and 4 fixed) long that all ended with 0728.
  • -o <outputfile> = This is the file you want your wordlist written to.

Step 3: The Crunch Manual

Let's go to the man pages for crunch by typing:

kali > man crunch

This should open the manual pages for crunch like that below. The developers of crunch have packed these pages with a lot of info on how to get the most out of crunch.

If we page down a bit in these man pages, we will come to this page (notice at the bottom, it says we are at line 70).

At the top we see the -f switch. This switch allows us to choose the character set we want to use to generate our wordlist. The syntax is:

-f /path/to/charset.lst <charactersetname>

Here we tell crunch where the charset.lst is with the full path and then select a particular character set from that list. In Kali, the charset.lst is at:

/usr/share/rainbowcrack/charset.lst

Step 4: Create Some Simple Wordlists

Let's start by generating some simple wordlists for password cracking. Let's assume that we know the company has passwords between 4 and 8 characters. We can generate all the possibilities in crunch by typing:

kali > crunch 4 8

Where the first number (4) is the shortest word length and the second (8) is the longest word length.

When we execute this statement, crunch estimates how large the file will be (1812 GB) and then begins to generate the list.

What if we knew that the target always used numeric passwords between 6 and 8 characters? We could generate a complete list of password possibilities meeting these criteria and send them to a file in the root user's directory called numericwordlist.lst by typing:

kali > crunch 6 8 1234567890 -o /root/numericwordlist.lst

What if we knew that the target's birthday was July 28 and that they likely used that date (people often use their birthdates in their passwords to make them easier to remember) at the end of a ten-character password? We could generate all the possibilities of ten-character passwords that end with 0728 and send the output to a file in the root user's directory named birthdaywordlist.lst by typing:

kali > crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst

The @ sign is used to represent a wildcard of all possibilities, while the literal "0728" represents the fixed value.

Step 5: Complex Wordlists with Crunch

One of the beauties of crunch is the ability to select a specific character set or create your own character set for generating your password list. If we know the likely character set the target is using for their password, we can select the character set to generate our password list. We can find the choice of character sets at:

/usr/share/rainbowcrack/charset.txt

Now, if we know that our target is using an eight character password with only alphabetic characters, we can generate a list of all the possibilities in crunch with the command:

kali > crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst

This will generate all the 8-character passwords using only the alphabetic characters (no numbers or special characters) and store them in a file called alphawordlist.lst in the root user's directory.

When cracking passwords, there are multiple methods of cracking unknown passwords. These include dictionary, rainbow table, brute force and others. If we know the parameters of the password or know something about the target and their possible passwords (birthday, pet names, spouse, etc.), crunch can be a very useful tool for generating specific wordlists to be used in a dictionary-like attack.

That's it for this lesson; stay tuned to this series on password cracking for more guides in the near future.

33 Comments

Hey OTW! I've been following your posts with great interest for quite a long time now, really really nice work there!!!

I remember a day when I needed crunch to create a specific wordlist, but I failed..... wildcards were my parameter but I thought they were not enough. Maybe you can give me a hint in my case?

To be specific, I've got a string, e.g. WODKA, and numbers x. I now want to teach crunch to continuously add numbers to the left of it. Then I want to add the numbers on the right side of the string. Last but not least I want to merge them, no problem. I now have xxxxxWODKA and WODKAxxxxx merged in a list.

But how could I get something like
WODKAxxxxxx
xWODKAxxxxx
xxWODKAxxxx
xxxWODKAxxx
xxxxWODKAxx
xxxxxWODKAx
xxxxxxWODKA

The string should slip from left to right with a fixed max length. How would you master this, or did I get a brainfuck? :D

Peter:

I don't know of any automated feature in crunch that would enable you to do this, but I would write a simple script to do it with 7 passes. Simply write a script with the seven commands for each selected output and have each one append its output to the previous file with the >> symbol.

OTW

very simple, true!! thx for the hint :)

I use crunch a lot, and this is a great intro. There's a lot that crunch can do. Even just to play around with.

But this (to me) is the definitive crunch guide:

http://adaywithtape.blogspot.com.au/2011/05/creating-wordlists-with-crunch-v30.html

I'm posting it because I'd initially forgotten to bookmark it, and when I tried to find it again, it is IMPOSSIBLE to find in Google search results. I'm guessing he has something to prevent indexing.

One of my favorite things is that you can create a custom character set to use with the -t switch (which I couldn't figure out until that blog post pointed out how to do it).

There are a few similar tools out there (hashcat's maskprocessor utility -- which is supposed to be very fast, which might be important if you're piping to another program. But crunch seems plenty fast to me). And none of them have any special features that aren't already in crunch.

So accidentally I ran the command "crunch 4 8" and now I need to know where the file it created is, and if it was even created.

Thanks, Dorin
Waiting for feedback

Is it usual that the only thing in my " /root/ " is my desktop?

I booted from a USB and because it didn't support the stupid Windows 8.1 UEFI system I needed to change a lot of things, and now it's all a bit confusing, but I don't know if it's meant to be that way. I have never tried Kali before, but I knew that when I entered the BackTrack /root a lot of things came up.

I just want to know if it's usual?

In Kali, it is usual.

Newbie;

I recommend you go through my "Linux for the Aspiring Hacker" series to become more familiar with Linux.

The issue you are having is confusion between the root directory / and the root user's directory /root.

OTW

otw

I read the first 4 parts of "Linux for the Aspiring Hacker" and understood them, so I just wanted to start with an easy password crack.

I wanted to use xhydra with a wordlist to hack a password.

I started by choosing my http website and pinged it to get the IP address, then I made my wordlist with crunch as you did in this tutorial and wrote my correct password into it to make sure it would succeed.

(And this time I could save it and find it because of the knowledge I got
from the first 4 parts of your tutorials, OTW.)

But anyway I opened up xhydra
and pasted the IP I got and the port, which was 80,
chose http-get
and chose my wordlist (with the correct password in it)
and then pressed start.
But then the weird thing happened, it said password found:
username: admin312 password: a

But my real password was z86pa45mk7! How the fck can it tell me that I found the correct password when it isn't the right one? And please don't tell me I am not prepared for hacking yet.... Thank you

OK. I won't tell you that you don't have enough background to begin hacking. I won't tell you that you need to walk before you run. I won't tell you not to use profanity on these pages if you want help. I won't tell you that 4 units of Linux is far from enough knowledge to use Kali (there are 21 units). I won't tell you that you have not given me or anyone enough info to help you.

Sorry for the profanity, I won't do that again. How far do you suggest I read in the beginner's guide before trying it?

Keep in mind I also need to try some things by myself, if I'm not to forget half of what I have read before I have even finished reading the guides.

I think you should go through ALL of the Linux series and then go to the "Hacking for Newbies".

What I see in you is someone who doesn't want to invest the time into becoming a hacker, but wants everyone else to invest time in your becoming a hacker. You are looking to be spoon fed, rather than investing the time and trouble to learn.

you're making me sound like a bad person :(
it's not wrong to ask for help in my opinion, maybe you think so.

Like my name says, I'm pretty new to this, so from time to time what I'm asking about can sound pretty dumb, or like you're saying, like a guy who just wants other people to "spoon feed" him.

I'm simply asking for help because I got this weird problem. I'm sorry if I didn't give enough details for you to solve it; I'm new to this and I don't know what else I should tell you that would make it easier for you to solve it.

And dude, I have spent some time on it, I have searched nearly every site to find the answer with no luck...

There is nothing wrong with asking questions. My objection is that most of your answers are already on this site, but you are unwilling to look and study. Take for example your earlier question about the /root directory. If you had taken the time to study my Linux tutorials (which I have invested a lot of time developing) as I suggested, you would have your answer. There is no substitute for study and honing your problem-solving skills.

alright i can see your point :/

How do I make crunch generate wordlists which include uncommon letters like G, Ü, Ö, S, Ç, I?

I'm living in Turkey now and they have such letters in their words. I think it would be good to make a wordlist which includes those letters, but I wonder how to :D

Hello, I use crunch and I made some wordlists for testing and an email crack with hydra, and it told me it was successful but the password which I got is wrong. Can someone give me an explanation please?

I found the answer by myself, I only needed a little more reading.

I want to create a wordlist of 9 characters in which the first five characters "INDIA" always remain the same but the remaining characters change to numbers, like india1234,india1235,india1236 .......................... Any help please?? What command should I use in crunch???

It looks like you want something like this :

crunch 9 9 0123456789 -t india%%%%

Just so you know, that's 10000 combinations (from india0000 to india9999). If you know it doesn't have a '0' in it then take it out of the command.

How about
crunch 9 9 -t india%%%%

saves you some typing :)

How to generate fixed wordlist for example ,first 3 word is numeric(any number) and middle 2 word is alphabetic (a to z) and last 3 word is numeric(any number 0 to 9)

Please help me

You are going to build a massive word list but you could start with a command like:
root@Kali:~# crunch 8 8 -t %%%@@%%%
It may not really be what you are looking for.

Hi i need to create a numeric word list with crunch with only repeating characters. For example :
10101010,20202020
11112222,77778888
12131415,

I only found how to prevent repeating but exactly that's what I want :)

Pretty much the command above your comment. Just change the middle 2 @'s to %
Should get you a nice PB size list. Then optimize the chaos down to what you want.

I may be wrong, maybe. I wish crunch would work right so I could bang these 26 digit master lists out. Don't have a ZB of free space though.

Hi guys, I wanted to create a wordlist for cracking WPA2.

And the most restricted wordlist I can think of is (crunch 10 10 1234567890QWERTYUIOPASDFGHJKLZXCVBNM -d 2 ) because here all the standard PWs have 10 numbers/characters. Does anyone know more stuff to make a smaller wordlist, because this is too big?

Hi sir. I want to ask you how to create a wordlist with a range of 2 to 8 characters with alphabet, numbers and characters like - : ")%? I tried it but the wordlist is massively big (over 10 PB)?

I was wondering if it's possible to make a custom word list and for example get hydra to try all combinations.

For example I have the person's date of birth, pet name, hobby, favourite car etc... How can I get something like hydra to try all possible combinations with those words in the list? Or how do I create a list with all possible combinations of the known information of the person's account?

As hydra uses a username and password lists, you will need to generate that password list first and then use it with THC_Hydra.

Thanks for the reply, but what I'm really trying to figure out is, let's say I make my own list and it contains these words

cat, dog, 1981, 01,car, truck, john,smith,black,australia,yes,no etc...

How can I create a word list using all these words in every single combination possible? I mean I don't want to sit down and manually do a list with every single combination of these words, is there an auto generate kind of program or command?

By the way, this is an excellent site very informative,love it :)

Hi,

I'm trying to add 2 letters to my text list but I can't get it working.

like aa@@@@
@@@= data in text file

so that i can add 2 variables to my text file
something like:

crunch 1 1 -t @@ + '/textfile.txt'

is this possible?

Hope to hear from you soon.

I created a crunch file of 10-digit possibilities for an unknown password with the pattern 9%%%%%%%%%, where my first digit will be 9 only. I ran the command in the terminal like

crunch 10 10 1234567890 -t 9%%%%%%%%% -o /root/Desktop/file.txt
It's making a file of 10 GB..

Now the question is, I want to make this file 5 GB with half of the lines and continue the other half in another file... How do I do this? Please help out..

Would it be possible to guess an email with this? I have an email (e.g. hello*1@gmail.com) but I don't know the stars, so could I make it guess the 2 stars and create a wordlist of all the email combinations? And how?
