Introduction
Crunch is a powerful and flexible command-line tool used for generating custom wordlists. These wordlists are essential in the field of cybersecurity, particularly for penetration testers and security professionals who perform password strength audits and brute-force attacks. Unlike static, pre-made wordlists, Crunch allows you to create highly specific lists based on known patterns, character sets, and length requirements, significantly increasing the efficiency of an attack.
In this lab, you will learn the fundamentals of Crunch. You will start by understanding its basic syntax, then move on to generating simple wordlists, using custom character sets, creating pattern-based lists, and finally, piping its output directly into other command-line tools.
Understand the Syntax of the Crunch Tool
In this step, you will learn the basic syntax of the crunch command and how to access its help menu. Understanding the fundamental structure of the command is the first step to mastering its capabilities.
The basic syntax for crunch is:
crunch <min-len> <max-len> [characterset] [options]
<min-len>: The minimum length of the words to be generated.<max-len>: The maximum length of the words to be generated.[characterset]: (Optional) The set of characters to use for generating words. If not specified,crunchdefaults to lowercase letters.[options]: (Optional) Various flags to control the output, such as saving to a file or using patterns.
To see all available options and get a comprehensive overview of the tool, you can use the --help flag. Let's view the help menu. All operations in this lab will be performed in the default ~/project directory.
Execute the following command in your terminal:
crunch --help
You will see a detailed output listing all the flags and their descriptions. Take a moment to look through them. This is a great reference for when you want to explore more advanced features.
crunch version 3.6
Crunch can create a wordlist based on criteria you specify. The output from
crunch can be sent to the screen, a file, or to another program.
Usage: crunch <min-len> <max-len> [options]
where min-len and max-len are numbers
... (output truncated) ...
Now that you are familiar with the basic syntax and how to find help, you are ready to generate your first wordlist.
Generate a Simple Wordlist of a Fixed Length
In this step, you will generate your first wordlist with a fixed length. This is one of the most common uses of crunch. When the minimum and maximum lengths are the same, crunch will generate all possible combinations for that specific length.
By default, crunch prints the wordlist to the standard output (your terminal screen). For large lists, this can be overwhelming and not very useful. A better practice is to save the output to a file using the -o option.
Let's generate all possible 3-character words using the default lowercase alphabet and save them to a file named 3char.txt.
Run the following command:
crunch 3 3 -o 3char.txt
This command tells crunch to generate words with a minimum length of 3 and a maximum length of 3, and to output the result to 3char.txt. You will see some statistics about the generated list in your terminal.
Crunch will now generate the following amount of data: 20280 bytes, 19 KB, 0 MB, 0 GB
Crunch will now generate the following number of lines: 17576
To verify that the file was created correctly, you can use the head command to view the first few lines of the file.
head -n 5 3char.txt
You should see the beginning of the alphabetical list.
aaa
aab
aac
aad
aae
You have successfully generated and saved your first wordlist.
Generate a Wordlist with a Specific Character Set
In this step, you will learn how to specify a custom character set for your wordlist. This is extremely useful when you have information about the possible characters in a password (e.g., it only contains numbers, or only specific letters).
To specify a character set, you simply add the string of characters you want to use at the end of the command, after the length arguments.
Let's generate a 4-digit PIN code list, using only the numbers 0, 1, 2, and 3. We will save this list to a file named 4digit.txt.
Execute this command:
crunch 4 4 0123 -o 4digit.txt
Here, 4 4 sets the length to exactly four characters, 0123 provides the custom character set, and -o 4digit.txt saves the output.
Let's inspect the beginning of the generated file to confirm the output.
head -n 5 4digit.txt
The output will show the first five combinations using only the specified digits.
0000
0001
0002
0003
0010
As you can see, crunch is now using only the characters you provided, giving you much more control over the generated wordlist.
Use the -t Flag to Generate Pattern-Based Words
In this step, you will use the -t flag to generate wordlists based on a specific pattern. This is one of Crunch's most powerful features, allowing you to create highly targeted wordlists if you know part of the password's structure.
The -t flag uses special placeholders to represent different character types:
@will be replaced by lowercase letters.,will be replaced by uppercase letters.%will be replaced by numbers.^will be replaced by symbols.
Let's imagine you know a password starts with the word "user", is followed by two numbers, and ends with a single uppercase letter. The pattern would be user%%,. The total length is 7 characters (4 for "user", 2 for %%, 1 for ,).
Let's generate a wordlist based on this pattern and save it to pattern.txt.
crunch 7 7 -t user%%, -o pattern.txt
This command tells crunch to generate words of exactly 7 characters, following the pattern user%%,.
Now, let's look at the first few lines of the output file.
head -n 5 pattern.txt
The output will match the pattern you defined.
user00A
user00B
user00C
user00D
user00E
This method dramatically reduces the size of the wordlist and the time required for a brute-force attack by focusing only on plausible password candidates.
Pipe Crunch Output Directly into Hashcat
In this step, you will learn a powerful technique: piping the output of crunch directly into another tool. This is highly efficient because it avoids writing a potentially massive wordlist to your disk, saving space and time. The words are generated and "piped" (sent) to the next program in real-time.
While crunch is often used with password cracking tools like Hashcat or John the Ripper, we will simulate this process using a simple grep command. grep is a tool for searching text, and it will serve to demonstrate the concept of piping.
Imagine we are trying to find the password labex23. We suspect the password starts with "labex" and is followed by two digits.
We can generate words matching this pattern and pipe them directly to grep to see if our target password is in the generated list. The pipe symbol | is used to connect the output of one command to the input of another.
Execute the following command:
crunch 7 7 -t labex%% | grep "labex23"
This command does two things:
crunch 7 7 -t labex%%generates all 7-character words starting with "labex" followed by two numbers (e.g.,labex00,labex01, ...).- The
|pipe sends each generated word to thegrep "labex23"command, which checks if the word matches "labex23".
If a match is found, grep will print it to the terminal.
labex23
You have successfully generated a wordlist on-the-fly and processed it with another tool, a core skill for efficient security testing.
Summary
Congratulations on completing this lab! You have acquired fundamental skills in using crunch, a versatile tool for generating custom wordlists.
In this lab, you learned how to:
- Understand the basic syntax of the
crunchcommand. - Generate simple wordlists of a fixed length and save them to a file.
- Specify a custom character set to create more targeted wordlists.
- Use the
-tflag to generate words based on a known pattern. - Pipe the output of
crunchdirectly into other command-line tools likegrepto perform real-time processing without saving to a file.
These skills are foundational for many tasks in cybersecurity, especially in password auditing and penetration testing. By creating tailored wordlists, you can significantly improve the efficiency and success rate of your security assessments.
