Kali Linux has inbuit tool called “crunch” that empowers us to make a custom paasword cracking wordlist that we can use with such tools like Hashcat, Cain and Abel, John the Ripper, Aircrack-ng, and others. This custom wordlist might be able to save us hours or days in password cracking if we can craft it properly.
Let’s get started with crunch and generate some custom wordlists to crack passwords in your favorite password cracking tool.
- First of all open Terminal and type ‘ crunch ‘ . This will open the crunch screen like that below.
- The basic syntax for crunch looks like this:
kali > crunch <min> max<max> <characterset> -t <pattern> -o <output filename>
Now, let’s go over what’s included in the syntax above.
- min = The minimum password length.
- max = The maximum password length.
- characterset = The character set to be used in generating the passwords.
- -t <pattern> = The specified pattern of the generated passwords. For instance, if you knew that the target’s birthday was 0728 (July 28th) and you suspected they used their birthday in their password (people often do), you could generate a password list that ended with 0728 by giving crunch the pattern @@@@@@@0728. This word generate passwords up to 11 characters (7 variable and 4 fixed) long that all ended with 0728.
- -o <outputfile> = This is the file you want your wordlist written to.
- Let’s go to the man pages for crunch by typing:
This should open the manual pages for crunch like that below. The developers of crunch have packed these pages with a lot of info on how to get the most out of crunch.
If we page down a bit in these man pages, we will come to this page (notice at the bottom, it says we are at line 70).
At the top we see the -f switch. This switch allows us to choose the character set we want to use to generate our wordlist. The syntax is:
-f /path/to/charset.lst <charactersetname>
Here we tell crunch where the charset.lst is with the full path and then select a particular character set from that list. In Kali, the charset.lst is at:
- Let’s start by generating some simple wordlists for password cracking. Let’s assume that we know the company has passwords between 4 and 8 characters. We can generate all the possibilities in crunch by typing:kali > crunch 4 8
Where the first number (4) is the shortest word length and the second (8) is the longest word length.
When we execute this statement, crunch estimates how large the file will be (1812 GB) and then begins to generate the list.
What if we knew that the target always used number passwords between 6 and 8 characters? We could generate a complete list of password possibilities meeting this criteria and send them to a file in the root user’s directory called numericwordlist.lst by typing:
kali > crunch 6 8 1234567890 -o /root/numericwordlist.lst
If we knew that the target’s birthday was July 28 and they likely used that date (people often use their birthdates in their passwords to make it easier to remember) at the end of a ten character password? We could generate all the possibilities of ten-character passwords that end with 0728 and send the output to a file in the root user’s directory named birthdaywordlist.lst, by typing:
kali > crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst
The @ sign is use to represent a wildcard of all possibilities, while the literals “0728” represent the fixed values.
- One of the beauties of crunch is the ability to select a specific character set or create your own character set for generating your password list. If we know the likely character set the target is using for their password, we can select the character set to generate our password list. We can find the choice of character sets at:/usr/share/rainbowcrack/charset.txt
Now, if we know that our target is using an eight character password with only alphabetic characters, we can generate a list of all the possibilities in crunch with the command:
kali > crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
This will generate all the 8-character passwords using only the alphabetic characters (no numbers or special characters) and storing them in a file called alphawordlist.lst in the root user’s directory.
When cracking passwords, there are multiple methods of cracking unknown passwords. These include dictionary, rainbow table, brute force and others. If we know that parameters of the password or know something about the target and their possible passwords (birthday, pet names, spouse, etc.), crunch can be a very useful tool for generating specific wordlists to be used in a dictionary-like attack.