A Detailed Guide on Crunch Tool

Introduction

Certainly! Here’s an enhanced version including “A Detailed Guide on Crunch Tool”:

“In many cases, attackers must create a wordlist that meets certain criteria for pentest scenarios such as password spraying and brute-forcing. Other times it could be a trivial situation like directory enumeration. Crunch, a tool developed in C by bofh28, creates custom, highly modifiable wordlists that can help attackers in the scenarios mentioned above. It takes in min size, max size, and alphanumeric character sets as input and generates any possible combination of words with or without meaning and writes it out in a text file. In this article, we’ll demonstrate Crunch filters in detail. Discover A Detailed Guide on Crunch Tool for mastering this powerful utility in penetration testing.”

Installation and first run

Crunch comes pre-installed on Kali Linux, but you can also install it on other systems using the apt package manager with

apt install crunch

Once installed, you can run Crunch Tool to generate a wordlist. By entering the minimum and maximum word size and the output file, Crunch automatically uses lowercase alphabets as the character set. For example, it generates words with 1 to 3 lowercase characters.
and stored in file dict.txt

crunch 1 3 -o dict.txt
Install Crunch

Defined Alphanumeric Characters


A user can define the specific characters to use when generating a wordlist. Using the characters ‘p, a, s, s, 1, 2, and 3’ as input, this process generates words that vary in length from 5 to 7 characters. Hence the dictionary starts with “ppppp, ppppa ….” And ends with “3333333” and contains combinations like pass213, pass1 etc.

crunch 5 7 pass123 -o dict.txt
Defined Alphanumeric Characters in Crunch Tool

Space character wordlist

One neat trick is to include space in the wordlist. Often times we need spaces in scenarios for passwords and many generic wordlists or tools don’t have this feature. Crunch permits the inclusion of space as a character by placing it after the specified character set. For 1 to 3 characters per word including space we can do this:

crunch 1 3 "vivek" -o space.txt
Space character wordlist in Crunch Tool

View character sets available

In the /usr/share/crunch directory, one may find a list file (charset.lst) mentioning all the different character sets supported by crunch. This is highly useful as a ready reference. One may manually specify character sets or can even use the codenames written on the left. It is quite simple to understand though. Here is a description of each charset:

View character sets available in Crunch Tool

To view the charset file:

cat /usr/share/crunch/charset.lst
To view the charset file

Using codename character sets

These codenames are applicable for creating dictionary files. For example, to create a wordlist of 4 characters per word using a mixture of alphabets, numeric and special characters, one can specify the charset.lst file using the “-f” option and then specify code word “mixalpha-numeric-all”

crunch 4 4 -f charset.lst mixalpha-numeric-all -o wordlist.txt
Using codename character sets

Startblock in wordlists

A startblock can be defined using the “-s” filter. By using this, we can define from where a wordlist should start generating. This is helpful in discarding unwanted combinations. For example, to start a wordlist from abc1, and having 4 characters per word including alphanumeric and special characters can be created like below. This way, the dictionary starts with “abc1, abc2,..abd1, abd2…” and ends at “////”

crunch 4 4 -f charset.lst mixalpha-numeric-all -o wordlist.txt -s 
abc1
Startblock in wordlists

Creating Dictionary with various patterns

Please note that the following symbols when defined as input in character sets mean
the following:

@ will insert lower case characters

, will insert upper case characters

% will insert numbers

^ will insert symbols

Now, if a user wants to create a word with 3 characters with first character lowercase, number as second character and symbol as third, he can specify this:

crunch -t @%^ -o dict.txt

With “-t” as the flag to provide the symbols. If you aren’t going to use a particular character set you use a plus sign as a placeholder.

+operator positioning: The + operator can be used where no specific character sets are used and any value can be replaced for the same. But this is in the following order:

Lowercase alphabets, uppercase alphabets, numbers, symbols

For example,

crunch 3 3 + + 123 +

This would take in the following input:
Lowercase: abcdefghijklmnopqrstuvwxyz
Uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Numbers: 123
Symbols: !@#$%^&*()-_+=~`[]{}|\:;”‘<>,.?/

Case 1: Fixed word + 3 numbers

Lets say if we want to fix first 3 letters as “vivek” and insert random combinations of digits at the last 3 places in a 6 character per word wordlist, it can be done by specifying the pattern without the use of commas like above in “-t” filter.

crunch 8 8 -t vivek%%% -o num.txt
Fixed word + 3 numbers

Case 2: Fixed word + 3 uppercase alphabets

Let’s say if we want to fix first 3 letters as “vivek” and insert random combinations of uppercase alphabets at the last 3 places in a 6 character per word wordlist, it can be done by

crunch 8 8 -t vivek,,, -o upper.txt
Fixed word + 3 uppercase alphabets

Case 3: Fixed word + 3 lowercase alphabets

Let’s say if we want to fix first 3 letters as “vivek” and insert random combinations of smallcase alphabets at the last 3 places in a 6 character per word wordlist, it can be done by

crunch 8 8 -t vivek@@@ -o lower.txt
Fixed word + 3 lowercase alphabets

Case 4: Fixed word + 3 symbols

Let’s say if we want to fix first 3 letters as “vivek” and insert random combinations of special characters at the last 3 places in a 6 character per word wordlist, it can be done by

crunch 8 8 -t vivek^^^ -o symbol.txt
Fixed word + 3 symbols

Case 5: Placeholder fixed pattern

Let’s say in place of the lowercase placeholder we input abc12 and with “-t” we supply in @ then the pattern shall also contain 1 and 2 even though we just gave “@” indicator. See the following example:

crunch 5 5 abc12 -t @@@@@ -o dict.txt
Placeholder fixed pattern

Case 6: Lowercase alphabet (a,b or c) + number (1,2 or 3) + symbol (ANY)

Now, a user can also provide a character set from which a pattern is to be created. In the following example, abc and 123 have been used. A ‘+’ operator is also used indicating that the pattern indicator for which the character set is not supplied shall be treated as ‘ANY’ value. So, if a user wants to create a dictionary with the first character lowercase, the second character as a number, and a symbol as the third character but only ‘a, b, or c’ as characters, ‘1, 2, or 3’ as numbers, and any random symbol in the last position respectively, he can do the following: Discover A Detailed Guide on Crunch Tool to explore more examples and understand the pattern creation functionality in depth.

crunch 3 3 abc + 123 -t @%^ -o pattern.txt
Lowercase alphabet (a,b or c) + number (1,2 or 3) + symbol (ANY)

Case 7: Two number (1,2 or 3) + lowercase alphabet (ANY) + symbol (ANY)

Similarly, to create a 4 character per word pattern of 2 digits (containing only 1,2, or 3)+lowercase alpha+symbol we can do this:

crunch 4 4 + + 123 + -t %%@^ -O pattern2.txt
Two number (1,2 or 3) + lowercase alphabet (ANY) + symbol (ANY)

Case 8: Treating symbols as literals

When “-l” is used in accordance with the “-t” filter, it tells crunch which symbols should be treated as literals. For example, we know that @ is used to denote a lowercase letter. So, if we want to generate a 7 character per word wordlist using the word “p@ss” fixed, it will consider @ as a pattern indicator of a lowercase alphabets. Thereafter, -l filter can be used to define which character is to be treated as literal and not converted as pattern. This can be done like:

crunch 7 7 -t p@ss,%^ > dict.txt
crunch 7 7 -t p@ss,%^ -l a@aaaaa > 1.txt
Treating symbols as literals in Crunch Tool

Inverting Wordlist

A generated wordlist fixes, by default, first characters and creates combinations on the
last character. For example, a wordlist containing “a,b and c” has

aaa
aab
aac
aba
abb
abc
aca

To invert this, use the ‘-i’ option. Crunch would fix the last letter first and make combinations out of first letters. For example, a dictionary of 5 characters per word having 3 alphabets,2digits and inverted looks like following:

crunch 5 5 abc12 -t @@@%% -o dict.txt
crunch 5 5 abc12 -t @@@%% -i -o invert.txt
Inverting Wordlist in Crunch Tool

Limit duplicate patterns

A user can place a limit on the number of characters that can occur together. For example, to create a wordlist of 5 characters per word using 3 lowercase alphabets, 1 number, and 1 symbol can be done like the first command. But if a user wants to limit the occurrence of duplicate characters together to only 2 places, he can use the ‘-d’ operator. Note how in the first command 3 ‘a’s occurred, but in the second command duplicates are limited to only 2, and so only 2 ‘a’s have occurred. Discover A Detailed Guide on Crunch Tool to understand these functionalities and more in detail.

crunch 5 5 abc + 123 -t @@@%^ -o 1.txt
crunch 5 5 abc + 123 -t @@@%^ -o 2.txt -d 2@

Putting early stops on wordlists

As per user requirements, there may also be a possibility when a user wants to cut short a list to certain combination. For example, if a user wants to create 3 characters per word wordlist using “a,b and c” as characters but wants to cut it as soon as wordlist generates combination ”acc” it can be done like so:

crunch 3 3 abc -o 1.txt
crunch 3 3 abc -e acc -o 2.txt
Putting early stops on wordlists in Crunch Tool

Word permutations

In mathematics, permutations stand for non-repeating combinations of certain events. So, to generate non-repeating wordlists by permutations we can use the “-p” filter. Here, we supply 3 words as input none of which shall repeat even if the maximum size of the wordlist is 6.

crunch 3 6 -p vivek gautam ns3edu
Word permutations in Crunch Tool

Wordlist Permutations

Just like words can be permuted, wordlists can be permuted. Using the “-q” option, crunch tool can take input from a wordlist and do permutations on what is read in the file. For example, if the file list is:
A
B
C
Then, crunch -q list.txt would output:
ABC
ACB
BAC
BCA
CAB
CBA
Similarly, we can do permutations on 3 char per word wordlist like so:

crunch 3 3 abc -e acc -o 2.txt
crunch 3 3 abc -q 2.txt -o 3.txt
Wordlist Permutations in Crunch Tool

Splitting wordlist based on word count

Apply the ‘-c’ option to shorten a wordlist. A file with 94 words is created. Next, split it into multiple files, each with a maximum of 60 words, like this. Note, that this only works with “-o START” which will autoname the files in the format: Starting character – Ending character.txt Here, start and ending are a,7 and for next file, 8 and /(space)

crunch 1 1 -f charset.lst mixalpha-numeric-all-space -o file.txt
crunch 1 1 -f charset.lst mixalpha-numeric-all-space -o START -c 60
Splitting wordlist based on word count in Crunch Tool

Splitting wordlist based on size

To cut short a file based on the size, we can use “-b” filter. For example, to split a wordlist into multiple files each of a maximum 1 MB we can do:

crunch 4 7 Pass123 -b 1mb -o START

Remember, -o START is compulsory as it will automatically split the file in the format:

Starting character – Ending character.txt

Splitting wordlist based on size in Crunch Tool

Compressing wordlist

Oftentimes, wordlists are too large in size while in text format and gzip can be used to compress them to over 60-70%. For example, to compress a file of max 7 mixalphanumeric charset and autoname using START we can do this:

crunch 4 7 Pass123 -z gzip -o START
gunzip PPPP-3333333.txt.gz
Compressing wordlist in Crunch Tool

Conclusion

The article is meant to be considered as a ready reference for quick and dirty wordlist generation using Crunch, A Detailed Guide on Crunch Tool. Crunch is a powerful and very fast tool written in C which is available by default in Kali Linux and is allowed to be used in competitive security certification exams. Hope you liked the article and thanks for reading it.

Leave a Reply

Your email address will not be published. Required fields are marked *