- by x32x01 ||
Often times attackers have the need to generate a wordlist based on certain criteria which are required for pentest scenarios like password spraying/brute-forcing. Other times it could be a trivial situation like directory enumeration. Crunch is a tool developed in C by bofh28 that can create custom, highly modifiable wordlists that may aid an attacker in the situations mentioned above. It takes in min size, max size and alphanumeric character sets as input and generates any possible combination of words with or without meaning and writes it out in a text file. In this article, we’ll demonstrate crunch filters in detail.
Table of Content
Crunch is installed by default on Kali Linux but can be installed using apt package manager using
After it is installed, we can run crunch to generate a wordlist. When we input the min and max size of the word to be generated and just the output file, it automatically takes in small case alphabets as character sets and generates words.
For example, here 1 character to 3 characters per word is being generated in smallcase and stored in file dict.txt
To view the charset file:
@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols
Now, if a user wants to create a word with 3 characters with first character lowercase, number as second character and symbol as third, he can specify this:
With “-t” as the flag to provide the symbols. If you aren’t going to use a particular character set you use a plus sign as a placeholder.
+ operator positioning: The + operator can be used where no specific character sets are used and any value can be replaced for the same. But this is in the following order:
Lowercase alphabets, uppercase alphabets, numbers, symbols
For example,
This would take in the following input:
Lowercase: abcdefghijklmnopqrstuvwxyz
Uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Numbers: 123
Symbols: !@#$%^&*()-_+=~`[]{}|\:;”‘<>,.?/
Case 1: Fixed word + 3 numbers
Lets say if we want to fix first 3 letters as “raj” and insert random combinations of digits at the last 3 places in a 6 character per word wordlist, it can be done by specifying the pattern without the use of commas like above in “-t” filter.
Case 2: Fixed word + 3 uppercase alphabets
Let’s say if we want to fix first 3 letters as “raj” and insert random combinations of uppercase alphabets at the last 3 places in a 6 character per word wordlist, it can be done by
Case 3: Fixed word + 3 lowercase alphabets
Let’s say if we want to fix first 3 letters as “raj” and insert random combinations of smallcase alphabets at the last 3 places in a 6 character per word wordlist, it can be done by
Case 4: Fixed word + 3 symbols
Let’s say if we want to fix first 3 letters as “raj” and insert random combinations of special characters at the last 3 places in a 6 character per word wordlist, it can be done by
Case 5: Placeholder fixed pattern
Let’s say in place of the lowercase placeholder we input abc12 and with “-t” we supply in @ then the pattern shall also contain 1 and 2 even though we just gave “@” indicator. See the following example:
Case 6: Lowercase alphabet (a,b or c) + number (1,2 or 3) + symbol (ANY)
Now, a user can also provide character set from which a pattern is to be created. In the following example, abc and 123 have been used. A “+” operator is also used indicating that the pattern indicator for which charset is not supplied, shall be treated as “ANY” value.
So, if a user wants to create a dictionary with first character lowercase, number as second character and symbol as third but only “a,b or c” as characters, “1,2 or 3” as numbers and any random symbol on last position respectively, he can do the following:
Case 7: Two number (1,2 or 3) + lowercase alphabet (ANY) + symbol (ANY)
Similarly, to create a 4 character per word pattern of 2 digits (containing only 1,2, or 3)+lowercase alpha+symbol we can do this:
Case 8: Treating symbols as literals
When “-l” is used in accordance with the “-t” filter, it tells crunch which symbols should be treated as literals. For example, we know that @ is used to denote a lowercase letter. So, if we want to generate a 7 character per word wordlist using the word “p@ss” fixed, it will consider @ as a pattern indicator of a lowercase alphabets. Thereafter, -l filter can be used to define which character is to be treated as literal and not converted as pattern. This can be done like:
aaa
aab
aac
aba
abb
abc
aca
…
But this can be inverted using the “-i” option. Crunch would fix the last letter first and make combinations out of first letters. For example, a dictionary of 5 characters per word having 3 alphabets,2digits and inverted looks like following:
A
B
C
Then, crunch -q list.txt would output:
ABC
ACB
BAC
BCA
CAB
CBA
Similarly, we can do permutations on 3 char per word wordlist like so:
Starting character – Ending character.txt
Here, start and ending are a,7 and for next file, 8 and /(space)
Remember, -o START is compulsory as it will automatically split the file in the format:
Starting character – Ending character.txt
Conclusion
The post is meant to be considered as a ready reference for quick and dirty wordlist generation using crunch. Crunch is a powerful and very fast tool written in C which is available by default in Kali Linux and is allowed to be used in competitive security certification exams. Hope you liked the post and thanks for reading it.
Table of Content
- Installation and first run
- Different character sets
- Default alphanumeric wordlist
- Defined alphanumeric wordlist
- Space character wordlist
- View character sets available
- Using codename character sets
- Startblock in wordlists
- Creating patterns
- Case 1: Fixed word + 3 numbers
- Case 2: Fixed word + 3 uppercase alphabets
- Case 3: Fixed word + 3 lowercase alphabets
- Case 4: Fixed word + 3 symbols
- Case 5: Placeholder fixed pattern
- Case 6: Lowercase alphabet (a,b or c) + number (1,2 or 3) + symbol (ANY)
- Case 7: Two number (1,2 or 3) + lowercase alphabet (ANY) + symbol (ANY)
- Case 8: Treating symbols as literals
- Inverting wordlist
- Limit duplicate patterns
- Putting early stop on wordlists
- Word permutations
- Splitting wordlist based on word count
- Splitting wordlist based on size
- Compressing wordlist
- Conclusion
Crunch is installed by default on Kali Linux but can be installed using apt package manager using
After it is installed, we can run crunch to generate a wordlist. When we input the min and max size of the word to be generated and just the output file, it automatically takes in small case alphabets as character sets and generates words.
For example, here 1 character to 3 characters per word is being generated in smallcase and stored in file dict.txt
Defined Alphanumeric Characters
A user can also define the selected characters to be used while generating a wordlist. Here, min size 5 and max size 7 characters per words is being generated while using the characters “p, a, s, s, 1, 2, and 3” as input. Hence the dictionary starts with “ppppp, ppppa ….” And ends with “3333333” and contains combinations like pass213, pass1 etc.Space character wordlist
One neat trick is to include space in the wordlist. Often times we need spaces in scenarios for passwords and many generic wordlists or tools don’t have this feature. In crunch, we can define space as a character by putting space after the characterset to be used. For 1 to 3 characters per word including space we can do this:View character sets available
In the /usr/share/crunch directory, one may find a list file (charset.lst) mentioning all the different character sets supported by crunch. This is highly useful as a ready reference. One may manually specify character sets or can even use the codenames written on the left. It is quite simple to understand though. Description of each charset is given below:Using codename character sets
These codenames can be used while creating dictionary files. For example, to create a wordlist of 4 characters per word using a mixture of alphabets, numeric and special characters, one can specify the charset.lst file using the “-f” option and then specify code word “mixalpha-numeric-all”Startblock in wordlists
A startblock can be defined using the “-s” filter. By using this, we can define from where a wordlist should start generating. This is helpful in discarding unwanted combinations. For example, to start a wordlist from abc1, and having 4 characters per word including alphanumeric and special characters can be created like below. This way, the dictionary starts with “abc1, abc2,..abd1, abd2…” and ends at “////”Creating Dictionary with various patterns
Please note that the following symbols when defined as input in character sets mean the following:@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols
Now, if a user wants to create a word with 3 characters with first character lowercase, number as second character and symbol as third, he can specify this:
With “-t” as the flag to provide the symbols. If you aren’t going to use a particular character set you use a plus sign as a placeholder.
+ operator positioning: The + operator can be used where no specific character sets are used and any value can be replaced for the same. But this is in the following order:
Lowercase alphabets, uppercase alphabets, numbers, symbols
For example,
This would take in the following input:
Lowercase: abcdefghijklmnopqrstuvwxyz
Uppercase: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Numbers: 123
Symbols: !@#$%^&*()-_+=~`[]{}|\:;”‘<>,.?/
Case 1: Fixed word + 3 numbers
Lets say if we want to fix first 3 letters as “raj” and insert random combinations of digits at the last 3 places in a 6 character per word wordlist, it can be done by specifying the pattern without the use of commas like above in “-t” filter.
Case 2: Fixed word + 3 uppercase alphabets
Let’s say if we want to fix first 3 letters as “raj” and insert random combinations of uppercase alphabets at the last 3 places in a 6 character per word wordlist, it can be done by
Case 3: Fixed word + 3 lowercase alphabets
Let’s say if we want to fix first 3 letters as “raj” and insert random combinations of smallcase alphabets at the last 3 places in a 6 character per word wordlist, it can be done by
Case 4: Fixed word + 3 symbols
Let’s say if we want to fix first 3 letters as “raj” and insert random combinations of special characters at the last 3 places in a 6 character per word wordlist, it can be done by
Case 5: Placeholder fixed pattern
Let’s say in place of the lowercase placeholder we input abc12 and with “-t” we supply in @ then the pattern shall also contain 1 and 2 even though we just gave “@” indicator. See the following example:
Case 6: Lowercase alphabet (a,b or c) + number (1,2 or 3) + symbol (ANY)
Now, a user can also provide character set from which a pattern is to be created. In the following example, abc and 123 have been used. A “+” operator is also used indicating that the pattern indicator for which charset is not supplied, shall be treated as “ANY” value.
So, if a user wants to create a dictionary with first character lowercase, number as second character and symbol as third but only “a,b or c” as characters, “1,2 or 3” as numbers and any random symbol on last position respectively, he can do the following:
Case 7: Two number (1,2 or 3) + lowercase alphabet (ANY) + symbol (ANY)
Similarly, to create a 4 character per word pattern of 2 digits (containing only 1,2, or 3)+lowercase alpha+symbol we can do this:
Case 8: Treating symbols as literals
When “-l” is used in accordance with the “-t” filter, it tells crunch which symbols should be treated as literals. For example, we know that @ is used to denote a lowercase letter. So, if we want to generate a 7 character per word wordlist using the word “p@ss” fixed, it will consider @ as a pattern indicator of a lowercase alphabets. Thereafter, -l filter can be used to define which character is to be treated as literal and not converted as pattern. This can be done like:
Inverting Wordlist
A generated wordlist fixes, by default, first characters and creates combinations on the last character. For example, a wordlist containing “a,b and c” hasaaa
aab
aac
aba
abb
abc
aca
…
But this can be inverted using the “-i” option. Crunch would fix the last letter first and make combinations out of first letters. For example, a dictionary of 5 characters per word having 3 alphabets,2digits and inverted looks like following:
Limit duplicate patterns
A user can place a limit on the number of characters that can occur together. For example, to create a wordlist of 5 characters per word using 3 lowercase alphabets,1 number and 1 symbol can be done like the first command. But if a user wants to limit the occurrence of duplicate characters together to only 2 places he can use the “-d” operator. Note how in the first command 3 “a” occurred but in the second command duplicates are limited to only 2 and so only 2 “a”s have occurred.Putting early stops on wordlists
As per user requirements, there may also be a possibility when a user wants to cut short a list to certain combination. For example, if a user wants to create 3 characters per word wordlist using “a,b and c” as characters but wants to cut it as soon as wordlist generates combination ”acc” it can be done like so:Word permutations
In mathematics, permutations stand for non-repeating combinations of certain events. So, to generate non-repeating wordlists by permutations we can use the “-p” filter. Here, we supply 3 words as input none of which shall repeat even if the maximum size of the wordlist is 6.Wordlist Permutations
Just like words can be permuted, wordlists can be permuted. Using the “-q” option, crunch can take input from a wordlist and do permutations on what is read in the file. For example, if the file list is:A
B
C
Then, crunch -q list.txt would output:
ABC
ACB
BAC
BCA
CAB
CBA
Similarly, we can do permutations on 3 char per word wordlist like so:
Splitting wordlist based on word count
A wordlist can be cut short using the “-c” option. Here, a file with 94 words has been generated. Now, to split that into multiple files each containing 60 words maximum can be done like so. Note, that this only works with “-o START” which will autoname the files in the format:Starting character – Ending character.txt
Here, start and ending are a,7 and for next file, 8 and /(space)
Splitting wordlist based on size
To cut short a file based on the size, we can use “-b” filter. For example, to split a wordlist into multiple files each of a maximum 1 MB we can do:Remember, -o START is compulsory as it will automatically split the file in the format:
Starting character – Ending character.txt
Compressing wordlist
Oftentimes, wordlists are too large in size while in text format and gzip can be used to compress them to over 60-70%. For example, to compress a file of max 7 mixalpha-numeric charset and autoname using START we can do this:The post is meant to be considered as a ready reference for quick and dirty wordlist generation using crunch. Crunch is a powerful and very fast tool written in C which is available by default in Kali Linux and is allowed to be used in competitive security certification exams. Hope you liked the post and thanks for reading it.