Crunch is a powerful wordlist generator that creates custom password lists based on specified criteria. It's pre-installed on Kali Linux and commonly used in penetration testing for brute-force attacks and password cracking.
Installation
# Kali Linux (pre-installed)
crunch
# Ubuntu/Debian
sudo apt install crunch
# From source
git clone https://github.com/crunchsec/crunch.git
cd crunch
make
sudo make install
Basic Syntax
crunch <min-len> <max-len> [options]
Essential Commands
Generate Simple Wordlist
# Generate all combinations from 4 to 6 characters (lowercase)
crunch 4 6
# Generate 8-character passwords with lowercase only
crunch 8 8 -o wordlist.txt
Custom Character Sets
# Use specific characters (lowercase + numbers)
crunch 6 6 abcdef123456
# Uppercase letters only
crunch 5 5 ABCDEFGHIJKLMNOPQRSTUVWXYZ
# Mixed case and numbers
crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha-numeric
Pattern-Based Generation
# @ = lowercase letters
# , = uppercase letters
# % = numbers
# ^ = special characters
# Generate: Pass#### (Pass followed by 4 digits)
crunch 8 8 -t Pass%%%%
# Generate: Admin@@## (Admin + 2 lowercase + 2 digits)
# The pattern is 9 characters long, so min and max must both be 9
crunch 9 9 -t Admin@@%%
# Generate: user_#### (user_ followed by 4 numbers)
crunch 9 9 -t user_%%%%
Practical Examples
Phone Number Wordlist
# Generate all possible 10-digit phone numbers starting with 555
crunch 10 10 -t 555%%%%%%% -o phones.txt
PIN Codes
# Generate all 4-digit PINs
crunch 4 4 0123456789 -o pins.txt
# Generate 6-digit PINs
crunch 6 6 0123456789 -o pins6.txt
Birthday-Based Passwords
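# Format: MMDDYYYY (e.g., 01151990)
# With 0123456789 given as the first charset, @ expands to digits as well,
# so this emits every 8-digit string (10^8 lines), not only valid dates
crunch 8 8 0123456789 -t @@@@%%%% -o birthdays.txt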
Company-Specific Passwords
# Pattern: CompanyName + year
crunch 11 11 -t Company%%%% -o company_passwords.txt
# Pattern: username + special char + numbers
# john^%%% is 8 characters long, so min and max must both be 8
crunch 8 8 -t john^%%% -o john_passwords.txt
Output Options
Save to File
# Basic output
crunch 6 6 abc123 -o wordlist.txt
# Split into multiple files (100MB each)
crunch 8 8 -o START -b 100mb -t pass%%%%
Pipe to Other Tools
# Pipe directly to Aircrack-ng
crunch 8 8 | aircrack-ng -w - -b 00:11:22:33:44:55 capture.cap
# Pipe to John the Ripper
crunch 6 8 | john --stdin --format=raw-md5 hashes.txt
# Pipe to Hydra for SSH brute force
crunch 6 8 abc123 | hydra -l admin -P - ssh://192.168.1.10
Advanced Options
Limit Output Size
# Write at most 1000 lines per output file
# (-c sets lines per file and only works together with -o START)
crunch 6 6 -o START -c 1000
# Start from specific word
crunch 4 4 -s aaaa -o wordlist.txt
# End at specific word
crunch 4 4 -e zzzz -o wordlist.txt
Duplicate Handling
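# Limit consecutive duplicate characters (-d takes a number followed by a placeholder symbol)
crunch 4 4 abc123 -d 2@ -o wordlist.txt
# Won't generate: aaab, aaaa, etc. (three or more of the same character in a row)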
Invert Output
# Invert the generation order: the leftmost position changes fastest
# (aaa, baa, caa, ...) instead of the rightmost (aaa, aab, aac, ...)
crunch 5 5 -t @@@%% -i
Using Charset Files
# View available charsets
cat /usr/share/crunch/charset.lst
# Use predefined charset
crunch 8 8 -f /usr/share/crunch/charset.lst mixalpha-numeric-all
# Common charsets:
# lalpha = lowercase
# ualpha = uppercase
# numeric = numbers 0-9
# mixalpha = lower + upper
# mixalpha-numeric = lower + upper + numbers
Performance Tips
Estimate Size Before Generation
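# crunch has no dry-run flag, and -c does not preview anything.
# Every run prints its size estimate before it starts writing:
crunch 8 8 abc123 -o wordlist.txt
# The banner reports:
# - the amount of data that will be generated
# - the number of lines that will be generated
# Press Ctrl+C at this point if the estimate is too large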
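The size of a run can also be computed from its arguments before crunch is started. The Python below is an added example, not part of the original page or of crunch itself: it returns the line count and byte size for a charset run or a `-t` pattern, and rejects a pattern whose length differs from min/max, which crunch also refuses. The placeholder set sizes (26, 26, 10, 33) are assumed defaults, and the function names are hypothetical.

```python
# Added example: estimate a crunch run from its arguments without running crunch.
# Assumed default placeholder set sizes: @ = 26, "," = 26, % = 10, ^ = 33.
DEFAULT_SIZES = {"@": 26, ",": 26, "%": 10, "^": 33}


def pattern_lines(pattern, min_len, max_len, sizes=None):
    """Lines produced by `crunch <min> <max> -t <pattern>`."""
    sizes = DEFAULT_SIZES if sizes is None else sizes
    # crunch refuses a -t pattern whose length differs from min and max.
    if not (min_len == max_len == len(pattern)):
        raise ValueError(
            f"pattern {pattern!r} is {len(pattern)} characters, "
            f"but min/max are {min_len}/{max_len}"
        )
    lines = 1
    for ch in pattern:
        lines *= sizes.get(ch, 1)  # a literal character has exactly one value
    return lines


def pattern_bytes(pattern, min_len, max_len, sizes=None):
    """Bytes written: every line is the pattern length plus a newline."""
    return pattern_lines(pattern, min_len, max_len, sizes) * (len(pattern) + 1)


def charset_lines(charset_size, min_len, max_len):
    """Lines produced by `crunch <min> <max> <charset>` with no pattern."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def charset_bytes(charset_size, min_len, max_len):
    """Bytes written: a word of length n costs n + 1 bytes with its newline."""
    return sum((n + 1) * charset_size ** n for n in range(min_len, max_len + 1))


def human(nbytes):
    """Render a byte count with binary (1024-based) units."""
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if nbytes < 1024 or unit == "PB":
            return f"{nbytes:.1f} {unit}"
        nbytes /= 1024


if __name__ == "__main__":
    print(pattern_lines("Pass%%%%", 8, 8), human(pattern_bytes("Pass%%%%", 8, 8)))
    print(charset_lines(10, 6, 6), human(charset_bytes(10, 6, 6)))
    # 36-character set, lengths 8 to 13, as in the Wi-Fi example on this page
    print(charset_lines(36, 8, 13), human(charset_bytes(36, 8, 13)))
```

The last line of the demo shows why the disk-space and computation-time points matter: a 36-character set at lengths 8 to 13 is far beyond what can be stored, so such a run is only ever usable as a stream.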
Compress Output
# Compress while generating
crunch 7 7 | gzip > wordlist.txt.gz
# Use with tools supporting compressed input
Real-World Scenarios
Wi-Fi Password Cracking
# 8-13 character WPA passwords (common length)
crunch 8 13 abcdefghijklmnopqrstuvwxyz0123456789 | \
aircrack-ng -w - -b [BSSID] capture.cap
ZIP File Password Recovery
# Generate 6-digit numeric passwords
crunch 6 6 0123456789 | \
fcrackzip -u -D - protected.zip
Database Hash Cracking
# Generate wordlist and crack MD5 hashes
crunch 6 10 -f /usr/share/crunch/charset.lst mixalpha-numeric | \
john --stdin --format=raw-md5 database_hashes.txt
Security Considerations
⚠️ Legal Warning: Only use Crunch for authorized penetration testing or on systems you own. Unauthorized password cracking is illegal.
Best Practices:
- Always obtain written authorization before testing
- Use on isolated test environments
- Be aware of disk space requirements
- Consider computation time for large wordlists
- Combine with other OSINT data for better results
Useful Combinations
# Small targeted list (company name variations)
# Company@% is 9 characters long, so min and max must both be 9
crunch 9 9 -t Company@% -o company_list.txt
# Common password patterns
crunch 8 8 -t @@@@@%%% -o common_pattern.txt
# Date-based (YYYYMMDD): emits every 8-digit string, a superset of valid dates
crunch 8 8 0123456789 -o dates.txt
# License plates (state + numbers)
crunch 7 7 -t CA%%%%% -o plates.txt
Quick Reference
| Pattern | Meaning | Example |
|---|---|---|
| @ | Lowercase | a-z |
| , | Uppercase | A-Z |
| % | Numbers | 0-9 |
| ^ | Symbols | !@#$%^&* |
| -t | Use pattern | -t Pass@@@% |
| -o | Output file | -o list.txt |
| -b | Split by size | -b 100mb |
| -c | Lines per output file (with -o START) | -c 10000 |
| -d | Limit consecutive duplicates | -d 2@ |
| -s | Start string | -s aaaa |
| -e | End string | -e zzzz |
Conclusion
Crunch is an essential tool for penetration testers needing custom wordlists. Its flexibility in pattern generation and integration with other security tools makes it invaluable for password auditing and security assessments.
Always use responsibly and within legal boundaries.