Friday, 2 April 2010

Creating wordlists with crunch v2.4

Edit 12-06-2011
crunch v3.0 is now included in the BT repositories, 
v3.0 has many big fixes and additional functionality, some items/switches have however been altered.
Therefor, this post is superceded by  ;

crunch is an invaluable tool for quickly (well.. depending on the size of wordlist..) creating bruteforce wordlists.

The latest version released recently is v2.4 and compared with the release currently installed with backtrack 4 (v2.0) comes with some very cool additions.
The version of crunch in backtrack 4 repositories is expected to be updated within a few days to crunch v2.4
Edit dd 03-07-2010 -- Crunch 2.4 is finally included in latest updates !

crunch is one of the first tools that come to mind when needing to create a bruteforce wordlist and since it has been modified so heavily since I first stumbled on it with backtrack 3, I figured it was time for a full and comprehensive testing,  to be able get to grips with all the latest goodness in it !

The default path for crunch v2.4 in backtrack 4 is;

crunch's output is printed to screen when no -o option is given to write to file, so you can easily check to see if it is doing what you wanted.
It can also be piped through to additional programs such as aircrack or cowpatty.

general usage is ;

./crunch [minlength] [maxlength] [charset] -o wordlist.txt

It is close to impossible to stop crunch to still show the command given, so the below pics are images of part of the output from the given command..


 If no character set is defined, crunch defaults to using lower case alpha only ;

./crunch 4 4

The charset can be entered manually in the command line ;


The output can also be inverted using the -i option.

So as opposed to ;

./crunch 4 4 ABCDEFG

Using the -i option will invert the direction when making the wordlist from left-to-right to right-to-left ;
./crunch 4 4 ABCDEFG -i

Or a charset can be chosen from the charset.lst file which saves on the typing (and typoes..) when dealing with normal ranges of letters, numbers and symbols.
charset.lst (included in the crunch installation package) ;

./crunch 4 4 -f charset.lst mixalpha-numeric

The output using charsets can also be inverted using the -i option.


The great thing about crunch is the ability to create patterns with the -t option, this function has been greatly improved with crunch v2.3 and now offers many more possibilities than before.

To create a wordlist with a prefix of 'dog' followed by the characters in a chosen charset ;
./crunch 6 6 -f charset.lst lalpha -t dog@@@

Or having 'dog' appended to the end of the chosen charset ;
./crunch 6 6 -f charset.lst lalpha -t @@@dog

Or to have 'dog' bang in the middle ;
./crunch 7 7 -f charset.lst lalpha -t @@dog@@

In this latest version of crunch it is also possible to create a pattern, specifying where you want
characters / numbers / symbols
which can really be handy in reducing the overall size of the wordlist if you know there is a certain pattern involved;

./crunch 6 6 -f charset.lst mixalpha -t @dog%^
In the above example ;
@ --> will read and print from the specified character set only.
% --> will print numeric values only.
^ --> will print symbols/special characters only, including space.

This feature opens up easier and powerful options for creating lists with certain patterns of special characters or numbers;

For a 4 character wordlist containing only special characters.
./crunch 4 4 -t ^^^^

For a 4 character wordlist containing numbers and special characters in the sequence; 1$1$
./crunch 4 4 -t %^%^

For a 4 letter wordlist containing characters and numbers in the sequence; a1a1
./crunch 4 4 -t @%@%
Note that if no character set is defined, crunch defaults to lower case alpha character set when using @

For a 4 letter wordlist containing characters from a character set and special characters in the sequence A$A$

./crunch 4 4 -f charset.lst mixalpha-numeric-space -t @^@^

Character sets to use for the -t option can also be specified ;

To use ;
ABCD as characters
1234 as numeric values
@#$% as symbols

./crunch 6 6 -t @dog%^ ABCD 1234 @#$%


./crunch 7 7 -t ^@dog%@ ABCD 1234 @#$%

Note that when specifying character sets like this for use with the -t option, the sequence of the character set specification must be;
alpha -- numeric -- symbols

Some special characters need escaping, to do this make sure a backslash \ is placed before the character to escape, so for instance using the above example, but requiring a symbol charset of ;

./crunch 6 6 -t @dog%^ ABCD 1234 \!\(\)\&


Crunch also now has the possibility to generate permutations instead of combinations on either strings of characters or words.

To generate permutations on characters, specify with the -p option, fun for anagrams !
(although crunch then ignores min and max length, you do still need to enter them)

./crunch 1 1 -p dog

To generate permutations on words/strings, specify same with the -m option,
(again, although the min and max length is ignored, it does need to be entered)
The -m option does not (yet) have the capability to read from file, this however, has been placed in the author's to-do list.

./crunch 1 1 -m cat dog pig


Resulting output from crunch can also be split in various sizes, based on either line count or on actual size and can also be compressed.

To split the output based on line count, use the -c option combined with -o START ; 

./crunch 4 4 -f charset.lst lalpha -o START -c 100000
The above will result in files being created containing no more than 100000 words (lines).

Output files can be split into files of a certain maximum size using the -b option combined with -o START.
The size definition can be;  kb, mb, gb  or  kib, mib, gib
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)
kib, mib, and gib are based on the power of 2 (i.e. 1KB = 1024 bytes).

Creating files no larger than 500kb :
./crunch 4 4 -f charset.lst lalpha -o START -b 500kb

Creating files no larger than 1mb :
./crunch 4 4 -f charset.lst lalpha -o START -b 1mb

Output files can also be compressed with the -z option, using either bzip, gzip or lzma

./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip

A resume function is also built-in with the -r option;
After cancelling the build of the wordlist, the exact same syntax must be used again followed with the -r option ;

./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt 
./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt -r

There are many options and it truly is a great tool.

Thanks to bofh28 for reading my ramblings and thanks for this awesome tool !

The latest build can be downloaded at ;


  1. I am trying to create a password dictionary list based on 9 phrases. I know the pieces of the password but cannot remember how to assemble it. If anyone can help me I'd appreciate it. I downloaded crunch into Vista but it just sits there and asks me what program I wanna use to open it.

    1. backtrack is linux's program, you can open in the virtual machine on the Windows,help my bad english.

  2. crunch is meant for linux, not Windows.

    If only 9 phrases, do not see why you would really need crunch anyway.

  3. I want to create a password list with phone number like

    4162000000 to 4169999999

    where 416 is the area code

    I tried different formulas but no luck

    1. ./crunch 10 10 1234567890 -t 416@@@@@@@ -o phone.txt

  4. The correct code to use could be one as follows ;

    ./crunch 10 10 -f charset.lst numeric -t 416@@@@@@@ -o tel.txt

    Give it a shot !

  5. Tape, I like your website, your articles and appreciate the time you spend maintaining it.

    On your last post about making a crunch number list,

    ./crunch 10 10 -f charset.lst numeric -t 416@@@@@@@ -o tel.txt

    I was trying to make a similar list, but making it inverted. I wanted to start at 4169999999 and work backwards to 4160000000.

    I tried using the -s and -i switches, but could not get it to work.

    Any suggestions??


  6. Tape, found a general way to do the inverted list.

    Get crunch to make a number list first (as the above post)and save it.

    Open a terminal, type in:

    sort -r -o

    The new file will create the inverted list.

    However, I would still like to do this with Crunch...

  7. Well, hello anonymous ;)

    First off, thanks for your interest in my blog, it helps to have people comment to give an incentive to continue the posts !

    Regarding crunch, the way it works is with character sets, so in the case of using the numeric character set included (0123456789) it starts the sequence as it is entered in the charset list.

    If you want to invert the way the characters are used, you should input it manually as follows ;

    ./crunch 10 10 9876543210 -t 416@@@@@@@ -o tel.txt

    You can always input the characters to be used manually, so the numeric sequence can be as you like, but the above should do what you want.

    By the way, thanks for the sorting option ;) I was looking for it earlier after I read your post !
    Comments on how to do / fix things are what make the world go round :D

  8. Thanks,

    Your above post about the inverted list worked exactly as I wanted it to:

    ./crunch 10 10 9876543210 -t 416@@@@@@@ -o tel.txt

    I can't believe that I couldn't figure it out...

    Looking forward to your next article...

    1. Hi there, I was trying to do the same thing for the 416 area code. I followed the same format and it worked beautifully to create the telephone numbers.

      I was reading about the phone exchange and there are several numbers that could be removed from the list ( i.e. any numbers below 416-200 or any of the defined business exchanges. I was going to use Sed and extract these exchanges, but I ran into a problem extracting lines with a prefix of 416199 and below because it may also include valid numbers like 4169416199, 4168416199, 4167416199.

  9. Hello TAPE,
    I want to make an word list that contains lowcase letters from a to z with 10 letters on each line. But i do not want more than two of the same letter after each other. Making an list with all possible combinations from a-z with 10 letters would make one huge word file.

    Would that be possible?

  10. Hey Tropican,
    I think I understand what you want to do, however am not sure whether crunch is whatyou want.

    Even if trying the permutation option with lower case and cutting 16 characters off with cut for instance, not sure if its what you want and would still result in a huge list.
    (be patient ;)

    You could give it a shot I suppose ;

    ./crunch 1 1 -p abcdefghijklmnopqrstuvwxyz -o test_full.txt
    cat test_full.txt | cut -c -16 > test_10.txt

    Let me know how you get on :)

  11. Hey TAPE
    thanks for quick reply, i tryed some to do a demo of this but it seems like its not doing what i want it to.


    Looks like it's shuffling the letters, and not making combinations with letters
    Seems to me the same letters go at the end of the lines just in different combos, that will make the A letter never appear two times on the same line.
    When i ran the cat after a test file was made it where 2000 lines with the same letters on it. OFC that would be different when its finished but the first letters would still be the same up to the shuffle was finished.

    Probably have to write some perl script for this i guess :( But thanks for the try and quick help! :)

  12. Ah, I misread your first comment, didnt realise you wanted letters to appear twice in the list.

    If I have a sudden brain-wave I will mention it, however unlikely at this time I have to admit !

  13. Great tool, If i want to creat a wordlist with following word "BiscottE" what is the most easy and fast way?
    The first and the last letter is upercase. Is there a fourth symbol to upercase letters?

  14. By the way to achive that word i use ./crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -o @@@@@@@@ but of course I supposedly did not know the word.

  15. LOL, you got me stumped.. sorry but no, crunch cannot help you do that in one go.

    What you could try is to create the wordlist in crunch based on all lowercase.
    ./crunch 8 8 -f charset.lst lalpha

    Then use awk/sed to replace the 1st and last characters with the upper case equivelant.

    Have had a quick look on how best to do that, but nothing jumped out and bit me !
    I am not so familiar with sed / awk so some more googling your side required !

    Remember that the size of such a wordlist is large to put it mildly.

  16. Thanks for the tip. ;-)
    I am using crunch for generate password, and i pipe to aircrack-ng but the pass that i want have the first and the last letter upercase.

    why crunch dont have a symbol for upercase letter? it is very usefull!

    eg ./crunch 8 8 mixalpha -t #@@@@@@#

    @ = lowercase
    # = upercase

  17. Well, bofh28 has done a hell of a job making it what it is today and kudos to him for continuing developing this tool !
    I just made a right-up of his hard work.
    Must admit I like the idea though, why don't you submit it to him ?
    He is active on the Backtrack4 forums.

    However, I looked a bit closer into it using sed and think I have found your solution :)

    ./crunch 8 8 -f charset.lst lalpha | sed 's/^./\U&/; s/.$/\U&/' > output.txt

    That will hopefully do exactly what you wanted ;)

    Again though, be prepared for a friggin big list..

    1. i wanna make a word list without repeating the same character twice in a line, can you help me please?

    2. Please post new queries at THE END OF THE COMMENTS
      and also on the new crunch 3.0 post.

      Give an example so I have something to work with.

    3. Also look at my post on Wordlist Manipulation

  18. For years i was a windows user, but recently i moved to linux and i became a big fan.
    About backtrack and the tools that are available as crunch i just want to say one thing... HAIL to their creators and developers.
    Ok, i will submit the idea to him.
    TAPE thanks for help. :-D yes it was exactly what i needed.

  19. It's amazing isn't it, there are so many people putting so much time
    into creating free applications, its a fantastic community.

    And glad I could be of help ;)

  20. i use the program and i really like it well i have 1 Q ?
    how i can make password list start from 0123456789 to 9999999999
    great work thx alot

  21. Hey SiLeNt,

    BOFH28 has made this program into a real gem hasnt he !

    The code you would need is the code to only choose numeric characters, so either using the numeric charset, or entering the charset manually.

    Some examples;
    ./crunch 10 10 -f charset.lst numeric -o numbers.txt

    ./crunch 10 10 -t %%%%%%%%%% -o numbers.txt

    ./crunch 10 10 0123456789 -o numbers.txt

  22. thxxx TAPE for the fast replay
    really its a good work 100% keep goin man
    ill use the command u give me now
    i really like the program i can make any worldlist i want

  23. Just to make sure you fully understand ;)

    crunch has evolved thanks to the work of bofh28, I have done nothing other than check it out and do a write up of the version 2.4 :)

    But anyway glad you like the write up and that it helps !

  24. TAPE i keep it for 2 hrs and nothing happen just keep freezing i copy the code like the way u give it to me
    i dont know whats wrong
    most of my friend ask me for the 10 numbers i cant make it sorry man
    do u have any other code i can try it

  25. The code is fine :)

    Your patience not so much.

    Try the code with max length 4 so you can see it works.

    10 digits is going to take forever and the size of the list would be huge..

  26. oh ok man i think its not gonna take long time like this code i use it its fast
    ./crunch 10 10 -f charset.lst numeric -t 0788@@@@@@ -o tel.txt
    ill do it and go to sleep i hope when i wake its ready
    thxxx again my folt :P

  27. i remember i see cowpatty here but i cant found it i have an idea its like new update for cowpatty
    i use Grinwepa
    is there anyway to make for a cowpatty a java program so i can add the file.cap and the pass list , thanks alot i really like ur work man and i post ur link in manny website you the best

  28. There is a post here on using cowpatty;

    You can use crunch to pipe the output through to cowpatty as described in the above post.

  29. Hi,
    I want to generate a wordlist because i forgot a important password (Yes I've learned now) What i know about the password is that it has 8 char, and i know it don't start on 2 or more similar chars after each other . It's more looking like this: x5DkOLtw. When generating with crunch it will start like this aaaaaaaa,aaaaaaab, i want to generate with out 2 or more similar chars at start to save space and time. How can i accomplish this? And about the space issue, maybe i can first generate a wordlist starting with a and all the combinations and if not the password is found there i continue with b,c,d? Is this possible?

  30. If the password is starting with a space, then you can specify same manually.

    All the answers you desire are covered in the above post !

    Use the filtering options to cover which characters are used at certain postitions.

    Also I would recommend using the latest crunch v2.6 which is available for download at

  31. Thank you for quick reply.

    Well i don't understand it, i can't use -t a@@@@@@@ since that will only give lower case, i don't know the 2. char and so on. I just want it to start from a and make every possible combination with mixalpha-numeric charset. And skip with similar char after each other if you understand.

  32. Hey there Roy !

    Sorry I was a bit short on the previous post.

    I am still not entirely sure I understand what you want to do..

    For a full wordlist you can use ;

    ./crunch 8 8 -f charset.lst mixalpha-numeric-all -o big-friggin-wordlist.txt

    for a complete list.

    But that is going to be a size you really can't handle..

    Perhaps you could write some examples of what you are trying to achieve as I cannot figure out what you need exactly..

  33. Ok, sorry for my English, I'll show you examples. Running ./crunch 8 8 -f charset.lst mixalpha-numeric-all -o big-friggin-wordlist.txt will give me:
    aaaaaaaa aaaaaaab aaaaaaac aaaaaaad aaaaaaae aaaaaaaf
    aaaaaaag aaaaaaah aaaaaaai and so on. Since i know my password does not start on equal chars i want to skip that to save space. My password looks like: kVAgN3ha Another way to solve this is to make a wordlist-a.txt list, witch has all combination for the starting letter a. Then i test that wordlist and if i get no hits, I'll make wordlist-b.txt with starting letter b. But i don't know how to accomplish that. since using -t a@@@@@@@ will do only lower case and i have a mix and does not know where they are positioned in the password.

  34. Don't worry abt the English, its good :)

    If I understand you correctly, you dont want the wordlist to contain the same characters twice in a row.
    Crunch is not able to do that, unless you specify which character should be placed where in the word (with the -t option).

    I think you may not fully understand how crunch works (If you do, please do not take offense).

    So I would suggest you try using the various options as mentioned in my blogpost and base on 4-5 characters so you can fully understand what crunch CAN do and what it CANNOT do.

    If you do know the characters which are in the password, but dont know the exact order, you can greatly reduce the size of the wordlist by choosing only the characters you need, and choosing the order in which you want them in the passphrase.

    I would like to help you further, however am not sure that crunch is what you require.

    remember that crunch is basically to be used to create a bruteforce wordlist.
    However, if you know sequences and characters in the passphrase you reduce the size considerably by specifying that.

    Sorry if I cant be of any help to you with this.

  35. Well, yes you answered one of my questions, know let me ask you this, is it possible to make wordlist-a.txt, wordlist-b.txt and so one? What i want to do is to generate 8 length password starting with a, then see if the password is there, if not make I'll make wordlist-b.txt where the starting char is b and so one. You are right i don't understand it that good i think. Since making a bruteforce list of starting char a should be easy, eh? Thank you for your time.

  36. Yes that it easy, you can use the -t option to specify a character in a certain position;

    ./crunch 8 8 -f charset.lst mixalpha-numeric-all -t a@@@@@@@ -o big-list.txt

    Play around with the -t option so you can fully understand what the possibilities are with crunch.
    Also, if using Backtrack 4, make sure you do an apt-get update && apt-get upgrade
    so that you get the latest version of crunch (v2.6) which shows you what size you are looking at when starting to create the wordlist.

  37. I know what the command is to create an min and max 8 char' string all uppercase is but that is too big.
    What would the command be if i wanted to split it up?
    I mean A to Z like this AAAAAAAA
    etc to
    So I could run the A's then the B's etc.

  38. Try a bit more testing ;)
    Use the charset.lst to specify the upper alpha character set only and then fix the first character to the letter you want.
    For instance ;
    ./crunch 8 8 -f charset.lst ualpha -t A@@@@@@@ -o upperA.txt

  39. Thank you for the reply.
    I tried fixing The first letter A but the @@@ variables are all lower case?
    I copied your command and its the same thing?
    Thanks for the help.

  40. My bad. Just gone through the man pages I see what I was missing.
    Thanks for your help mate.

  41. Hey Mark, glad you found your answer !
    as you probably found ;

    when using the -t option, the @@@'s take input from the charset, if no charset is given it takes the default of
    lower case alpha. So you have to provide the correct charset or enter it manually.

  42. Hi TAPE,
    love the informative write-up,just one question,how do you work out how big a file is going to be if its 10 characters long and uses all the alphabet and 0 thru 9,i know its huuge as because i already tried and ran out disk space at 870gb for the file size,just wondering how i couldve saved time and worked it out beforehand.

  43. sorry TAPE that was me,Ash,in the above post,just worked out how to add my name,also one more question i'm having trouble splitting up the file size using:/pentest/passwords/crunch# ./crunch 7 7 -f charset.lst ualpha-numeric -o START-b 10000mb,i tried using the gb tag instead of mb but when i used 10gb the file still turned out bigger than 10gb?any clues,id say im making a silly mistake but its got me stumped

  44. Hey there Ash, glad you liked the post !

    For checking the size of wordlists to be created, have a look at this post ;

    Also note that the latest version of crunch (v2.6) will now show you what size the wordlist will be.

    As for your query on the size discrepancy, surprising, I tested with small sizes and it worked fine.
    Have you tried with smaller sizes ?

  45. Hey Tape, I was trying to do a phone # list with the dashes but the output file jumps around what i am trying to get. Using this command:

    ./crunch 12 12 -f charset.lst numeric -o text.txt -t 000-000-@@@@

    i get 000-000-00000 and so on.

    If i change the length to 11 12 i get
    000-000-000 to 000-000-00000
    skipping what i want which is 000-000-0000

    i changed the length to 11 13 and i did get it but my output file is much bigger than i would like.
    Any ideas on this? Thank you in advance and great post btw.

  46. Hey Steve,

    I have a feeling that you must have made an input error..
    If you still have a problem, revert mentioning the exact command you tried and I will have a look.

    Laters -

  47. Tape, is there any way to rescript crunch in order for it to produce something that looks like this.
    A A _ _ _ _ _ _
    A _ A _ _ _ _ _
    A _ A _ _ _ _ _
    A _ _ _ A _ _ _
    A _ _ _ A _ _ _
    A _ _ _ _ A _ _
    A _ _ _ _ _ A _
    A _ _ _ _ _ _ A
    _ A A _ _ _ _ _
    _ A _ A _ _ _ _
    _ A _ _ A _ _ _
    _ A _ _ _ A _ _
    _ A _ _ _ _ A _
    _ A _ _ _ _ _ A
    _ _ A A _ _ _ _
    _ _ A _ A _ _ _
    _ _ A _ _ A _ _
    _ _ A _ _ _ A _
    _ _ A _ _ _ _ A
    _ _ _ A A _ _ _
    _ _ _ A _ A _ _
    _ _ _ A _ _ A _
    _ _ _ A _ _ _ A
    _ _ _ _ A A _ _
    _ _ _ _ A _ A _
    _ _ _ _ A _ _ A
    _ _ _ _ _ A A _
    _ _ _ _ _ A _ A
    _ _ _ _ _ _ A A

    I think I am correct in saying that in most eight digit keys the same letter rarely shows up more than twice. If we can substitute A=letter and do this with all the letters in the alphabet, the password file will be reduced in size vastly.

  48. Well it would need a lot of work I think to actually do that and I am not sure if it is in the scope of what the current author of crunch intends.

    In any case crunch in its current form is not able to do the above.

  49. I just copy-paste your command
    ./crunch 6 6 -t @dog%^ ABCD 1234 @#$%
    But instead using @#$% symbols it uses all symbols. And all letters. Using crunch 2.6.

  50. Another example of my own:
    ./crunch 5 5 0123456789#* -o /home/origin/Desktop/wordlist -t ^cat%

    Symbols #* from charset are getting ignored. And instead all list is used.

    Maybe something got messed up in between 2.4-2.6 releases?

  51. Hey Sculder,

    Your first comment appears to be correct, crunch is no longer only taking the given special chararacters but taking the full range.
    Strange, I will test a bit more and forward findings to bofh28.

    Regarding your second comment, you are not using the -t option correctly..
    If you want crunch to use your own defined characters, you have to use @ with the -t option..

  52. Hi there. I can't sleep until this is resolved:) Another command cp-paste from this page.

    ./crunch 6 6 -t @dog%^ ABCD 1234 @#$%

    @'s should change with lowercase letters. Crunch have "*" for uppercase. So why output starts Adog1@ with capital A? I know there is no lowercase letters specified so the correct output should be "...length should be the same size as the pattern you specified". Or I am missing something again.

  53. If you specify characters as per the above (not sure why you would actually, there are better ways) and you want lower case, why write upper case ? ;)
    @ will follow the alpha user input, which in the above example was entered as upper case..

    the symbols @ % ^ * symnbols are only meant to be used
    within the -t option..

    If you need further clarification, give a shout.

  54. Actually I said there are better ways but of course it completely depends on what you are aiming at !
    Of course it is a perfect way to use it for a more refined user input.

  55. Hi Tape,

    This is a really cool guide and I appreciate you writing it. I was wondering if there was a way to modify the output, but also change the location where the file will be saved. I am trying to create a wordlist of 10 digit numbers, and I want to save files no larger than 2gb to my external hard drive. Thanks again!

  56. Hey Andrew, glad you liked the post, it seems to be a favourite !

    I am assuming that you will be working on a BackTrack installation..

    1. Make sure the external HDD is mounted and recognized. You can do this in Konqueror.
    (Konqueror -- Storage Media -- Click your external HDD)

    2. Head to crunch directory ;
    cd /pentest/passwords/crunch/

    3. Tell crunch to make a wordlist of ;
    - 10 digits with numeric values only
    - Split in parts of no more than 2 gig
    - Output to your external HDD (lets call it 'Ext1' for example only)

    ./crunch 10 10 -f charset.lst numeric -o /media/Ext1/START -b 2gb

    You may see some confusing %% ddd, however do some testing with smaller lists to verify correct output.

    I have tried with ;
    ./crunch 4 4 -f charset.lst numeric -o /media/Ext1/START -b 10kb

    and seems to be working OK..

    Let me know if it does ! and thanks for the request as it shows a bug in the screen output

    Laters - TAPE

  57. By the way, be aware that you of course need to refresh the page in Konqueror -- Storage Media, to see all drives.

    Also, the output is going to be over 102GB ...


  58. Thanks for the quick reply! 102 GB...yikes indeed :P

    I think I'll start out with numbers beginning with 9 and go from there. Thanks again for the assistance!!

  59. What are the commands to pipe crunch to aircrack? The numbers should be 10 digits starting with 213

  60. Hey there,
    should be something like the below ;

    ./crunch 10 10 -t 213%%%%%%% | aircrack-ng -w- -e ESSID /path/to/capfile.cap

  61. i was thinking is there anyway to make crunch compresson the password list so when i use it in aircrack-ng my pass scan can be highter i use pyrit + essid to make the hash file but it take long time really , or if there a way to make crunch make database maybe u can help me with that thx man really u do a good and nice work

  62. I THINK I understand what you mean ;) but unfortunately carrying out the WPA crack is always going to be a long proces.

    I am thinking about writing a post on Pyrit, using pyrit you can also use compressed wordlist files, and crunch can make compressed wordists files.. so that could be combined, but haven't checked it all out yet.

  63. hi tape.......i appreciate ur dedication for crunch topic............
    i've a problem for making 14 digits word list in crunch (backtrack 4). whenever i try to make a big list it displays a msg about less space or no space.....wat should i do??....plzz help me for making a big dictionary file....thanx in advance.

  64. Hey there Anonymous ;)

    I can say without a doubt that crunch has been my favourite proggie, as it is awesome and its something I managed to get my teeth into :)

    If you want to make a wordlist with 14 digits (meaning numbers from 0 - 9) then you are never going to have enough space..

    Check out my post on wordlist sizes and do the test.
    I checked it, and if you want a 14 digit wordlist with only numbers from 0-9, as in following code ;
    ./crunch 14 14 0123456789 -o toobiglist.txt

    the size would be LEGEN.. wait for it.. DARY..

    Number of passphrases: 100000000000000
    Size in GB : 1396983.861
    Size in Terabytes : 1364.242

    So I guess now you should understand why your comp with a few hundred GB is complaining about space ;)

    Dont even try to create wordlist that big, without cluster / cloud computing you will NEVER use it.

  65. i hope we gonna see new amazing update from u man really ur programs help me alot and im thanksfull to u

  66. unbelievable........any wayz thanx TAPE 4 ur quick reply..if i try 14 digits word list including country code such as ...... 00971@@@@@@@@@...... 00971 is country code.... it possible?

  67. @ SiLeNt
    Well bofh28 just released crunch v2.9 So I am planning on checking it out and probably making a new post when crunch reaches v3.0 to include the new goodness :)

    @ Anonymous
    Sure, the space required would be much less ;

    With your first 5 digits fixed ;
    ./crunch 14 14 0123456789 -t 00971@@@@@@@@@ -o uae-tel.txt

    The size would be aprx. 13GB

    Still not too small though..

    You can check all this yourself of course by simply running the command with the latest version of crunch.

    The new versions now also show the size you are looking at.

  68. hi TAPE........i've a question....
    "how to split 10 GB WPA ASCII file into 500 MB file?

  69. Hey there,

    I assume you are talking about a wordlist you already have, and not one you want to create.

    Have a look at pureh@te's wordlist menu tool ;

    That has a lot of good wordlist options and also the option to split a wordlist based on linecount.

  70. Also, have a look at the command 'split'

  71. THANX TAPE ..... I'LL TRY IT

  72. Hi, Can crunch create phrases with spaces inside?
    I can't get it.

    e.g: my name is john

  73. Heya Anonymous ;)

    Sure, crunch can utilize spaces within the given criteria using the -t switch for instance.

    The trick is to then put the criteria in quotes.

    ./crunch 4 4 -t "a cd"

    Laters - TAPE

  74. Hi again Tape but this doesn't run for me. The output is the same string:

  75. Hey there, I think you misunderstood..the example given will actually provide the reponse as you said. This is the correct outcome.

    Try with different combinations and patterns ;
    ./crunch 4 4 -t "@ % "

    Just to show that to be able to include spaces in patterns you have to use quotes.

  76. Thanks Tape, but I don't want a pattern, I just want crunch takes 'space' like another character.

  77. Ahh ;) Now I get you.

    The same applies, put the characters you want to use for your wordlist in quotes directly in the command ;

    ./crunch 4 4 "01234556789 abcdef" -o hex_with_space.txt

    Hope the above example is clear, otherwise let me know what you are trying to accomplish so I can have a closer look.


  78. Yeeeeeeeees, a lot of thanks. I had tried that yesterday but I must be blind.

  79. ;) Glad you found the solution, knowing its possible but not knowing how to do it is a brain melter..

  80. Hello TAPE, i am trying to make 10 10 numeric only wordlist but with this patternt:
    x1:numbers between 65-99
    x2:numbers between 01-12
    x3:numbers between 01-31

    Is it possible?

  81. Hey, no unfortunately crunch cannot do that,

    But basically you want a date list followed by numbers ?

    If you look at the comments in my post on wordlist sizes you will see I wrote a bit of code to create a date list.

    You can modify that code slightly to alter the way the output is made.
    Then you would have to figure out how to append numeric values, if that is what you want, to get the 10 characters.

  82. Had a look and there is a way, which looks terrible though ;) couldnt get 'date' to accept years as in '65' instead of '1965'

    > First copy / paste the below and save as 'datelist'

    #!/bin/bash -e
    #Starting and stopping dates
    echo "Enter the starting date"
    echo "must be in the format yyyy-mm-dd"
    (tput bold && tput setaf 1)
    read START_DATE
    (tput sgr 0)
    echo "Enter the ending date"
    echo "must be in the format yyyy-mm-dd"
    (tput bold && tput setaf 1)
    read END_DATE
    (tput sgr 0)
    # List all dates in between the chosen dates in the format yyyymmdd
    echo $START_DATE | tee r_dates.txt
    while true
    START_DATE=$( date +%Y-%m-%d -d "$START_DATE -d 1day" )
    echo $START_DATE | tee -a r_dates.txt
    if [ "$START_DATE" == "$END_DATE" ]
    awk -F- '{print $1 $2 $3}' r_dates.txt > datelist.txt
    rm r_dates.txt
    (tput bold && tput setaf 1)
    echo "wordlist 'datelist.txt' created"
    (tput sgr 0)
    echo ""

    > Then make the file executable ;
    chmod 755 datelist

    > Run the file and create the datelist with the dates you want;

    > Then remove the 1st 2 digits from each line ;
    sed 's/^..//' datelist.txt > datelist1.txt

    > Then append the numbers to each line ;
    for i in $(cat datelist1.txt); do seq -f "%04.0f$i" 0 9999; done > datelist2.txt

    Doing it the above way will take aaaagees.. (its very messy) and the file will be pretty big..
    But hey its a way (I think ;) )

  83. You are great i think that is the way but there's a problem with last part, when last 4 numbers are added they goes first not last....

  84. sorry i've found it
    for i in $(cat datelist1.txt); do seq -f "$i%04.0f" 0 9999; done > datelist2.txt

    just had to change the place ot "$i"

  85. :D messed up with that one then, but glad to be of help.

    Have a look at the latest post I made on creating a wordlist based on dates.
    I wrote a quick tool that should make it easier for you.

  86. Finally I find great blog and amazing blogger,
    Thanks TAPE for your great article

    Actually before i see this article i create my 8 digit (00000000 - 99999999 ) wordlist dictionary with "DICTMAKE.EXE" now I want to add some charters like "a" at the end of each line,
    which tools can I use for this scenario ? ( it better to be windows program but if it doesn't exist i use backtrack too )
    I have another Question you said :
    crunch is one of the first tools that come to mind when needing to create a bruteforce wordlist
    What is the another programs for bruteforce ?

  87. Hey Saeed Y,
    Glad you like the blog ;)

    The tool you want to use is crunch, its the best one for the scenario you are looking at.

    Read through this tutorial and you will see that your solution is very easy ;

    ./crunch 9 9 -t %%%%%%%%a -o wordlist.txt

    Yep.. that easy.. ;)
    Or you could have all possible lower case letters appended ;

    ./crunch 9 9 -t %%%%%%%%@ -o wordlist.txt

    I have not covered any other wordlist generators, but you could think of JTR for instance as well.

    My preference (and familiarity) is with crunch though.

  88. Hi again Tape
    I can't return back to your blog :)
    I have suggestion about your next article
    your covered how we can create our own password list in this article, why you not cover how we can use our password dictionary list with airolib-ng and ... to make pre-calculated hash file for easier WPA/WPA2 cracking ? ( it's really useful, isn't it? )

  89. Hey Saeed,
    Actually that request has come up a few times,

    I considered it to be a bit too basic to dedicate a post to it,

    However, now I may just do it for clarity's sake :D

  90. Hi TAP
    First of all thanks for reply,
    My recent Experience may help you
    a few days ago i decided test airolib-ng to create pre-calculated hash ( for all of 8 digit numbers ) after 6 hours the completed progress was 1% !! it really bad for me so i decided to test Pyrit .
    my experience with pyrit show me this program is really better than airolib because it did this scenario in 20 hours
    P.S : My CPU is Core I7 920
    RAM : 6 GB DDR3
    & and i didn't have GPU Power !

  91. questn..
    i got the WPA handshake file and I saved it in my PEN DRIVE....So can i use this WPA handshake file next time directly from "aircrack-ng" command, for cracking the password..

  92. Please try to keep the comments relevant to the blogpost topic...

    Sure thats possible, when you save the .cap file to a pendrive, you just use the location of the that in aircrack ;

    aircrack-ng -w password.lst -e essid /path/to/pendrive/wpa.cap

  93. Hi men,
    I would like to know if it's possible to "start" o "end" crunch from a determined point, cause i've stopped a search almost when it was at half of progress so i would like to start from this..
    For example, i would like to start from 56782345 so it will be:

    And so on.. so I can also split the work on one or more computer..


  94. Hey there,

    You should be able to do that by starting from a startblock using the -s switch (I see I neglected to cover that in my post... whoops :D )

    ./crunch 8 8 -t %%%%%%%% -s 56782345 -o numbers_continued.txt

  95. Hi Tape, when using the -p option in Crunch it just seems to write to the screen, and the -o option doesn't seem to work when specifying an output file (it just takes that text and adds it to the word being worked on - eg "./crunch 1 1 -p FAST-SLOW -o test" produces an odd result). Is there an easy answer to generate a file? Thanks.

  96. hi tape..
    when'll we be able to hack WPA/WPA2 password without dictionary/password list??????

  97. Hey, regarding the -p option;
    The -p option needs to be the very last option entered in he command line ;

    ./crunch 1 1 -o test -p fast slow hyper
    should work as expected.

    Hope it helps !


    As for the WPA question, what does this have to do with crunch ? Keep the comments relevant to the blogpost please.

  98. Hi ... thanks for every help you give to everyone =)

    So after I wanted to generate a list of 8 letters all in down case ... it was around 1750Giga !! that's really too much I mean it's just 8 letters and only down cases not like 16 or 26 ... is there any other solution .... ?

    Thank you. I'm William (:

  99. Hey William,

    Well, the size is what it is, cannot change it !

    You are looking at creating a list of 8 characters
    in each and every combination using 26 letters.. thats a lot of data..

    If you dont know a pattern which you could use to reduce wordlist size, then no other alternative !

  100. hahaha thanks a lot dude !!
    actually I do know something all the words are in down case ^^ ... kidding ...

    so the password is this "afyadvtc" yes I know it already I just wanted to see if I generate a list with all the random 8 letters in downstairs how would it look ...

    Well Thank you for the time and the answer. =)

  101. How long would it take to generate a wordlist with mixalpha-numeric-all and min of 8 and max of 10? I am getting a RIDICULOUS amount of data like in the trillions of gigabytes.. is that correct?

  102. I don't kow the exact figure, but it is too much for you pc to handle for sure :)

  103. So are you saying that if I wanted to generate a wordlist with let's say.. "./crunch 8 8 -f wordlist.lst mixalpha-numeric-all" is that even practical?

  104. No its not practical at all.

    Using ;
    ./crunch 8 8 -f charset.lst mixalpha-numeric-all-space
    Would result in a file of 55607258 GigaBytes...

    How on earth can you use that ?

    A couple of gigabyte.. OK, that many.. no sir..

  105. HI, TAPE...

  106. Hey Kasoori,

    I would suggest you look into using the 'split' command, splitting the file based on line count (to avoid any splits harming words)

    Try the following ;

    split -d -l 3000000 wordlist.txt newfile

    The above will split the wordlist into files with a a prefx of 'newfile' followed by numbers.

    Each new file will not contain more than 3000000 lines.
    (actual size will vary depending on the length of passphrases)

    Hope the above helps.

  107. hello tape,
    i'm trying to show my friends how insecure a common way our local internet provider makes our passwords. i have a list of top 1000 names in the USA. basically here they put the first initial of the customer then the last name and a 4 digit number
    I'm trying to find a way to pipe the password list i have threw to make the new list. even if i have to do it twice it would still be faster then typing each password of the 1000. thanks for you time!!!

  108. Heey TAPE,

    Good tutorial about Crunch. It was very easy to follow. Sorry for my English 2. I´m from the Netherlands, haha.:)

  109. Hey Nico,

    Glad you liked it !

    Please note that best to follow the latest post on crunch v3.0 which is more upto date.

    Laters ! - TAPE

  110. What if i think the password is a concatenation of some words. Not more than 3 deep. I hope you understand what I mean.

    Let's say i think the password is made up from these words:


    I want a program to create these words:


    When I use crunch it always makes very large passwords. I can't use them.

    cupp is better I think. It generates short passwords and longer passwords but I am not sure if it makes ALL combinations i require.

    Someone an idea how to get my list which uses about 10 words as input and generate passwords from 8 length up to any size as long as the password does not consist of a concatenation of more than 3 words ...

  111. This is what I am looking for!

    Is a tool available which can do this?

  112. For both the above anonymous posters..

    Do a google on combining wordlists.

    Also, please note that this post is obsolete.

    Crunch has evolved to v3.1 by now, best check out the latest post.
    I will have a look later, but you are simply looking at combining 1 wordlist with another.

  113. For info or requests on manipulating wordlists I would request that you post your queries in the post ;

    That's where I would like to have these types of queries posted.

  114. hello,if you cant help me with this problem...When I minimize a window and disappeared from the bar, i do not know what to do if you know anything please tell my a solution if you now,bye bye

  115. ALT + TAB ?

    Also dont really see how this is related to crunch...

  116. I posted here because I saw that you are professional in this operating system. "alt + tab" function, but still do not understand wher is going why give away "minimize window". do not know where everything disappears.: (thx for the answer respect

  117. Haha :D

    I am flattered, however I am VERY much a beginner with linux and the OS BackTrack..

    To be honest I cannot understand why the window would minimize or disappear without user interaction.. it makes no sense to me.

    Without knowing your specific OS / type difficult to provide an informed answer.

    Further, I really do want to try to keep the comments related to the post in question, not on general OS information.

  118. You rock! Thanks for this!

  119. hi guys, how can generate this wordlis
    charset = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#%*()-_+=~[]{}\:;<>,.?/]

    Passwords must contain at least 6 characters and max 10.
    All passwords must start with a letter.
    Passwords must contain at least one numerical character.
    Passwords must contain at least one special character.

    Thanks in advance

  120. crunch v2.4 has been superceded by a couple ofversions and as such please refer to the post on crunch v3.0.

    When you post your comment there, also mention;
    > whether the words should start with upper, lower or either case.
    > if there is any fixed position for the number and special character.

  121. excyse me if i dont know that with how many characters use wifi password is there some tricks that can i check it? i dont know password lenght and i wanna to make password list i cant try all combinations:)

    1. Hey,

      There is no trick to figure out password length..

  122. Hallo Tape,

    Would like to ask if it’s possible to make list of 13 characters containing letters and numbers but the lines should contain no more than 2 same characters next to each other and no more than 5 same characters in the whole line.

    Thank you,

  123. I'm trying to figure out how to create a numeric list of all possible dates for, say, the last 50 years. Examples 12302011, 12312011, 01012012, 01022012 etc. Any idea how to do this? Thanks!

    1. I wrote a script called datelist, which you can find in a later
      blogpost here on the log.

      That will do exactly what you want.


  124. hey...i like ur article
    but i want to create the list of 8 digits and 16 digits containing (uper case, lowercase alpha + numeric + special char. !,@,#,$,%,^,& ) with randomly all possible combinations....


    1. You dont have enough storage to handle that.

  125. how much storage needed for that and me out this is very important to me to create these combinations

    1. lowercase+uppercase+numeric+special chars == 95 characters (on normal US keyboard)

      Total number of possibilities on a 8 character passphrase using all 95 characters ;
      55607258.170 GB

      For 16 character passphrase you would need 696829833749683281578342.075 GB storage .. so yeah..

  126. ohh..noo...?
    then tell me if u knw about any method faster than brute force attck..
    and also if u knw anything about FTP hack...


  127. Hi Is this possible
    ./crunch 10 10 -f charset.lst numeric -t shroot@@@@

    I only want to generate all possible combinations of years after shroot from 1900 to 2013

    what should I do to get this to happen in crunch please

    1. First of all make sure you are running the latest version of crunch.
      (the -e switch only came into play as from v3.1)

      ./crunch 10 10 -t shroot%%%% -s shroot1900 -e shroot2013

    2. And checkout the later post on crunch I made ;

  128. Hi,
    I'm running BT5r3-KDE-32bits and Windows 8.

    I'm looking for a way to generate an alphanumeric sequence in BT containing letter-number combinations up to 10 characters long without having the same letters or numbers appearing side-by-side - and save it to a text file or lst file.

    when I use crunch wordlist genrator it generates alphanumeric sequences containing all possible combinations of letters and numbers from a given a character set - great if you want all possible combinations - bad if you don't want a lot of CCCCDDDDD or TTTTEEEEE.

    I only want to produce an alphanumeric sequence containing different letters and numbers side-by-side.

    For example,
    BADELF26 - Acceptable
    3H8E5E81 - Acceptable
    CTFFF29E - Not Acceptable
    CLE3C77N - Not Acceptable

    Any help with this matter would be greatly appreciated.

    1. Have a look at the more recent post on crunch I made here ;

      And look at the new -d option.

      This switch limits the number of consecutive repeated characters and should do what you want.

    2. Hmm, actually I see I didnt include any instructions or advice on the new -d switch, but if you read the manpage of the latest crunch you will find examples of how to use the -d switch.

    3. hi tape i would like to know how to use crunch code to crack a really long password containing a to z alpha mixed with numbers and i know for sure it has more than 30 charachters, ive been looking for a code on google but i cant find any. help please

    4. Bruteforcing a thirty character alpha-numeric password ?!

      I think you need to read more of my posts, specifically the one on wordlist sizes...

  129. I was wondering. My router password has 12 lowercase-alpha characters. It is just a single word comprised of 4 letters repeated 3 times. How can I direct crunch to make a word list of words repeating any given amount of times. I am aware of the size it would take. However, I want to learn how this can be done. Thank you for your time. Example of password: looklooklook

    1. Hi there,
      well you cant really use crunch directly for that, however it is easily accomplished with a line in bash.

      Say you have a wordlist with all 4 characters words called words4.txt

      In bash you could then do :

      for i in $(cat words4.txt) ; do echo $i$i$i ; done > words12.txt

      Now you would have a wordlist called words12.txt containing;

      Hope that helps.

      Laters - TAPE

  130. Hi,
    I was wanting to generate passwords for a router that has 10 characters. These characters are a mixture of uppercase letters and numbers. For example possible passwords could be:A155279C57 or 9J654GU82F


    1. And the above post in all its glory did not show you how to do exactly that ?!

      ./crunch 10 10 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -o BIG_List.txt

      The list output will likely be to big to be practical.

  131. hi, i'm piping crunch into aircack-ng and was wondering if there was an option to shorten the bruteforce to more practical passphrases? for example a 14 character passphrase isn't likely gonna be 00000000000001, 00000000000002, etc. so is there a command to exclude passphrases that has more than 2 of the same characters side by side?

  132. In the latest crunch you can specify the number of consecutive characters you want to allow.

  133. if iwant to create 6 digit number but i want to fix the first number with 1,5,7,9 how can i do example 1@@@@@,
    please help me

  134. What about when you want combinations of a string but in the order the characters of the string appear, eg combinations 3 of ABCD : ABC ABD ACD BCD . In math if i'm not mistaken, this is called combination and when you have mixed order permutation.Can it be done in crunch?

  135. hi gays how to make alpha-num worldlist but fix last four numbers
    plz how to fix 1E00


Google Analytics Alternative