Friday 2 April 2010

Creating wordlists with crunch v2.4

Edit 12-06-2011
crunch v3.0 is now included in the BT repositories, 
v3.0 has many big fixes and additional functionality, some items/switches have however been altered.
Therefor, this post is superceded by  ; 
http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html


crunch is an invaluable tool for quickly (well.. depending on the size of wordlist..) creating bruteforce wordlists.

The latest version released recently is v2.4 and compared with the release currently installed with backtrack 4 (v2.0) comes with some very cool additions.
The version of crunch in backtrack 4 repositories is expected to be updated within a few days to crunch v2.4
Edit dd 03-07-2010 -- Crunch 2.4 is finally included in latest updates !

crunch is one of the first tools that come to mind when needing to create a bruteforce wordlist and since it has been modified so heavily since I first stumbled on it with backtrack 3, I figured it was time for a full and comprehensive testing,  to be able get to grips with all the latest goodness in it !

The default path for crunch v2.4 in backtrack 4 is;
/pentest/passwords/crunch/


crunch's output is printed to screen when no -o option is given to write to file, so you can easily check to see if it is doing what you wanted.
It can also be piped through to additional programs such as aircrack or cowpatty.

general usage is ;

./crunch [minlength] [maxlength] [charset] -o wordlist.txt

NOTE:
It is close to impossible to stop crunch to still show the command given, so the below pics are images of part of the output from the given command..

BASIC USAGE & CHARACTER SETS
==============================

 If no character set is defined, crunch defaults to using lower case alpha only ;

./crunch 4 4


The charset can be entered manually in the command line ;

./crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789




The output can also be inverted using the -i option.

So as opposed to ;

./crunch 4 4 ABCDEFG




Using the -i option will invert the direction when making the wordlist from left-to-right to right-to-left ;
./crunch 4 4 ABCDEFG -i




Or a charset can be chosen from the charset.lst file which saves on the typing (and typoes..) when dealing with normal ranges of letters, numbers and symbols.
charset.lst (included in the crunch installation package) ;

















./crunch 4 4 -f charset.lst mixalpha-numeric

The output using charsets can also be inverted using the -i option.



CREATING CUSTOM PATTERNS
==========================

The great thing about crunch is the ability to create patterns with the -t option, this function has been greatly improved with crunch v2.3 and now offers many more possibilities than before.


To create a wordlist with a prefix of 'dog' followed by the characters in a chosen charset ;
./crunch 6 6 -f charset.lst lalpha -t dog@@@




Or having 'dog' appended to the end of the chosen charset ;
./crunch 6 6 -f charset.lst lalpha -t @@@dog




Or to have 'dog' bang in the middle ;
./crunch 7 7 -f charset.lst lalpha -t @@dog@@















In this latest version of crunch it is also possible to create a pattern, specifying where you want
characters / numbers / symbols
which can really be handy in reducing the overall size of the wordlist if you know there is a certain pattern involved;

./crunch 6 6 -f charset.lst mixalpha -t @dog%^
In the above example ;
@ --> will read and print from the specified character set only.
% --> will print numeric values only.
^ --> will print symbols/special characters only, including space.




This feature opens up easier and powerful options for creating lists with certain patterns of special characters or numbers;

For a 4 character wordlist containing only special characters.
./crunch 4 4 -t ^^^^




For a 4 character wordlist containing numbers and special characters in the sequence; 1$1$
./crunch 4 4 -t %^%^




For a 4 letter wordlist containing characters and numbers in the sequence; a1a1
./crunch 4 4 -t @%@%
Note that if no character set is defined, crunch defaults to lower case alpha character set when using @



For a 4 letter wordlist containing characters from a character set and special characters in the sequence A$A$

./crunch 4 4 -f charset.lst mixalpha-numeric-space -t @^@^


Character sets to use for the -t option can also be specified ;

To use ;
ABCD as characters
1234 as numeric values
@#$% as symbols

./crunch 6 6 -t @dog%^ ABCD 1234 @#$%

or

./crunch 7 7 -t ^@dog%@ ABCD 1234 @#$%



Note that when specifying character sets like this for use with the -t option, the sequence of the character set specification must be;
alpha -- numeric -- symbols

Some special characters need escaping, to do this make sure a backslash \ is placed before the character to escape, so for instance using the above example, but requiring a symbol charset of ;
!()&

./crunch 6 6 -t @dog%^ ABCD 1234 \!\(\)\&






STRING PERMUTATIONS
====================

Crunch also now has the possibility to generate permutations instead of combinations on either strings of characters or words.

To generate permutations on characters, specify with the -p option, fun for anagrams !
(although crunch then ignores min and max length, you do still need to enter them)

./crunch 1 1 -p dog



To generate permutations on words/strings, specify same with the -m option,
(again, although the min and max length is ignored, it does need to be entered)
The -m option does not (yet) have the capability to read from file, this however, has been placed in the author's to-do list.

./crunch 1 1 -m cat dog pig















OUTPUT OPTIONS
===============

Resulting output from crunch can also be split in various sizes, based on either line count or on actual size and can also be compressed.


To split the output based on line count, use the -c option combined with -o START ; 

./crunch 4 4 -f charset.lst lalpha -o START -c 100000
The above will result in files being created containing no more than 100000 words (lines).




Output files can be split into files of a certain maximum size using the -b option combined with -o START.
The size definition can be;  kb, mb, gb  or  kib, mib, gib
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)
kib, mib, and gib are based on the power of 2 (i.e. 1KB = 1024 bytes).

Creating files no larger than 500kb :
./crunch 4 4 -f charset.lst lalpha -o START -b 500kb




Creating files no larger than 1mb :
./crunch 4 4 -f charset.lst lalpha -o START -b 1mb





Output files can also be compressed with the -z option, using either bzip, gzip or lzma

./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip



A resume function is also built-in with the -r option;
After cancelling the build of the wordlist, the exact same syntax must be used again followed with the -r option ;

./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt 
./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt -r




There are many options and it truly is a great tool.


Thanks to bofh28 for reading my ramblings and thanks for this awesome tool !


The latest build can be downloaded at ;

http://sourceforge.net/projects/crunch-wordlist/
 
Google Analytics Alternative