Sunday, 22 May 2011

Creating wordlists with crunch v3.0

CRUNCH v3.0

Warning... this is a looong post, grab a beverage.. ;) Also heavy on images..

PRE-INTRO

Since the post on Creating wordlists with crunch v2.4 made in April last year, crunch has gone through
quite a few changes and improvements and bofh28 has now released v3.0 ! (on 16-05-2011)
To make sure that the information on this blog stays up to date, it's time for a new and improved post.
There will be a lot of duplication from my previous post on crunch, but it should then at least
be a more or less full and complete post.

I have tried to follow the alphabetical order of the options and have done a chapter per option/switch.

Please leave comments should the post be lacking information on anything you feel should be included.


INTRODUCTION

crunch is a tool for creating bruteforce wordlists which can be used to audit password strength.
The size of these wordlists is not to be underestimated, however crunch can make use of patterns to reduce wordlist sizes, can compress output files in various formats and (since v2.6) now includes a message advising the size of the wordlist that will be created, giving you a 3 second window to stop the creation should the size be too large for your intended use.

The full range of options is as follows ;
-b  Maximum bytes to write per file, so using this option the wordlist to be created can be split into various
      sizes such as KB / MB / GB (must be used in combination with "-o START" switch)
-c  Number of lines to write to output file, must be used together with "-o START"
-d  Limits the number of consecutive identical characters (crunch v3.2)
-e Specifies when crunch should stop early (crunch v3.1)
-f  Path to the charset.lst file to use, standard location is '/pentest/passwords/crunch/charset.lst'
    to be used in conjunction with the name of the desired charset list, such as 'mixalpha-numeric-space'
-i  Inverts the output sequence from left-to-right  to  right-to-left
    (So instead of aaa, aab, aac, aad etc, output would be aaa baa caa daa)
-l  When specifying custom patterns with the -t option, the -l switch allows you to identify which of the characters
    should be taken as a literal character instead of a place holder ( @,%^ )
-o  Allows you to specify the file name / location for the output, e.g. /media/flashdrive/wordlist.txt
-p  Prints permutations of the words or characters provided in the command line.
-q  Prints permutation of the words or characters found in a specified file
-r  Resumes from a previous session, exact same syntax to be used followed by -r
-s  Allows you to specify the starting string for your wordlist.
-t  Allows you to specify a specific pattern to use. Probably one of the most important functions !
     Place holders for fixed character sets are ;
     @   --  lower case alpha characters
     ,   --  upper case alpha characters
     %   --  numeric characters
     ^   --  special characters (including space)
-u  Suppresses the output of wordlist size & linecount prior to starting wordlist generation.
-z  Adds support to compress the generation output, supports gzip, bzip2 & lzma


All the below is done on backtrack 5, only tested on the 32bit versions.
crunch is not installed by default on BT5 and as yet (22-05-2011) is not in the repos.
(When it does hit the repos I will amend this post to reflect installing from the repos)

so download from the source at ;
http://sourceforge.net/projects/crunch-wordlist/
Edit; 29-01-2012
and install as follows;
tar -xvf crunch-3.2.tgz
cd crunch3.2/
make && make install

Edit 12-06-2011
crunch is now available in the BT repositories,
so can download and install on backtrack5 simply by doing a ;
apt-get update
apt-get install crunch


BASIC USAGE AND CHARACTER SETS

The default installation directory / path for crunch in backtrack 5 is
/pentest/passwords/crunch/

All the below examples are based on being in the crunch directory /pentest/passwords/crunch/
To run crunch from outside of crunch's own directory use ;
/pentest/passwords/crunch/crunch [min length] [max length] [ character set] [options]
example from root directory;
/pentest/passwords/crunch/crunch 8 8 abc + + \!\@\# -t  TEST^%,@ -o test.txt



















Basic usage is as follows to print to screen
./crunch [min length] [max length] [character set] [options]

To write to file use the -o switch ;
./crunch [min length] [max length] [character set] [options] -o filename.txt

If no character set is defined, then crunch will default to using the lower case alpha character set;
./crunch 4 4



















Also any desired character set can be entered manually in the command line ;
./crunch 6 6 0123456789ABCDEF



















Certain characters will need escaping with a backslash \  ;
./crunch 6 6 ABC\!\@\#\$





















CREATING WORDLISTS IN BLOCKS OF A CERTAIN SIZE

Using the -b switch, we can tell crunch to create a wordlist which is split into multiple files
of user-specified sizes.
This must be done in conjunction with -o START.

The size definition can be;  kb, mb, gb  or  kib, mib, gib
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)
kib, mib, and gib are based on the power of 2 (i.e. 1KiB = 1024 bytes).

The output files will be named after the first and last entry in the wordlists.

To create a wordlist split into files of not more than 1mb;
./crunch 6 6 0123456789 -b 1mb -o START



















To create a wordlist split in files of no more than 100mb;
./crunch 8 8 abcDEF123 -b 100mb -o START



















To create a wordlist split into files of no more than 10kb;
./crunch 4 4 0123456789 -b  10kb -o START



















To create a wordlist split into files of no more than 2gb;
./crunch 8 8 0123456789ABCDEF -b 2gb -o START
etc.
etc.


CREATING WORDLISTS IN BLOCKS OF A CERTAIN LINECOUNT
(ie. number of passphrases per file)

Using the -c switch you can have crunch create wordlists which do not contain more than the
specified number of lines.
This must be used in conjunction with -o START.

To create files containing no more than 200000 (200 thousand) lines (passphrases);
./crunch 6 6 0123456789 -c 200000 -o START



















To create files containing no more than 150000 (150 thousand) lines (passphrases);
./crunch 6 6 abcDEF123 -c 150000 -o START




















The output files will be named after the first and last entry in the wordlists.


STOPPING CRUNCH WORDLIST GENERATION AT A PRE-DETERMINED TIME

Crunch v3.1 is now also released (20-07-2011) and with it comes the new -e switch.

This option allows you to specify when you want the wordlist generation to stop.

So the below example will start creating the 6 character numeric wordlist, but will stop at 333333 ;
./crunch 6 6 -t %%%%%% -e 333333


USING FIXED CHARACTER SETS

Crunch also comes with fixed character sets in charset.lst which is included in the installation.
(also found in directory /pentest/passwords/crunch/ )



This saves on the typing (and typos) when dealing with standard character sets.

To use the fixed characters sets, instead of typing in character sets manually in the command line,
you can use the -f switch to specify which character set we want to use ;

To use only upper case alpha characters;
./crunch 6 6 -f charset.lst ualpha



















To use only numeric characters ;
./crunch 6 6 -f charset.lst numeric



















To use hexadecimal characters (with uppercase alpha values) ;
./crunch 8 8 -f charset.lst hex-upper



















To use lower case, uppercase, numeric & special characters (beware of the size ! Don't try to save..lol..) ;
./crunch 8 8 -f charset.lst mixalpha-numeric-all-space



etc.
etc.

Since v2.7 additional Swedish character support has also been added for our Swedish brethren, nicely contributed by Niclas Kroon.



























It should be noted that you can easily create your own custom charset by simply including a line in the same format.
If you for instance know that your target has a certain medical condition known as 133tsp34k, and you have an idea of which letters/numbers are usually used (forum posts etc. etc.) , you could simply include an extra line such as ;
1337 = [4bcd3f9hijk1mn0pqr$7uvwxyz]
Doubt the above is authentic enough, but I'm sure you get the idea.
Then just run in crunch as you would any other charset;
./crunch 4 4 -f charset.lst 1337




















See /pentest/passwords/crunch/charset.lst for all possibilities  / charsets currently included.


INVERTING THE OUTPUT DIRECTION
Using the -i option will invert the direction in which the wordlist is created, from left-to-right  to  right-to-left.
Note that this does not change the content of the created wordlist, it only changes the initial direction in which it is created.

./crunch 4 4 -i



















The -i option can also be used when character sets have been specified, either manually or using the pre-defined charsets.
./crunch 4 4 -f charset.lst ualpha -i



















or for instance for creating numeric wordlists in an alternative direction ;
./crunch 8 8 0123456789 -i




















If you actually want the wordlist creation to start from the last letter in the alphabet and work backwards, or
work backwards from the last digit in a 10 digit numeric sequence, then you would have to enter the charset manually ;
./crunch 4 4 zyxwvutsrqponmlkjihgfedcba



















 ./crunch 4 4 ZYXWVUTSRQPONMLKJIHGFEDCBA



















./crunch 8 8 9876543210





















CREATING PERMUTATIONS
 

Crunch can also  be used to create permutations for either ;
> characters / words entered in the command line with the -p switch.
> lines in a wordlist with the -q switch

Although there is no min/max character setting, this still needs to be entered for both
the -p and -q switch.

Using the -p switch you can create permutations of characters or of all words entered in the command line.
Creating permutations of letters (fun for anagrams) ;
./crunch 1 1 -p abcd



















Creating permutations of lists of words;
./crunch 1 1 -p bird cat dog




















As the -p switch can read the input on command line as being letters or words, it MUST be the last option used;
If for instance trying to suppress the size output message using the -u switch and placing the -u switch last,
crunch will see 2 words (abcd + -u) and so will only print out the 2 permutation possibilities as well as actually recognizing the -u switch ;
./crunch 1 1 -p abcd -u









So to ensure the output is as expected, the -p switch MUST always be the last option, and the correct syntax
with the above example would be ;
./crunch 1 1 -u -p abcd











Using the -q switch, you can create all possible permutations of words in a text file ;
(as always, beware of the possible size ! This is best done on a 'focussed' wordlist)

As an example, create a small text file with 3 lines and then run crunch over it with the -q option;
echo "bird" > test.txt && echo "cat" >> test.txt && echo "dog" >> test.txt
./crunch 1 1 -q test.txt





















RESUMING WORDLIST CREATION AFTER CANCELLATION

crunch allows a wordlist creation to be stopped and restarted, to do this we use the -r (resume) switch.
For this to work we must type the exact same line followed with the -r switch ;
./crunch 8 8 0123456789 -o test.txt
Stop the creation with a Ctrl C, then restart with ;
./crunch 8 8 0123456789 -o test.txt -r




















If the wordlist was started from a specific position (see below chapter) then
when resuming the -s switch as well as input must be removed ;

When using this method, the notification on %% complete will not be accurate.
Also, when resuming, crunch will advise that it is generating xx amount of data and xx number of lines.
This information will not be correct as the calculation process thinks it is resuming from a creation of an entire wordlist, whereas it is of course resuming from a wordlist with a certain startblock.
The below picture probably explains it better..

./crunch 8 8 0123456789 -s 59999999 -o test.txt
After cancelling with a Ctrl C, resume would then be done with ;
./crunch 8 8 0123456789 -o test.txt -r





















STARTING FROM A SPECIFIC POSITION

If we want to start crunch from a specific position in the wordlist we want to create, we can use the -s
switch to use a specific startblock as starting position for the wordlist.

This is useful if, for instance, you started creating a wordlist but had to cancel and resume on a different disk, or HDD space ran out.
The temporary file that crunch uses for the wordlist creation is "START" located in the crunch directory
/pentest/passwords/crunch/

You can check this temporary file for the last couple of entries to allow you to move/rename the temp file START
and restart the wordlist creation without losing the work already done.

example ;
./crunch 7 7 0123456789 -o test.txt
> Ctrl + C stopping the wordlist creation,
> check the last couple of entries in the START temporary file ;
tail -n 2 START
> copy or rename the temporary file to a name of your liking;
cp START file1.txt
> restart the wordlist creation from the last noted entry in the temporary file;
./crunch 7 7 0123456789 -s 9670549 -o test.txt










NOTE! crunch will overwrite START when it starts a new wordlist creation process, so be sure to rename START into whatever you want to ensure you don't lose the work already done !

Of course using the starting block can be used for whatever reason, for instance if you are sure that you don't need any list with numbers starting before 59999999 ;
./crunch 8 8 0123456789 -s 59999999 -o test.txt





















CREATING CUSTOM PATTERNS

This is where crunch really shines, and in my humble opinion, the most powerful capability that crunch has to offer.

With a minimum amount of information on known or expected patterns and/or possible characters in the passphrase, custom patterns can be created, allowing you to specify what to place where in the created passphrases.
In doing so the size of the wordlist can be reduced significantly and the wordlist can be tailored to the target in a much more efficient way, which is always to be endeavoured !

To fix a pattern, we use the -t switch in crunch.

There are fixed symbols used for certain character sets ;
@ --> Lower case alpha values (or @ will read and print from a specified character set, see further down in post)
,  --> Upper case alpha values
% --> Numeric values
^ --> Special characters including 'space'

So if we want to create a 6 character, lower alpha wordlist and with a pre-fix of 'dog';
./crunch 6 6 -t dog@@@



















 or if we want 'dog' to be appended ;
./crunch 6 6 -t @@@dog



















or have 'dog' bang in the middle ;
./crunch 7 7 -t @@dog@@



















Or 'dog' followed by an upper case alpha, number and symbol;
./crunch 6 6 -t dog,%^




















Miscellaneous patterns
We can also combine the various fixed character sets, for instance, if we want to create an 8 character
wordlist with alpha, numeric and special characters in fixed positions;
./crunch 8 8 -t ,,^^@@%%




















Using the fixed character sets you can quickly and easily make 'quick' wordlists for a single character set..

Creating a wordlist with only lower case;
./crunch 4 4 -t @@@@



















only numeric;
./crunch 4 4 -t %%%%



















or only uppercase;
./crunch 4 4 -t ,,,,



















only special characters;
./crunch 4 4 -t ^^^^



















And of course if certain positions and characters are known, it can all be mixed up ;
 ./crunch 9 9 -t %%DOG^^@@




















We can also even go a step further and specify which range of characters should be used for each character type.
In the below example ;
lower alpha values to only be ;  abcdef
upper alpha values to only be ;  ABCDEF
numeric values to only be      ;  12345
special characters to only be  ;  @#$%

We can then specify same by entering these values manually in the command line ;
Note that it is required to enter the custom values in the order ;
lower alpha -- upper alpha -- numeric -- special characters

./crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^




















If there is no specific character range to be used for the character set, then that position should be
completed with a '+' placeholder sign which signifies the usage of the complete standard character set for that set position. (lower alpha -- upper alpha -- numeric -- special characters)

The below example is using 'abcdef' as lower alpha charset, the full upper case charset, '12345' as numeric charset and the full special character charset.
./crunch 8 8 abcdef + 12345 + -t @@,,%%^^




















Although in the above examples @ is used as fixed character set for lower case values, we can also use it to specify a manually chosen single set of all types of characters ;
./crunch 8 8 123abcDEF -t TEST@@@@



















./crunch 10 10 123abc+-= -t @@@test@@@



















Remember that certain characters on some occasion require escaping, if in doubt, better to just do it.
./crunch 10 10 123abcDEF\!\@\# -t TESTING@@@



















If you want to include a space in the charset, then enclose the charset in quotes ;
(space at end of charset below)
./crunch 8 8 "123abcDEF " -t TEST@@@@




















Creating telephone lists
You can also use the -t switch to easily make lists of telephone numbers, so if for instance the telephone number
is usually noted as for instance;  0131-321654, then you could easily create a wordlist of telephone numbers following that same example ;
./crunch  11 11 -t 0131-%%%%%%



















Or if the layout is different, for instance including a space such as "(01201) 111111" this is achieved by putting quotes on the -t pattern as follows (this to ensure that the space is included);
./crunch 14 14 -t "(01201) %%%%%%"




















Endless variations are possible.

The possibilities crunch offers to create patterns with such detail give you many options to really fine-tune what you want placed where in your passphrase wordlist and thus reduce the size of your final wordlist.


ESCAPING / FIXING SPECIAL CHARACTERS FOR USE IN PATTERNS
When you start manually defining what to place where with special characters, you will on some occasions need to 'escape' characters to allow crunch to read them correctly.

This is the case for instance for an exclamation mark ! ;
./crunch 4 4 -t 12!@
will result in an error, as in an interactive bash shell the unescaped ! triggers history expansion before crunch receives the pattern.
In order to make it work correctly you must 'escape'  the exclamation mark ;
./crunch 4 4 -t 12\!@




















As some special characters are used to define character sets, this can cause some limitations when trying to fix positions of certain special characters. Such as wanting to use @ as a fixed character ;
./crunch 4 4 -t 012@
or
./crunch 4 4 -t 012\@
This will not fix the character '@' but use it to provide lower case alpha values.

To remedy this to some extent, since crunch v3.0, the new -l switch can be used to fix the literal character instead of having it refer to a place holder for a specific character set.

This would now be accomplished by doing ;
./crunch 6 6 -t b@d%%% -l @



















Other possibilities;
./crunch 8 8 -t P@SS%%%% -l @
./crunch 8 8 -t P@\$\$,,,, -l @
etc. etc.

./crunch 8 8 -f charset.lst mixalpha -t pass^^@@ -l ^



















Also, more than 1 placeholder character can be fixed as a literal character;
./crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^




















Of course this in itself also has limitations as you are not able to check for all possible lower case alpha
values or pass through a user defined charset with a fixed setting of the @ character.
The below 2 examples will obviously only return 1 result as all the instances of the @ character will be fixed
as a literal character.
./crunch 8 8 -t p@ss@@@@ -l @
./crunch 8 8 -f charset.lst mixalpha-numeric -t p@ss@@@@ -l @
This is an issue that is being looked into and possibly a following update of crunch will have an answer.

Of course there are workarounds for some part; if for instance you wanted a password list to start with "p@ss"
followed by 4 characters of all possible lower case values, you could create a list of 4 characters;
./crunch 4 4 -o test.txt

And then use 'sed' or 'awk' to place the word 'p@ss' in front of each line ;
Using sed ;
sed 's/^/p\@ss/' test.txt > file1.txt
Using awk ;
awk '{print "p@ss" $0}' test.txt > file1.txt




















So with a bit of imagination and a couple of oneliners with sed or awk, you should still
be able to create more or less what you want.

edit 25-05-2011
bofh28 has informed me of another workaround which can be used.

You can override the standard characters per placeholder setting by entering a different type of
charset in a different position and then using the placeholder character for that position.

Normally the 3rd position is for numeric values, however if you specify lower case values, it will use these
characters, however you then do need to use the place holder for that position, in this example %.

Confused ? You won't be after this episode of .. ;)

./crunch 8 8 + + abcdefghijklmnopqrstuvwxyz + -t p@ss%%%% -l @
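
The placeholder rules from CREATING CUSTOM PATTERNS and the -l / charset-override behaviour described above can be checked before generating anything. The following shell functions are an added example, not part of crunch or of the original post: they count the lines and bytes a -t pattern will produce, taking the four charsets in crunch's order (+ for the default) and an optional list of -l literals. The function names and the default set sizes of 26, 26, 10 and 33 are assumptions of this example.

```shell
#!/bin/sh
# Added example: estimate the output of a crunch -t pattern without running crunch.
# Assumed default set sizes: 26 lower, 26 upper, 10 numeric, 33 special (incl. space).

# set_size CHARSET DEFAULT -> length of CHARSET, or DEFAULT when CHARSET is "+" or empty
set_size() {
    case "${1:-+}" in
        '+') echo "$2" ;;
        *)   echo "${#1}" ;;
    esac
}

# pattern_lines PATTERN [LOWER [UPPER [NUMERIC [SPECIAL [LITERALS]]]]]
# Multiplies the set size of every placeholder in PATTERN. Characters listed in
# LITERALS (the -l argument) and all other characters count as fixed text.
pattern_lines() {
    pl_pat=$1
    pl_lower=$(set_size "${2:-+}" 26)
    pl_upper=$(set_size "${3:-+}" 26)
    pl_digit=$(set_size "${4:-+}" 10)
    pl_symbol=$(set_size "${5:-+}" 33)
    pl_literals=${6:-}
    pl_total=1
    while [ -n "$pl_pat" ]; do
        pl_rest=${pl_pat#?}              # pattern without its first character
        pl_ch=${pl_pat%"$pl_rest"}       # the first character itself
        pl_pat=$pl_rest
        case "$pl_literals" in
            *"$pl_ch"*) continue ;;      # fixed by -l: contributes one value only
        esac
        case "$pl_ch" in
            '@') pl_total=$((pl_total * pl_lower)) ;;
            ',') pl_total=$((pl_total * pl_upper)) ;;
            '%') pl_total=$((pl_total * pl_digit)) ;;
            '^') pl_total=$((pl_total * pl_symbol)) ;;
        esac
    done
    echo "$pl_total"
}

# pattern_bytes: same arguments; every line is the pattern length plus a newline
pattern_bytes() {
    pb_lines=$(pattern_lines "$@")
    echo $((pb_lines * (${#1} + 1)))
}

# report LABEL PATTERN [charsets...]: print lines, bytes and MiB for one pattern
report() {
    rp_label=$1
    shift
    rp_bytes=$(pattern_bytes "$@")
    echo "$rp_label: $(pattern_lines "$@") lines, $rp_bytes bytes ($((rp_bytes / 1048576)) MiB)"
}

# crunch 8 8 abc + + \!\@\# -t TEST^%,@   (the install test command from this post)
report 'TEST^%,@' 'TEST^%,@' abc + + '!@#'
# crunch 6 6 -t dog@@@
report 'dog@@@' 'dog@@@'
# crunch 8 8 -t p@ss@@@@ -l @   (every @ becomes literal, so a single line)
report 'p@ss@@@@ -l @' 'p@ss@@@@' + + + + '@'
# crunch 8 8 + + abcdefghijklmnopqrstuvwxyz + -t p@ss%%%% -l @   (override workaround)
report 'p@ss%%%% -l @' 'p@ss%%%%' + + abcdefghijklmnopqrstuvwxyz + '@'
```

The first report line reproduces the 2340 lines and 21060 bytes that crunch itself printed for that command in the comments on this post.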





















PIPING CRUNCH THROUGH TO OTHER PROGRAMS

Crunch can be used to pipe passwords through to programs such as aircrack / pyrit / cowpatty etc.

Considering that crunch is now advising the estimated size of wordlists to be created following the command given as well as the wordcount, to have a seamless integration with piping, it is recommended to use the -u option to suppress that information on size, wordcount etc.;
Without using the -u command, it is possible that unexpected errors occur with some programs.

Using the -u option will result in the creation of the wordlist directly instead of giving the 3 second delay during which the estimated wordlist size and wordcount is shown ;

In examples only testing for 8 character numeric passwords ;
aircrack
./crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap

cowpatty
./crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID

pyrit
./crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough


COMPRESSING OUTPUT FILES

Output files can be compressed with crunch using the -z switch.

Supported formats are;
> gzip
> bzip2
> lzma

Crunch will first create the wordlist and will then compress the wordlist.
Upon the finalisation of the wordlist creation, you will see the 100% being reached
and the 100% denomination will continue to be printed until the compression is complete.

So if you see a continuous 'stream' of 100%, don't worry, the program is not hanging,
the output file is simply being compressed.
It had me guessing when I was testing a compression of a couple of gigabytes.. but I assure you it is the case.

The best level of compression and thus the slowest is obtained with lzma.
The quickest compression, with the lowest level of compression, is obtained with gzip.

./crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip
To unzip the created file ;
gunzip test.txt.gz
















./crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2
To decompress the created file ;
bunzip2 test.txt.bz2
















./crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma
To decompress the created file ;
unlzma test.txt.lzma



















= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =



If you managed to come this far, well done, you are a patient / dedicated person :)
Hope it wasn't too boring to go through ;)


bofh28 has once again done a fantastic job in reaching the 3.0 milestone and
a little birdy tells me there is yet more to come :D
If and when revisions come out, I will try to keep this post updated to reflect the changes / additions.


Keep up the great work bofh28 !!




To actually manipulate an already created/existing wordlist, check out ;
http://www.adaywithtape.blogspot.com/2011/07/wordlist-manipulation-revisited.html

301 comments:

  1. admin@ubuntu-laptop:~/Downloads/crunch3.0$ sudo make && make install
    make: Nothing to be done for `all'.
    Creating directories...
    /usr/bin/install -d -m 755 -o root -g root /pentest/passwords//crunch
    /usr/bin/install: cannot create directory `/pentest': Permission denied
    make: *** [install] Error 1

  2. Yah...

    Doesn't look like you tried to install on backtrack..

    The above guide is for installing and using on backtrack.
    I have not tested crunch on any other platform.

    Have you tried simply ensuring to first create that directory ;

    /pentest/passwords/crunch/

    ?

  3. Correct, it's ubuntu 11.04
    Hoped that as they are debian cousins it was worth a shot - will document any success.

    If I manually created the directories, the installation halts on a different error.


    /usr/bin/install: cannot change owner and permissions of `/usr/local/share/man/man1': No such file or directory
    make: *** [install] Error 1

  4. To be honest I'm afraid I can't help you much with this, however I would be interested to hear your progress.

    I can't really suggest to try to create that directory as well, as don't know whether it may mess up any part of your installation..

    But anyways, let me know how you progress ;)

  5. Ubuntu seems to use location
    /usr/share/man/man1

    Made a softlink to that location and then the install moved on.

    Also needed to create a crunch file
    /pentest/passwords/crunch$ sudo touch crunch

    It seems to install okay then
    Successfully made the test file - only didn't get any fancy text output to the terminal with the results.

    root@ubuntu-laptop:~/Downloads/crunch3.0# /pentest/passwords/crunch/crunch 8 8 abc + + \!\@\# -t TEST^%,@ -o test.txt
    Crunch will now generate the following amount of data: 21060 bytes 0 MB 0 GB
    Crunch will now generate the following number of lines: 2340
    100%

  6. When you tried to install, did you also try

    sudo make && sudo make install

    or only

    sudo make && make install

    ?

    Seems strange that you would have to create a file called crunch...
    Seems like it's working though, if you want printout to screen, just don't write to file with the -o switch.

    ./crunch 8 8 -t %%%%%%%%

  7. Hi Tape (very nice post and sorry for my English :-)
    I want to create an hex word-list with 4 letters 4 numbers but with not fixed locations for example:
    ea475df8
    432abfd7
    is that possible?
    thnx in advance!

  8. Hey there d.posnas,

    Glad you liked the post !

    There are a couple of ways to do that ;

    ./crunch 8 8 0123456789abcdef -t @@@@@@@@

    ./crunch 8 8 -f charset.lst hex-lower -t @@@@@@@@


    Remember the size will still be considerable...

    If you know certain fixed locations (such as first character being a number or letter) you could narrow the possibilities down a bit more.

  9. EXCELLENT LEVEL OF DETAIL..HIGHLY IMPRESSED.
    by evan

  10. Thanks for the kind words :)

    Glad you liked the post !

  11. Yes that's the point. I know that the password is hex with 4 letters 4 numbers (8 total) but I don't know the exact location of each character. Could be 1547abcd or de45fa78. Is there any kind of technique to achieve the creation of that word-list?
    Using "./crunch 8 8 0123456789abcdef -t @@@@@@@@" will achieve all the possible combination
    and

    ./crunch 8 8 0123456789abcdef -t %%%%@@@@ will achieve fixed location.
    Any Suggestions?

  12. Hey there d.posnas,

    I now get what you mean, no more than 4 digits, no more than 4 alpha values.

    Crunch cannot do that straight away as far as I can figure out, would probably require a script to be run over the file to remove lines that don't follow the criteria.

    Will have a look and see if I can come up with something later.

  13. Not sure to be honest.. I suspect I may have used a different sudo command.

    Sudo -s not an expert on sudo but I think using the shell command means it accesses a different set of default data.

  14. Hi, just a side note for those new to Linux. If you get a "Couldn't find package" error when you try to install Crunch via apt-get, that means your apt-get package info is outdated, and you need to retrieve new lists of packages. Just enter this:

    apt-get update

    Then try to install Crunch again:

    apt-get install crunch

  15. Thanks Chan,

    Of course you are correct to always do an "apt-get update" before checking.
    I will edit post to reflect this.

    Thanks !

  16. HOW CAN I USE THE LETTER -r
    PLEASE I DON'T KNOW HOW I CAN USE IT
    THANKS SO MUCH..

  17. The -r switch is used when resuming wordlist creation.
    So if you start creating a wordlist, but have to stop the generation for whatever reason,
    you can resume the wordlist creation with the -r switch to continue from where you previously had stopped.

    So when normally creating a wordlist you would not need to use the -r switch.

    Hope the above makes it clearer, but the post above explains it all fairly well I would think..

  18. anyone got this working on a Redhat box?

  19. I have not heard of people trying it, however bofh28 was advising that as long as you
    can create the required directories (installing as root) that it should work on most distros.

    Give it a shot and let us know the outcome!

  20. I have a quick question:

    I was wondering if it was possible to make a wordlist of 8 key length with all combinations of the alphabet but not having any of the same keys being next to each other.

    So instead of starting:

    aaaaaaaa,
    it would be abcdefgh and the same letters would never be next to each other???

    Replies
    1. from crunch 3.2 with -d 0@ no duplicates of the same letter will be next to each other

  21. Hi there noslide,

    I am afraid to say that crunch is not able to do that.

    This question has come up in the past quite a few times, so I should probably really have a
    look into a bit of code to help do that, but I am awful with the sed / awk stuff ;)

  22. Hi TAPE,

    Would you please help me with this case:

    Password contain 10 digits: beginning with "09", next digit can only be "0", "1", "3", "4", "7", "8"; and the last 7 digits will be random.

    For example:

    090xxxxxxx
    091xxxxxxx
    093xxxxxxx
    etc...

    Is it possible to make a wordlist like that by using crunch ? Please help. Thank you a lot :)

  23. Hey M150,
    Yes it is possible, but you have to 'trick' crunch by tweaking the charsets ;

    ./crunch 10 10 + + + 013478 -t 09^%%%%%%%

    So in the above, we have told crunch to use the charset '013478' as the charset for which normally special characters are used (the ^ position)

    Still will be a 629mb wordlist !

    Hope it works for you !

  24. Hi d.posnas, the example you gave,

    ./crunch 8 8 0123456789abcdef -t %%%%@@@@

    would not produce the results you expect. Try this cut-down example and you will see that it produces more digits and letters than you expect:

    ./crunch 4 4 01ab -t %%@@

    You would be expecting only 16 passwords but instead you'll get thousands, including all-digits and all-letters.

    To get something closer to what you want, try this:

    ./crunch 4 4 01 + ab -t %%@@

    Search for "placeholder sign" in Tape's tutorial above for more info. So, to make your example work, it needs to be:

    ./crunch 8 8 0123456789 + abcdef -t %%%%@@@@

    I don't recommend you run this yet though! This will take a long time to execute and will produce millions of lines! Better to run your tests with cut-down examples first.

    Anyway, this is an interesting pattern, and I am working on a more complete solution for producing such a word list.

  25. I'd like to say great job... I have installed on openSUSE 11.4 with no issues. I installed 2.9, with which I ran this command:
    ./crunch 10 10 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 -z gzip - START -b 2Gb

    This did as it says on the tin: it creates gzip files, fills up START, then creates the specific compressed file.

    However, when I run this same command using crunch 3, it never creates a zip; I get this message:

    gzip: aaaaaaaaaa-aaaaayLWAM: no such file in directory
    The text file is in the folder, but for some reason it's not compressing it... This is only in the latest version.

    Keep up the good work. I will try on BT5 once I have enough space...

    Thanks and keep up the good work

  26. Oh dear, thanks for your comment Dave, perhaps a bug slipped through as the previous version had an issue with creating certain filenames as well.

    I will do some testing on larger files and see if I can replicate your problem so that I can ask bofh28 to look into it.

    Thanks !

  27. No worries, great tutorial as well...

    There is a lot there I didn't know crunch could do :)

    As I said, keep up the great work :)

  28. Hey Guys!

    I would like to know if it's possible to directly kick out some kinds of keys?
    I mean (for example with : /crunch 05 05 abcde)
    I want to kick out all keys with AT LEAST 2 of the same characters next to each other, like:

    aaxxx
    xbbxx
    xxccx
    xxxdd
    aaaxx
    bbbbx
    ccccc
    etc ...

    Thanks for your help :)

  29. Heya FoX, yes it's possible ;
    sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d' wordlist.txt

    I am trying to work on a new post which will show simple one-liners to do the most commonly used wordlist fine tuning.

    Stay tuned !

  30. Hey TAPE,

    Thanks!!!
    I would like to know if something like this can work:

    /pentest/passwords/crunch/crunch 26 26 abcdef12346790 --stdout | aircrack-ng -0 -e "ESSID" -w - out-01.cap

    Because I find it really boring to create and use a wordlist... when we can directly test each word as it is created :D

    Thanks again for your help ;)

  31. Sorry for my double post, but I simply did:

    /pentest/passwords/crunch/crunch 09 09 backtr --stdout | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d' | aircrack-ng -0 -e "ESSID" -w - out-01.cap

    And it works great ! :D 45mins to 15 ^^ (bad proce...)

    Can you just tell me how this works:

    sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d'

    I mean, if I want to kick out not at least 3 but 2 of the same characters next to each other. Or if I want to add special characters like ^<>/:.

    Once more: Thanks !!!!! You saved me ! ;)

  32. Heya FoX, don't worry, this is a blog, not a strictly administered forum.. double post all you want ;)

    That one-liner should also take care of more than 2 numbers / special characters..

    When I get to the post on wordlist manipulation I will try to dig into more detail to adjust to be more flexible.

    For the time being, you have your example, play with it :D

    By the way, you don't need to use the --stdout, you could simply include the -u switch instead, and I have not actually experienced problems when not specifying that at all..

  33. Hey TAPE,

    A blog yes, but I find more solutions in it than in some kinds of forum :D

    I have some more questions for you :$

    sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d'
    kicks out 3 or more of the same characters for me; I have done this for 2 characters:
    sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{1,\}/d'
    And it works! :D

    But I have a problem with this.
    If I try :
    /pentest/passwords/crunch/crunch 20 20 abcdefghijklmnopqrstuvwxyz -u
    Everything works, I see code lines running on the shell.

    But if I do :
    /pentest/passwords/crunch/crunch 20 20 abcdefghijklmnopqrstuvwxyz -u | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{1,\}/d'
    Nothing happens ... (even with {2,\})

    It only works if I do :
    /pentest/passwords/crunch/crunch 20 20 abcdefghijklmnopqrstuvwxyz -u | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{18,\}/d'
    It will kick out all words with 19 of the same letter (such as aaaaaaaaaaaaaaaaaaab) and I will see code lines on the shell.

    (It also works with :
    /pentest/passwords/crunch/crunch 03 03 abcdefghijklmnopqrstuvwxyz -u | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{1,\}/d')

    I have tried to create a wordlist.txt for kicking out lines later but ... 26^20 makes billions of GB :D (or something like that ^^)

    What should I do to make it work with {1,\} and crunch 20 20?

    (do not tell me "change your computer" please ^^)

    Replies
    1. It is normal, because it creates the wordlist starting from aaaaaaaaaaaaaaaaaaaa, so none of the passwords up to abababababababababababab will ever be displayed

  34. Heya Fox, glad you are liking the blog :)

    I am gonna have to ask you to wait until the next post is out so I can do more testing on my side and
    come back with a working solution.
    (my next post will be covering things like this, I hope :D )

    I know that bofh28 is working on having this type of thing included in a future revision, so keep your eyes peeled for new crunch releases.

  35. OK, no problem :D Thanks for your help :)

    I'll wait for the next post :)

    In fact, my goal is to simplify wordlists (and not to use a wordlist at all, by the way ^^). Because we rarely see keys with 2 of the same characters stuck together, and never 3 :D

    And for me, testing a key when it is created is the easiest way (rather than creating a .txt of a couple of GB ...).

    So my solution works great with keys of around 6 characters (but it's useless ^^); I want it to work with 20 characters :D.

    Thanks again :D
    I'll wait for your post. I hope you'll be able to reach my goal, even if it's by another way :)

  36. Ah.. I think I get what you were asking now..

    How to increase the speed / decrease the time of checking the passwords piped through crunch..

    Well, different methods of wordlist creation are not going to help you... you would have to look into the use of Pyrit together with CUDA or possibly the ATI alternative ATI stream.

    To be honest, cracking a 20 character random password.. good luck with that.. ;)

  37. Is there a way to take a password list and do an alpha set combined with 4 numbers after each password?

    Example:
    @smith@@@

    Or would I have to do each task separately?

  38. Ahh.. well I know it's possible, but would need to do some testing.

    For the moment I think you will have to work on it manually while I try to get the little grey cells working again..

    I am in the process of making a new post on wordlist manipulation which will cover this kind of thing.

    Stay tuned !

  39. Hey TAPE,

    Do not think I am crazy :D

    Yes, I want to crack a random password of around 20 - 23 characters ... But I know the pattern of those keys: like 23 hex-only characters, or 20 with 19 min alpha + 1 number, etc ...

    So for me, it's clearly possible to accelerate and be able to crack a random key by kicking out most of the useless keys tested :) (because I know the pattern and I don't need to test all possible characters!)

    I suppose
    /pentest/passwords/crunch/crunch 20 20 abcdefghijklmnopqrstuvwxyz -u | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{1,\}/d'
    doesn't work because crunch probably creates the list before applying "sed" ...

    I must find a way to generate the wanted keys instantly...

    Is that possible with Pyrit and CUDA?

  40. First of all, generating a crunch list of

    crunch 20 23 abcdef0123456789 -u

    Is going to do you better for hex than what you're trying to do with sed. If you know your pattern, why screw around. So first run, try it like that, you know your pattern, work with it.

    If you're trying to generate with a minimum of a number anywhere in the place, TAPE and I have tossed a couple of one-liners at each other for doing so, but out of the box crunch won't do it.

    However, when you pipe from crunch to a small sed/awk command you are not putting that much load on the system. Generating the entire crunch list takes time, but if you're not writing it to disk it takes significantly less time than you might think (just like printing it to screen takes more time than not). There are some things crunch is incapable of doing - things which should remain that way for it to hold its true programming form. Crunch to sed/awk to clean the list to aircrack/pyrit will still reduce your cracking time by ridiculously large amounts.

  41. The voice of reason returns :D

    Thanks for your comments and further explanations Gitsnik.

  42. Hey guys,
    I'm looking for a way to create UPPERCASE 8 8 characters with the letters ZXCVBNMASDFGHJKLQWERTYUIOP, and I also don't want the SAME letter on each line.
    Like AAAAAAAB AAAAAAAC and so on...
    OK, I know that crunch can't do that.
    But what if I create (by myself, or maybe I can do that with crunch's help) all 208 possibilities with 8 characters?
    Example: QWERTYUI WERTYUIO ERTYUIOP RTYUIOPA AND SO ON AND SO ON, while I will get all the possibilities with the keyboard. (Do you know what I mean? Yes, HARD WORK)
    Then use crunch 208 times (that's what I think... maybe I am wrong) and create 208 wordlists without the same letters on each line, using this command:
    ./crunch 1 1 -p QWERTYUI -o test_full.txt
    cat test_full.txt | cut -c -16 > test_10.txt
    and another
    ./crunch 1 1 -p WERTYUIO -o test_full2.txt
    cat test_full2.txt | cut -c -16 > test_10.txt

    AND 208 TIMES MORE :)

    Maybe I'm wrong, correct me.
    Or just suggest HOW I can make that wordlist.
    Thank you and sorry for bad English

  43. Hmm tricky one there Arthur. Lucky for you, as tape well knows, I like me a quick challenge.

    It may have been a bit lost in translation though, so tell me if this simple perl script does it for you or not.

    http://gitsnik.blogspot.com/2011/08/unique-characters-from-crunch.html

  44. Hey Gitsnik ! Awesome work ;)

    You do realise of course I am gonna steal everything you write for a new post :D

  45. Hahaha go nuts. So long as it's useful to someone.

    For reference to anyone who reads this, you could just as easily embed a bunch of for loops by hand to generate the list, and on something this small that would probably work out faster and more efficient, but if you want to use crunch then that's what the script is for. Yes, you can do it better/simpler. But we want to use the one tool for as many jobs as possible.

  46. Hey TAPE, I really need your help! I'm trying to install crunch on backtrack and when I write:
    apt-get install crunch-3.1
    Everything looks fine until:
    "E: Cannot find file or something"
    I downloaded it on Windows XP and put it on a USB stick, then I put it on the desktop on BT 4 from my USB. PLEASE HELP! I AIN'T GOT A CLUE!!!

  47. Using ;

    apt-get install crunch

    should work fine (as long as you are online in backtrack of course).

    otherwise the manual install instructions in the beginning of the post should work fine..

  48. Hi TAPE,
    Your work on this blog is fantastic, and I really appreciate what you are doing for people, so a big thank you, and I know even thank you is not enough for what you are doing, and best of all it's free :-)

    I have been following your blogs all the way but never had a chance to ask, so this is my first question; as they say, if you don't ask, you don't get :)

    I came across this link http://gitsnik.blogspot.com/2011/08/unique-characters-from-crunch.html posted by Gitsnik, and many thanks to him for the code, but the problem is he likes the challenge but he is not a charity :-) Well, I respect his thoughts of course, that's why I couldn't bother to ask him how the code should be used with crunch. I love crunch and would love to know if Arthur's question can be done with crunch, and whether the code mentioned by Gitsnik can create UPPERCASE 8 8 characters like MDFHGZN ARDFTHKB NFRKNLET... etc., not like AAAAAAAA AAAAAAAB AAAAAAAC... etc. Your help will be appreciated, and thanking you in advance.
    Please don't mind my English :-)

    Kind regards, Issac

  49. Gitsnik has been and is still a great help to me on many occasions.

    My backtrack system is out of commission for a bit so I can't show you here, and to be honest I think a little more digging on your side will be of much greater benefit to you than me cutting and chewing your meat for you ;)

  50. Impressive.
    Good job.

  51. Hello again. Thanks very much, Gitsnik, for the script, it WORKS! Perfect!
    I tested it with a small wordlist: ./crunch 8 8 -f charset.lst ualpha -o skyuk.txt
    Afterwards I used the perl script, ./name.pl skyuk.txt, and it printed what I need. (I just tested; I don't know how to make the list which I need, ./crunch 8 8 -f charset.lst ualpha -o skyuk.txt without the same letter on each line.)

    Now please, Gitsnik, TAPE, anybody, can you write me what I should type to get it?
    Or should I make a 1750 GB wordlist and use your script after?
    Or how can I integrate all that into pyrit?
    Please guys, your work is awesome. Please save me my time.
    I promise to create a step-by-step guide to do all that, because I know many people need that, because many people started using backtrack to do WPA cracking.
    PLEASE :)
    Waiting for a reply...

  52. It's me again. Miracle, I found a way to do that. But now there is another problem; I hope for some help still.
    If I type:
    ./crunch 8 8 ZXCVBNMLKJHGFDSAQWERTYUIOP | perl gen.pl >> '/media/Local Disk/skypass.txt' I'll get:
    Out of memory!
    I have over 700GB of free memory now; is that wordlist that big?
    Even if I try crunch 6 6 I'm out of memory; crunch 5 5 works fine.

    Another question:
    This works perfectly:
    ./crunch 8 8 ZXCVBNMLKJHGFDSAQWERTYUIOP -u | pyrit -i - -r/root/Desktop/talk-01.cap -e TALKTALK-6CD1FC attack_passthrough
    but that would be a 1750 GB wordlist tested; it's a bit too long at 90 000 keys/sec.
    Any possibility of integrating that Perl script here? Or should I add something to the script?

    Example, which of course doesn't work for me:

    ./crunch 8 8 ZXCVBNMLKJHGFDSAQWERTYUIOP | perl gen.pl -u | pyrit -i - -r/root/Desktop/talk-01.cap -e TALKTALK-6CD1FC attack_passthrough
    Can't open -u: No such file or directory at gen.pl line 3.
    Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3+

    Parsing file '/root/Desktop/talk-01.cap' (1/1)...
    Parsed 6 packets (6 802.11-packets), got 1 AP(s)

    Picked AccessPoint 00:e0:4d:6c:d1:fe automatically...
    Tried 0 PMKs so far; 0 PMKs per second.

    Password was not found.

    PLEASE :)

  53. I'm an idiot... I only now realize that you gave me a script to do:
    ./crunch 8 8 ABCDEFGH | perl gen.pl >> '/media/Local Disk-1/testsize.txt'

    BUT not all characters, right? Just the 8 which I type myself?

  54. ./crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ will generate what, about 1750GB of data, so you have to figure that that much is getting used somewhere. If you run it as ./crunch blah -u | perl gen.pl | pyrit you should get every combination of 8 characters which are totally unique, including ABCDEFGH and ABCDEFGI and ABCDEFGJ and so on.

    I threw my i7 at it overnight and didn't have a memory leak, but then I didn't write them to file (via >>), just left them crack over a testcap file (which would never work because the password has a duplicate character in it).

    Also don't add -u to the script, no idea why you are doing that. ./crunch 8 8 charset -u | perl gen.pl | pyrit blah

  55. Thanks Gitsnik, you are my last hope...
    Well, that -u is my mistake; I removed it before, I just copied the wrong command.
    But it's strange; I did what you just said:
    ./crunch 8 8 ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZ | perl script.pl | pyrit -i - -r/root/Desktop/talk-01.cap -e TALKTALK-6CD1FC attack_passthrough
    Then I get (doesn't work):
    Tried 0 PMKs so far; 0 PMKs per second.
    Password was not found.
    BUT if I type:
    ./crunch 8 8 ABCDEFGH | perl script.pl | pyrit -i - -r/root/Desktop/talk-01.cap -e TALKTALK-6CD1FC attack_passthrough
    Then I get (WORKS!):
    Tried 40320 PMKs so far; 29200 PMKs per second.
    Password was not found

    SO it works only with 8 8 and eight letters, like ABCDEFGH QWERTYUI MNBVCXZL and so on...
    but if I type 7 or 5 or 9 or 3 (any) letters it's not working, why?

    BUT if I do this, for example:
    ./crunch 3 3 ABC | perl script.pl >> list.txt
    It works! :
    ABC
    ACB
    BAC
    BCA
    CAB
    CBA

    If I type:
    ./crunch 6 6 ABCDEFGHIJKLMNOPQRSTUVWXYZ | perl script.pl >> list.txt
    it says Out Of Memory! How could that be? After 5 sec it is out of memory??? It has not even started...

    Same even with:
    ./crunch 8 8 ABCDEFGHI | perl script.pl
    Out of memory!
    ABCDEFGHI, that's only 9 letters... and out of memory...
    Why?
    What do I need to do? Which memory am I out of? :) I'm running BT5 KDE 64 with only a 40 GB partition, but trying to export the dictionary to another HDD with more than 700GB.
    How I made the perl script:

    Created a new txt file, saved it as script.pl, edited it, pasted your script, saved. Made it executable by typing chmod u+x /pentest/passwords/crunch/script.pl

    Maybe I did something wrong? (And what's the difference between #!/usr/bin/perl and #!/usr/bin/env perl ???)
    :) Or I need to edit the script, I do not really know.
    And asking for help.
    Thanks in advance!

  56. Whatever it is, it's not the perl, it's not crunch and it's probably not pyrit. I'd be inclined to think that you are using a live cd or something else, or that it's hardware/disk space intensive but anyway:

    2GB RAM, 2.0GHz Intel Core 2 Duo, and a quick 13 second run to wc -l:

    bash-3.2$ cat doubles.pl
    #!/usr/bin/env perl

    foreach my $line (<>) {
        my %unique;
        my $size = grep { !$unique{$_}++ } split //, $line;
        print "$line" if length($line) == $size;
    }
    bash-3.2$ time ./crunch 8 8 ABCDEFGHIJKLM -u | perl doubles.pl | wc -l
    ^C
    real 0m13.428s
    user 0m7.573s
    sys 0m1.010s
    bash-3.2$

    No errors. If I leave it running longer, I still get no errors, but I'm not going to do that when I'm responding to a post.

    #!/usr/bin/env perl is strictly a better way of doing it (my perl isn't in /usr/bin/perl for example, so it wouldn't work).

    So again, you should be doing something like:

    cd /pentest/passwords/crunch
    ./crunch 8 8 ABCDEFGHI -u | perl script.pl | pyrit pyritargumentshere.

    If it's not working for you, but it works on this machine (which is not the machine I developed it on), I'd be leaning towards the OS or how it is booted. YMMV.

  57. ...Thanks, Gitsnik, for everything: time, patience, great script!
    But it's still not working:
    ./crunch 8 8 ABCDEFGHI |perl script.pl >> /root/Desktop/11111.txt
    [ 200.422042] Out of memory: Kill Process 1545 (perl) score 930 or scarifice child
    [ 200.427203] Killed process 1545 (perl) total-vm:6117460kB, anon-rss:5878068kb, file-rss@0kB
    Killed

    Looks like it's using 6GB of DDR3 memory and gets killed after running out of memory.
    Probably you were right, I installed my BT5 KDE 64 on my HDD wrong. I remember I didn't make swap space (maybe that's why).
    I have no idea; I will try your script with BT5 R1 at the end of the week, I guess.

    I know it's not a n00bs forum, so I will try to sort out my problems myself.
    Cheers Gitsnik, you're great! And thanks TAPE for your great job here.

  58. Got a new 500GB HDD, installed from live CD >> instal.sh >> full install BT4:
    /pentest/passwords/crunch# time ./crunch 8 8 ABCDEFGHJ -u | perl script.pl
    Out of memory!
    0

    real 1m50.710s
    user 0m8.706s
    sys 0m1.700s


    Give up!

  59. Don't know what to tell you:

    bash-3.2$ time ./crunch 8 8 ABCDEFGHJ -u | perl doubles.pl
    ABCDEFGH
    ABCDEFGJ
    ABCDEFHG
    ABCDEFHJ
    ABCDEFJG
    ABCDEFJH
    ABCDEGFH
    ABCDEGFJ
    ABCDEGHF
    ABCDEGHJ
    ABCDEGJF
    ABCDEGJH
    ABCDEHFG
    ABCDEHFJ
    ABCDEHGF
    ABCDEHGJ
    ABCDEHJF
    ABCDEHJG
    ABCDEJFG
    ABCDEJFH
    ABCDEJGF
    ABCDEJGH
    ABCDEJHF
    ABCDEJHG
    ........
    AEDJHFGC
    AEDJHGBC
    AEDJHGBF
    AEDJHGCB
    AEDJHGCF
    AEDJHGFB
    AEDJHGFC
    ^C

    real 32m58.859s
    user 1m24.171s
    sys 0m23.512s
    bash-3.2$

    Hopefully useful to someone else. Or, now you can see how I did it, you can try to write your own version.

  60. Hi Gitsnik, thanks a lot for the script, man, it's working :-)

  61. Yes, it's working. BUT...
    I installed perl (ActivePerl) on my Win 7 x64, and I will try my 1.7 GB (only to test) list which I made in Backtrack.
    The list was made in BT4: Crunch 8 8 ualpha
    Let's try to filter unique "words" from that list,
    and in cmd I run:
    C:\Perl64\bin>perl C:\Users\My\Desktop\script.pl C:\Users\My\Desktop\ALL 1.7.txt >> C:\Users\My\Desktop\unique.txt

    (In script.pl I removed the first line to make it work (CAN I?))
    And now I am slowly watching: after 1h 15min I see my RAM running out; now from 6GB only ~950 MB is left free. And I'm sure the process would be killed when my memory ends.
    And I think in that 1.7GB wordlist there are no unique characters, so the unique.txt list would be empty.

    Has anybody made the FULL wordlist? How many gigs, LINES is it? I'll buy it, because I've run out of patience.
    Perl is now using 4.25 GB of RAM; is that normal?
    I have an extra 6GB, so can run 12GB in total, but I don't think that would help me to filter a 1750 GB list.

    Strange: after 2 hours it's still searching for unique "words" in the 1.7GB and using 5GB of RAM, with 1 GB of RAM free. (I'm not out of memory)
    But it's too long anyway. It would be faster to test all possibilities without creating a list in my case, I guess.

  62. Hi Gitsnik! I found the main problem with this perl script. If it's a short list of words, 8 8 ABCDEFGH (144MB), about 3 GB of RAM is enough to filter with the perl script. But if it's a bit bigger, 1GB or 2GB, then it uses swap memory, which is very slow (even if it's 20-30GB), and it will take ages to finish filtering.
    The script works, but why is it using so much RAM?

    I have another challenge for you :)

    For example with:
    ./crunch 8 8 ABCDEFGH | perl script.pl we get:
    ABCDEFGH
    ABCDEFHG
    ABCDEGFH
    ABCDEGHF
    ABCDEHFG
    ABCDEHGF
    ABCDFEGH
    ABCDFEHG
    ABCDFGEH
    ...
    ..
    .
    HGFEDABC
    HGFEDACB
    HGFEDBAC
    HGFEDBCA
    HGFEDCAB
    HGFEDCBA

    With one ABCDEFGH we make 40320 lines (354.4Kbs) of all-unique "words", right?
    So how many ABCDEFGH (QWERTYUI BCDEFGHJ and so on) do I need to create to get all the unique combinations using your perl script afterwards?
    In other words, I need unique words from a unique word list. Do you understand? :) I guess it's not easy, but is that possible?
    So then I can make a lot of small wordlists.
    Thanks in advance

  63. OK, maybe the idea of creating a lot of small wordlists was stupid, because I guess the wordlist would be about 440GB. So it's not a solution.

    I calculated that to get all the unique lines from the 1750GB wordlist using Gitsnik's perl script, I need about 32 TB of RAM or swap space. I need about 18 times more RAM or swap space than the size of the wordlist.
    For example, for a 100MB wordlist I need ~1.7 GB of RAM.
    What am I doing wrong? Or should it be like that?
    I can try to use my 1.5 TB HDD only for swap space, to get the unique lines with the perl script from an 80 GB list. And do the same 21 times like that. (1750/80=21.875)

    I'm not crazy, I just really need that wordlist :)
    Please suggest.

  64. Can that help me somehow?
    http://daemoninc.com/SpeedyCGI/

    SpeedyCGI - Speed up perl scripts by running them persistently.

  65. Is it possible to somehow run Gitsnik's perl script in PDL ("Perl Data Language")? Or is it totally different?

  66. Hello Arthur

    First of all, I believe the TalkTalk default WPA key is not just 8 ualpha; it's a mix of ualpha and numbers, like this: MH4G63GN OR JE4H2H8K OR DF9CM3AR and so on, and mine is something like this: NGG6BDD7. However, all SKY routers come with a default WPA key and all are 8 ualpha, just for your info :-) Please don't hack any network that isn't yours, it's illegal in the UK

  67. Well, I know about SKY and TalkTalk; I was just testing, looking at how it works. I have both a SKY and a TalkTalk router at home ;) And yes, to test my SKY password, it takes 27 days to get a password which starts with Zxxxxxxx for me.. :) I just want to filter the 1750GB wordlist with Gitsnik's perl script down to 440GB and share it with others. But it's not easy; now after 30h I have done only the letter A (67GB), so a long way to go.. :)

  68. Hi, thanks for the excellent tutorial. I need to create a password between 5 to 15 letters using 10 words; the words must be combined to create one single password between 5 to 15.
    Thanks

  69. Arthur/ Brazil 19 August 2011 19:25

    Hi, can somebody help me to create a wordlist using like 5 words, where the length will be between 8 to 15? I don't remember the order and I am not sure if all the words will be in the password, so I need to create passwords with different lengths.

    Replies
    1. It makes no sense to me, but this should help you:
      crunch 8 15 word1 word2 word3 word4 word5

    2. There is no way at the moment

  70. Hi Arthur. Well, nothing is easy to be honest. Tape and Gitsnik are doing their best to help us on here and they are doing really, really great; you can find more info on here about creating wordlists than anywhere else, trust me, you are in the right place :-) And if you want to create unique ualpha chars, the answer to that is sed. And I don't know what you mean by creating a wordlist starting from 5 passwords or 5 characters? You know the WPA key goes from 8 to 63, don't you? :-)

  71. Arther, why are you trying to create a wordlist of 440GB when you can pipe crunch to aircrack, cowpatty, and pyrit? You could save a lot of memory and time by piping crunch :-)

  72. Arthur / Brazil 20 August 2011 04:23

    Hi, thanks for the reply. Here we have two Arthurs: me from Brazil, and the other one, who lives I don't know where. My problem is, I have an encrypted DMG file; I used 256 encryption with a password created by me using a combination of dates and words. Now I don't really know all the words I already used, but I know all the possible words; I just don't remember which ones I used. I know my password has at least 5 characters (possibly 8) and the maximum is 15 characters. I don't know the exact size in characters because I don't remember which words I used from a list. Crunch can generate a password combining a list of words, but the password will be the length of all the words in the list. For example: a password created using the words "car", "dog", "earth" always has 11 characters because it combines the words. I need to create something like 6 to 11 characters, so the program needs to output a password like cardog (6 char), carearth (8 char) or dogcarearth (11 char). Understand?
    Thanks again for the support.

  73. I'm not Arther, I'm Arthur, but anyway thanks for the reply. Well, if you try to pipe it straight to pyrit, you still need lots of RAM. And the testing speed is quite slow! Now I have found a way to get that list (~440GB) quickly compared to what I was doing before. I will write a quick nOOb (same as me) guide when I finish this work, on what I was doing and how long it took me to get that list.
    Thanks Gitsnik again; I know you don't like double posts ;) sorry man :)

  74. UPDATE:
    The unique list from Ualpha (1750GB) using Gitsnik's script would be ~520GB. For example, from the letter A, 64GB (./crunch -t A,,,,,,, -o A.txt ; and after ./script.pl A.txt >> A1.txt), we get a 20GB unique wordlist with only the letter A, so doing the same 26 times = 520GB. Filtering 67.3GB takes about ~7h with an i7 920 overclocked to 3.8GHz + 6GB of 1600MHz RAM.
    Now the problem is that perl is using only one processor thread/core. I did some reading and testing, but my knowledge is still poor.
    So Gitsnik, is it possible to run your script at full multi-core processor speed?
    Thanks man!

  75. This... this is because I like TAPE, because he actually googles his own crap before he asks me a question.

    http://gitsnik.blogspot.com/2011/08/unique-characters-from-crunch-redux.html

  76. Arthur / Thanks 24 August 2011 23:54

    BIG thank you! Now it works like it should! I confirm that the script works on BT5 KDE64.
    Now I can run it 4x (OK.. 3,5) faster!
    For you it was 3 minutes, but you can't imagine what I was trying to do... and how long it took me :)) Every day after work, from 10pm to 5-6am, for about a month I was trying to speed up the process. I formatted all my HDDs for swap space, including SSDs, added more RAM, overclocked more, tried BT5, 4 Final, R1, R2, on 2 computers, and still it didn't work like it should.
    Please understand lamers like us; I'm not stupid and not 18 years old. I have just never ever had BT/Ubuntu, and any of the simplest functions was like hell, especially with BT5, so what to say about perl and memory flow and so on..
    So thanks for your knowledge and for the 3 minutes, and great job again!!!

  77. Hello to all :-)

    A small challenge for an expert, but it's a big fat one for a noob like me :-)

    I would like to create a random wordlist with random characters, with no more than 3 alphabetic on a single line, e.g. like this

    AEOWHDW
    AOJEDOG
    HELSLFW
    JDLRUJD
    RJHFRLD
    KFIROEF and so on
    This allows only 2 characters to be repeated on each line, but not like this,
    FLEFWFTO
    KRJKDWKZ
    GNENDNPE
    YHEHLDHR
    PSGSLEIS
    QJWDWUNW and so on. I just don't want more than 2 characters repeated on a single line. I have been googling until my brain was too googly, and I couldn't find an answer. I know crunch can't do that without sed or grep or perl, but I heard that it can be done, so please, if anyone knows how to do that it will be much appreciated, and thanking you in advance,

    By the way, this blog is one of the best I have come across on the net for word generating, so thanks to anyone who's helping and sharing the knowledge,
    so sorry for my English :-)

  78. When you start to mess with the numbers it gets a bit tricky. Easy enough to do with a basic knowledge of perl (or whatever language). You can do it simpler, it's a simple bit of arithmetic on the print line, but your own source skews it:

    bash-3.2$ cat anon.txt
    AEOWHDW
    AOJEDOG
    HELSLFW
    JDLRUJD
    RJHFRLD
    KFIROEF
    bash-3.2$ perl newdoubles.pl < anon.txt
    AEOWHDW
    AOJEDOG
    HELSLFW
    RJHFRLD
    KFIROEF
    bash-3.2$

    If you do the arithmetic then the line: JDLRUJD doesn't check out because there are 2 J's and two D's. Checking for this case means splitting the line up, parsing it character by character and keeping counts (done by the %unique hash already) and then checking the size of the counts as you go.

    TO THE BOOKS!

    ReplyDelete
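The character-counting check described in comment 78, as an added example: it is not Gitsnik's newdoubles.pl (which is not shown on this page) and not part of the original thread. The function name `filter_repeats` and its two optional limits are assumptions made for illustration; the sample lines are the six quoted in the comments above.

```shell
#!/bin/sh
# Added example, not code from the thread.
# filter_repeats [MAX_REPEATED] [MAX_COUNT]
#   Reads words on stdin and keeps a line only if
#     - at most MAX_REPEATED distinct characters occur more than once, and
#     - no character occurs more than MAX_COUNT times.
#   The defaults (1 and 2) reproduce the rule described in comment 78.
filter_repeats() {
    awk -v max_repeated="${1:-1}" -v max_count="${2:-2}" '
    {
        split("", seen)          # portable way to empty the per-line counts
        repeated = 0
        ok = 1
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            seen[c]++
            if (seen[c] == 2) repeated++      # this character has just repeated
            if (seen[c] > max_count || repeated > max_repeated) {
                ok = 0                        # stop at the first violation
                break
            }
        }
        if (ok) print
    }'
}

# Sample input: the six lines from anon.txt in the comment above.
sample_lines() {
    printf '%s\n' AEOWHDW AOJEDOG HELSLFW JDLRUJD RJHFRLD KFIROEF
}

sample_lines | filter_repeats
```

Because it reads stdin and writes stdout, it can sit after crunch in a pipe in the same place as the perl script.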
  79. Hi Gitsnik

    Thank you so much for your help, i really appreciate, thanks man :-) by the way i wish you the very best with your new life with the wife :-)

  80. Crunch is brilliant!
    That is all.
    ;)

  81. One short question :

    Is there any possibility for Crunch to write only 2 words out of 3?

    Example : my password consists of the words "cat" "cow" and "pig" but i forgot in which order they were. Unfortunately i can only remember that the words were "cat" "cow" "ham" and "pig" - but i know that only 3 of them are contained in my password.

    Is there any command that will use all 4 words but only 3 places for them?

    (example for a solution :
    cathampig
    pigcatham
    cowcatham....)

    ReplyDelete
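One way to produce the list asked for in comment 81, as an added example that is not part of the original thread or of crunch: a small shell/awk helper that prints every ordering of K words chosen from a longer list. The function name `word_perms` is hypothetical; the four words are the ones from the comment.

```shell
#!/bin/sh
# Added example, not code from the thread.
# word_perms K WORD...
#   Prints every ordering of K distinct words taken from the WORD list,
#   concatenated without separators. For n words that is n!/(n-K)! lines.
word_perms() {
    k=$1
    shift
    printf '%s\n' "$@" | awk -v k="$k" '
    # Depth-first build of one candidate; "i" is a local variable.
    function permute(prefix, depth,    i) {
        if (depth == k) {
            print prefix
            return
        }
        for (i = 1; i <= n; i++) {
            if (used[i]) continue      # each word is used at most once
            used[i] = 1
            permute(prefix w[i], depth + 1)
            used[i] = 0
        }
    }
    { w[++n] = $0 }                    # one word per input line
    END { if (k >= 1 && k <= n) permute("", 0) }'
}

# The case from the comment: 3 places, 4 candidate words.
word_perms 3 cat cow ham pig
```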
  82. Hello, if I can help ... I want to get all possible combinations for a password of 14 characters in this form (0e33ykb7nia6p). please show me what command to give the crunch to get absolutely all the combinations (abcdefghjiklmnopqrstwxyz0123456789) password is 14 characters (letters and numbers )..... please help me thank you

  83. For a full list;
    ./crunch 14 14 -f charset.lst lalpha-numeric -o BIG.txt

    If you know the order of characters, then
    you should specify it as it will be one friggin big list.

  84. another thing, I tried the option ./crunch 10 10 -t HELLAS %%%%. I know the passcode, but she changed the last digit. How do I get the last 4 digits from 0000, 0001, 0002 ..... 9999? The above command does not generate what I want, I want the figures to be mixed. Thank you, respect

  85. Your command appears to be correct, so not sure what problems you are having or why ;

    ./crunch 10 10 -t HELLAS%%%% -o hellas.txt

  86. TAPE, thank you for your response but the command (. / Crunch 2:14 p.m.-f charset.lst a BIG.txt lalpha-numeric) does not generate anything really .... please not start another scan to get a password option 14 digits. The password is like (4ok6dff4ywt4zl lower case) that's an example ... I needed a solution with all the letters and numbers mixed, obtaining passwords of 14 characters ... did you understand? if I can help please, I wait for a response, thanks

  87. Thank you Tape. The command ./ crunch 10:10-t%%%% HELLAS a hellas.txt
    worked. I think I didn't give a txt name. Thanks, respect

  88. At anonymous post 16:04;

    Your command there seems to have some unnecessary characters, copy and paste the below ;

    ./crunch 14 14 -f charset.lst lalpha-numeric -o biglist.txt


    The above is the correct command to use for what you want to do, but the resulting wordlist will be FAR TOO LARGE for you to really use..

  89. sorry again, but the command ./crunch 14 14 -f charset.lst lalpha-numeric -o biglist.txt...... is it for small letters or big? because i need it only for small letters, thank you again, you are the best

  90. RTFM ...

    lalpha-numeric is for lower alpha (small letters) and numbers only.

  91. You were right, I took the 10GB already, thank you anyway, i do not think there is another solution for what I need. Thanks

  92. That's because you are generating a list with linecount ;
    6140942214464815497216

    Expected size would be ;
    85787971706103.750 Gigs


    Check out my post on wordlist sizes.. you should check this before even starting something like that ;)

  93. ./crunch 14 14 -f charset.lst lalpha-numeric -o biglist.txt ..... that solution is too big for me, but i need this. Please tell me another, smaller solution, maybe half to generate... if you want to tell me more about crunch please take my messenger id "pancu.boss", i need a solution for this code with 14 digits. I wait for a response, thx, respect

  94. Hi, Thanks for all your good work and sharing.

    I have a wee problem..

    When I run either:

    crunch 8 8 -f /pentest/passwords/crunch/crunch3.1/charset.lst ualpha -u | perl /root/no_triples.pl >> /media/disk1/passlist.txt


    crunch 8 8 -f /pentest/passwords/crunch/crunch3.1/charset.lst ualpha | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d' /media/disk1/passlst.txt

    My passlist stops/completes at 4Gb ! With "sed" it states it's "out of memory."

    (The no_triples.py is Gitsnik's latest update script with dbls allowed, no more.)

    Tried to find Google help, but no luck. When passing the output of crunch we lose the ability to create size-limited files !?

    Not sure why it's 4Gb - happens on 2 separate laptops.. 1 with 2Gb Ram the other 3Gb.

    I could make the big list and then parse it down, (I did actually make the big ~1750Gb list before , but subsequently deleted it!) However it would be nicer to pipe it and end up with a smaller list!

    Any ideas ?

    Thanks in advance...

  95. Sry... Missed a couple of >> out in the sed pipe...

    crunch 8 8 -f /pentest/passwords/crunch/crunch3.1/charset.lst ualpha | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d' >> /media/disk1/passlst.txt

  96. At Anonymous;
    If you want a 14 digit password list, there is no other way to make it 'smaller' unless you know a specific sequence being used..
    That's why longer passwords are better.. instead of 'only' taking up 36gigs to check (as with a hex password) it takes petabytes of data to check..



    At Zonk,

    Very interesting .. I have never tried that but will maybe try to recreate your error and see if I can.
    Usually that type of error would appear when your disk is running full, however considering your post, I can only imagine you have checked that your external drive is not filling up quicker than you thought ;)

    I will have a look and revert.

  97. Heya Zonk,

    I experience the exact same thing when piping through from crunch.

    I hooked up a 16G external drive and in VMplayer started the exact same command as you did ;
    ./crunch 8 8 -f charset.lst ualpha | sed '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d' >> /media/16G/passlist.txt

    After 4GB had been written to disk;
    "sed: couldn't write 8 items to stdout: File too large"
    Will have to dig into this... If you find anything out, please post back!

  98. Hi,
    It was the filesystem. Max file size for Fat32 -> 4Gb.
    We live and learn 8)
    Thanks for reply.
    Z

  99. Hey Zonk, thanks your reply, was coming to the same conclusion as well.
    Lesson learned :)

  100. crunch + Tape = wonderful job :) this is the best place for info, a thank you to everyone shares the knowledge and special thanks to Tape, welldone

  101. Thanks :) appreciate the kind words:D

  102. How can I make a wordlist which contains random chars only? I want to make a list with 13 chars which contains abcdefghijklmnopqrstuvwxyz0123456789. I used
    crunch 13 13 abcdefghijklmnopqrstuvwxyz0123456789 -b 1gb -o START but this isn't a random list at all

    I want something like this

    KOYD6HX4X0HJX
    PL97XBNNQdZTR
    PLXKD1KQE6BBZ
    and so on..

  103. You need to RTFM..

    The command is correct, however what you want to create is not realistically feasible for us mortal humans..

    Check out my post on wordlist sizes, do the calculations yourself..

    ./crunch 13 13 abcdefghijklmnopqrstuvwxyz0123456789

    would result in ;
    170581728179578208256 possible passphrases

    Size of (total) wordlist ;
    2172004491.980 TB
    (Yes, that is TeraBytes)

  104. Yes I know that is why I use option size. I want to make a wordlist what is only 100gb big. Then I make a database from it and use airolib-ng to crack. But how can I make a 13character random password in crunch?

  105. You are not getting it...

    You are creating a wordlist with all possibilities.

    What use is a random 100gigs of randomness when this is only a fraction of the possibilities.

    I think you are not looking at it right.

  106. Yeah I know it, but I'm willing to take a risk with that 1% of chance to get right key in that 1%.

  107. But how would you decide which lines not to include ?

    If you want something like not repeating characters more than X number of times in sequence, then check out my later post on wordlist manipulation.

  108. How can I create birthdays? 01041966 or 20111982 ? First 2 digits the day, next 2 for the month, last 4 for the year.....

  109. Check out my post on creating lists based on dates.

    I wrote a dirty script called "datelist" which does what you want.

    http://adaywithtape.blogspot.com/2011/03/creating-date-wordlist.html

    Hope it helps !

  110. Hi ,

    Is there any way to combine multiple wordlists into a single file?

  111. Sure, first check out my wordlist manipulation post ;
    http://adaywithtape.blogspot.com/2011/07/wordlist-manipulation-revisited.html

    To combine the wordlists "list1.txt, list2.txt, list3.txt" you can use cat ;

    cat list1.txt list2.txt list3.txt > combined.txt
    or
    cat *.txt > combined.txt
    or
    cat list*.* > combined.txt
    or
    for all files in a certain directory ;
    cat /directory/* > combined.txt

  112. Tape,
    I have generated a ./crunch 4 4
    Where do I find the wordlist.txt?
    It is not in my root file manager/ Places>Home folder

    I use Gnome with Backtrack5

  113. Hi,
    how can i make numeric password list from 0500000000 to 0569999999 . plz help me.. thnx

  114. Hey there,
    You have to specify to write to file with the -o switch.

    If you did that and created the wordlist from the crunch directory without specifying any other location,
    then you will find the wordlist in that same directory ;

    so try;
    cd /pentest/passwords/crunch
    ls

    This should show you all files and also your wordlist.txt


    To specify the location to root or whatever ;
    ./crunch 4 4 -o /root/wordlist.txt

    Hope clear.

  115. For creating numerical password from 0500000000 until 0569999999 do ;

    ./crunch 10 10 -t 05%%%%%%%% -e 0569999999 -o wordlist.txt

  116. thnx TAPE for your kind info. but i have backtrack 3 final.
    "./crunch 10 10 -t 05%%%%%%%% -e 0569999999 -o wordlist.txt" it's not working in BT3 final.

  117. Hey there,

    Yeah, then you will have to remove the -e 0569999999 as this only works on the latest version of crunch, not sure what version of crunch is included in BT3, but the below should work ;
    ./crunch 10 10 -t 05%%%%%%%% -o wordlist.txt

    The -e option would have saved you quite a bit of space though, so my advice ;
    Download the latest version of crunch ;
    http://sourceforge.net/projects/crunch-wordlist/

    and install manually.

    Would also suggest you update to BT5..

  118. Many many thanks...

  119. Hello. I`m trying to make a wordlist but i need to look like ...

    10 digits 0 0 0 0 0 0 0 0 0 0
    and.... 1st to be between 5 and 9
    2nd to be between 0 - 9
    3rd + 4th to be between 01 - 12
    5th + 6th to be between 01 - 31
    and for last 4 to be full range 0000 - 9999
    any ideas? :D

  120. Crikey... ;)

    What you would need to do is make a list of dates from 01010000 in the format "mmddyyyy" for the last 8 characters.

    Then prefix 0-9 to that list, and then prefix 5-9 to that resulting list.


    I am more or less ready to release v0.3 of WLM (see my post on wordlist manipulation revisited) which, with the included updated 'datelist' function, could help you with this.

    Have tested the datelist from 0000 - 9999 in format mmddyyyy and it works OK.

    Prefixing the other digits seems to be taking a loong time.

    Will have to revert after testing fully and maybe will include some more options to cover this query in WLM.

    Not quite ready to release it though, need some more testing.

  121. LOL, its been going for around 30min and is only around 1/3 of the way
    on the prefixing of the 0-9 to the datelist, but
    seems to be working.

    I am running this on a VM to test, so if you have a HDD install it would probably be quite a lot faster.

    Also, I would seriously wonder about whether having 10 thousand years is really a requirement ?

    The final wordlist will probably be around 1,2GB, so if you can shave off a couple of thousand years on the dates it would help a lot with the time frame.

    Ah well, most interesting thing is that it appears to be possible following my initial ideas.

  122. its not only for years :)

    format is yy/mm/dd/%%%% :) and i need it for over 60 yy :) and for % to be 0123456789
    I hope to be more clear now :) this will cut more of the lines i think...or if its too big ill make it for 80+ years

  123. ahhh,

    haha, well my VM has been rockin it for about 3 hours and has just finished prefixing the 0-9.

    Yeah if you had told me that before I could have tested it tonight.
    Now will have to wait until tomorrow night as there may be a different way to make it.

    (I am thinking of creating a datelist based on yymmdd then simply suffixing 4 sets of numeric values as in my Wordlist Manipulation post, you can probably do what you want with the info on that post)

    Wordlist with the 1st % prefixed is about 287MB
    Format so far ;
    %mmddyyyy (but of course the yyyy is same as %%%% as it was done from 0000 - 9999)

    Now just need to include the 5-9 to get the final ;
    %%mmddyyyy (or for you yymmdd%%%%)

    Will let it run overnight and see what pops out ;)

  124. In the meantime you could try it yourself as follows ;

    Get my datelist program (you can find it if you go through the previous posts)
    Create a datelist as you want.

    Then either get my WLM program and use that to try to suffix 4 fixed numeric values in sequence to the datelist,
    or else use the code to do the same which you can also find on the post on Wordlist Manipulation Revisited.

    Let me know what works ;)

  125. I`ll try it in next couple of days and "feed-you-back" :D

  126. actually all u need is the datelist script, this also has the option to append numbers,
    forgot about that :)

    check out the video , it shows it all.

  127. Hey again, my initial test failed ;
    making datewordlist, then prefixing 1 and then prefixing another, resulted in the last prefixing stage giving an error.
    (it disappears off screen too quickly, but I am assuming it has something to do with memory).
    Now knowing what you need, it is of course a terribly inefficient way of trying to make it anyway..

    So I tried with datelist, making a datelist from 1950 to 2010 ;

    ./datelist -b 1950-01-01 -e 2010-12-31 -f yymmdd -o test

    Then after that was created used datelist again to suffix 4 numeric values in sequence with the option ;
    ./datelist -A
    Choosing 'test' as input file
    Choosing to append 4 numeric values in sequence
    Choosing 'test_plus_numbers' as output file

    That worked fine and only took about 5 - 10 minutes, extract of final wordlist info from WLM ;


    Wordlist Manipulator v0.3
    File information
    ----------------
    Enter /path/to/wordlist: test_plus_numbers

    Gathering information on file, please be patient..

    File type: ASCII text
    Wordcount/number of lines: 222800000
    Maximum word/line length: 10

    File size
    ---------
    B (Bytes) = 2450800000
    KB (Kilobytes) = 2393359.37
    MB (Megabytes) = 2337.26
    GB (Gigabytes) = 2.28

    Example of file entries
    -----------------------
    5001010000
    5001010001
    5001010002
    ..
    1012319997
    1012319998
    1012319999



    Soo... give datelist a shot ;)

  128. Also just released wlm_v0-3 which has all you
    would need included as well.

    Give it a shot ;
    http://adaywithtape.blogspot.com/2011/07/wordlist-manipulation-revisited.html

    http://www.mediafire.com/file/xhrb7e7iksrhfpk/wlm_v0-3

  129. Thanks for your outstanding work on helping others, Tape and co!

    Here is my problem. I've been trying to accomplish scenario like d.posnas posted previously.

    I know that a password I need to figure out contains 13 characters, 3 of them are numbers and rest of them (10) are UPPERCASE letters, all in random order.

    I do have a python script going through a wordlist line by line and figuring if there are 3 numbers in that line and if so, writes that line to another text file. After wordlist is finished, I need to remove that wordlist file to free some space, generate next and start python script again. This seems to be fairly speedy way considering the amount of data, but I assume it would be much faster and would take so much less space if I could do some piping. I'm not that familiar with Perl to make something of my own. Any ideas?

  130. Heya Esimerkki,

    Am gonna have to think about that ;)

    Reverting.. or waiting for a clever soul to give feedback !

  131. OK, so may have found something for ya ;)
    backslash to break the line and keep it nice and tidy,
    otherwise I tend to get confused.. ;)

    ./crunch 13 13 -f charset.lst ualpha-numeric -u |\
    sed -n -e '/[0-9].*[0-9].*[0-9].*[0-9]/d' -e '/[0-9].*[0-9].*[0-9]/p' > file.txt

    or

    ./crunch 13 13 -f charset.lst ualpha-numeric -u |\
    nawk 'gsub("[0-9]","&",$0)==3' > file.txt


    I don't suppose I need to mention that the file size will be intimidating.. ;)


    Credit for the above to expertise from unix.com;
    http://www.unix.com/unix-dummies-questions-answers/174468-only-print-lines-3-numeric-values.html

  132. I've got no question to ask here I just wanted to say thank you to both Tape and Gitsnik. I've learned far more reading these posts than the crunch documentation.
    Thanks :)
    Firecul

  133. :)
    Thanks for the kind words !

  134. Dude, amazing. Thank you so much. You definitely need a "Donate" button on your site!

  135. HAHA :)
    The evil side of me is halfway considering that ;)

  136. is there any benefit of piping crunch through pyrit over piping it through aircrack-ng?

  137. or any benefit of using cowpatty over pyrit or aircrack?

    Replies
    1. Depends on your setup and whether you have CUDA/Crossfire capabilities.

      Do a few tests on a test pcap file and check what speeds u get,
      u will see a difference between the different proggies.

  138. thanks for the reply, TAPE!

    i do not believe i have any cuda capabilities in my lenovo x201t, because i don't think it has any nvidia components.

    right now i am getting ~1200 keys/second, and since i am trying to get a 10 digit numeric password (10 billion possibilities), it's going to take roughly 100 days to try every combination (does this sound about right? or does this sound too slow?). I've had my aircrack running all night, and i don't think i want to stop in the middle because I am not sure if i am savvy enough to resume where i stop. is there a way for me to run crunch in multiple shells and pipe it to different proggies at the same time? maybe start one from 9999999999 and count down, and have another start at 0000000000 and count up?

    Replies
    1. I would say that running multiple instances will slow it down quite a bit but on the other hand you are splitting your chances which may be beneficial in the end.

      So why not try as you suggested with one instance running up ;
      ./crunch 10 10 0123456789 -u | aircrack-ng blah blah

      and another instance running down ;
      ./crunch 10 10 9876543210 -u | aircrack-ng blah blah

    2. A month late but you may want to give the following a try.

      ./crunch 10 10 0123456789 | aircrack-ng -e ESSIDNAME -w - ESSIDNAME-01.cap

      --Weeper

    3. 1st
      ./crunch 10 10 -f charset.lst numeric -u | aircrack-ng blah blah
      2nd
      ./crunch 10 10 -f charset.lst numeric -i -u | aircrack-ng blah blah

  139. hey tape, thought u'd like to know that aircrack was doing 1200 k/s, cowpatty was doing 250 k/s and pyrit is doing 1650 k/s. i tried running crunch via aircrack in one shell and then crunch via pyrit in another, and it did slow down my pyrit to about 1200 k/s and my aircrack was going at 450 k/s, so there was no increase in performance.

    i was wondering do u think it would make a difference if i was piping crunch to pyrit, and then to cowpatty... i saw a video where someone else piped to two programs consecutively, but i wouldn't know how to write up that command.

    also, do u think an external video card for my laptop would help speed up the computing power? would such a device work on a usb booted BT4? (i am referring to something like this: http://www.notebookreview.com/default.asp?newsID=5846&review=how+to+upgrade+laptop+graphics+notebook ) if i could speed up my processing by a power of 10, it might be worthwhile investment to increase my GPU power.

    thanks for all the help TAPE!

    Replies
    1. Heya,

      I think I remember the video you are talking about, but can't remember what
      it was actually doing.. (post link if you find it)

      To be honest, getting all kind of external equipment is going to get a bit messy and although additional GPU power (if compatible) will certainly help, unlikely that the increase in performance will bowl you over..

      I would still say its best to pipe crunch through pyrit with 1 instance going from 0 - 9 and another instance from 9 - 0 so that you are increasing your chances.

      But realistically.. you may wanna pick up an extra paper round and get a different system more suited to the number crunching stuff ;)

    2. For your interest, with my setup with a nVidia GTX590 it would take
      me approx. 1day 20 hours to crack a 10 digit numeric value with oclHashcat-plus.

      If you have an ATI card of the same caliber it would probably be able
      to be done in under a day with oclHashcat.

      I stand fully corrected, I am bowled over by the performance increase
      when using oclHashcat ;)

  140. please i need help does someone know how to save the word list to my hard disk???? because every time it save in root 1.9 GB so please answer

  141. Need more info.. you are not giving enough to
    merit an answer.. but ;

    Use the -o switch to point the output file to the correct location then.
    It is not rocket science.
    Even if you have the file 'in root' then why not simply copy it to wherever ?

    Replies
    1. i know but what should i write if i want to save it to C:?

    2. Still insufficient information..


      You need to mount whatever your C drive is in backtrack, then specify that location with the -o switch in crunch.

      If you can't figure out how to mount your C drive from within
      BackTrack then I think you may be playing with the wrong OS..

  142. Any help on doing a list with only 10 digits and starting with 812
    ??? Thanks for help
    ex: 8125336097
    812XXXXXXX etc etc

    Replies
    1. Man, that is too easy...please make the effort to actually read the post
      if you are going to take the time to ask a question..

      ./crunch 10 10 -t 812%%%%%%% -o wordlist.txt

      Look in the post on how to create telephone number lists as it looks
      like that is what you are trying..

    2. My Apologies, Thank you!

    3. ;) anytime , sometimes it takes a while to get used to reading through
      a lot of cr@p and sifting out the relevant info..

  143. very nice blog,,, my friends would ask. I want to make a wordlist of 10 digits but the memory is weak, how the release can be stored on my hard drive using bt4

    Replies
    1. Well first you would need to ensure that your local harddrive is mounted.

      So go to Konqueror for instance and click on the harddrive where
      you have the space or where you want to save the wordlist.
      By clicking it, you should automatically mount it and open it.


      Make sure you take note of the name of the harddrive and then use
      the following command ;

      ./crunch 10 10 -t %%%%%%%%%% -o /media/hardrive-name/wordlist.txt


      Note that the size of such a wordlist is enormous (+- 102GB !)

      It may be a better idea to pipe that through crunch into aircrack or whatever.


      I will soon be making a post on the use of Maskprocessor and oclHashcat which is probably the best way to do this kind of thing ;


      In windows for instance in my case;
      mp64.exe -i --increment-min=8 --increment-max=10 ?d?d?d?d?d?d?d?d?d?d | cudaHashcat-plus64.exe -m 2500 capture.hccap

  144. Replies
    1. Well I hope I answered you question OK ;)

      Play Nice with what you know !

  145. hi i want to ask how the tape to make wordlist as the example below

    000
    000
    000
    000
    000
    000
    000
    000
    000

    . / crunch 7 7 000 but does not work

    Replies
    1. This pleases the Tape :D


      I am sorry but I have no idea what you want to accomplish,
      a file filled with 3 character words existing solely out
      of zeroes .. ??

      You will have to provide a better example of what you want to
      have as final wordlist, 9 lines of 3 zeroes makes no sense to me.


      This pleases Technoviking

    2. To obtain a wordlist of 3zero line the only way is
      ./crunch whatthef**knumber whatthef**knumber -p 000
      but it will generate only six lines
      Crunch will now generate the following number of lines: 6
      000
      000
      000
      000
      000
      000

      but there are no possibilities to have 7char password of zero directly.

  146. I wanted to incorporate a combination attack like the example below

    000 0000001
    000 0000002
    000 0000003

    and so on

  147. Ahh, now I understand ;)

    if that is the exact syntax and number of characters (perhaps for telephone list ?) then you could do

    ./crunch 11 11 -t "000 %%%%%%%" -o tel.txt

    In the above the "" are required to include the space in the output.

    If this isn't what you meant, and just want to prefix each word in a wordlist with '000' check out my post on wordlist manipulation revisited and download WLM_v0-3


    FURTHER, if it is what you meant, the above blogpost clearly shows how to make telephone lists... read up !

  148. Thank you
    i want to create password list that Contains 10 characters that start with 9 numbers and the last characters is Letter like 736398888k & The first 2 numbers is 73

    Replies
    1. Hey there,

      Really all the information you need is in the post... but anyway ;

      ./crunch 10 10 -t 73%%%%%%%@

      So with the above you are specifying ;

      > min / max 10 characters
      > -t switch to specify the placeholders ;
      first 2 characters '73'
      3rd to 9th character numbers from 0-9 (using the % placeholder)
      last character to be lower case alpha from a-z (using the @ placeholder)

  149. Hey TAPE,
    I followed your link from the Backtrack forums, great guide! Well done indeed.
    I actually already knew how to use crunch, but I was looking for a solution to a problem I have and was hoping you could help;

    I've been trying to make phrases 8 chars all upper case letters (ualpha) but without two of the same letters next to each other (AAAAAAAB or ZZZAAAZZ for example), problem is using the -p option crunch always creates phrases 26 letters long.
    I've tried "cheating" crunch into doing what I want by using
    ./crunch 8 8 -t ,,,,,,,, -p ABCDEFGHIJKLMNOPQRSTUVWXYZ
    that just causes crunch to hang (no big surprise there!). The closest I've got here is using;
    ./crunch 8 8 -s ABABABAB -e ZYZYZYZY -f charset.lst ualpha
    But all that really does is cut the junk off of the beginning and the end.

    Could you help me with a solution? Maybe using crunch to generate the phrases and pipe it to something else to filter out the unwanted phrases?
    Thanks in advance.

    Replies
    1. Hey there,

      This was a request to be included in crunch for quite a while and bofh28 included this feature in crunch v3.2 with the -d switch.

      So first of all make sure you have the latest and greatest version of crunch and then try the following syntax (from crunch directory);

      ./crunch 8 8 -f charset.lst ualpha -d 2,


      That should do what you want.

      As an alternative on an existing wordlist, check out my post on wordlist manipulation revisited.
      There are some options mentioned there as well.

    2. ./crunch 8 8 -f charset.lst ualpha -d 2,
      wrong solution!

      ./crunch 8 8 -f charset.lst ualpha -d 2@

    3. ./crunch 8 8 -f charset.lst ualpha -d 0@
      This should be quicker

  150. Hi Tape,

    Just wanted to say thank you for the great guide

    Sincerely,

    SS

    Replies
    1. Glad you like the post and thanks for the thanks ;)

  151. Hi Tape,

    You know that with LM hashes, the plaintext gets converted to uppercase before going through some DES operations. With LM rainbow tables, a password of, say, "Password123AbCdE" will be revealed as "PASSWORD123ABCDE". My question is thus, given the uppercase-d variant of the password, how do I generate a list of all possible passwords with the letters having an upper and lower-case variant?

    I was thinking if the charset or regex expression should be something like [pP][aA][sS][sS] etc.. but does that make sense? In this case, we (kind of) know the characters as well as the positions, so the resulting dictionary shouldn't be large at all. I hope there is an elegant solution for this. Thanks, and kudos for the great post! :)

    Replies
    1. Hey there,

      Have a look at the post I made last year July "wordlist manipulation revisited"

      Possibly that will give you some ideas on how to progress further, if not then feel free to come back again (but please comment in that post as this is not really related to crunch)

      Laters - TAPE

    2. Hi,

      I've looked through your "wordlist manipulation" post, and I don't quite see why my question isn't related to crunch. Firstly, crunch *is* for wordlist generation, and that is what I'm trying to do. Secondly, I'm presuming your post on wordlist generation is to enhance or filter existing wordlists. Coming back to my example of generating permutations of upper/lower case of all letters in the string "PASSWORD123ABCDE", I could possibly limit the charset to "pPaAsSwWoOrRdD123bBcCdDeE", and then use a regex to extract out the strings which match the character position required, but that seems a tad excessive. Any ideas, again, would be greatly appreciated. Thanks for the response!

    3. Ahhh, now I think I better understand what you were looking for ;)
      My bad, wasn't clear on it before.

      So string length is known, as is the position and type of characters in the passphrase, correct ?

      I will have to think about it, will revert !

    4. Just thinking about it a bit and I don't think crunch is going to be of much help in such a case in view of the number of variables.

      Even maskprocessor is only able to fix a maximum of 4 user defined charsets, so don't see an option there either.

      Basically I am thinking that a script would need to be made to
      take a passphrase as input and as output list all possibilities
      with Upper and Lower case of the letters at their given position.

      Fun project ! (the wife says thanks.. ;) )

      When some free time comes up will give it a shot as this sounds like quite a handy thing to have and shouldn't be too difficult.

      Possibly even a wordlist tool such as cewl may help ? am not able to dig into anything at the moment, but will revert.

      Laters - TAPE

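The script described in the last reply of this thread (passphrase in, every upper/lower-case spelling out, positions fixed), as an added example that is not code from the post or from crunch. The function names are hypothetical; the sample string is the one quoted in the comment.

```python
import string
from itertools import product


def case_variants(recovered):
    """Yield every upper/lower-case spelling of `recovered`, positions fixed."""
    # Each ASCII letter contributes two choices, every other character one.
    choices = [
        (ch.lower(), ch.upper()) if ch in string.ascii_letters else (ch,)
        for ch in recovered
    ]
    for combo in product(*choices):
        yield "".join(combo)


def variant_count(recovered):
    """Size of the resulting list without generating it: 2 ** (number of letters)."""
    return 2 ** sum(ch in string.ascii_letters for ch in recovered)


def write_variants(recovered, path):
    """Write one candidate per line to `path`; returns the number of lines written."""
    written = 0
    with open(path, "w", encoding="ascii") as out:
        for candidate in case_variants(recovered):
            out.write(candidate + "\n")
            written += 1
    return written


if __name__ == "__main__":
    sample = "PASSWORD123ABCDE"  # upper-cased string quoted in the comment
    print(variant_count(sample), "candidates; first five:")
    for _, candidate in zip(range(5), case_variants(sample)):
        print(candidate)
```

The list doubles with every letter and digits add nothing, so the 13 letters in the sample give 8192 lines.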
  152. I would like to generate a wordlist of 24 char (HUGE) lalpha-numeric with
    up to 8 aeiou
    up to 4 numbers
    presence of bcdfghjklmnpqrstvywz from 16 to 24
    no number followed by any other number
    and presence of single char as in the following sed script

    #!/bin/sed -nf
    /[aeiou]{8,}/d
    /[0-9]{4,}/d
    /[bcdfghjklmnpqrstvywz]{,15}/d
    /[0123456789][0123456789]{1,}/d
    /[a]{4,}/d
    /[e]{4,}/d
    /[i]{4,}/d
    /[o]{4,}/d
    /[u]{4,}/d
    /[0]{3,}/d
    /[1]{3,}/d
    /[2]{3,}/d
    /[3]{3,}/d
    /[4]{3,}/d
    /[5]{3,}/d
    /[6]{3,}/d
    /[7]{3,}/d
    /[8]{3,}/d
    /[9]{3,}/d
    /[b]{5,}/d
    /[c]{5,}/d
    /[d]{5,}/d
    /[f]{5,}/d
    /[g]{5,}/d
    /[h]{5,}/d
    /[k]{5,}/d
    /[j]{5,}/d
    /[l]{5,}/d
    /[m]{5,}/d
    /[n]{5,}/d
    /[p]{5,}/d
    /[q]{5,}/d
    /[r]{5,}/d
    /[s]{5,}/d
    /[t]{5,}/d
    /[v]{5,}/d
    /[y]{5,}/d
    /[w]{5,}/d
    /[z]{5,}/d
    /[a][a]{1,}/d
    /[e][e]{1,}/d
    /[i][i]{1,}/d
    /[o][o]{1,}/d
    /[u][u]{1,}/d
    /[b][b]{2,}/d
    /[c][c]{2,}/d
    /[d][d]{2,}/d
    /[f][f]{2,}/d
    /[g][g]{2,}/d
    /[h][h]{2,}/d
    /[l][l]{2,}/d
    /[k][k]{2,}/d
    /[j][j]{2,}/d
    /[m][m]{2,}/d
    /[n][n]{2,}/d
    /[p][p]{2,}/d
    /[q][q]{2,}/d
    /[r][r]{2,}/d
    /[s][s]{2,}/d
    /[t][t]{2,}/d
    /[v][v]{2,}/d
    /[y][y]{2,}/d
    /[w][w]{2,}/d
    /[z][z]{2,}/d

    /pentest/passwords/crunch/crunch 24 24 -f /pentest/passwords/crunch/charset.lst lalpha-numeric -u -d 0% -d 2@ -s abcdefghijklmnopqrstuvwx|sed -f sedscriptover


    but I could not be able to add

    Replies
    1. ops...
      add the presence of consonants from 10 to 14. could you help me?

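The limits listed in comment 152 are totals per word, while an interval such as `[aeiou]{8,}` only matches eight of those characters in a row, so a filter that counts is shown here as an added example (not the commenter's script and not part of crunch). The default limits are one reading of the comment and its reply, taken as assumptions; the sample words are constructed.

```python
import re
from collections import Counter

VOWELS = "aeiou"
DIGITS = "0123456789"
CONSONANTS = "bcdfghjklmnpqrstvywz"  # set exactly as listed in the comment

# Adjacency rules from the sed script: two digits in a row, a doubled vowel,
# or the same consonant three times in a row.
ADJACENT = re.compile(r"[0-9]{2}|([aeiou])\1|([bcdfghjklmnpqrstvywz])\2\2")


def accept(word, max_vowels=8, max_digits=4, consonants=(10, 14)):
    """Return True if `word` meets the total, per-character and adjacency limits."""
    counts = Counter(word)

    def total(group):
        return sum(counts[c] for c in group)

    if total(VOWELS) > max_vowels or total(DIGITS) > max_digits:
        return False
    if not consonants[0] <= total(CONSONANTS) <= consonants[1]:
        return False
    # Per-character caps: a vowel at most 3 times, a digit 2, anything else 4.
    for ch, n in counts.items():
        cap = 3 if ch in VOWELS else 2 if ch in DIGITS else 4
        if n > cap:
            return False
    return ADJACENT.search(word) is None


def run_regex_rejects(word):
    """What a run-based pattern sees: True only for 8+ consecutive vowels."""
    return re.search(r"[aeiou]{8,}", word) is not None


# Constructed 24-character samples: within limits, 9 scattered vowels, adjacent digits.
SAMPLES = [
    "bacedifoguhajek1lmnp2rsi",
    "bacedifoguhajeki1lmop2rs",
    "bacedifoguhajek12lmnprsi",
]

if __name__ == "__main__":
    for word in SAMPLES:
        verdict = "accept" if accept(word) else "reject"
        print(word, verdict, "run-regex rejects:", run_regex_rejects(word))
```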
  153. Very very nice blog, and a very patient admin who is answering all the questions which have already been answered or explained right at the top. Anyway, thanks Tape, lots of info, and thanks to the others who helped on here too. Very good work.

  154. I tried to use crunch but was not successful; I was trying to hack WPA.

  155. Hi, thanks for this tutorial, it helped me a lot. But I'm still stuck on one problem. I'm trying to make a wordlist that is a combination of syllables like this (ba be bi bo bu by fa fe fi fo fu fy,... and so on) to make 4-syllable passwords like:
    wabizotu
    kasemijo
    tucolawa
    semitajo
    etc..
    I already wrote a wordlist of these consonant/vowel combinations. Can you help me please with the command?

    Replies
    1. You may want to have a look at Maskprocessor which allows the use of custom charsets to an extent.

    2. thx, I'll take a look at it.

  156. Awesome post!! By the way, crunch works fine on Ubuntu 12.04 x64.

  157. Hi, I don't understand how to save password.lst on the computer. I want to make password.lst and save it on a USB card. Can someone help me?

    Replies
    1. You really must have spent 0 minutes looking up your question...

      example;
      ./crunch 6 6 -f charset.lst numeric -o password.lst


      You will have to put more effort into learning how this works.

    2. For saving to usb drive;

      ./crunch 6 6 -f charset.lst numeric -o /media/USB-Drive/password.lst

  158. Hi Tape, you do an awesome job man .... I'm a noob so I read everything in your blog but I didn't find (I could be wrong) what I needed ... I want to pipe crunch with aircrack and get a pass with a to z from 8 to 10 characters long without the same letters beside each other ... (sorry about my English) I do that ..../pentest/passwords/crunch# ./crunch 8 10 abcdefghijklmnopqrstuvwxyz | aircrack-ng /root/Mycapfile.cap -e MyESSID -w ... I got passes with only 8 letters and I don't know how to get rid of double letters ... I don't want, for example: *****aa* or *dd***** or bb**gg**** ... is that possible? Thanks a lot for your answers in advance ... I've learned a lot by reading you but not enough to do what I want ... thanks again !!!!

    Replies
    1. Have a peek at the later blogpost "wordlist manipulation revisited".
      There is quite a bit of info there that may help you.
      I also try to update it when I get interesting queries (and can give answers)
      to interesting manipulation options.

    2. OK, I think I should have read your comment better..

      You can try using the -d switch in crunch, this will allow you to limit
      the number of consecutive letters in the word.

      Play around with a small wordlist first and then move on to the big ones.. ;)

      I have strangely been having a bit of trouble with ;
      ./crunch 8 8 -f charset lalpha -d 1@
      which should limit the produced wordlist to words with no double adjacent characters.. but doesn't seem to.

      Will test more.

  159. Thank you .... it looks like you LOVE that stuff hey !!!! Other question: to get 8 to 10 chars ... I have to do one with 8 8, a second with 9 9 etc ... I guess? Thanks a lot again, you rock man !!!!!!

    Replies
    1. Well actually to create the wordlists in increments from 8 to 10 characters with crunch, you would do as follows ;

      ./crunch 8 10 -f charset.lst lalpha

  160. Thanks again .... will it do the 8 chars and after that 9 and 10? Maybe I stopped to check too early and it was doing the 8 chars .... I can't test right now, my other comp is working :-) THANK YOU AGAIN AND AGAIN for your time ....

    Replies
    1. Yes it will, so it will do
      aaaaaaaa
      ..
      zzzzzzzz
      aaaaaaaaa
      ..
      zzzzzzzzz
      aaaaaaaaaa
      ..
      zzzzzzzzzz

      Be aware of the size though !
      Creating lists like this is not always the best way to go, and doing it on the fly may be a better option depending on what you are trying to do.

  161. hi TAPE, I don't know if there is a bug in crunch's estimation of output file size? try this to see the result:

    example 1
    crunch 8 63 -f charset.lst numeric

    example 2
    crunch 8 63 -f charset.lst mixalpha-numeric

    The estimated output in example 1 is GREATER than example 2! how come?

    regards,
    Jimpipe

    p.s. I'm using crunch to estimate how long it take to crack my WPA key, it works quite accurately in my experiments by using crunch 8 8 -f charset numeric

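The exact sizes for the two commands in comment 161, and for the `8 8 numeric` list used there to time a WPA key audit, worked out with arbitrary-precision integers as an added example (not crunch's own code). The one-newline-per-word byte count and the 64-bit comparison are assumptions of this example; whether a fixed-width counter is what produced the estimate in the comment is not established on this page.

```python
UINT64_MAX = 2**64 - 1
CHARSETS = {"numeric": 10, "mixalpha-numeric": 62}  # number of characters in each set


def word_count(n_chars, min_len, max_len):
    """Exact number of lines for word lengths min_len..max_len."""
    return sum(n_chars ** n for n in range(min_len, max_len + 1))


def byte_count(n_chars, min_len, max_len):
    """Exact size in bytes, assuming one newline after every word."""
    return sum(n_chars ** n * (n + 1) for n in range(min_len, max_len + 1))


def largest_max_len_in_64_bits(n_chars, min_len):
    """Largest max_len whose byte count still fits an unsigned 64-bit integer."""
    max_len = min_len - 1
    while byte_count(n_chars, min_len, max_len + 1) <= UINT64_MAX:
        max_len += 1
    return max_len


def seconds_to_exhaust(words, keys_per_second):
    """Whole seconds needed to try every word at a measured rate, rounded up."""
    return -(-words // keys_per_second)


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        lines = word_count(size, 8, 63)
        size_bytes = byte_count(size, 8, 63)
        print(f"{name}: about 10^{len(str(lines)) - 1} lines, "
              f"about 10^{len(str(size_bytes)) - 1} bytes, "
              f"fits in 64 bits: {size_bytes <= UINT64_MAX}, "
              f"largest max length that fits: {largest_max_len_in_64_bits(size, 8)}")
    # 1000 keys per second is a constructed rate; substitute a measured one.
    print("8 8 numeric:", word_count(10, 8, 8), "lines,",
          byte_count(10, 8, 8), "bytes,",
          seconds_to_exhaust(word_count(10, 8, 8), 1000), "seconds at 1000 keys/s")
```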
  162. hey me again :-) I did this .....ot@root:~# /pentest/passwords/crunch/crunch 8 8 abcdefghijklmnopqrstuvwxyz -d 1@ -u | aircrack-ng blabla.cap -e blabla -w- .... and with a quick ctrl-c it stopped at ' aaebuffa ' I'm beginning to like it too !!!! :-)


 