Creating Wordlists with Crunch on Kali Linux

crunch kali brute force password attack


Wordlists are a key part of brute force password attacks. For those readers that aren’t familiar, a brute force password attack is an attack in which an attacker uses a script to repeatedly attempt to log into an account until they receive a positive result. Brute force attacks are fairly overt and can cause a properly configured server to lock out an attacker or their IP.

This is the point of testing the security of log in systems this way. Your server should ban attackers that attempt these attacks, and should report the increased traffic. On the user end, passwords should be more secure. It’s important to understand how the attack is carried out to create and enforce a strong password policy.

Kali Linux comes with a powerful tool for creating wordlists of any length. It’s a simple command line utility called Crunch. It has simple syntax and can easily be adjusted to suit your needs. Beware, though, these lists can be very large and can easily fill an entire hard drive.

Generating a List

To get started, open up a terminal. Crunch is already installed and ready to go on Kali, so you can just run it. For the first list, start with something small, like the one below.

# crunch 1 3 0123456789

Alright, so the line above will create a list of every possible combination of the numbers zero through nine with one two and three characters. To reiterate, the first number is the smallest combination of characters. In this case, it’s a single character. This is a bit unrealistic, since no one should have a one character password, and not site should allow it.

The second number is the longest combination of characters. This time, it’s three. So, Crunch will generate every possible combination of three of the characters provided.

The last part there is the list of all characters that Crunch will use to make the combinations. This list is relatively small, so feel free to run it, but as soon as you start adding more characters or increasing the maximum combination size, the overall size of the list will explode.

The scenario above isn’t all that realistic, though it might be applied to the pin combination to unlock a phone or something of the sort. A more realistic list could be generated with the following linux command.

# crunch 3 5 0123456789abcdefghijklmnopqrstuvwxyz

That command will generate all possible three, four, and five character combinations of the numbers zero through nine and the alphabet using lower case characters. Even though the passwords generated will be short, the list will be absolutely massive.

Now, if you had the hardware and resources to really try to test the security of passwords, you may run something like the command below.

# crunch 3 10 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

BEWARE! Do not try to run that. It will generate a file that will easily fill your entire hard drive and be virtually unusable with normal hardware. However, if someone were able to use it, it could test every password with every combination of three to ten characters using all numbers and both the lower and upper case alphabet.

Capturing the Output

What you’ve seen so far is just outputting numbers onto the screen. That’s obviously not very useful. After all, you’re supposed to be generating a text file to use with another program. Crunch as a built-in flag for generating output in the form of a text file.

# crunch 3 5 0123456789abcdefghijklmnopqrstuvwxyz -o Documents/pass.txt

Just by adding the -o flag and specifying a destination, you can create your wordlist in the form of a properly formatted text file.

There is another way to handle this, though. Say you already have a good word list with popular bad passwords. There’s actually one installed on Kali by default at /usr/share/wordlists called rockyou.txt. You just have to decompress it. What if you wanted to add your generated wordlist onto rockyou.txt to test additional possibilities in one shot. You can. Just redirect the output of Crunch into the file.

# crunch 3 5 0123456789abcdefghijklmnopqrstuvwxyz >> /usr/share/wordlists/rockyou.txt

The file will be very large, so make sure you have space and actually want to test that many possibilities.

Closing Toughts

There isn’t much else to say. Crunch is an excellent tool for creating wordlists. Like any security tool, it should be used intelligently and with discretion. In the case of really bad passwords, Crunch can create a short list quickly for other programs like Hydra to test. Future guides will explore the other tools that can use the wordlists created by Crunch to test for vulnerable passwords.