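Crunch wordlist generation tool

Pure C source code: https://sourceforge.net/projects/crunch-wordlist
Kali introduction: https://tools.kali.org/password-attacks/crunch
General rule: append a dot at the end
Account names and passwords may contain: admin, the domain name, directory names, a mobile phone number (last 6 digits)
The most useful way to learn is to read man crunch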

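Syntax

crunch <min-len> <max-len> [<charset string>] -t <pattern> -o <output file>
# crunch minimum-length maximum-length character-set -t pattern -o output-file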

Explanation:
charset string
You may specify character sets for crunch to use on the command line or if you leave it blank crunch will use the default character sets.
The order MUST BE lower case characters, upper case characters, numbers, and then symbols. If you don't follow this order you will not get
the results you want. You MUST specify either values for the character type or a plus sign. NOTE: If you want to include the space character
in your character set you must escape it using the \ character or enclose your character set in quotes i.e. "abc ". See the examples 3,
11, 12, and 13 for examples.
The character sets must be given in the order lowercase letters, uppercase letters, numbers, symbols. If no character set is specified, the default character set (the 26 lowercase letters) is used.
To include a space, quote the set like this: "123 abc"

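-t pattern: @,%^

@ inserts lowercase letters
, inserts uppercase letters
% inserts numbers
^ inserts symbols

When -t is used to specify a pattern, min-length must equal max-length (both are the length of the pattern).

Examples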

localhost:cheetah lin$ crunch 1 1 -t ^
Crunch will now generate the following amount of data: 66 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 33
!
@
#
$
%
^
&
*
(
)
-
_
+
=
~
`
[
]
{
}
|
\
:
;
"
'
<
>
,
.
?
/
crunch 2 2 -t a,
Crunch will now generate the following amount of data: 78 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 26
aA
aB
aC
aD
aE
aF
aG
aH
aI
aJ
aK
aL
aM
aN
aO
aP
aQ
aR
aS
aT
aU
aV
aW
aX
aY
aZ

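Example - a charset string is specified and -t specifies a pattern

Note: when a charset string such as "abcd1234" is specified, @ stands for "abcd1234" and no longer for the lowercase letter set.
Without a charset string, @ in -t still stands for the lowercase letter set.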

crunch 4 4 abcd1234 -t abc@
Crunch will now generate the following amount of data: 40 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 8
abca
abcb
abcc
abcd
abc1
abc2
abc3
abc4
crunch 5 5 abcd1234 -t abc@@
Crunch will now generate the following amount of data: 384 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 64
abcaa
abcab
abcac
abcad
abca1
abca2
abca3
abca4
abcba
abcbb
abcbc
abcbd
abcb1
abcb2
abcb3
abcb4
abcca
abccb
abccc
abccd
abcc1
abcc2
abcc3
abcc4
abcda
abcdb
abcdc
abcdd
abcd1
abcd2
abcd3
abcd4
abc1a
abc1b
abc1c
abc1d
abc11
abc12
abc13
abc14
abc2a
abc2b
abc2c
abc2d
abc21
abc22
abc23
abc24
abc3a
abc3b
abc3c
abc3d
abc31
abc32
abc33
abc34
abc4a
abc4b
abc4c
abc4d
abc41
abc42
abc43

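Other generation examples

crunch 1 8
# Generates all combinations of length 1 to 8 built from the 26 lowercase letters
crunch 1 6 abcdefg
# Generates all combinations of length 1 to 6 built from the characters abcdefg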
crunch 1 6 abcdefg\  
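# Generates all combinations of length 1 to 6 built from the characters abcdefg plus the space character (the space is escaped)
crunch 1 8 -f charset.lst mixalpha-numeric-all-space -o wordlist.txt
# Uses the charset file charset.lst: generates lengths 1 to 8 from the mixalpha-numeric-all-space entry of charset.lst and saves the result as wordlist.txt. On Kali Linux charset.lst is at /usr/share/crunch/charset.lst; its mixalpha-numeric-all-space entry contains the most common character combination (uppercase and lowercase letters + digits + common symbols)
crunch 8 8 -f charset.lst mixalpha-numeric-all-space -o wordlist.txt -t @@dog@@@ -s cbdogaaa
# Uses the charset file charset.lst: generates 8-character passwords from the mixalpha-numeric-all-space entry of charset.lst; the format is "two lowercase letters + dog + three lowercase letters", and enumeration starts at cbdogaaa (@ stands for a lowercase letter)
crunch 2 3 -f charset.lst ualpha -s BB
# Uses the charset file charset.lst: generates 2- and 3-character passwords from the ualpha entry of charset.lst, starting at BB
crunch 4 5 -p abc
# crunch will generate abc, acb, bac, bca, cab, cba; the numbers 4 and 5 are not used here but must be present
crunch 4 5 -p dog cat bird
# crunch will generate every combination of the elements "dog", "cat" and "bird": birdcatdog, birddogcat, catbirddog, catdogbird, dogbirdcat, dogcatbird
crunch 1 5 -o START -c 6000 -z bzip2
# Generates a wordlist of length 1 to 5 from all lowercase letters, with 6000 passwords per file, saved as bz2 files; each file is named "first password" + "-" + "last password" + ".txt.bz2" (for example 000-999.txt.bz2). The time and size comparison for the different compression formats is under Example 9 of the man page below.
crunch 4 5 -b 20mib -o START
# Generates a wordlist of length 4 to 5 from all lowercase letters, split into 20M pieces; this produces 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt, ombqz-wcydt.txt, wcydu-zzzzz.txt. The first three are about 20M each and the last about 10M (the total is 70M)
crunch 4 4 + + 123 + -t %%@^
# Generates 4-character passwords in the format "two digits" + "one lowercase letter" + "a common symbol" (the digits are restricted to two-digit combinations of 1, 2 and 3). For example 12f# 32j^ 13t$ ......
crunch 3 3 abc + 123 @#! -t @%^
# Generates 3-character passwords: the first character is one of "a, b, c", the second is one of "1, 2, 3", the third is one of "!, @, #". For example a1! a2# b3@ ......
crunch 3 3 abc + 123 @#! -t ^%@
# Generates 3-character passwords in the format "symbol + digit + letter", where the symbols are !@#, the digits are 1 2 3 and the letters are a b c. For example !1c @3b @2a ......
crunch 5 5 -t ddd@@ -p dog cat bird
# Generates passwords of 5 elements: the first three are any arrangement of dog, cat and bird, the last two are any two lowercase letters. For example birddogcatuz catdogbirdab birdcatdogff ......
crunch 7 7 -t p@ss,%^ -l a@aaaaa
# Generates 7-character passwords in the format "the characters p@ss" + uppercase letter + digit + symbol. For example p@ssZ9> ......
crunch 5 5 -s @4#S2 -t @%^,% -e "@8 Q2" -l @dddd -b 10KB -o START
# Generates 5-character passwords in the format lowercase letter + digit + symbol + uppercase letter + digit, starting at @4#S2 and split into 10k files ...
crunch 5 5 -d 2@ -t @@@%%
# Generates 5-character passwords in the format three letters + two digits, restricting each password to at least 2 distinct letters
crunch 10 10 -t @@@^%%%%^^ -d 2@ -d 3% -b 20mb -o START
# Generates 10-character passwords in the format three lowercase letters + one symbol + four digits + two symbols, restricting each password to at least 2 distinct letters and at least 3 distinct digits
crunch 8 8 -d 2@
# Generates 8-character passwords, each containing at least two distinct letters
crunch 4 4 -f unicode_test.lst the-greeks -t @@%% -l @xdd
# Uses the characters of the the-greeks entry in the charset file unicode_test.lst to generate 4-character passwords in the format two lowercase letters + two digits; on Kali Linux unicode_test.lst is also in the /usr/share/crunch directory
-b # output size, for example followed by 20mib
-c # number of passwords (lines), for example 8000
-d # limits the number of identical elements (minimum number of distinct elements); with -d 3, output such as zzf ffffgggg will not appear
-e # defines where generation stops, for example -e 222222: stop generating at 222222
-f # uses a charset file, for example /usr/share/crunch/charset.lst
-i # changes the output format
-l # used together with -t
-m # used together with -p
-o # save as
-p # defines the password elements
-q # reads a wordlist
-r # resumes from a given point
-s # first password; start from xxx
-t # defines the output format
   @ stands for lowercase letters
   , stands for uppercase letters
   % stands for digits
   ^ stands for symbols
-z # compress the output; supported formats are gzip, bzip2, lzma, 7z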
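
The line and byte counts crunch prints before it starts can be worked out from the pattern alone, which also shows how small the space behind a patterned password such as p@ss,%^ is. The following is an added example, not code from crunch or from the original page; the names estimate and resolve_charsets are hypothetical, the -l handling is modelled on man page Example 15, and single-byte character sets are assumed.

```python
import string

# crunch's default character sets in its fixed order: lower, upper, numbers,
# symbols. The symbol set is the one shown under Example 13 of the man page,
# including the trailing space.
DEFAULTS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}
ORDER = "@,%^"


def resolve_charsets(positional=()):
    """Map each placeholder to its charset; '+' keeps the default for that slot."""
    if len(positional) > len(ORDER):
        raise ValueError("at most four sets: lower, upper, numbers, symbols")
    sets = dict(DEFAULTS)
    for symbol, given in zip(ORDER, positional):
        if given != "+":
            sets[symbol] = given
    return sets


def estimate(pattern, positional=(), literal_mask=None):
    """Return (lines, bytes) for `crunch N N [charsets] -t pattern [-l mask]`.

    N is len(pattern). Assumption: a placeholder is kept as a literal when the
    -l mask repeats the same symbol at that position (man page Example 15).
    """
    if literal_mask is not None and len(literal_mask) != len(pattern):
        raise ValueError("-l mask must be the same length as the -t pattern")
    sets = resolve_charsets(positional)
    lines = 1
    for i, ch in enumerate(pattern):
        is_literal = literal_mask is not None and literal_mask[i] == ch
        if ch in sets and not is_literal:
            if not sets[ch]:
                raise ValueError(f"empty charset for placeholder {ch!r}")
            lines *= len(sets[ch])
    # One byte per character plus the newline that ends each word.
    return lines, lines * (len(pattern) + 1)


if __name__ == "__main__":
    # Commands taken from this page: (command, pattern, charsets, -l mask).
    cases = [
        ("crunch 1 1 -t ^", "^", (), None),
        ("crunch 2 2 -t a,", "a,", (), None),
        ("crunch 4 4 abcd1234 -t abc@", "abc@", ("abcd1234",), None),
        ("crunch 5 5 abcd1234 -t abc@@", "abc@@", ("abcd1234",), None),
        ("crunch 4 4 + + 123 + -t %%@^", "%%@^", ("+", "+", "123", "+"), None),
        ("crunch 7 7 -t p@ss,%^ -l a@aaaaa", "p@ss,%^", (), "a@aaaaa"),
    ]
    for cmd, pat, pos, mask in cases:
        lines, size = estimate(pat, pos, mask)
        print(f"{cmd:36} {lines:>6} lines {size:>8} bytes")
```

The first four cases reproduce the figures crunch printed in the sessions above (33/66, 26/78, 8/40 and 64/384); the options -d, -s, -e and -p are not modelled.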

man crunch


CRUNCH(1)                                                                                                                                        CRUNCH(1)

NAME
       crunch - generate wordlists from a character set

SYNOPSIS
       crunch <min-len> <max-len> [<charset string>] [options]

DESCRIPTION
       Crunch  can  create  a wordlist based on criteria you specify.  The output from crunch can be sent to the screen, file, or to another program.  The
       required parameters are:

       min-len
              The minimum length string you want crunch to start at.  This option is required even for parameters that won't use the value.

       max-len
              The maximum length string you want crunch to end at.  This option is required even for parameters that won't use the value.

       charset string
              You may specify character sets for crunch to use on the command line or if you leave it blank crunch will use the  default  character  sets.
              The  order MUST BE lower case characters, upper case characters, numbers, and then symbols.  If you don't follow this order you will not get
              the results you want.  You MUST specify either values for the character type or a plus sign.  NOTE: If you want to include the space character
              in your character set you must escape it using the \ character or enclose your character set in quotes i.e. "abc ".  See the examples 3,
              11, 12, and 13 for examples.

OPTIONS
       -b number[type]
              Specifies the size of the output file, only works if -o START is used, i.e.: 60MB  The output files will be in the format of  starting
              letter-ending  letter  for  example:  ./crunch  4  5 -b 20mib -o START will generate 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt, ombqz-wcydt.txt,
              wcydu-zzzzz.txt valid values for type are kb, mb, gb, kib, mib, and gib.  The first three types are based on 1000 while the last three types
              are based on 1024.  NOTE There is no space between the number and type.  For example 500mb is correct 500 mb is NOT correct.

       -c number
              Specifies  the  number of lines to write to output file, only works if -o START is used, i.e.: 60  The output files will be in the format of
              starting letter-ending letter for example: ./crunch 1 1 -f /pentest/password/crunch/charset.lst mixalpha-numeric-all-space -o  START  -c  60
              will  result  in 2 files: a-7.txt and 8-\ .txt  The reason for the slash in  the second filename is the ending character is space and ls has
              to escape it to print it.  Yes you will need to put in the \ when specifying the filename because the last character is a space.

       -d numbersymbol
              Limits the number of duplicate characters.  -d 2@ limits the lower case alphabet to output like aab and aac.  aaa would not be generated  as
              that  is 3 consecutive letters of a.  The format is number then symbol where number is the maximum number of consecutive characters and
              symbol is the symbol of the character set you want to limit i.e. @,%^   See examples 17-19.

       -e string
              Specifies when crunch should stop early

       -f /path/to/charset.lst charset-name
              Specifies a character set from the charset.lst

       -i Inverts the output so instead of aaa,aab,aac,aad, etc you get aaa,baa,caa,daa,aba,bba, etc

       -l When you use the -t option this option tells crunch which symbols should be treated as literals.  This will allow you to use the placeholders as
              letters in the pattern.  The -l option should be the same length as the -t option.  See example 15.

       -m Merged with -p.  Please use -p instead.

       -o wordlist.txt
              Specifies the file to write the output to, eg: wordlist.txt

       -p charset OR -p word1 word2 ...
              Tells   crunch   to  generate  words  that  don't  have  repeating  characters.   By  default  crunch  will  generate  a  wordlist  size  of
              #of_chars_in_charset ^ max_length.  This option will instead generate #of_chars_in_charset!.  The ! stands for factorial.  For  example  say
              the  charset is abc and max length is 4..  Crunch will by default generate 3^4 = 81 words.  This option will instead generate 3! = 3x2x1 = 6
              words (abc, acb, bac, bca, cab, cba).  THIS MUST BE THE LAST OPTION!  This option CANNOT be used with -s and it ignores min and  max  length
              however you must still specify two numbers.

       -q filename.txt
              Tells crunch to read filename.txt and permute what is read.  This is like the -p option except it gets the input from filename.txt.

       -r  Tells crunch to resume generate words from where it left off.  -r only works if you use -o.  You must use the same command as the original
              command used to generate the words.  The only exception to this is the -s option.  If your original command used the -s option you MUST  remove
              it before you resume the session.  Just add -r to the end of the original command.

       -s startblock
              Specifies a starting string, eg: 03god22fs

       -t @,%^
              Specifies a pattern, eg: @@god@@@@ where only the @'s, ,'s, %'s, and ^'s will change.
              @ will insert lower case characters
              , will insert upper case characters
              % will insert numbers
              ^ will insert symbols

       -u
              The -u option disables the printpercentage thread.  This should be the last option.

       -z gzip, bzip2, lzma, and 7z
              Compresses the output from the -o option.  Valid parameters are gzip, bzip2, lzma, and 7z.
              gzip  is  the fastest but the compression is minimal.  bzip2 is a little slower than gzip but has better compression.  7z is slowest but has
              the best compression.

EXAMPLES
       Example 1
       crunch 1 8
       crunch will display a wordlist that starts at a and ends at zzzzzzzz

       Example 2
       crunch 1 6 abcdefg
       crunch will display a wordlist using the character set abcdefg that starts at a and ends at gggggg

       Example 3
       crunch 1 6 abcdefg\
       there is a space at the end of the character string.  In order for crunch to use the space you will need to escape it using the  \  character.   In
       this  example you could also put quotes around the letters and not need the \, i.e. "abcdefg ".  Crunch will display a wordlist using the character
       set abcdefg  that starts at a and ends at (6 spaces)

       Example 4
       crunch 1 8 -f charset.lst mixalpha-numeric-all-space -o wordlist.txt
       crunch will use the mixalpha-numeric-all-space character set from charset.lst and will write the wordlist to a file named wordlist.txt.   The  file
       will start with a and end with "        "

       Example 5
       crunch 8 8 -f charset.lst mixalpha-numeric-all-space -o wordlist.txt -t @@dog@@@ -s cbdogaaa
       crunch  should  generate a 8 character wordlist using the mixalpha-number-all-space character set from charset.lst and will write the wordlist to a
       file named wordlist.txt.  The file will start at cbdogaaa and end at "  dog   "

       Example 6
       crunch 2 3 -f charset.lst ualpha -s BB
       crunch will start generating a wordlist at BB and end with ZZZ.  This is useful if you have to stop generating a wordlist in the middle.  Just do a
       tail  wordlist.txt  and  set the -s parameter to the next word in the sequence.  Be sure to rename the original wordlist BEFORE you begin as crunch
       will overwrite the existing wordlist.

       Example 7
       crunch 4 5 -p abc
       The numbers aren't processed but are needed.
       crunch will generate abc, acb, bac, bca, cab, cba.

       Example 8
       crunch 4 5 -p dog cat bird
       The numbers aren't processed but are needed.
       crunch will generate birdcatdog, birddogcat, catbirddog, catdogbird, dogbirdcat, dogcatbird.

       Example 9
       crunch 1 5 -o START -c 6000 -z bzip2
       crunch will generate bzip2 compressed files with each file containing 6000 words.  The filenames  of  the  compressed  files  will  be  first_word-
       last_word.txt.bz2

       # time ./crunch 1 4 -o START -c 6000 -z gzip
       real    0m2.729s
       user    0m2.216s
       sys     0m0.360s

       # time ./crunch 1 4 -o START -c 6000 -z bzip2
       real    0m3.414s
       user    0m2.620s
       sys     0m0.580s

       # time ./crunch 1 4 -o START -c 6000 -z lzma
       real    0m43.060s
       user    0m9.965s
       sys     0m32.634s

       size  filename
       30K   aaaa-aiwt.txt
       12K   aaaa-aiwt.txt.gz
       3.8K  aaaa-aiwt.txt.bz2
       1.1K  aaaa-aiwt.txt.lzma

       Example 10
       crunch 4 5 -b 20mib -o START
       will generate 4 files: aaaa-gvfed.txt, gvfee-ombqy.txt, ombqz-wcydt.txt, wcydu-zzzzz.txt
       the first three files are 20MBs (real power of 2 MegaBytes) and the last file is 11MB.

       Example 11
       crunch 3 3 abc + 123 !@# -t @%^
       will generate a 3 character long word with a character as the first character, and number as the second character, and a symbol for the third
       character.  The order in which you specify the characters you want is important.  You must specify the order as lower case character, upper case
       character,  number,  and  symbol.  If you aren't going to use a particular character set you use a plus sign as a placeholder.  As you can see I am not
       using the upper case character set so I am using the plus sign placeholder.  The above will start at a1! and end at c3#

       Example 12
       crunch 3 3 abc + 123 !@# -t ^%@
       will generate 3 character words starting with !1a and ending with #3c

       Example 13
       crunch 4 4  + + 123 + -t %%@^
       the plus sign (+) is a place holder so you can specify a character set for the character type.  crunch will use the default character set  for  the
       character  type when crunch encounters a + (plus sign) on the command line.  You must either specify values for each character type or use the plus
       sign.  I.E. if you have two characters types you MUST either specify values for each type or use a plus sign.  So in  this  example  the  character
       sets will be:
       abcdefghijklmnopqrstuvwxyz
       ABCDEFGHIJKLMNOPQRSTUVWXYZ
       123
       !@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/
       there is a space at the end of the above string
       the output will start at 11a! and end at "33z ".  The quotes show the space at the end of the string.

       Example 14
       crunch 5 5 -t ddd@@ -o j -p dog cat bird
       any character other than one of the following: @,%^
       is the placeholder for the words to permute.  The @,%^ symbols have the same function as -t.
       If you want to use @,%^ in your output you can use the -l option to specify which character you want crunch to treat as a literal.
       So the results are
       birdcatdogaa
       birdcatdogab
       birdcatdogac
       
       dogcatbirdzy
       dogcatbirdzz

       Example 15
       crunch 7 7 -t p@ss,%^ -l a@aaaaa
       crunch will now treat the @ symbol as a literal character and not replace the character with a uppercase letter.
       this will generate
       p@ssA0!
       p@ssA0@
       p@ssA0#
       p@ssA0$
       
       p@ssZ9

       Example 16
       crunch 5 5 -s @4#S2 -t @%^,2 -e @8 Q2 -l @dddd -b 10KB -o START
       crunch  will  generate  5 character strings starting with @4#S2 and ending at @8 Q2.  The output will be broken into 10KB sized files named for the
       files starting and ending strings.

       Example 17
       crunch 5 5 -d 2@ -t @@@%%
       crunch will generate 5 character strings starting with aab00 and ending at zzy99.  Notice that aaa and zzz are not present.

       Example 18
       crunch 10 10 -t @@@^%%%%^^ -d 2@ -d 3% -b 20mb -o START
       crunch will generate 10 character strings starting with aab!0001!! and ending at zzy 9998    The output will be written to 20mb files.

       Example 19
       crunch 8 8 -d 2@
       crunch will generate 8 characters that limit the same number of lower case characters to 2.  Crunch will start at aabaabaa and end at zzyzzyzz.

       Example 20
       crunch 4 4 -f unicode_test.lst japanese -t @@%% -l @xdd
       crunch will load some japanese characters from the unicode_test character set file.  The output will start at @aeY00 and end at @ea99.

REDIRECTION
       You can use crunch's output and pipe it into other programs.  The two most popular programs to pipe crunch into are:  aircrack-ng  and  airolib-ng.
       The syntax is as follows:
       crunch 2 4 abcdefghijklmnopqrstuvwxyz | aircrack-ng /root/Mycapfile.cap -e MyESSID -w-
       crunch 10 10 12345 --stdout | airolib-ng testdb -import passwd -

NOTES
       1.  Starting  in version 2.6 crunch will display how much data is about to be generated.  In 2.7 it will also display how many lines will be
       generated.  Crunch will now wait 3 seconds BEFORE it begins generating data to give you time to press Ctrl-C to abort crunch if you find the values  are
       too large for your application.

       2. I have added hex-lower (0123456789abcdef) and hex-upper (0123456789ABCDEF) to charset.lst.

       3. Several people have requested that I add support for the space character to crunch.  crunch has always supported the space character on the
       command line and in the charset.lst.  To add a space on the command line you must escape it using the / character.  See example 3 for the syntax.  You
       may need to escape other characters like ! or # depending on your operating system.

       4. Starting in 2.7 if you are generating a file then every 10 seconds you will receive the % done.

       5.  Starting  in 3.0 I had to change the -t * character to a , as the * is a reserved character.  You could still use it if you put a \ in front of
       the *.  Yes it breaks crunch's syntax and I do my best to avoid doing that, but in this instance it is easier to make the change for long term
       support.

       6. Some output is missing.  A file didn't get generated.
       The most likely explanation is you ran out of disk space.  If you have verified you have plenty of disk space then the problem is most likely the
       filename begins with a period.  In Linux filenames that begin with a period are hidden.  To view them do a ls -l .*

       7. Crunch says The maximum and minimum length should be the same size as the pattern you specified, however the length is set correctly.
       This usually means your pattern contains a character that needs to be escaped. In bash you need to escape the followings: &, *, space, \, (, ),  |,
       ', ", ;, <, >.
       The escape character in bash is a \.  So a pattern that has a & and a * in it would look like this:
       crunch 4 4 -t \&\*d@
       An alternative to escaping characters is to wrap your string with quotes.  For example:
       crunch 4 4 -t "&*d@"
       If you want to use the " in your pattern you will need to escape it like this: crunch 4 4 -t "&*\"@"
       Please note that different terminals have different escape characters and probably have different characters that will need escaping.  Please check
       the manpage of your terminal for the escape characters and characters that need escaping.

       8. When using the -z 7z option, 7z does not delete the original file.  You will have to delete those files by hand.

AUTHOR
       This manual page was written by [email protected]

       Crunch version 1.0 was written by [email protected]
       all later versions of crunch have been updated by [email protected]

FILES
       None.

BUGS
       If you find any please email bofh28  or post to http://www.backtrack-linux.org

COPYRIGHT
       Copyright (c) 2009-2013 bofh28 

       This file is a part of Crunch.

       Crunch is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free
       Software Foundation, version 2 only of the License.

       Crunch is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
       FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with Crunch.  If not, see .

Version 3.6                                                              May 2014                                                                CRUNCH(1)