What is Crunch?
Crunch is a wordlist generator that creates custom password lists based on a defined character set, minimum length, and maximum length. Unlike static wordlists such as rockyou.txt, Crunch generates every possible combination for a given pattern — making it ideal when you know something about the target password structure, such as its length, prefix, or character types. The output can be piped directly into tools like Hashcat or Aircrack-ng.
Only use on systems you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
    # Update packages
    sudo apt update

    # Install (pre-installed on Kali, otherwise:)
    sudo apt install crunch -y

    # Verify installation
    crunch --help
Basic Usage
    # Basic syntax
    crunch [min-length] [max-length] [charset] [options]

    # Generate all 4-character lowercase combinations
    crunch 4 4 abcdefghijklmnopqrstuvwxyz

    # Generate 6–8 character alphanumeric wordlist and save to file
    crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt

    # Use a pattern: @ = lowercase, , = uppercase, % = digit, ^ = special
    crunch 8 8 -t admin%%% -o output.txt

    # Generate and pipe directly into aircrack-ng (no file saved)
    crunch 8 8 0123456789 | aircrack-ng -b AA:BB:CC:DD:EE:FF -w - capture.cap

    # Generate and pipe directly into hashcat
    # (hashcat reads candidates from stdin when no wordlist argument is given)
    crunch 6 6 abcdef0123456789 | hashcat -m 0 hashes.txt

    # Limit output size to 1GB per file
    crunch 8 10 abc123 -o START -b 1gb
Charset Placeholders (-t flag)
- @ : lowercase letters (a–z)
- , : uppercase letters (A–Z)
- % : digits (0–9)
- ^ : special characters (!@#$...)
- Any literal character in the pattern is kept as-is (e.g. admin%%% → admin + 3 digits)
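For password-policy audits it helps to know how large a keyspace a given charset or pattern actually covers before anything is generated. The following is an added example, not part of the original page or of Crunch itself: the function names are hypothetical, and the 33-character symbol set for ^ is an assumption about Crunch's default character sets.

```python
import string

# Sizes of the sets behind each -t placeholder, assuming crunch's default
# character sets; 33 symbols (punctuation plus space) for '^' is an assumption.
PLACEHOLDERS = {
    "@": len(string.ascii_lowercase),
    ",": len(string.ascii_uppercase),
    "%": len(string.digits),
    "^": len(string.punctuation) + 1,
}

def pattern_keyspace(pattern):
    """(candidates, bytes) for `crunch N N -t pattern`; literals multiply by 1."""
    count = 1
    for ch in pattern:
        count *= PLACEHOLDERS.get(ch, 1)
    return count, count * (len(pattern) + 1)  # +1 byte per line for the newline

def charset_keyspace(min_len, max_len, charset):
    """(candidates, bytes) for `crunch min max charset`, summed over every length."""
    if min_len < 1 or max_len < min_len or not charset:
        raise ValueError("need 1 <= min_len <= max_len and a non-empty charset")
    count = size = 0
    for length in range(min_len, max_len + 1):
        words = len(charset) ** length
        count += words
        size += words * (length + 1)
    return count, size

def human(nbytes):
    """Format a byte count with binary units."""
    value = float(nbytes)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if value < 1024 or unit == "TiB":
            return f"{value:.1f} {unit}"
        value /= 1024

if __name__ == "__main__":
    lower_digits = string.ascii_lowercase + string.digits
    cases = {
        "crunch 4 4 a-z": charset_keyspace(4, 4, string.ascii_lowercase),
        "crunch 6 8 a-z0-9": charset_keyspace(6, 8, lower_digits),
        "crunch 8 8 -t admin%%%": pattern_keyspace("admin%%%"),
    }
    for command, (count, size) in cases.items():
        print(f"{command:24} {count:>16,} candidates  {human(size)}")
```

The 6–8 character lowercase-plus-digits list comes to about 23.7 TiB, which is why such runs are piped or split with -b, while a password that follows a known structure like admin%%% has only 1,000 candidates regardless of its length.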
Common Use Cases
- Generating targeted wordlists for authorized password attacks
- Piping into Hashcat, Aircrack-ng, or Hydra for live cracking
- CTF (Capture The Flag) password attack challenges
- Internal security audits testing password policy strength
Further Reading
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using the tool in a live engagement.