In this guide, I try to develop my skills in the age-old art of password cracking. Although it may seem like a simple and straightforward process, those of you who have attempted to crack passwords know that there are many delicate balances involved in this technique.
In many of our password cracking procedures, we need a word list from which the cracking tool tries thousands of candidate passwords per second. This is often referred to as a dictionary attack, even though we don't need to rely solely on words in a dictionary. These word lists can contain any combination of characters and words in an attempt to crack a complex password offline.
Sometimes we may have clues about the password or the password elements the target chooses, which may come from our knowledge of the target, e.g. girlfriend, neighbor, friend, etc. It could be their name, their children's names, a pet's name, their birthday or their job. We may also know an organization's password policy (e.g. at least 8 characters, upper and lower case letters, etc.).
In these cases, we may be able to create a custom wordlist that reflects our knowledge of the target or of the organization's password policy.
Kali Linux has a built-in tool called “crunch” that allows us to create a custom password cracking wordlist that we can use with tools like Hashcat, Cain and Abel, John the Ripper, Aircrack-ng, and more. This custom word list can save us hours or days of password cracking if we can get it right.
Let's start with crunch and create some custom word lists to crack passwords with crunch.
Step 1: Start Kali and open Crunch
Let's start by activating Kali and opening crunch by going to Applications -> Kali Linux -> Password Attacks -> Offline Attacks -> crunch.
This will open the crunch screen as shown below.
Unlike many other hacking apps, crunch doesn't give us much information on its home screen. I believe this is because crunch, although relatively simple to use, has so many sophisticated options that its developer has placed much of its information in the man page.
Step 2: The Crunch Syntax
The basic syntax for crunch looks like this:
kali > crunch <min> <max> <characterset> -t <pattern> -o <output filename>
Now, let's see what is included in the syntax above.
min = The minimum length of the password.
max = The maximum length of the password.
characterset = The character set to use to generate the passwords.
-t = The pattern of the generated passwords. For example, if you knew that the target's birthday was 0728 (July 28) and you suspected that he was using his birthday in his password (people often do), you could create a list of passwords ending in 0728 by giving crunch the pattern @@@@@@@0728. This pattern would generate passwords of up to 11 characters (7 variable and 4 constant), all ending with 0728.
-o = The output file that crunch writes the wordlist to.
Step 3: The Crunch Manual
Let's go to the man pages for crunch by typing:
kali > man crunch
This should open the manual pages for crunch like the one below. The crunch developers have filled these pages with lots of information on how to get the most out of crunch.
At the top we see the -f switch. This allows us to select the character set we want to use to create the word list. The syntax is as follows:
Here we tell crunch where the charset.lst file is with the full path and then select a specific character set from that list. In Kali, charset.lst is located at:
Step 4: Create Some Simple Wordlists
Let's start by creating some simple password cracking word lists. Let's say we know the company has passwords between 4 and 8 characters. We can create all possible combinations with crunch by typing:
kali > crunch 4 8
Where the first number (4) is the shortest word length and the second (8) is the longest word length.
When we run this command, crunch estimates how big the file will be (1812 GB) and then starts building the list.
What if we knew the target always used numeric passwords between 6 and 8 characters long?
We could generate a complete list of passwords that meet this criteria and send it to a file in root's directory named numericwordlist.lst by typing:
kali > crunch 6 8 1234567890 -o /root/numericwordlist.lst
What if we knew that the target's birthday was July 28th and that he probably used that date (people often use their birth dates in their passwords to make them easier to remember) at the end of a ten-character password?
We could generate all ten-character passwords ending with 0728 and send the output file to the root user's directory named birthdaywordlist.lst by typing:
kali > crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst
The @ symbol is used to represent a wildcard of all characters, while the “0728” elements represent the constant values.
Step 5: Complicated Wordlists with Crunch
One of the beauties of crunch is the ability to choose a specific character set or create your own character set to create your password list. If we know the likely character set that the target uses for its password, we can choose the character set to build the password list. We can find the selection of character sets at:
Now, if we know that our target uses an eight-character password with only alphabetic characters, we can generate a list of all possible passwords with the following command:
kali > crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
This will generate all 8-character passwords using only alphabetic characters (no numbers or special characters) and store them in a file named alphawordlist.lst in the root user's directory.
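The size estimate crunch printed in Step 4, and the candidate counts for the other lists in Steps 4 and 5, can be reproduced without generating anything. The script below is an added example, not part of the original guide or of crunch itself; it assumes crunch's default character set is the 26 lowercase letters, that mixalpha is the 52 upper- and lower-case letters, and that each @ in a -t pattern is one variable position drawn from the character set size you pass in.

```shell
#!/bin/sh
# Added example: size a crunch wordlist before generating it.
# Assumption: crunch's default charset is the 26 lowercase letters.

# pow BASE EXP -> BASE^EXP
pow() {
    result=1; i=0
    while [ "$i" -lt "$2" ]; do
        result=$(( result * $1 )); i=$(( i + 1 ))
    done
    echo "$result"
}

# wordlist_lines MIN MAX CHARSET_SIZE -> number of candidate passwords
wordlist_lines() {
    total=0; len=$1
    while [ "$len" -le "$2" ]; do
        total=$(( total + $(pow "$3" "$len") )); len=$(( len + 1 ))
    done
    echo "$total"
}

# wordlist_bytes MIN MAX CHARSET_SIZE -> file size in bytes
# (each line is len characters plus one newline)
wordlist_bytes() {
    total=0; len=$1
    while [ "$len" -le "$2" ]; do
        total=$(( total + $(pow "$3" "$len") * (len + 1) )); len=$(( len + 1 ))
    done
    echo "$total"
}

# pattern_lines PATTERN CHARSET_SIZE -> candidates for a -t pattern,
# counting each @ as a variable position and everything else as constant
pattern_lines() {
    ats=$(( $(printf '%s' "$1" | tr -cd '@' | wc -c) ))
    pow "$2" "$ats"
}

GIB=$(( 1024 * 1024 * 1024 ))
echo "crunch 4 8            : $(wordlist_lines 4 8 26) lines, $(( $(wordlist_bytes 4 8 26) / GIB )) GiB"
echo "crunch 6 8 1234567890 : $(wordlist_lines 6 8 10) lines, $(wordlist_bytes 6 8 10) bytes"
echo "-t @@@@@@0728         : $(pattern_lines '@@@@@@0728' 26) lines"
echo "crunch 8 8 mixalpha   : $(wordlist_lines 8 8 52) lines"
```

The numeric 6 to 8 character list comes to under 1 GB, while the 8-character mixed-case alphabetic list runs to tens of trillions of lines, which is the practical argument for length and character-set requirements in a password policy.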
Cracking passwords involves many methods, including the dictionary attack, the rainbow table, brute force and others. If we know the parameters of the password or know something about the target and possible passwords (birthday, pet names, spouse, etc.), crunch can be a very useful tool for creating specific lists that will be used in a dictionary attack.