Many times in penetration testing engagements you will discover authentication forms that you will need to bypass in order to gain access to an application or to a remote system.Having a big and a good wordlists always help but as a penetration tester you must be able to create your own custom wordlists depending on the situation.There are a variety of tools that can assist you on this but here we will focus on Crunch.

Create a Sample Wordlist

The first thing that you need to do is to open terminal and write cd /pentest/passwords/crunch

Next we execute the following command

./crunch 5 5 admin -o pentestlab.txt

Create a sample wordlist


This will instruct crunch to create a wordlist that will have minimum length of characters 5,maximum length of characters 5 with the characters of admin and it will save it on a .txt file called pentestlab as you can see it and in the image below.

Output of a sample wordlist


Of course instead of just letters we can create a wordlist that will include only numbers with the command:

./crunch 5 5 12345 -o numbers.txt

The same method applies and if we want to create a wordlist mixed with letters and numbers.

./crunch 5 5 pentestlab123 -o numbersletters.txt

Special Characters

For special characters like !$% you will need to execute something like the following:

./crunch 5 5 pentestlab\%\@\!

This is because some special characters need escaping and the \ is used before the character.

Special Characters


String Permutations

Here there are two options.First options is when we will want to generate something based on the characters of a word.For example ./crunch 1 1 -p abc  will produce the following list:

String Permutation – Characters


The second option is when we will want to create a list based on different words.For example the words blue and red can be bluered or redblue.We can achieve this with the command ./crunch 1 1 -p pen test lab

String Permutation – Words


Splitting Wordlists

If we use the -b option we will instruct crunch to create a wordlist which will be divided into multiple files.Another option that we can combine with that command is to choose the size of our wordlist.For example:

./crunch 6 6 0123456789 -b 1mb -o START

This will generate wordlists which will be 1Mb each and with 6 characters size and it will include the characters 0123456789.

Splitting Wordlists


Specify the number of words

Crunch allows us to specify the number of words in each wordlist.This will create a wordlists that it will contain 20 words maximum by taken a specific charset of lalpha which is [abcdefghijklmnopqrstuvwxyz].

./crunch 3 3 -f charset.lst lalpha -o START -c 20

Alternatively you can use any other charset from the list that comes with crunch if you don’t want to use a custom charset.

Number of words


Prefix Wordlists

Now lets say that we want to create a wordlist that will contains the word pentestlab followed by 3 random characters.The command for that will be:

./crunch 13 13 -f charset.lst lalpha -t pentestlab@@@

which will produce the following output:

Prefix wordlists – Characters


Alternatively if we want the word admin to be in the middle we can modify the command like this:

./crunch 9 9 -f charset.lst -t @@admin@@

Prefix Wordlists based on words



You can compress your wordlist with the -z option using either bzip,gzip or lzma.

Example: ./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip

Compress the wordlist



Creating wordlists can facilitate your needs when performing a penetration test.Crunch of course offers a variety of options and combinations that a user can play with.Trying to brute force of course an application or a system with a wordlist can of course lock you out depending on the account lockout policy but it always helps if you can have your own custom wordlists that may be help you to obtain access.


  1. I’m just a beginner,
    Is it better to use full list with a lower case words, or all upper, or just leave it the way it is ?
    ( this is in case i created my list from a combined lists )

  2. how to create such a thing… crunch 10 10 12345 , so it would start not from 1111111111, 1111111112, but randomly from any number and the next number would be again random like that 5434315423, 1545552154. but all combinations have to be done ofcorse)

  3. I keep getting “chunk1: File START could not be opened
    The problem is = No such file or directory” when trying to use “-o”. can anyone tell me why?

  4. I have been trying to create a list using ! and a few others (see below), but as soon as I try and run the command it gives me a “bash: !@wsx]: event not found”. How do I include these characters in my wordlist?

  5. Hi what if I only want to add 4 random characters using letters from A to C and numbers 0 to 9 (with prefix ID)what command should I use to have an output like these:


  6. $ crunch 10 10 9875347821 -o /root/numericlist.txt
    Crunch will now generate the following amount of data: 11811160064 bytes
    11264 MB
    11 GB
    0 TB
    0 PB
    Crunch will now generate the following number of lines: 1073741824
    chunk1: File START could not be opened
    The problem is = Permission denied

  7. Can you please tell me if Crunch can do what I want it to do and if it can how ? I want to mere the eight characters of the password that I know into the word list I created like this 8charcterswordfromwordlist wordfromwordlist8charcters can Crunch do that and how ? I cant get an answer anywhere.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s