Tuesday, May 27, 2014

RAR password retrieving with cRARk

cRARk is a .rar archive password recovery tool. Unlike rarcrack it can be customised to a far greater extent: partially known passwords, wordlists, wordlists complemented with extra characters and more.
The programme is also CUDA enabled, which gives a vast increase in testing speed.
This of course only if you have a capable graphics card.

cRARk is not installed by default on BT5 Final, a shame really as it is more versatile than rarcrack in my opinion. Installing it though is a piece of cake ;


apt-get install crark

! During the install, the programme tried to install the CUDA dependencies as well. For this to work properly you will need to exit 'X'; press Ctrl + Alt + Backspace to drop back to the command line only.
So the best way to install seems to be: get online, quit X with Ctrl + Alt + Backspace, and then run the apt-get install from the command line interface.


The machine I installed it onto has no CUDA capabilities, so this post will only go through some of the functions of cRARk without testing the CUDA improvements in cracking speed.
I may later try a full HDD install on my desktop to see if I can get my 8800GTS to work.


So after installing cRARk, let's fire it up, either through the menu;

Start/Dragon --> Backtrack --> Privilege Escalation --> Password Attacks --> Offline Attacks --> Crark
or from the command line ;

cd /pentest/passwords/crark/

Let's check out the files, the readmes and the general options that are advised;

ls
./crark







BRUTEFORCE ATTACKS
================

To start off we need to create the password.def file. To do this simply copy either the english.def file or the crackme.def file to password.def ;

cp crackme.def password.def

Then modify the password.def file to reflect the options we want to use.

Here I will be working with simple password protected test files stored on my flash drive (mounted on /media/8GB/).

Testing password protected test100.rar file with password 100 ;


nano password.def
Under the double hash (##) enter the password definition desired, in this case digits only ;

[$1] *
Save and exit.

As my system cannot use CUDA I will disable it with the -c option when testing.


./crark -c /media/8GB/test100.rar




For checking password protected testabc.rar file with lowercase letters only ;


nano password.def
[$a] *
Save and exit.


./crark -c /media/8GB/testabc.rar


For checking a password protected test-ABC.rar with uppercase characters only ;


nano password.def
[$A] *
Save and exit

./crark -c /media/8GB/test-ABC.rar


To check all of the above on password protected testaB1.rar ;


nano password.def
[$a $A $1] *
Save and exit


./crark -c /media/8GB/testaB1.rar


!! It is important to note that cRARk tries the character sets in the same sequence as they are entered in the definition file.
So in the above example entering the character sets in the definition file as $1 $a $A would take a lot longer to find the password than $a $A $1 does.

The end result will be the same, cRARk will find the password, but the time needed for checking will be severely affected.
(I thought I had messed up somewhere earlier on when I changed the character sequence in the definition file and it took longer than previous attempts.)


To go all out and also include special characters ;

nano password.def
[$a $A $1 $!] *
Save and exit.

To test the password.def file and see whether the definitions are going to work OK, the programme can do a dry run of them using the -v option ;


./crark -c -v /media/8GB/test100.rar

This won't actually start the cracking process, but will print the candidate passwords on screen so you can check whether it's doing what you want it to.



To specify the number of characters, the options -l (minimum length) and -g (maximum length) can be used.
So to specify a minimum of 3 characters and a maximum of 5 characters;


./crark -c -l3 -g5 /media/8GB/testabc.rar

The brute-force attempts resulted in an average of around 60 passwords/sec on my netbook and around 160 passwords/sec on my desktop (Windows version of cRARk).
With CUDA this will be greatly enhanced, but I have to see if/when I can get that going.



WORDLIST/DICTIONARY ATTACKS
======================

cRARk also has the option to check passwords from a wordlist file.
To do this the password.def file needs to be adjusted to specify the location of the wordlist with $w. In this case I have copied a small English wordlist called english.dic into cRARk's directory.
(You can of course also specify an alternative location for the wordlist.)

  
Then we need to specify that cRARk will use a wordlist in password.def ;


nano password.def
$w = "english.dic"
##
$w
Save and exit.


./crark -c /media/8GB/testAmsterdam.rar




The dictionary attacks averaged around 20 passwords/sec on my netbook, and I understand that there is no CUDA support for the dictionary attacks.
So having a focused wordlist is a must !


To allow an easier choice of options, it is also possible to prepare some definition files and then specify these with the -p option.
For instance you can prepare a .def file which uses a wordlist as follows and then keep it there for future use ;

cp password.def wordlist.def


Then, to use the newly created wordlist.def file, include the -p option ;


./crark -c -pwordlist.def /media/8GB/testAmsterdam.rar



There are a huge number of options to play with when it comes to wordlist usage; extra options can be included to capitalize / invert / mash up / add numbers etc.

I may update the post to show some of these options on a test wordlist.

It will be interesting to see how far I can get with the CUDA side of things, however that would mean a full HDD install on the desktop (it doesn't work in VMware).



ADVANCED DICTIONARY OPTIONS

Following some queries in the comments I got to checking how the wordlist and the wordlist manipulations work.
It truly is fantastically (and terrifyingly) customizable.

If for instance you have a list of words and you know that the password is a combination of a couple of these words, then you can tell cRARk to do that in the .def file as follows;
For 2 words from the wordlist in succession;

wordlist.def
$w = "wordlist.txt"
##
$w $w



For 3 words from the wordlist in succession;

wordlist.def
$w = "wordlist.txt"
##
$w $w $w


If you have 2 wordlists and you know that the password will be a combination of words from the 2 lists (only one way round, so words from the 2nd list appended to words from the 1st list for instance), then you can identify the 2nd wordlist with the $u variable ;

wordlist.def
$u = "wordlist1.txt"
$w = "wordlist2.txt"
##
$u $w

So in the above, every word from wordlist2.txt is appended to each word in wordlist1.txt.

And of course any number of combinations of the above can be made.

In the example below, a word from test2.txt, then a word from test1.txt, then another word from test2.txt are tried in succession ;
wordlist.def
$w = "test1.txt"
$u = "test2.txt"
##
$u$w$u
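The $u $w and $w $w rules above, as an added example that is not part of the original post or of cRARk: a plain shell emulation of the concatenation, plus a candidate count so you can check whether a rule is feasible at the dictionary rate quoted earlier (around 20 passwords/sec). The sample wordlists are constructed here, and the loop order (first list outer, second list inner) is an assumption; the post only states which words get appended to which.

```bash
#!/bin/sh
# Added example (not cRARk's code): emulate the "$u $w" definition rule by
# appending every line of the second wordlist to every line of the first.
# Assumption: the first list is the outer loop, the second the inner loop.

# combine_wordlists LIST1 LIST2
# Prints one candidate per line: each word of LIST1 followed by each word of
# LIST2. Passing the same file twice emulates "$w $w". Blank lines are skipped.
combine_wordlists() {
    list1=$1
    list2=$2
    while IFS= read -r first || [ -n "$first" ]; do
        if [ -n "$first" ]; then
            while IFS= read -r second || [ -n "$second" ]; do
                if [ -n "$second" ]; then
                    printf '%s%s\n' "$first" "$second"
                fi
            done < "$list2"
        fi
    done < "$list1"
}

# combine_three A B C -> the "$u$w$u" rule: a word from A, then B, then C.
# The first two positions are expanded into a temporary file and then paired
# with the third list.
combine_three() {
    tmp=$(mktemp)
    combine_wordlists "$1" "$2" > "$tmp"
    combine_wordlists "$tmp" "$3"
    rm -f "$tmp"
}

# candidates_for_rule WORDS POSITIONS -> WORDS^POSITIONS
# e.g. "$w $w" over a 1000-word list gives 1000^2 = 1,000,000 candidates.
candidates_for_rule() {
    total=1
    i=0
    while [ "$i" -lt "$2" ]; do
        total=$((total * $1))
        i=$((i + 1))
    done
    printf '%s\n' "$total"
}

# seconds_needed CANDIDATES RATE -> whole seconds to exhaust the rule
seconds_needed() {
    printf '%s\n' $(( $1 / $2 ))
}

# Constructed sample lists (not from the post).
demo_dir=$(mktemp -d)
printf 'amster\nrotter\n' > "$demo_dir/wordlist1.txt"
printf 'dam\ndam2014\n' > "$demo_dir/wordlist2.txt"

echo '== $u $w =='
combine_wordlists "$demo_dir/wordlist1.txt" "$demo_dir/wordlist2.txt"
echo '== $u$w$u =='
combine_three "$demo_dir/wordlist2.txt" "$demo_dir/wordlist1.txt" "$demo_dir/wordlist2.txt"
n=$(candidates_for_rule 1000 2)
echo "A \$w \$w rule over a 1000-word list: $n candidates,"
echo "about $(seconds_needed "$n" 20) seconds at 20 passwords/sec."
rm -rf "$demo_dir"
```

Run it with sh; to emulate $w $w point both arguments at the same file. A 1000-word list under $w $w is already 1,000,000 candidates, roughly 14 hours at 20 passwords/sec, which is exactly why a focused wordlist matters.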




Hope you enjoyed this tutorial...

Tuesday, May 20, 2014

An A-Z Index of the Bash command line for Linux.

a
  alias    Create an alias •
  apropos  Search Help manual pages (man -k)
  apt-get  Search for and install software packages (Debian/Ubuntu)
  aptitude Search for and install software packages (Debian/Ubuntu)
  aspell   Spell Checker
  awk      Find and Replace text, database sort/validate/index
b
  basename Strip directory and suffix from filenames
  bash     GNU Bourne-Again SHell 
  bc       Arbitrary precision calculator language 
  bg       Send to background
  break    Exit from a loop •
  builtin  Run a shell builtin
  bzip2    Compress or decompress named file(s)
c
  cal      Display a calendar
  case     Conditionally perform a command
  cat      Concatenate and print (display) the content of files
  cd       Change Directory
  cfdisk   Partition table manipulator for Linux
  chgrp    Change group ownership
  chmod    Change access permissions
  chown    Change file owner and group
  chroot   Run a command with a different root directory
  chkconfig System services (runlevel)
  cksum    Print CRC checksum and byte counts
  clear    Clear terminal screen
  cmp      Compare two files
  comm     Compare two sorted files line by line
  command  Run a command - ignoring shell functions •
  continue Resume the next iteration of a loop •
  cp       Copy one or more files to another location
  cron     Daemon to execute scheduled commands
  crontab  Schedule a command to run at a later time
  csplit   Split a file into context-determined pieces
  cut      Divide a file into several parts
d
  date     Display or change the date & time
  dc       Desk Calculator
  dd       Convert and copy a file, write disk headers, boot records
  ddrescue Data recovery tool
  declare  Declare variables and give them attributes •
  df       Display free disk space
  diff     Display the differences between two files
  diff3    Show differences among three files
  dig      DNS lookup
  dir      Briefly list directory contents
  dircolors Colour setup for `ls'
  dirname  Convert a full pathname to just a path
  dirs     Display list of remembered directories
  dmesg    Print kernel & driver messages 
  du       Estimate file space usage
e
  echo     Display message on screen •
  egrep    Search file(s) for lines that match an extended expression
  eject    Eject removable media
  enable   Enable and disable builtin shell commands •
  env      Environment variables
  ethtool  Ethernet card settings
  eval     Evaluate several commands/arguments
  exec     Execute a command
  exit     Exit the shell
  expect   Automate arbitrary applications accessed over a terminal
  expand   Convert tabs to spaces
  export   Set an environment variable
  expr     Evaluate expressions
f
  false    Do nothing, unsuccessfully
  fdformat Low-level format a floppy disk
  fdisk    Partition table manipulator for Linux
  fg       Send job to foreground 
  fgrep    Search file(s) for lines that match a fixed string
  file     Determine file type
  find     Search for files that meet a desired criteria
  fmt      Reformat paragraph text
  fold     Wrap text to fit a specified width.
  for      Expand words, and execute commands
  format   Format disks or tapes
  free     Display memory usage
  fsck     File system consistency check and repair
  ftp      File Transfer Protocol
  function Define Function Macros
  fuser    Identify/kill the process that is accessing a file
g
  gawk     Find and Replace text within file(s)
  getopts  Parse positional parameters
  grep     Search file(s) for lines that match a given pattern
  groupadd Add a user security group
  groupdel Delete a group
  groupmod Modify a group
  groups   Print group names a user is in
  gzip     Compress or decompress named file(s)
h
  hash     Remember the full pathname of a name argument
  head     Output the first part of file(s)
  help     Display help for a built-in command •
  history  Command History
  hostname Print or set system name
i
  iconv    Convert the character set of a file
  id       Print user and group id's
  if       Conditionally perform a command
  ifconfig Configure a network interface
  ifdown   Stop a network interface 
  ifup     Start a network interface up
  import   Capture an X server screen and save the image to file
  install  Copy files and set attributes
j
  jobs     List active jobs •
  join     Join lines on a common field
k
  kill     Stop a process from running
  killall  Kill processes by name
l
  less     Display output one screen at a time
  let      Perform arithmetic on shell variables •
  link     Create a link to a file 
  ln       Create a link to a file (symbolic link with -s)
  local    Create variables •
  locate   Find files
  logname  Print current login name
  logout   Exit a login shell •
  look     Display lines beginning with a given string
  lpc      Line printer control program
  lpr      Off line print
  lprint   Print a file
  lprintd  Abort a print job
  lprintq  List the print queue
  lprm     Remove jobs from the print queue
  ls       List information about file(s)
  lsof     List open files
m
  make     Recompile a group of programs
  man      Help manual
  mkdir    Create new folder(s)
  mkfifo   Make FIFOs (named pipes)
  mkisofs  Create an hybrid ISO9660/JOLIET/HFS filesystem
  mknod    Make block or character special files
  more     Display output one screen at a time
  mount    Mount a file system
  mtools   Manipulate MS-DOS files
  mtr      Network diagnostics (traceroute/ping)
  mv       Move or rename files or directories
  mmv      Mass Move and rename (files)
n
  netstat  Networking information
  nice     Set the priority of a command or job
  nl       Number lines and write files
  nohup    Run a command immune to hangups
  notify-send  Send desktop notifications
  nslookup Query Internet name servers interactively
o
  open     Open a file in its default application
  op       Operator access 
p
  passwd   Modify a user password
  paste    Merge lines of files
  pathchk  Check file name portability
  ping     Test a network connection
  pkill    Stop processes from running
  popd     Restore the previous value of the current directory
  pr       Prepare files for printing
  printcap Printer capability database
  printenv Print environment variables
  printf   Format and print data •
  ps       Process status
  pushd    Save and then change the current directory
  pv       Monitor the progress of data through a pipe 
  pwd      Print Working Directory
q
  quota    Display disk usage and limits
  quotacheck Scan a file system for disk usage
  quotactl Set disk quotas
r
  ram      ram disk device
  rcp      Copy files between two machines
  read     Read a line from standard input •
  readarray Read from stdin into an array variable •
  readonly Mark variables/functions as readonly
  reboot   Reboot the system
  rename   Rename files
  renice   Alter priority of running processes 
  remsync  Synchronize remote files via email
  return   Exit a shell function
  rev      Reverse lines of a file
  rm       Remove files
  rmdir    Remove folder(s)
  rsync    Remote file copy (Synchronize file trees)
s
  screen   Multiplex terminal, run remote shells via ssh
  scp      Secure copy (remote file copy)
  sdiff    Merge two files interactively
  sed      Stream Editor
  select   Accept keyboard input
  seq      Print numeric sequences
  set      Manipulate shell variables and functions
  sftp     Secure File Transfer Program
  shift    Shift positional parameters
  shopt    Shell Options
  shutdown Shutdown or restart linux
  sleep    Delay for a specified time
  slocate  Find files
  sort     Sort text files
  source   Run commands from a file '.'
  split    Split a file into fixed-size pieces
  ssh      Secure Shell client (remote login program)
  strace   Trace system calls and signals
  su       Substitute user identity
  sudo     Execute a command as another user
  sum      Print a checksum for a file
  suspend  Suspend execution of this shell •
  sync     Synchronize data on disk with memory
t
  tail     Output the last part of file
  tar      Store, list or extract files in an archive
  tee      Redirect output to multiple files
  test     Evaluate a conditional expression
  time     Measure Program running time
  timeout  Run a command with a time limit
  times    User and system times
  touch    Change file timestamps
  top      List processes running on the system
  traceroute Trace Route to Host
  trap     Run a command when a signal is received
  tr       Translate, squeeze, and/or delete characters
  true     Do nothing, successfully
  tsort    Topological sort
  tty      Print filename of terminal on stdin
  type     Describe a command •
u
  ulimit   Limit user resources •
  umask    Users file creation mask
  umount   Unmount a device
  unalias  Remove an alias •
  uname    Print system information
  unexpand Convert spaces to tabs
  uniq     Report or omit repeated lines
  units    Convert units from one scale to another
  unset    Remove variable or function names
  unshar   Unpack shell archive scripts
  until    Execute commands (until error)
  uptime   Show uptime
  useradd  Create new user account
  userdel  Delete a user account
  usermod  Modify user account
  users    List users currently logged in
  uuencode Encode a binary file 
  uudecode Decode a file created by uuencode
v
  v        Verbosely list directory contents (`ls -l -b')
  vdir     Verbosely list directory contents (`ls -l -b')
  vi       Text Editor
  vmstat   Report virtual memory statistics
w
  wait     Wait for a process to complete •
  watch    Execute/display a program periodically
  wc       Print byte, word, and line counts
  whereis  Search the user's $path, man pages and source files for a program
  which    Search the user's $path for a program file
  while    Execute commands
  who      Print all usernames currently logged in
  whoami   Print the current user id and name (`id -un')
  wget     Retrieve web pages or files via HTTP, HTTPS or FTP
  write    Send a message to another user 
x
  xargs    Execute utility, passing constructed argument list(s)
  xdg-open Open a file or URL in the user's preferred application.
y
  yes      Print a string until interrupted
z
  zip      Package and compress (archive) files.
  .        Run a command script in the current shell
  !!       Run the last command again
  ###      Comment / Remark

Wednesday, May 14, 2014

Crunch v3.0 and its use

Creating wordlists with crunch v3.0

CRUNCH v3.0

PRE-INTRO

Since the post on Creating wordlists with crunch v2.4 made in April last year, crunch has gone through quite a few changes and improvements and bofh28 has now released v3.0 ! (on 16-05-2011)
To make sure that the information on this blog stays up to date, it's time for a new and improved post.
There will be a lot of duplication from my previous post on crunch, but it should then at least be a more or less full and complete post.

I have tried to follow the alphabetical order of the options and have done a chapter per option/switch.

Please leave comments should the post be lacking information on anything you feel should be included.


INTRODUCTION

crunch is a tool for creating brute-force wordlists which can be used to audit password strength.
The size of these wordlists is not to be underestimated. However crunch can use patterns to reduce wordlist sizes, can compress output files in various formats and (since v2.6) prints a message advising the size of the wordlist that will be created, giving you a 3 second window to stop the creation should the size be too large for your intended use.

The full range of options is as follows ;
-b  Maximum bytes to write per file. Using this option the wordlist to be created can be split into files of
    a given size such as KB / MB / GB (must be used in combination with the "-o START" switch)
-c  Number of lines to write per output file, must be used together with "-o START"
-d  Limits the number of consecutive identical characters (crunch v3.2)
-e  Specifies when crunch should stop early (crunch v3.1)
-f  Path to the charset.lst file to use, standard location is '/pentest/passwords/crunch/charset.lst',
    to be used in conjunction with the name of the desired charset, such as 'mixalpha-numeric-space'
-i  Inverts the output sequence from left-to-right to right-to-left
    (so instead of aaa, aab, aac, aad etc. the output would be aaa, baa, caa, daa)
-l  When specifying custom patterns with the -t option, the -l switch allows you to identify which of the
    placeholder characters ( @ , % ^ ) should be taken as a literal character instead of a placeholder
-o  Allows you to specify the file name / location for the output, e.g. /media/flashdrive/wordlist.txt
-p  Prints permutations of the words or characters provided on the command line
-q  Prints permutations of the words or characters found in a specified file
-r  Resumes from a previous session, the exact same syntax is to be used followed by -r
-s  Allows you to specify the starting string for your wordlist
-t  Allows you to specify a specific pattern to use. Probably one of the most important functions !
    Placeholders for the fixed character sets are ;
    @  --  lower case alpha characters
    ,  --  upper case alpha characters
    %  --  numeric characters
    ^  --  special characters (including space)
-u  Suppresses the output of wordlist size & line count prior to starting wordlist generation
-z  Adds support to compress the generated output, supports gzip, bzip2 & lzma


All the below is done on BackTrack 5, only tested on the 32-bit versions.
crunch is not installed by default on BT5 and as yet (22-05-2011) not in the repos.
(When it does hit the repos I will amend this post to reflect installing from them.)

so download from the source at ;
http://sourceforge.net/projects/crunch-wordlist/
Edit; 29-01-2012
and install as follows;
tar -xvf crunch-3.2.tgz
cd crunch3.2/
make && make install

Edit 12-06-2011
crunch is now available in the BT repositories,
so it can be downloaded and installed on BackTrack 5 simply by doing ;
apt-get update
apt-get install crunch


BASIC USAGE AND CHARACTER SETS

The default installation directory / path for crunch in backtrack 5 is
/pentest/passwords/crunch/

All the below examples are based on being in the crunch directory /pentest/passwords/crunch/
To run crunch from outside of crunch's own directory use ;
/pentest/passwords/crunch/crunch [min length] [max length] [ character set] [options]
example from root directory;
/pentest/passwords/crunch/crunch 8 8 abc + + \!\@\# -t  TEST^%,@ -o test.txt



















Basic usage is as follows to print to screen
./crunch [min length] [max length] [character set] [options]

To write to file use the -o switch ;
./crunch [min length] [max length] [character set] [options] -o filename.txt

If no character set is defined, then crunch defaults to the lower case alpha character set;
./crunch 4 4



















Any desired character set can also be entered manually on the command line ;
./crunch 6 6 0123456789ABCDEF



















Certain characters will need escaping with a backslash \  ;
./crunch 6 6 ABC\!\@\#\$





















CREATING WORDLISTS IN BLOCKS OF A CERTAIN SIZE

Using the -b switch, we can tell crunch to create a wordlist which is split into multiple files of user-specified sizes.
This must be done in conjunction with -o START.

The size unit can be;  kb, mb, gb  or  kib, mib, gib
kb, mb, and gb are based on powers of 10 (i.e. 1 kb = 1000 bytes)
kib, mib, and gib are based on powers of 2 (i.e. 1 kib = 1024 bytes).

The output files will be named after the first and last entry in the wordlists.

To create a wordlist split into files of not more than 1mb;
./crunch 6 6 0123456789 -b 1mb -o START



















To create a wordlist split in files of no more than 100mb;
./crunch 8 8 abcDEF123 -b 100mb -o START



















To create a  wordlist split into files of no more that 10kb;
./crunch 4 4 0123456789 -b  10kb -o START



















To create a wordlist split into files of no more than 2gb;
./crunch 8 8 0123456789ABCDEF -b 2gb -o START
etc.
etc.


CREATING WORDLISTS IN BLOCKS OF A CERTAIN LINECOUNT
(i.e. number of passphrases per file)

Using the -c switch you can have crunch create wordlists which do not contain more than the specified number of lines.
This must be used in conjunction with -o START.

To create files containing no more than 200000 (200 thousand) lines (passphrases);
./crunch 6 6 0123456789 -c 200000 -o START



















To create files containing no more that 150000 (150 thousand) lines (passphrases);
./crunch 6 6 abcDEF123 -c 150000 -o START




















The output files will be named after the first and last entry in the wordlists.
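Before running any of the -b or -c commands above it pays to know how big the wordlist will be, since crunch only gives you a 3 second window once it has started. The following is an added example, not crunch's code, that computes the line and byte count for a min/max/charset-size combination and the number of files -b or -c will split it into. It assumes each line costs its characters plus one newline byte (which gives 7,000,000 bytes, i.e. seven 1mb files, for the 6 6 0123456789 example above) and uses the kb/mb/gb and kib/mib/gib unit definitions given above.

```bash
#!/bin/sh
# Added example (not crunch's code): estimate wordlist size before running
# crunch, and how many files "-b SIZE -o START" or "-c LINES -o START"
# will produce. Assumption: every line is its characters plus one newline.

INT_MAX=9223372036854775807   # 64-bit shell arithmetic limit

# pow_n BASE EXP -> BASE^EXP, failing (status 1) instead of silently wrapping
pow_n() {
    r=1
    k=0
    while [ "$k" -lt "$2" ]; do
        if [ "$r" -gt $((INT_MAX / $1)) ]; then
            return 1
        fi
        r=$((r * $1))
        k=$((k + 1))
    done
    printf '%s\n' "$r"
}

# wordlist_lines MIN MAX CHARSET_SIZE -> sum over L=MIN..MAX of SIZE^L
wordlist_lines() {
    total=0
    len=$1
    while [ "$len" -le "$2" ]; do
        p=$(pow_n "$3" "$len") || return 1
        total=$((total + p))
        len=$((len + 1))
    done
    printf '%s\n' "$total"
}

# wordlist_bytes MIN MAX CHARSET_SIZE -> sum over L of (L + 1) * SIZE^L
wordlist_bytes() {
    total=0
    len=$1
    while [ "$len" -le "$2" ]; do
        p=$(pow_n "$3" "$len") || return 1
        total=$((total + (len + 1) * p))
        len=$((len + 1))
    done
    printf '%s\n' "$total"
}

# size_to_bytes 1mb|10kb|2gib ... -> bytes, using the two unit families the
# post describes: kb/mb/gb are powers of 10, kib/mib/gib are powers of 2.
size_to_bytes() {
    num=${1%[kmg]*}
    unit=${1#"$num"}
    case $unit in
        kb)  mult=1000 ;;
        mb)  mult=1000000 ;;
        gb)  mult=1000000000 ;;
        kib) mult=1024 ;;
        mib) mult=1048576 ;;
        gib) mult=1073741824 ;;
        *)   printf 'unknown unit: %s\n' "$unit" >&2; return 1 ;;
    esac
    printf '%s\n' $((num * mult))
}

# files_needed TOTAL PER_FILE -> ceiling(TOTAL / PER_FILE)
files_needed() {
    printf '%s\n' $(( ($1 + $2 - 1) / $2 ))
}

# Demo for the post's "./crunch 6 6 0123456789 -b 1mb -o START" example.
lines=$(wordlist_lines 6 6 10)
bytes=$(wordlist_bytes 6 6 10)
printf '%s\n' "6..6 over 10 characters: $lines lines, $bytes bytes"
printf '%s\n' "-b 1mb    -> $(files_needed "$bytes" "$(size_to_bytes 1mb)") files"
printf '%s\n' "-c 200000 -> $(files_needed "$lines" 200000) files"
```

Plug in the size of the charset you intend to use (95 for mixalpha-numeric-all-space) and the min/max lengths; pow_n refuses to return a wrapped value when the keyspace exceeds what 64-bit arithmetic can hold, which by itself tells you the list is not worth writing to disk.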


STOPPING CRUNCH WORDLIST GENERATION AT A PRE-DETERMINED TIME

Crunch v3.1 is now also released (20-07-2011) and with it comes the new -e switch.

This option allows you to specify the string at which you want the wordlist generation to stop.

So the below example will start creating the 6 character numeric wordlist, but will stop at 333333 ;
./crunch 6 6 -t %%%%%% -e 333333


USING FIXED CHARACTER SETS

Crunch also comes with fixed character sets in charset.lst, which is included in the installation.
(also found in the directory /pentest/passwords/crunch/ )

This saves on the typing (and typos) when dealing with standard character sets.

To use the fixed character sets, instead of typing character sets manually on the command line,
you can use the -f switch to point at charset.lst and name the character set we want to use ;

To use only upper case alpha characters;
./crunch 6 6 -f charset.lst ualpha



















To use only numeric characters ;
./crunch 6 6 -f charset.lst numeric



















To use hexadecimal characters (with uppercase alpha values) ;
./crunch 8 8 -f charset.lst hex-upper



















To use lower case, upper case, numeric & special characters (beware of the size ! Don't try to save this one to file..) ;
./crunch 8 8 -f charset.lst mixalpha-numeric-all-space



etc.
etc.

Since v2.7 additional Swedish character support has also been added for our Swedish brethren, nicely contributed by Niclas Kroon.



























It should be noted that you can easily create your own custom charset by simply adding a line to charset.lst in the same format.
If you for instance know that your target has a certain medical condition known as 133tsp34k, and you have an idea of which letters/numbers are usually used (forum posts etc.), you could simply include an extra line such as ;
1337 = [4bcd3f9hijk1mn0pqr$7uvwxyz]
I doubt the above is authentic enough, but I'm sure you get the idea.
Then just run crunch as you would with any other charset;
./crunch 4 4 -f charset.lst 1337




















See /pentest/passwords/crunch/charset.lst for all possibilities  / charsets currently included.


INVERTING THE OUTPUT DIRECTION
Using the -i option inverts the direction in which the wordlist is created, from left-to-right to right-to-left.
Note that this does not change the content of the created wordlist, only the initial direction in which it is created (the leftmost character changes fastest instead of the rightmost one).

./crunch 4 4 -i



















The -i option can also be used when character sets have been specified, either manually or using the pre-defined charsets.
./crunch 4 4 -f charset.lst ualpha -i



















or for instance for creating numeric wordlists in an alternative direction ;
./crunch 8 8 0123456789 -i




















If you actually want the wordlist creation to start from the last letter of the alphabet and work backwards, or
work backwards from the last digit of a 10 digit numeric sequence, then you have to enter the charset manually ;
./crunch 4 4 zyxwvutsrqponmlkjihgfedcba



















 ./crunch 4 4 ZYXWVUTSRQPONMLKJIHGFEDCBA



















./crunch 8 8 9876543210





















CREATING PERMUTATIONS
 

Crunch can also be used to create permutations of either ;
> characters / words entered on the command line with the -p switch.
> lines in a wordlist with the -q switch

Although the min/max length values are ignored by -p and -q, two numbers still need to be entered for both switches.

Using the -p switch you can create permutations of characters or of all words entered on the command line.
Creating permutations of letters (fun for anagrams) ;
./crunch 1 1 -p abcd



















Creating permutations of lists of words;
./crunch 1 1 -p bird cat dog




















As the -p switch reads everything that follows it on the command line as the letters or words to permute, it MUST be the last option used.
If for instance you try to suppress the size message with the -u switch and place -u last,
crunch sees 2 words (abcd and -u) and so prints only the 2 permutations of those two words, instead of treating -u as a switch ;
./crunch 1 1 -p abcd -u









So to ensure the output is as expected, the -p switch MUST always be the last option, and the correct syntax
with the above example would be ;
./crunch 1 1 -u -p abcd











Using the -q switch, you can create all possible permutations of the words in a text file ;
(as always, beware of the possible size ! This is best done on a 'focused' wordlist)

As an example, create a small text file with 3 lines and then run crunch over it with the -q option;
echo "bird" > test.txt && echo "cat" >> test.txt && echo "dog" >> test.txt
./crunch 1 1 -q test.txt





















RESUMING WORDLIST CREATION AFTER CANCELLATION

crunch allows a wordlist creation to be stopped and restarted; to do this we use the -r (resume) switch.
For this to work we must type the exact same line followed by the -r switch ;
./crunch 8 8 0123456789 -o test.txt
Stop the creation with Ctrl+C, then restart with ;
./crunch 8 8 0123456789 -o test.txt -r




















If the wordlist was started from a specific position (see the chapter below) then when resuming, the -s switch and its value must be removed ;

When using this method, the notification of % complete will not be accurate.
Also, when resuming, crunch will advise that it is generating xx amount of data and xx number of lines.
This information will not be correct, as the calculation assumes it is resuming the creation of an entire wordlist, whereas it is of course resuming from a wordlist with a certain start block.
The picture below probably explains it better..

./crunch 8 8 0123456789 -s 59999999 -o test.txt
After cancelling with Ctrl+C, resuming would then be done with ;
./crunch 8 8 0123456789 -o test.txt -r





















STARTING FROM A SPECIFIC POSITION

If we want to start crunch from a specific position in the wordlist, we can use the -s switch to give a specific start block as the starting position for the wordlist.

For instance, if you started creating a wordlist but had to cancel and resume on a different disk, or if HDD space ran out.
The temporary file that crunch uses during wordlist creation is "START", located in the crunch directory
/pentest/passwords/crunch/

You can check this temporary file for the last couple of entries, which allows you to move/rename the temp file START
and restart the wordlist creation without losing the work already done.

example ;
./crunch 7 7 0123456789 -o test.txt
> Ctrl + C stopping the wordlist creation,
> check the last couple of entries in the START temporary file ;
tail -n 2 START
> copy or rename the temporary file to a name of your liking;
cp START file1.txt
> restart the wordlist creation from the last noted entry in the temporary file;
./crunch 7 7 0123456789 -s 9670549 -o test.txt










NOTE! crunch will overwrite START when it starts a new wordlist creation process, so be sure to rename START to whatever you want, to ensure you don't lose the work already done !

Of course the start block can be used for whatever reason, for instance if you are sure that you don't need any entries before 59999999 ;
./crunch 8 8 0123456789 -s 59999999 -o test.txt





















CREATING CUSTOM PATTERNS

This is where crunch really shines and, in my humble opinion, the most powerful capability that crunch has to offer.

With a minimum of information on known or expected patterns and/or possible characters in the passphrase, custom patterns can be created which specify what to place where in the generated passphrases.
In doing so the size of the wordlist can be reduced significantly and the wordlist can be tailored to the target in a much more efficient way, which is always to be endeavoured !

To fix a pattern, we use the -t switch in crunch.

There are fixed symbols used for the character sets ;
@ --> Lower case alpha values (or, if a character set is given on the command line, @ will read and print from that set, see further down in the post)
,  --> Upper case alpha values
% --> Numeric values
^ --> Special characters including 'space'

So if we want to create a 6 character, lower alpha wordlist with a prefix of 'dog';
./crunch 6 6 -t dog@@@

or if we want 'dog' to be appended ;
./crunch 6 6 -t @@@dog

or have 'dog' bang in the middle ;
./crunch 7 7 -t @@dog@@

Or 'dog' followed by an upper case alpha, number and symbol;
./crunch 6 6 -t dog,%^

Miscellaneous patterns
We can also combine the various fixed character sets, for instance, if we want to create an 8 character
wordlist with alpha, numeric and special characters in fixed positions;
./crunch 8 8 -t ,,^^@@%%

Using the fixed character sets you can quickly and easily make 'quick' wordlists for a single character set.

Creating a wordlist with only lower case;
./crunch 4 4 -t @@@@

only numeric;
./crunch 4 4 -t %%%%

or only uppercase;
./crunch 4 4 -t ,,,,

only special characters;
./crunch 4 4 -t ^^^^

And of course if certain positions and characters are known, it can all be mixed up ;
./crunch 9 9 -t %%DOG^^@@

We can even go a step further and specify which range of characters should be used for each character type.
In the below example ;
lower alpha values to only be ; abcdef
upper alpha values to only be ; ABCDEF
numeric values to only be ; 12345
special characters to only be ; @#$%

We can then specify same by entering these values manually in the command line ;
Note that it is required to enter the custom values in the order ;
lower alpha -- upper alpha -- numeric -- special characters

./crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^

If there is no specific character range to be used for a character set, then that position should be
completed with a '+' placeholder sign, which signifies the usage of the complete standard character set for that set position. (lower alpha -- upper alpha -- numeric -- special characters)

The below example uses 'abcdef' as lower alpha charset, the full upper case charset, '12345' as numeric charset and the full special character charset.
./crunch 8 8 abcdef + 12345 + -t @@,,%%^^

Although in the above examples @ is used as the fixed placeholder for lower case values, we can also use it to draw from a single, manually chosen set mixing all types of characters ;
./crunch 8 8 123abcDEF -t TEST@@@@

./crunch 10 10 123abc+-= -t @@@test@@@

Remember that certain characters on some occasions require escaping; if in doubt, it is better to just do it.
./crunch 10 10 123abcDEF\!\@\# -t TESTING@@@

If you want to include a space in the charset, then enclose the charset in quotes ;
(space at end of charset below; the minimum and maximum length still have to be given before the charset)
./crunch 8 8 "123abcDEF " -t TEST@@@@

Creating telephone lists
You can also use the -t switch to easily make lists of telephone numbers, so if for instance the telephone number
is usually noted as for instance;  0131-321654, then you could easily create a wordlist of telephone numbers following that same example ;
./crunch 11 11 -t 0131-%%%%%%

Or if the layout is different, for instance including a space such as "(01201) 111111" this is achieved by putting quotes on the -t pattern as follows (this to ensure that the space is included);
./crunch 14 14 -t "(01201) %%%%%%"

Endless variations are possible.

The possibilities crunch offers to create patterns with such detail give you many options to really fine-tune what you want placed where in your passphrase wordlist and thus reduce the size of your final wordlist.


ESCAPING / FIXING SPECIAL CHARACTERS FOR USE IN PATTERNS
When you start manually defining what to place where with special characters, you will on some occasions need to 'escape' characters to allow crunch to read them correctly.

This is the case for for instance an exclamation mark ! ;
./crunch 4 4 -t 12!@
will result in an error.
In order to make it work correctly you must 'escape'  the exclamation mark ;
./crunch 4 4 -t 12\!@

As some special characters are used to define character sets, this can cause some limitations when trying to fix positions of certain special characters. Such as wanting to use @ as a fixed character ;
./crunch 4 4 -t 012@
or
./crunch 4 4 -t 012\@
This will not fix the character '@' but use it to provide lower case alpha values.

To remedy this to some extent, since crunch v3.0, the new -l switch can be used to fix the literal character instead of having it refer to a place holder for a specific character set.

This would now be accomplished by doing ;
./crunch 6 6 -t b@d%%% -l @

Other possibilities;
./crunch 8 8 -t P@SS%%%% -l @
./crunch 8 8 -t P@\$\$,,,, -l @
etc. etc.

./crunch 8 8 -f charset.lst mixalpha -t pass^^@@ -l ^

Also, more than 1 placeholder character can be fixed as a literal character;
./crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^

Of course this in itself also has limitations, as you are not able to check for all possible lower case alpha
values or pass through a user defined charset while also fixing the @ character as a literal.
The below 2 examples will obviously only return 1 result as all the instances of the @ character will be fixed
as a literal character.
./crunch 8 8 -t p@ss@@@@ -l @
./crunch 8 8 -f charset.lst mixalpha-numeric -t p@ss@@@@ -l @
This is an issue that is being looked into and possibly a following update of crunch will have an answer.

Of course there are workarounds for some part; if for instance you wanted a password list to start with "p@ss"
followed by 4 characters of all possible lower case values, you could create a list of 4 characters;
./crunch 4 4 -o test.txt

And then use 'sed' or 'awk' to place the word 'p@ss' in front of each line ;
Using sed ;
sed 's/^/p\@ss/' test.txt > file1.txt
Using awk ;
awk '{print "p@ss" $0}' test.txt > file1.txt

So with a bit of imagination and a couple of oneliners with sed or awk, you should still
be able to create more or less what you want.

edit 25-05-2011
bofh28 has informed me of another workaround which can be used.

You can override the standard characters per placeholder setting by entering a different type of
charset in a different position and then using the placeholder character for that position.

Normally the 3rd position is for numeric values, however if you specify lower case values, it will use these
characters, however you then do need to use the place holder for that position, in this example %.

Confused ? You won't be after this episode of .. ;)

./crunch 8 8 + + abcdefghijklmnopqrstuvwxyz + -t p@ss%%%% -l @
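
As an added example that is not from this post or from crunch itself, the Python below models the -t pattern semantics described above: the four placeholders, the positional custom charsets with '+' for the default, the override trick just shown, and -l treating every occurrence of a listed placeholder as a literal (as this post describes it). It computes the wordcount and uncompressed file size before anything is written to disk; the special-character set is a constructed approximation of crunch's default.

```python
import itertools
import string

# Default sets behind the four crunch placeholders, as listed on this page.
# The special-character set is a constructed approximation, not crunch's exact one.
DEFAULT_SETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}

def build_sets(lower="+", upper="+", numeric="+", special="+"):
    """Positional charsets in crunch order (lower, upper, numeric, special).
    '+' keeps the default; any other string overrides that placeholder, so
    passing lower-case letters in the numeric slot makes % yield letters."""
    given = {"@": lower, ",": upper, "%": numeric, "^": special}
    return {p: DEFAULT_SETS[p] if s == "+" else s for p, s in given.items()}

def slots(pattern, charsets=None, literals=""):
    """One entry per position: the charset for a placeholder, or the fixed
    character itself. Placeholders named in `literals` (-l as this page
    describes it) are taken literally wherever they occur in the pattern."""
    charsets = charsets or DEFAULT_SETS
    return [charsets[c] if c in charsets and c not in literals else c
            for c in pattern]

def keyspace(pattern, charsets=None, literals=""):
    """Number of candidates the pattern expands to (crunch's wordcount)."""
    n = 1
    for s in slots(pattern, charsets, literals):
        n *= len(s)
    return n

def wordlist_bytes(pattern, charsets=None, literals=""):
    """Uncompressed output size: each line is the pattern length plus a newline."""
    return keyspace(pattern, charsets, literals) * (len(pattern) + 1)

def expand_pattern(pattern, charsets=None, literals=""):
    """Yield candidates in crunch order (rightmost placeholder varies fastest)."""
    for combo in itertools.product(*slots(pattern, charsets, literals)):
        yield "".join(combo)

if __name__ == "__main__":
    # The override trick from the post: % draws lower-case letters, @ is literal.
    cs = build_sets("+", "+", string.ascii_lowercase, "+")
    print(keyspace("p@ss%%%%", cs, "@"), wordlist_bytes("p@ss%%%%", cs, "@"))
    print(next(expand_pattern("p@ss%%%%", cs, "@")))  # p@ssaaaa
```

Run with the pattern you intend to hand to crunch to see the wordcount and size it will produce, and to check that -l does not collapse the keyspace to a single entry as in the p@ss@@@@ case above.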

PIPING CRUNCH THROUGH TO OTHER PROGRAMS
Crunch can be used to pipe passwords through to programs such as aircrack / pyrit / cowpatty etc.

Considering that crunch now advises the estimated size of the wordlist to be created following the command given, as well as the wordcount, for a seamless integration with piping it is recommended to use the -u option to suppress that information on size, wordcount etc.;
Without using the -u option, it is possible that unexpected errors occur with some programs.

Using the -u option will result in the creation of the wordlist directly, instead of the 3 second delay during which the estimated wordlist size and wordcount are shown ;

In examples only testing for 8 character numeric passwords ;
aircrack
./crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap

cowpatty
./crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID

pyrit
./crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough


COMPRESSING OUTPUT FILES

Output files can be compressed with crunch using the -z switch.

Supported formats are;
> gzip
> bzip
> lzma

Crunch will first create the wordlist and will then compress the wordlist.
Upon the finalisation of the wordlist creation, you will see the 100% being reached
and the 100% denomination will continue to be printed until the compression is complete.

So if you see a continuous 'stream' of 100%, don't worry, the program is not hanging,
the output file is simply being compressed.
It had me guessing when I was testing a compression of a couple of gigabytes.. but I assure you it is the case.

The best level of compression and thus the slowest is obtained with lzma.
The quickest compression, with the lowest level of compression, is obtained with gzip.

./crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip
To unzip the created file ;
gunzip test.txt.gz

./crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2
To decompress the created file ;
bunzip2 test.txt.bz2

./crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma
To decompress the created file ;
unlzma test.txt.lzma

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Hope you enjoyed this basic tutorial..!!
