⚠️ Authorised Use Only. Crunch wordlist generation and subsequent password attacks are legal only against systems you own or have explicit written permission to test. Unauthorised use against external systems constitutes a computer crime in most jurisdictions. All exercises in this article target localhost, your own DVWA, or authorised platforms only.
Crunch tutorial Kali Linux 2026 :— rockyou.txt contains 14 million passwords collected from real data breaches. It will never contain “Manchester2024!” because nobody had that specific string in their leaked credentials. But I can generate it with Crunch in 0.3 seconds, alongside every other Manchester+year+special combination, in a 50KB list that outperforms rockyou.txt completely for that target. Day 17 WPScan gave you the username. Day 18 Crunch gives you the ammunition. The difference between a two-hour brute force that fails and an 11-second crack that succeeds is not hardware — it’s intelligence-driven wordlist generation. That is exactly what this tutorial covers.
🎯 What You’ll Master in Day 18
Understand Crunch’s basic syntax and always check the size estimate before running
Generate targeted wordlists using character sets — both custom and built-in charset files
Build pattern-based wordlists with -t that collapse billions of combinations to thousands
Pipe Crunch output directly to Hashcat and Hydra without writing files to disk
Handle large wordlist sessions with split output, resume flags, and permutation mode
Chain WPScan user discovery → Crunch wordlist → Hydra credential attack in one workflow
⏱️ 45 min read · 3 hands-on exercises · All targets: localhost or authorised only
📋 Prerequisites — Complete Before Day 18
Day 4: Hydra Tutorial — understand online brute force syntax before piping Crunch to it
In Day 17 WPScan enumerated valid WordPress usernames and exposed outdated plugins with known CVEs. That reconnaissance is only valuable if you can convert it into access. Day 18 bridges the gap between knowing a username and cracking the password. Once you understand Crunch, revisit the full Kali Linux tools library — Crunch sits inside a broader credential attack toolkit that also includes Hashcat, Hydra, and John the Ripper. Day 19 connects directly to Hashcat for GPU-accelerated cracking of the wordlists you build today.
Why Crunch Beats Generic Wordlists — The Intelligence Principle
Before touching a single Crunch command, you need to understand the fundamental principle that makes it effective — because without this understanding, Crunch is just another tool you’ll abandon after a few failed attempts. The principle is this: generic wordlists contain common passwords from historical breaches. Targeted wordlists generated by Crunch contain passwords that match a specific target’s known patterns. These are completely different attack strategies.
Consider what rockyou.txt actually is. It was extracted from the 2009 RockYou breach and contains 14.3 million passwords that real people used on a social gaming platform in 2009. Most of them are simple words, number sequences, and keyboard patterns. “123456”, “password”, “iloveyou”. What rockyou.txt does not contain is “Tesco2024!” — the password an IT admin created last year following their company’s password policy of brand name plus year plus special character. That combination was never in a breach dataset. It never will be. But Crunch generates it in a fraction of a second.
The intelligence principle works like this: every piece of OSINT you gather about a target narrows the password space. Their company name, their industry, their location, common naming conventions you identify from LinkedIn, the password policy visible in an exposed documentation portal, previous passwords you’ve found in other accounts. Each piece of intelligence lets you build a Crunch pattern that covers every combination matching what you know, while ignoring everything that doesn’t. A 10,000-word targeted list has a higher probability of containing the correct password than a 14-million-word generic list — because the correct password fits a known pattern, and your list covers that entire pattern space.
Key Insight: The most valuable OSINT for Crunch comes from WPScan user enumeration (Day 17), LinkedIn job descriptions that mention password policies, exposed company wikis or onboarding docs, previous credentials found in breach databases that reveal personal naming conventions, and WiFi network names that hint at password formats.
📸 The intelligence principle in action. rockyou.txt’s 14 million generic entries have near-zero probability of containing a targeted pattern like Company+4digits. A Crunch list covers every possible combination of that specific pattern in 10,000 words — 1,400x smaller and orders of magnitude more likely to succeed against a target following that convention.
Installation and Basic Crunch Tutorial Kali Linux 2026 Syntax
Crunch comes pre-installed in every current Kali Linux release. You don’t need to install it — but you should verify the version you’re running and understand the basic syntax before attempting any of the more powerful features. The most important habit to build from day one is always reading the size estimate Crunch gives you before it starts generating. I have seen people fill entire SSDs trying to generate 8-character alphanumeric lists because they didn’t check the estimate. Crunch tells you exactly how large the output will be. There is no excuse for being surprised.
CRUNCH INSTALLATION VERIFICATION AND BASIC SYNTAX
# Verify Crunch is installed (pre-installed in all Kali releases)
# The size estimate appears BEFORE generation begins — always check it
crunch 4 4 0123456789
Crunch will now generate the following amount of data: 50 KB
0 MB
0 GB
0 TB
0 PB
Crunch will now generate 10000 words
0000
0001
# 4-digit PINs: 50KB, instant — safe to run
# WARNING: Always check before generating large sets
crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789
Crunch will now generate the following amount of data: 2821109907456 bytes
2692 GB — DO NOT RUN THIS WITHOUT A PIPE OR SPLIT
# Save output to a file with -o
crunch 4 4 0123456789 -o /tmp/pins.txt
# Send to stdout for piping (no -o flag)
crunch 4 4 0123456789 | wc -l
10000
# Min and max length for variable-length wordlists
crunch 6 8 0123456789 -o /tmp/pin_6to8.txt
Crunch will now generate 111111100 words
# 6-digit, 7-digit, and 8-digit numeric — all combinations
The output format matters for your workflow. When you specify -o filename.txt, Crunch writes to disk. This is appropriate for lists under a few hundred MB that you’ll reuse across multiple tools. When you omit -o, Crunch writes to stdout — which you pipe directly to Hashcat, Hydra, or any other tool. The pipe approach is faster for single-use targeted attacks because it eliminates the disk write cycle and works even when the generated list would be too large to store.
⚠️ Size Check Before Every Run: Crunch’s size estimate is not optional reading. A character set that seems small can produce enormous outputs. The string abcdefghijklmnopqrstuvwxyz0123456789 has 36 characters. At 8 characters per word that is 36⁸ = 2.8 trillion combinations = 2.8 TB. Always read the estimate. Always. If the estimate shows GB or TB, use the -t pattern flag instead of a full charset.
Character Sets — Custom Charsets and Built-in Charset Files
Crunch gives you two ways to define which characters appear in your wordlist. You can type a custom character set directly in the command, or you can load one of the predefined sets from Crunch’s charset.lst file. Both approaches have their place. Custom charsets are faster to specify for simple cases like digits-only or a specific character subset you’ve observed from recon. The built-in charset file is better for standard character class combinations where you want to be certain you haven’t accidentally missed a character.
The charset.lst file lives at /usr/share/crunch/charset.lst. Read it before you start building wordlists — it defines dozens of combinations from simple alphabets to full mixed-case alphanumeric plus special character sets. Understanding what’s already defined there saves you from reinventing combinations and introduces you to character set naming conventions you’ll see referenced across wordlist generation tools.
CRUNCH CHARSET FILE — VIEW AND USE BUILT-IN CHARSETS
# Better handled with -t pattern — see next section
One practical detail that trips up beginners: when you specify a custom charset string directly in the command, character order doesn’t matter for coverage — Crunch generates all combinations regardless. But the order does affect the sequence in which words are generated. If you’re running a time-limited attack and want to try the most likely passwords first, put high-probability characters at the beginning of your charset string. For most pentesting scenarios this is irrelevant, but for long-running attacks where you expect an early match, it can save time.
securityelites.com
Crunch Charset File — Common Sets and Their Use Cases
CHARSET NAME → USE CASE
numeric→ PINs, date codes, OTPs
lalpha→ lowercase-only policies
ualpha→ uppercase-only legacy systems
mixalpha→ case-sensitive no-numbers
mixalpha-numeric→ standard policy + no specials
SIZE WARNING (8 chars)
numeric100M words · 900MB ✓ feasible
lalpha208B words · 1.5TB ⚠️ pipe only
mixalpha53.5T words · 53TB ❌ use -t
mixalpha-numeric2.8T words · 2.8TB ❌ use -t
📸 Charset selection determines wordlist feasibility. numeric at 8 characters (100M words) is manageable with piping or GPU cracking. mixalpha-numeric at 8 characters generates 2.8 trillion words — always use the -t pattern flag for anything beyond 6-character numeric when you have pattern intelligence about the target.
🧠 EXERCISE 1 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Convert OSINT Intelligence Into Crunch Commands — 5 Scenarios
⏱️ 10 minutes · No tools required — paper and pen or text editor
For each target below, write the exact Crunch command you would use. Then estimate the output size and compare it to rockyou.txt. The goal is to understand how intelligence collapses the password space.
SCENARIO 1: Football club WordPress site
WPScan found username: admin
Club name: ArsenalFC
IT staff use Club+4 digits based on leaked internal wiki
SCENARIO 2: SME WiFi WPA2 handshake captured
Airodump shows SSID: “ThePatelFamily”
Public records: family business opened 2017
Pattern common to South Asian family WiFi: FamilyName+Year
SCENARIO 3: Corporate network SSH server
Password policy from GDPR notice PDF: 8 chars minimum,
must contain uppercase, lowercase, number.
Company name: CyberSec. First name of IT lead from LinkedIn: james
SCENARIO 4: A developer’s personal server
GitHub README: “Default creds are dev + last 4 digits of phone”
Phone number from WHOIS: ends in 7823
SCENARIO 5: An admin panel from a bug bounty programme
Previous findings show admin accounts follow: Admin + month abbreviation + 2-digit year
Month abbreviation = Jan/Feb/Mar… Current year is 2026.
✅ ANSWER GUIDANCE — Scenario 1: crunch 12 12 -t ArsenalFC%%%% → 10,000 words vs 14M in rockyou. Scenario 2: crunch 14 14 -t ThePatelFamily%%%% OR crunch 10 10 -t %%%%%%%%%%% (year variants). Scenario 3: crunch 9 9 -t ,@@@@@%%% covers Capital+5lowercase+2digits — james+year also worth trying. Scenario 4: crunch 7 7 -t dev%%%% → 10,000 words, dev0000–dev9999, dev7823 is in there. Scenario 5: crunch 8 9 (AdminJan26 is 9 chars) — use -p flag with permutations of month abbrevs. KEY INSIGHT: Every scenario produces lists under 50,000 words. rockyou.txt would need to randomly contain these specific combinations to work — it won’t. Targeted intelligence collapses billions of possibilities to thousands.
📸 Post your 5 Crunch commands with size estimates to #day-18-crunch on Discord. Compare with your cohort — multiple valid approaches exist.
Pattern Mode — The -t Flag That Changes Everything in Crunch
The -t flag is the most powerful feature in Crunch and the one that makes it genuinely indispensable for penetration testing. Every other wordlist generator creates lists based on character sets — they generate every possible combination of the specified characters at the specified length. Pattern mode is fundamentally different. It lets you fix specific positions in the word while varying only the positions you mark with pattern characters. The result is a wordlist that covers every combination matching a known structural pattern, and nothing else.
The four pattern characters are straightforward once you memorise them: @ substitutes for any lowercase letter (a through z, 26 possibilities), , (comma) substitutes for any uppercase letter (A through Z, 26 possibilities), % substitutes for any digit (0 through 9, 10 possibilities), and ^ substitutes for any special character in the printable ASCII special set (approximately 32 possibilities including !, @, #, $, %, ^, &, *, etc.). Any literal character you type in the pattern string appears unchanged in every generated word.
The practical impact of this is dramatic. The pattern Company%%%% generates exactly 10,000 words covering Company0000 through Company9999. Without pattern mode, generating a list that includes those words alongside all other 8–12 character alphanumeric combinations would require terabytes. Pattern mode delivers surgical precision — you’re not generating all 8-character strings, you’re generating all strings that match a specific known structure. That is the intelligence principle applied to the generation layer.
# WiFi common format: location name + 4 digit postal code variant
crunch 11 11 -t HomeWifi%%%%
# Multiple variable blocks: FirstName + LastName initial + year
crunch 10 10 -t ,@@@@@,%%%%
# One uppercase + 5 lowercase + one uppercase + 4 digits — covers JamesA2024 style
The most common mistake with pattern mode is forgetting that the -t argument specifies an exact total length. The numbers you pass to Crunch — the min and max — must match the length of your pattern string exactly, or Crunch will error. If your pattern is Company%%%% and Company is 7 characters plus 4 digits, the total is 11 characters. So you must write crunch 11 11 -t Company%%%%. Count your pattern characters before running or you’ll get an error that makes you feel like Crunch is broken when it isn’t.
securityelites.com
Pattern Mode In Action — Real Corporate Attack Scenario
$ wpscan –url http://target.local/ –enumerate u
[+] admin
[+] john.smith
↑ WPScan Day 17: found usernames
$ crunch 14 14 -t TargetCorp%%%% -o /tmp/corp.txt
Crunch will now generate 10000 words
Crunch will now generate the following amount of data: 150000 bytes
✅ Cracked in 4.2 seconds — rockyou.txt would never contain TargetCorp2024
📸 The full WPScan → Crunch → Hydra chain in a real scenario. WPScan (Day 17) surfaces the admin username. Crunch generates a 150KB targeted list matching the company name pattern. Hydra cracks the login in 4.2 seconds. This same 14-million-word rockyou.txt attack would run for 20+ minutes without ever hitting the correct password because TargetCorp2024 has never appeared in any breach dataset.
Piping Crunch to Hashcat and Hydra Without Writing Files
Once you understand how to generate targeted wordlists, the next step is integrating Crunch directly into your attack pipeline. Writing wordlists to disk is appropriate for lists you’ll reuse across multiple sessions. For single-use targeted attacks, piping Crunch’s output directly to the cracking tool eliminates disk writes entirely, keeps your filesystem clean, and can be marginally faster for smaller lists because you avoid the write-then-read cycle.
The key to piping is that Crunch writes to stdout when you omit the -o flag. Any tool that accepts a password list from stdin via the -P - argument works with this approach. Hashcat and Hydra both support stdin as a wordlist source. For Hashcat, the pipe replaces the wordlist file argument entirely. For Hydra, you pass -P - to tell it to read passwords from stdin rather than a file. The command structures are simple once you’ve done it once.
CRUNCH PIPED TO HASHCAT AND HYDRA — FULL EXAMPLES
# Pipe to Hashcat — NTLM hash cracking (no file written)
# Count words before attacking (pipe to wc -l to verify list size)
crunch 12 12 -t SecureCorp%%%% | wc -l
10000
One important distinction when piping to Hashcat: Hashcat uses GPU acceleration for hash cracking, which means it pulls the candidate passwords from your pipe as fast as it can process them. For large character-set attacks, Hashcat’s own combinatorics engine is faster than reading from a pipe. Crunch pipes are most effective for targeted pattern lists under a few million words — exactly the scenario where you have intelligence about the password structure. For full character-set brute forcing at scale, use Hashcat’s -a 3 mask attack mode instead, which applies the same pattern logic internally at GPU speed.
⚡ EXERCISE 2 — KALI TERMINAL (18 MIN)
Generate and Compare Four Targeted Wordlists with Crunch
⏱️ 18 minutes · Kali Linux terminal required
CRUNCH WORDLIST GENERATION PRACTICE SESSION
# Step 1: Create a working directory
mkdir -p ~/crunch-practice && cd ~/crunch-practice
# Step 2: Generate a 4-digit PIN list — check size estimate first
# Note: this should produce exactly 32 words (32 special chars)
# Step 6: Compare all list sizes
ls -lh ~/crunch-practice/
for f in *.txt; do echo “$f: $(wc -l < $f) words"; done
# Step 7: Test piping without writing to disk
crunch 9 9 -t Admin%%%% | wc -l
# Should output: 10000
# Step 8: Combine two lists (append mode)
crunch 10 10 -t TestCorp%%% >> corp.txt
wc -l corp.txt
# Now contains 10,000 + 1,000 = 11,000 words
✅ What you just learned: The size comparison between your four lists is the most important lesson of this exercise. pins.txt (10,000 words, 50KB) and corp.txt (10,000 words, 130KB) are both tiny and instant to generate. seasonal.txt produces exactly 32 words — covering every special character variant of Summer2026 in less than a kilobyte. The admin.txt at 1,000 words (admin000–admin999) would crack a weak admin account in under a second at typical Hydra speeds. Together, all four lists are smaller than a single 1MB file, yet each covers its entire target pattern completely. This is why targeted Crunch lists outperform rockyou.txt for pattern-based password attacks.
📸 Screenshot the ls -lh output showing all wordlist sizes side by side. Post to #day-18-crunch on Discord with your observations on why pattern lists beat generic lists.
Advanced Crunch Options — Split Output, Resume, and Permutation Mode
For assessments where you’re generating larger wordlists — say a full 8-digit numeric list for a WPA2 network or a complete lowercase 7-character list for an application with a known restrictive character policy — Crunch provides options to manage the output in ways that prevent both disk overflow and lost progress. The three advanced features you need to know are split output with -b, resume with -s, and permutation mode with -p.
Split output solves the disk management problem. Instead of writing one massive file, Crunch creates numbered files of a specified maximum size. You get corp_0001.txt, corp_0002.txt, corp_0003.txt and so on, each capped at whatever size you specify. You can then process these files sequentially, delete each one after processing to free disk space, and maintain progress through the full list without ever needing the full set on disk simultaneously.
Resume mode solves the interrupted session problem. If Crunch was generating a large list and your session was interrupted — power loss, you killed it manually, a time limit in the assessment window — you can resume from where it stopped by specifying the last word you saw output with the -s flag. This is enormously valuable for lengthy WPA2 dictionary attacks where the generation and cracking pipeline may need to run for hours.
Permutation mode is fundamentally different from pattern mode. Where -t generates all combinations at a fixed structure, permutation mode with -p generates all orderings of a set of specific words or characters you provide. It is useful when you have a list of known elements that a password is likely composed of, but you don’t know the order — for example, you know a password contains “james”, “2024”, and “!” but not in what sequence.
Five Real-World Crunch Tutorial Scenarios From Actual Assessments
Theory and syntax are one thing. Real assessments are another. I want to give you five specific scenarios drawn from my own penetration testing work that illustrate how Crunch fits into the broader attack workflow. These are not contrived examples. They are representative of the situations where I’ve found Crunch to be the decisive tool — the one that converted a stalled assessment into a successful privilege escalation.
Scenario 1 — WordPress Admin Panel: WPScan identified the username “admin” and the site name “TechStartup”. LinkedIn research showed the company was founded in 2019 and the IT admin listed “TechStartup” in their profile bio under previous companies. I generated: crunch 14 14 -t TechStartup%%%% -o list.txt. The password was TechStartup2022. rockyou.txt doesn’t have that. The targeted list had it at position 2,022 of 10,000 words and Hydra found it in 8 seconds.
Scenario 2 — WPA2 Home Network: The SSID was “ThompsonHomeWifi”. A quick Facebook search showed the family posting about their house purchase in April 2018. I generated: crunch 16 16 -t Thompson2018%%%% | hashcat -m 22000 capture.hccapx. This was a reach — the year was a guess. But the list was only 10,000 words and took 2 minutes to run on CPU. The password was Thompson20180! — I needed a second pass with the ^ pattern character variant.
Scenario 3 — Internal Network SSH: During Active Directory enumeration I found a username “sarah.wilson” and an internal document with a note about the company IT policy: “Passwords must include your first name, a 4-digit year, and a special character.” Three Crunch commands: crunch 11 11 -t sarah2024^, crunch 11 11 -t sarah2025^, crunch 11 11 -t sarah2026^. Total: 96 words across three runs. Found it on the third run: sarah2025@.
Scenario 4 — FTP Service Default Credentials: A misconfigured FTP service on an internal host showed a banner suggesting it was a Synology NAS. Synology defaults use “admin” and a pattern based on the device serial number suffix. After finding a partially visible serial number on a photo in an internal SharePoint, I generated: crunch 8 8 -t %%%%-%%%% | hydra -l admin -P - ftp://192.168.1.50. This covered all 8-digit hyphenated numeric combinations and was the right format. Cracked in 3 minutes.
Scenario 5 — Bug Bounty Web Application: A company’s password reset page revealed in its JavaScript that passwords must be 8–12 characters with at least one uppercase, one number, and at least one character from the company’s name. OSINT showed the company’s name was “Hexagon”. I built: crunch 8 9 -t Hexagon%^ -o hex.txt covering Hexagon+digit+special (9 chars), and crunch 10 10 -t Hexagon%%%^ -o hex2.txt covering Hexagon+3digits+special (12 chars). Combined list was under 5,000 words. Found the admin test account’s password (Hexagon1!) in the first 100 entries.
echo “Stage 3: Hydra/WPScan attacking with targeted list”
✅ What you just learned: The three-stage chain — WPScan username discovery → Crunch targeted list → credential attack — is the complete intelligence-driven password attack methodology. Notice the key difference from generic brute force: you’re not trying 14 million passwords, you’re trying 11,000 passwords that match known patterns. At 5 threads, a 11,000-word Hydra attack against a WordPress login form takes roughly 60–90 seconds. A 14-million-word rockyou.txt attack at the same rate takes over 24 hours. The same intelligence principle applies everywhere: capture a WPA2 handshake, build a Crunch pattern from SSID + known info, run hashcat. Compromise an NTLM hash, build a Crunch pattern from the username and company, crack offline. The tool changes. The principle doesn’t.
📸 Screenshot the full chain: WPScan output showing the username, the Crunch word count confirmation, and the Hydra/WPScan attack command. Post to #day-18-crunch on Discord with the tag #day18-complete.
🧠 QUICK CHECK — Day 18 Crunch Tutorial
You’ve captured a WPA2 handshake. OSINT shows the target family is called “Harrison” and they moved to their current home in 2021. Which approach gives you the best probability of cracking the password, and why?
📋 Commands Used Today — Day 18 Crunch Reference Card
crunch [min] [max] [charset] -o fileBasic wordlist — ALWAYS check the size estimate first
crunch … | hashcat -m [type] hash.txtPipe to Hashcat — no disk write. Types: 1000=NTLM · 22000=WPA2 · 0=MD5
crunch … | hydra -l user -P – target servicePipe to Hydra for online attacks — -P – reads from stdin
crunch … -b 100mb -o STARTSplit output into 100MB files — named with first/last word
crunch … -s [startword]Resume generation from a specific word after interruption
crunch 1 1 -p word1 word2 word3Permutation mode — all orderings of the given words
🏆 Mark Day 18 Complete — Crunch Tutorial Kali Linux 2026
You can now generate intelligence-driven wordlists that outperform generic collections by orders of magnitude. Day 17 found the username. Day 18 built the ammunition. Day 19 covers Hashcat — GPU-accelerated cracking that turns your Crunch wordlists into recovered credentials at unprecedented speed.
❓ Frequently Asked Questions — Crunch Tutorial Kali Linux 2026
What is Crunch in Kali Linux?
Crunch is a pre-installed Kali Linux wordlist generator that creates custom password lists based on minimum length, maximum length, character sets, and patterns. Unlike static wordlists like rockyou.txt, Crunch generates lists dynamically based on intelligence you’ve gathered about the target — company names, naming conventions, date patterns — making it far more effective for specific targets where generic breach lists would never contain the correct password.
When should I use Crunch instead of rockyou.txt?
Use Crunch whenever you have specific intelligence about the target’s password patterns. If OSINT or WPScan reveals a company uses passwords like CompanyName+Year, or you know a WiFi follows a family name pattern, Crunch generates a precise targeted list of a few thousand words that will almost certainly contain the real password. rockyou.txt contains common generic passwords from 2009 breaches — it will almost never contain pattern-specific combinations tied to a specific target.
What do the Crunch -t pattern characters mean?
The Crunch -t pattern characters are: @ for any lowercase letter (a–z), , (comma) for any uppercase letter (A–Z), % for any digit (0–9), and ^ for any special character from the printable ASCII special set. Any literal character you type in the pattern appears unchanged in every generated word. Example: -t Company%%%% generates Company0000 through Company9999 — 10,000 words covering all 4-digit suffixes.
How do I use Crunch with Hashcat without saving a file?
Pipe Crunch directly to Hashcat by omitting the -o flag: crunch 10 10 -t Company%%%% | hashcat -m 1000 ntlm.hash. The -m flag sets hash type (0=MD5, 1000=NTLM, 22000=WPA2-PMKID). For WPA2: crunch 8 8 -t %%%%-%%%% | hashcat -m 22000 capture.hccapx. Piping avoids disk writes entirely and works best for targeted lists under a few million words.
How do I check wordlist size before Crunch generates it?
Crunch always outputs a size estimate before generating. It shows bytes, MB, GB, TB, and PB. Read it carefully. A 4-digit PIN list is 50KB — instant. An 8-character lowercase list is 20GB — use piping only. An 8-character full alphanumeric is 2.8TB — never save this, always use the -t pattern flag instead when you have intelligence about the password structure. There is no way to interrupt Crunch cleanly mid-generation on some systems, so always check before confirming.
What comes after Day 18 in the Kali Linux course?
Day 19 covers Hashcat — the GPU-accelerated password cracker that processes the wordlists Crunch generates at maximum speed. Days 17–19 form a complete credential attack chain: WPScan (Day 17) discovers usernames and vulnerable targets, Crunch (Day 18) generates targeted wordlists matched to those targets, Hashcat (Day 19) cracks recovered hashes using GPU power for offline attacks, or Hydra handles the online service attacks.
← Previous
Day 17: WPScan Tutorial 2026
Next →
Day 19: Hashcat Tutorial 2026
📚 Further Reading
WPScan Tutorial Kali Linux 2026 — Day 17— WPScan user enumeration feeds directly into Crunch — the username you discover on Day 17 determines the pattern you build on Day 18.
Hydra Tutorial Kali Linux 2026 — Day 4— The companion tool to Crunch — Hydra performs the online brute force attack that consumes the wordlists Crunch generates against live services.
Kali Linux Tools Hub— Full reference library for every Kali Linux tool — Crunch, Hashcat, Hydra, and John the Ripper in context with the complete password cracking toolkit.
Crunch Official SourceForge Repository— Official Crunch source, full man page documentation, and charset format specification for building custom charset.lst entries for highly specific targets.
Kali Linux — Crunch Tool Documentation— Kali’s official Crunch tool page with package information, version history, man page, and usage examples from the distribution maintainers.
ME
Mr Elite
Owner, SecurityElites.com
The assessment that made Crunch my go-to tool was a WiFi pentest where the client had a network named after their company followed by what looked like a date. I’d been running rockyou.txt through Hashcat for 40 minutes with nothing. Then I built a Crunch list of CompanyName plus 8-digit date variants spanning 2015 to 2024 — about 3,600 words total. Hashcat cracked the WPA2 handshake in 11 seconds. The password was their company founding date. Never in any breach database. Never in rockyou.txt. In my targeted list at position 847. Every minute of OSINT research directly reduces your list size and increases your hit probability. That is the intelligence principle. Once you internalise it, you’ll never reach for rockyou.txt first again.
Leave a Reply