[00:00:00] Welcome to part three of this module. In the prior module we went over the word list creation utility, CeWL. Now it's time to take a look at its cousin, crunch. I have to state up front that crunch is a little weird in terms of its application, and its usefulness may be highly situational. Crunch is another word list creation tool that comes prepackaged with Kali Linux 2.0. Since the process of creation is rather slow, we'll jump right into it. Crunch can be loaded by going to Applications, Password Attacks, and selecting crunch, but since this is really a terminal-only application we're gonna go ahead and load it from the terminal. We'll type crunch --h for help. Right away we can see that this program is basically a one trick pony. It doesn't come with a wide range of options, but what options are available can be viewed by looking at the man page for crunch. I'm not really going to go through all of these. You can read through them at your leisure, and that's basically because despite having several switches this program really only does just one thing. So to start out we're going to make a directory called crunch output, and we'll cd right into it. There we go. And we'll get this started.
[00:02:10] I wanted to get this running before I start talking about it because it's going to be a rather slow process to finish. Crunch generates word lists based on whatever criteria you set for it. It is excellent for generating character string combinations. However, calling it a word list generator might be slightly misleading, and when this process finishes you'll see what I mean. When we initiated crunch we specified a minimum number of characters and a maximum number of characters. We also used the -o option to specify an output file, which is always placed into whatever directory you happen to be in when you launch crunch. If we did not use the -o option to specify a file name, crunch would display its word list combinations in the terminal window, and this would probably be of very little use to us. So in case this isn't clear, what I mean is that the first number we specified was three. This means that crunch will only create words, or more accurately character strings, that are a minimum of three characters long. The second number, which in this case was 6, is the maximum length for those strings. In other words, crunch will only create strings between three to six characters long. This is handy for situations where you know certain things about your target.
[00:03:50] For example, if you know that the service you're attacking has a password policy that calls for a minimum number of characters to be accepted, you wouldn't necessarily want anything below that minimum. By the same token, if you know that the target has a maximum character limit to the passwords that it will accept, you obviously wouldn't want anything above that maximum. That being said, I didn't mention in the CeWL tutorial that this does not cover situations where a user uses a particularly short word and then adds numbers or characters to that string in the hopes of making it more secure. Then again, if you know the exact length of the specific user's password, for instance you've seen the password typed and you counted the number of asterisks, crunch can really come into its own. So while this is running I wish to call your attention to the powerful word lists that do in fact come prepackaged with Kali Linux. To find them, just go into your computer, look at Other Locations, usr/share, and then we'll use the search feature to look for wordlists. Once you get that open, you can see all of the word lists that come preinstalled with Kali Linux.
[00:05:27] I mentioned in another module that the word lists included in the Metasploit folder are quite nice, and the great thing about these is that they are not only very powerful but they are based on different kinds of attacks. For instance we have our rescue element text file. We have an Nmap word list, and we even have what some consider to be the most popular word list in the world: the rockyou word list. rockyou contains several leaked or stolen credentials, which are actually passwords from Web sites that were distributed after famous hacks such as, for example, the Ashley Madison hack that I believe I mentioned in the last video. Since these are actual password combinations that real human beings tend to use, these word lists are considered more powerful than anything that is randomly computer generated. You're more likely to get a positive result quicker if you make use of them. By default, using something like crunch is a bit like taking a shot in the dark. That's because you might be able to crack a login, but you're just as likely to devote tremendous amounts of time and then end up with a failed exploit or an unsuccessful brute force attack. I'm not saying this to bash crunch; it's just important to keep in mind that a program like this is very much a roll of the dice in terms of its effectiveness.
[00:07:07] In any case these will all come in very handy whenever you do not wish to generate your own list, and you can always combine an existing list with one that you create for extra coverage. The inclusion of these lists is one of the big steps forward in terms of Kali's development and ease of use, because in the old days of BackTrack you were pretty much stuck either creating your own lists with the limited applications that were available or downloading them off the Internet from shady Web sites and hoping for the best. Now, with so many readily available lists, users have a great starting point to just jump into any application that requires them. So flipping back to crunch here, it may be done. So again, make sure that you are working in whatever directory you wish to store your word list when you run crunch. This is very important because unlike CeWL there really isn't any other way to specify where you want the file to be saved, and the file created by crunch tends to be very large. In this case I created a folder specifically for this purpose. You might just prefer to save yours on the desktop. It is also possible to specify a character set when running crunch. This would limit crunch to only using certain characters when it generates the list.
[00:08:38] Of course this is getting into highly situational territory, as I said. You could, after giving it the minimum and maximum character length, type out a string of characters such as the alphabet in lowercase, then in uppercase, and then a sequence of numbers. Or you could type out the alphabet from A to G. Doing this would cause crunch to only use the characters that you specifically input, so that would look like this: crunch, minimum length 3, maximum length 6, abcdefg12345, and then the crunch output text file. And this is what it might look like. This would be a very specialized situation of course and not something you'd ever do just by default. Were I to hit enter, and I'm not going to because it would take more time, crunch would create a word list that would only contain various combinations of the characters that we entered. So in this case A to G and 1 to 5. Is this feature really useful? I'll let you be the judge. So scrolling up for a minute here, do notice that the amount of data crunch generates is relative to the character sets that you provide.
[00:10:17] In this case by default it only went up to 2 gigabytes, but it's possible to create word lists in the terabyte or even petabyte range. And just in case you are new to brute forcing, it's worth pointing out that trying to use a word list in the petabyte range to brute force a password, particularly on any kind of normal personal computer made in the last decade, is likely going to take you several million years. Bigger is not always better. Programs like CeWL and crunch both allow you to tailor your word lists for your target. CeWL is more about creating lists using things like social media profiles and the like to tailor your word list for your target. Crunch is about tailoring the length of the random character strings and using specific character sets when you know only the limitations of a login or simply the password lengths involved. So now let's open up and take a look at the file that crunch created. By the way, I strongly recommend that you not attempt to cat this file, for reasons that will be obvious in a moment.
[00:11:41] This is going to take a moment to load, and by a moment I mean far more than a moment, because as you can see this is a very, very long file. I'm not going to let it load all the way, because these are just strings of letter and number combinations starting in sequences of 3 and going all the way up to 6. Every possible character combination for the character set used is printed here, and the odds of one of them being a valid password are probably pretty low. Knowing when to use a tool like CeWL or crunch is really the trick. And it's a question that only you can answer. It's worth keeping in mind how they go about creating word lists and what their strengths and weaknesses are. Remember that brute forcing a target is almost always a last resort when better, more subtle methods have already failed. At least that is how I personally look at it. If you've been following along with these modules in order, you've already seen some examples of how brute forcing can indeed yield some good results. I would never suggest that this method is not effective. However, what you really need to keep in mind is the amount of time that this sort of approach takes against real targets out in the wild.
[00:13:19] It really is like shooting in the dark, and unless you take steps to narrow the scope of your attack with CeWL and crunch and other such utilities, or unless you use a word list like rockyou with real world examples rather than endless combinations of nonsense characters, you probably aren't going to get very far or very fast. Full disclosure: while I've personally enjoyed a considerable amount of success with CeWL, I can't think of a single instance where crunch ever gave me a successful result. Then again, a good example of using it might be for something like an encrypted file that you wish to crack, where you know, due to weak precautions, the exact number of characters that were used in the password, and you know that the person using the encryption was smart enough to use characters and numbers that don't equate to real words. Certain techniques involving collision can reveal this information on older forms of encryption such as SHA-1. Essentially, in this case you would try every letter and number sequence that is, say, maybe seven characters long, if that were the known length of the password, and sooner or later you'd probably hit the right combination. So to conclude, crunch is a useful and powerful tool, but only in the right situation, and it really is on you to find the right moment to use this particular tool. And as always:
[00:15:01] Never use any word list to brute force a target that you do not personally own or have written permission from the owner to penetration test, or you could be breaking the law. Thank you.
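The "2 gigabytes" and "petabyte range" figures in the video follow from simple keyspace arithmetic. As an added example (not part of the course and not crunch's own code), the Python below computes how many strings a `crunch <min> <max> [charset]` run emits and how large the -o file gets; it assumes crunch falls back to lowercase a-z when no character set is given, that each string is written on its own line with a trailing newline, and a constructed guess rate for the time estimate.

```python
import string

# Assumed: crunch falls back to lowercase a-z when no character set is given.
DEFAULT_CHARSET = string.ascii_lowercase
# All 95 printable ASCII symbols (digits, letters, punctuation, space).
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "


def keyspace(min_len, max_len, charset):
    """Strings of length min_len..max_len over charset (each symbol listed once).
    There are len(charset)**n of length n and crunch writes all of them."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    c = len(charset)
    return sum(c ** n for n in range(min_len, max_len + 1))


def output_bytes(min_len, max_len, charset):
    """Size of the -o file, assuming one string per line plus a newline."""
    c = len(charset)
    return sum(c ** n * (n + 1) for n in range(min_len, max_len + 1))


def human(nbytes):
    """Format a byte count in decimal units (KB, MB, GB, TB, PB)."""
    size = float(nbytes)
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if size < 1000:
            return f"{size:.2f} {unit}"
        size /= 1000
    return f"{size:.2f} EB"


def years_to_exhaust(min_len, max_len, charset, guesses_per_second):
    """Worst-case time to try every string in the list at a given rate."""
    seconds = keyspace(min_len, max_len, charset) / guesses_per_second
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    # The run shown in the video: crunch 3 6 with the default character set.
    print("crunch 3 6 (a-z):", human(output_bytes(3, 6, DEFAULT_CHARSET)))
    # The narrowed command typed later: crunch 3 6 abcdefg12345
    print("crunch 3 6 abcdefg12345:", human(output_bytes(3, 6, "abcdefg12345")))
    # Widening to all 95 printable symbols at lengths 3..8 reaches petabytes,
    # and at a constructed rate of 10 million guesses/second takes decades.
    print("3..8 printable:", human(output_bytes(3, 8, PRINTABLE)))
    print(f"{years_to_exhaust(3, 8, PRINTABLE, 1e7):,.1f} years")
```

The default 3..6 run comes out at roughly 2.24 GB, matching the size seen in the video, while the same lengths over the 12-symbol set shrink the file to about 22 MB.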