Every targeted password attack starts the same way: you have a few facts about a target — a name, a pet, a birth year, a company — and you need to turn them into the thousands of plausible passwords a person might actually pick. Doing that by hand is hopeless, and generic wordlists waste time on guesses that have nothing to do with your target.
mr-robot-crunch is built for exactly that gap. Give it a few words like text alice carol and it generates every combination and mutation of them — orderings, separators, case variants, leetspeak, and appended digits or years — and streams the result straight to disk so memory stays bounded even when the output is enormous.
It’s pure Python, installs in one line, runs on macOS and Linux, and pipes directly into hashcat.
Authorized use only. Password cracking is for systems you own or have explicit written permission to test — pentests, CTFs, and your own accounts. Using it against anyone else’s data is illegal.
The mutation pipeline
The core idea is a layered engine. Each input word passes through a sequence of transformations, and every layer multiplies the candidates from the one before it:
subsets + orderings → separators → case → leetspeak → prefixes / suffixes
For the input bob alice @ in exhaustive mode, that pipeline produces things like:
bob@alice
t3xt.4lic3
BOB@ALICE
alicE (per-character case)
BOB@alice (per-word case)
bob@alice_carol (a different separator per gap)
23bob@alicE (prefix + per-char case)
carol2024 (suffix)
The key design decision is that exhaustiveness is tunable per dimension. You rarely want the full Cartesian explosion — so each layer has levels you can dial in:
Separators — single (one separator everywhere), each (a different separator in every gap), or none.
Case — whole, word (per-word), char (per-character, which is 2^letters variants), or none.
Leetspeak — bounded, full (every letter, with multiple targets like a → 4 or @), or none.
Prefixes and suffixes — digits, years, and symbols, toggleable independently.
Digit-run insertion — drop 0–N digits between words and at the ends without listing tokens, so you get 10cat12Bob2024 automatically.
Pick each level in the interactive wizard, or hit the EXHAUSTIVE preset when you want all of it. The lighter levels skip the explosive variants so the wordlist stays manageable.
Quick start
Install straight from GitHub — no checkout needed:
pipx install git+https://github.com/rebazomar121/mr-robot-crunch.git
Then launch the interactive banner, menu, and wizard:
mr-robot-crunch
The wizard lets you pick each level and — importantly — shows an estimated output size before you start, flagging it in red once the estimate passes a billion candidates so you don’t accidentally fill a disk.
Mask mode for precise patterns
When you already know the shape of the password, the mutation engine is overkill. Mask mode lets you template it hashcat-style instead:
?d?d{word}?d?d{Word}2024 → 10cat12Bob2024
?d, ?l, ?u, ?s, and ?a are charsets; {word}, {Word}, {WORD}, and {w} are word slots; everything else is a literal. It’s the difference between guessing broadly and guessing surgically.
Built for runs that don’t finish in one sitting
Real wordlist generation can run for a long time, so the tool is built around that reality rather than against it:
Parallel — 1 to 1024 worker processes (16 by default) partition the work so no two workers ever produce the same candidate.
Bounded memory — output is streamed to disk as it’s generated, not held in RAM.
Pause anytime — hit P mid-run to choose continue or stop and save.
Resumable — stopped runs are saved under ~/.mr-robot-crunch/ and resume exactly where they left off via mr-robot-crunch resume.
Resource-aware — every five seconds it checks CPU and memory; if either crosses 95% it pauses and asks whether to keep going. (In non-interactive contexts like cron or a pipe, it logs the event and continues instead of hanging.)
Single deduplicated output — each per-worker shard is sorted in parallel and k-way merged with sort -m -u, so the final file contains no duplicate lines even across processes.
Pipe straight into a cracker
The fastest path to a result is never touching a temp file at all. --stdout streams candidates with bounded memory directly into your cracker:
mr-robot-crunch run --words "alice carol 1997" --leet full --stdout | hashcat -m 0 hash.txt
For attacks too large to materialize, there’s rule-file export — the way large attacks are actually run. Instead of writing every candidate, it emits a small base wordlist plus a hashcat/John rule file:
mr-robot-crunch run --words "alice carol" --case whole --leet full \
--rules-out base.txt:attack.rule
hashcat -a 0 -m 0 hash.txt base.txt -r attack.rule
Whole-string case, leetspeak, prefixes, and suffixes all map to real sXY / ^x / $x rules. (Separators bake into the base wordlist, and per-word or per-character casing collapses to whole-string rules — the tool prints a note when that happens.)
Filters and profiling tokens
Two features keep the output focused on candidates worth trying.
Policy filters discard anything that can’t match the target’s password policy before it’s written to disk, so you don’t waste the storage in the first place:
mr-robot-crunch run --words "alice carol" --exhaustive \
--min-len 8 --max-len 16 --require-digit --require-symbol \
--workers 32 -o wordlist.txt -y
CUPP-style personal-info tokens inject the things people actually base passwords on:
mr-robot-crunch run --words "cat bob" --keyboard-walks --date 1997-08-15 --stdout
--keyboard-walks adds patterns like qwerty, asdf, and 1qaz2wsx, while --date 1997-08-15 derives 1997, 97, 08, 15, 1508, 0815, 15081997, and so on as affixes.
End-to-end demo: crack a hash in seconds
Here’s a full loop you can run yourself. Make a hash from a password you already know (alice2024), then let the tool plus hashcat recover it — which proves the workflow without touching anyone else’s data:
# 1. Create a target hash from a known password (stands in for a captured hash)
printf '%s' "alice2024" | md5sum | cut -d' ' -f1 > hash.txt # Linux
# macOS: printf '%s' "alice2024" | md5 | awk '{print $NF}' > hash.txt
# 2. Generate guesses and pipe them straight into hashcat
mr-robot-crunch run --words "alice" --case whole --leet none --stdout \
| hashcat -m 0 -a 0 hash.txt
28db548ac69921eca66afe7de34f67f5:alice2024
Status...........: Cracked
The tool turned alice into alice, Alice, ALICE, alice2024, Alice!, and similar candidates; hashcat hashed each one and found the match. The -m 0 flag is the hash type (MD5) — swap it for your target, such as 1000 for NTLM or 1800 for sha512crypt.
If you don’t know the hash type, tools like hashid and name-that-hash will identify the likely format and the matching hashcat mode for you. Be aware that some formats are indistinguishable by shape alone — MD5 and NTLM are both 32 hex characters — so you may need to try a couple of -m values.
Why it’s pleasant to live with
A few details make it comfortable for day-to-day use: gzip output via --gzip, a --no-dedup plain-concat mode when you don’t need global deduplication, output files auto-named with the input words and a timestamp, and a single optional dependency (psutil — without it you simply lose the resource auto-pause). Nothing else to install, nothing to configure.
Get it
pipx install git+https://github.com/rebazomar121/mr-robot-crunch.git
Platforms: macOS and Linux
License & use: authorized testing only
If you run pentests or play CTFs, give it a target’s facts and let the pipeline do the boring part.