Red-Team Wordlists ⛪
Wordlists are files with one item per line, usually a word.
They are mainly used to automate tasks. For instance, to perform a password attack, we will most likely use a wordlist with a list of usernames to test, and a password wordlist with common passwords.
- 🏝️ Find common (+hidden) directories on a web server
- 🔑 Test common passwords
- 🥷 Find hidden form parameters, headers, etc.
- ...
CTFs usually use the infamous rockyou.txt for passwords (from the data breach of rockyou.com in 2009).
SecLists (50.6k ⭐) is the most popular place to find wordlists.
$ sudo apt-get install seclists
/usr/share/seclists/Passwords/darkweb2017-top10000.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
...
On Kali, we can install the package wordlists (0.1k ⭐) to access the most common wordlists excluding SecLists wordlists.
$ sudo apt-get install wordlists
$ wordlists # extract rockyou.txt, press Y
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/others/best1050.txt
/usr/share/wordlists/dirb/others/best110.txt
...
Finally, PayloadsAllTheThings contains some wordlists.
Custom Wordlists
Simple wordlists
$ seq 0 99 > 0_to_99.lst
$ echo {A..Z} | tr ' ' '\n' > AZ.lst
$ echo user{0..9} | tr ' ' '\n' > user_0_to_9.lst
$ echo {admin,adm,user} | tr ' ' '\n' > simple_list.lst
You can also use John the Ripper or hashcat!
CeWL wordlist generation
Users may generate a password based on the environment they are in. CeWL (1.6k ⭐) will scrape their website to generate a list of words.
$ cewl -w output.lst -d depth -m word_size URL # -d: spider depth, -m: minimum word length
$ cewl -w output.lst -d depth -m word_size -e URL # -e: also collect email addresses
$ cewl -w output.lst -m5 --lowercase URL # words of 5+ characters, lowercased
crunch wordlist generation
crunch is a tool available on Debian to generate wordlists.
$ crunch minlength maxlength charset -o crunch.txt # BIG
$ crunch [...] -t pattern
$ crunch [...] -d 1 # "aa" "aaa" etc. are not allowed
cook wordlist generation
cook (0.7k ⭐) is a tool/engine to create wordlists, sort of like a recipe.
$ cook [...]
CUPP wordlist generation
cupp (4.0k ⭐, 2020 🪦) is a Python script that generates a wordlist based on the information you gathered about the target.
$ sudo apt-get install cupp
$ cupp -i
Even if you gathered a lot of information, you may want to start with a small wordlist first.
Linkedin2Username
linkedin2username (1.1k ⭐) uses your LinkedIn account to explore the target's LinkedIn pages and generate a wordlist of usernames.
hashcat utilities
hashcat has a few utilities that it uses to generate wordlists:
- maskprocessor: generate wordlists from a mask
- kwprocessor: generate wordlists with keyboard walks
- princeprocessor: generate wordlists using the PRINCE algorithm
Random Tools
Tune wordlists
If the minimum length for a password is 6 characters, we may want to remove shorter passwords. This is something we can easily do using regexes. For instance, to keep only four-character passwords:
$ grep -E '^.{4}$' /usr/share/wordlists/rockyou.txt > /tmp/4rock.lst
We can also merge, remove duplicates, or sort words:
$ cat wordlist1 wordlist2 wordlist3 > wordlist123
$ sort wordlist123 > swordlist # sort
$ uniq swordlist > uwordlist # remove duplicates (uniq -u would drop every repeated word entirely)
⚠️ To remove duplicates, you must sort the list first, because uniq only compares adjacent lines.
It is worth mentioning again that tools such as John the Ripper or hashcat may have the capabilities to perform these operations.
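The merge, length-filter and de-duplication steps above combined into one pass, as an added example that is not part of the original page (function names, file names and sample words are constructed). It removes duplicates without sorting, so a list ordered most-likely-first keeps its order, and it shows what `sort | uniq` and `sort | uniq -u` return on the same input.

```shell
# Added example: function names, file names and sample words are constructed.

# Concatenate the given lists and strip carriage returns (Windows line endings).
merge_lists() { cat -- "$@" | tr -d '\r'; }

# Keep entries of at least MINLEN characters and drop duplicates without
# sorting: the first occurrence wins, so the original order is preserved.
# Note: some awk builds count bytes, not characters, in length().
tune_wordlists() (
    minlen=$1; shift
    merge_lists "$@" | awk -v min="$minlen" 'length($0) >= min && !seen[$0]++'
)

# sort | uniq: one copy of every word, but the original order is lost.
dedupe_sorted() { merge_lists "$@" | LC_ALL=C sort | uniq; }

# sort | uniq -u: only words that occur exactly once survive, so every
# word that had a duplicate disappears completely.
only_singletons() { merge_lists "$@" | LC_ALL=C sort | uniq -u; }

# Constructed sample input: two small overlapping lists, the second with CRLF.
make_samples() {
    printf '%s\n' password 123456 letmein abc password > "$1/a.lst"
    printf '%s\r\n' letmein qwerty 123456 dragon > "$1/b.lst"
}

dir=$(mktemp -d)
make_samples "$dir"
echo "--- tuned (min length 6, order kept)"
tune_wordlists 6 "$dir/a.lst" "$dir/b.lst"
echo "--- sort | uniq"
dedupe_sorted "$dir/a.lst" "$dir/b.lst"
echo "--- sort | uniq -u"
only_singletons "$dir/a.lst" "$dir/b.lst"
rm -rf "$dir"
```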
Enumeration Wordlists Index
Forced Browsing
Sorted by recommended order of usage.
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/quickhits.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
➡️ See also: Extension Wordlists.
Subdomains
Sorted by recommended order of usage.
/usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/namelist.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
/usr/share/wordlists/amass/*
Accounts
Usernames
admin, administrator, wpadmin, root, adm
/usr/share/seclists/Usernames/Names/names.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
Passwords
/usr/share/seclists/Passwords/Common-Credentials/best110.txt
/usr/share/wordlists/fasttrack.txt
/usr/share/wordlists/rockyou.txt
📚 You may also use the cracked passwords to create a wordlist.
Default credentials (=Credential Stuffing)
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
/usr/share/metasploit-framework/data/wordlists/http_default_pass.txt
$ ll /usr/share/seclists/Passwords/Default-Credentials/*passlist.txt
$ # see also: short username/password wordlists
📚 You might want to check out cirt, default-password, and data recovery. See also: Default Credentials Cheat Sheet (5.1k ⭐).
Exploitation Wordlists Index
File Upload
MIME type/Content Type
/usr/share/seclists/Miscellaneous/web/content-type.txt
➡️ See also: Extension Wordlists.
Minor Wordlists Index
Extensions
Mostly bad extensions (no .jpeg or normal extensions)
/usr/share/wordlists/dirb/extensions_common.txt
/usr/share/seclists/Discovery/Web-Content/web-extensions.txt
/usr/share/seclists/Discovery/Web-Content/web-extensions-big.txt
Characters
Random wordlists about characters.
/usr/share/seclists/Fuzzing/alphanum-case.txt
Parameters
Common wordlists to find hidden query/body parameters:
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
👻 To-do 👻
Stuff that I found, but never read/used yet.
- Auto_Wordlists
- big-list-of-naughty-strings (45.5k ⭐)
- fuzzdb (7.8k ⭐, 2020 🪦)
- username-anarchy
- Security-Wordlist
Mangling