Wordlists Every Pentester Must Have !!

Abhishek pawar
InfoSec Write-ups
Published in
2 min readDec 16, 2024

Essential wordlists and tools that power password cracking, brute force attacks, and directory enumeration

What Are Wordlists?

A wordlist is a collection of words or strings used to guess passwords, usernames, or directory paths during penetration testing. It forms the backbone of various security testing techniques like brute force attacks and hash cracking.

Pre-Installed Wordlists in Kali Linux

Kali Linux comes equipped with a treasure trove of wordlists located at /usr/share/wordlists. Key examples include:

  • Rockyou : Over 14 million potential passwords.
  • Dirb Wordlists: Ideal for directory brute-forcing.
  • Wfuzz Wordlists: Tailored for web application fuzzing.

Popular Wordlists and Repositories

  1. Seclists
    A versatile collection containing usernames, passwords, fuzzing payloads, and more.
    Location: /usr/share/seclists.
  2. Github Wordlists
    Find the latest, niche wordlists for zero-day vulnerabilities or unique testing scenarios.
    https://github.com/kkrypt0nn/wordlists
    https://github.com/gmelodie/awesome-wordlists
    https://github.com/xajkep/wordlists
    https://github.com/jeanphorn/wordlist
    https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials
  3. Assetnote Wordlists
    Regularly updated and optimized for subdomain discovery and artifact enumeration.
    Website: Assetnote Wordlists

Create your own Dictionaries with

Cewl

Extracts potential passwords from website text.
Command Example:
cewl http://example.com -w wordlist.txt

cewl https://example.com -d 2 -w wordlist.txt
# https://example.com: The target website URL.
# -d 2: Depth of spidering.
# -w wordlist.txt: Specifies the output file to save.

Crunch

Generates wordlists with defined character sets and lengths.
Command Example:

crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)

@ Lower case alpha characters
, Upper case alpha characters
% Numeric characters
^ Special characters including spac
crunch 6 8 -t ,@@^^%%

CUPP (Common User Passwords Profiler)

Creates personalized wordlists based on user details.
GitHub: CUPP Repository

cupp -i
# The -i flag starts the interactive mode.
[+] First name: John
[+] Last name: Doe
[+] Nickname: Johnny
[+] Birthdate: 01011990
[+] Partner's name: Jane
[+] Pet's name: Max
[+] Company name: Acme

Pydictor

A flexible dictionary builder with advanced options.
GitHub: Pydictor Repository

pydictor.py -base custom -custom 'abcd1234!' -len 4 
# Uses only a, b, c, d, 1, 2, 3, 4, and !.
# Outputs words of length 4.

pydictor.py -base upperlowerdigit -len 8 -pattern "XxNNxx"
#XxNNxx creates words in a pattern: uppercase, lowercase, two digits, then lowercase twice.

pydictor.py -base lowerupperdigit -len 6
#The -base option specifies the character

Wister

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.
— From Hacktricks
GitHub: Wister

Cleaning and Merging Wordlists

  • Cleaning Wordlists: Use tools like clean_wordlists.sh to remove duplicates and noisy entries.
  • Merging Wordlists: Tools like DyMerge combine multiple lists dynamically.
    Command Example:
    dymerge list1.txt list2.txt -o merged_list.txt

Conclusion

Wordlists are indispensable in cybersecurity. With the right resources and tools, you can efficiently craft and utilize wordlists tailored to specific tasks. Always use these tools responsibly, adhering to ethical hacking guidelines.

Happy hacking!

Sign up to discover human stories that deepen your understanding of the world.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Abhishek pawar

Entrepreneur, Cybersecurity Enthusiast and engineer

No responses yet

What are your thoughts?