Wordlists

Wordlists are essential for many security tasks such as brute-force attacks, password cracking, fuzzing, and discovery of directories, URLs, and subdomains. Popular operating systems and toolkits include built-in wordlists, and others can be downloaded or customized to suit specific penetration testing needs.

Common Wordlists by Operating System

Here are the default locations for popular wordlists included in various operating systems:

Kali Linux:

  • /usr/share/wordlists/
    • rockyou.txt: A well-known password list commonly used in brute-force attacks.
    • dirb/common.txt: Used for directory brute-forcing.

Parrot OS:

  • /usr/share/wordlists/
    • Includes rockyou.txt and other wordlists like darkc0de.txt.

SecLists (if installed manually):

  • /opt/seclists/
    • SecLists: A comprehensive collection of wordlists for usernames, passwords, URLs, fuzzing, web shells, and more.

BlackArch Linux:

  • /usr/share/wordlists/
    • Extensive list of wordlists for different purposes like password cracking, subdomain enumeration, and more.

Popular Downloadable Wordlists

Some wordlists are not part of any OS but are widely used in cybersecurity tasks. These can be downloaded from repositories or official sources.

SecLists:

  • SecLists is one of the most comprehensive collections of security wordlists, including usernames, passwords, URLs, fuzzing payloads, web shells, and more.

FuzzDB:

  • FuzzDB provides a collection of attack patterns, predictable resource locations, and more for fuzzing and brute-forcing web applications.

CrackStation Wordlist:

Common Crawl:

Examples of Using Wordlists

Here are examples of commands that utilize wordlists in various security tools:

  • John the Ripper (password cracking):
    • john --wordlist=/path/to/wordlist.txt --rules --format=raw-md5 hash.txt
  • Hydra (password brute-forcing):
    • hydra -l admin -P /path/to/wordlist.txt 192.168.0.1 ssh
  • Dirbuster (directory brute-forcing):
    • dirb http://target/ /path/to/wordlist.txt
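The same list that john or hydra read above is just as useful on the defending side: loaded as a deny-list, it rejects weak choices at registration or password-change time before an attacker ever gets to guess them. The following is an added example, not code from the original page or any of the tools it names. SAMPLE_WORDLIST is a constructed stand-in for a few lines of rockyou.txt (including the non-UTF-8 bytes that file is known to contain); load_wordlist_file() reads a real file from one of the paths listed earlier.

```python
"""Use a password wordlist as a deny-list on the defending side.

Added example (not part of the original page). SAMPLE_WORDLIST is a
constructed stand-in for a few lines of rockyou.txt.
"""
from pathlib import Path
from typing import Iterable, Optional, Set

# Constructed sample: mixed line endings, a blank line, and a Latin-1 byte
# (0xE9), all of which occur in real lists such as rockyou.txt.
SAMPLE_WORDLIST = b"123456\npassword\r\nP@ssw0rd\nletmein\n\nqwerty\xe9\n"


def load_wordlist(raw: bytes) -> Set[str]:
    """Decode a raw wordlist into a set of non-empty entries.

    rockyou.txt is known to contain bytes that are not valid UTF-8, so fall
    back to Latin-1 (which never fails) instead of crashing on the whole file.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    # splitlines() handles both \n and \r\n; blank lines are dropped.
    return {line for line in text.splitlines() if line}


def load_wordlist_file(path: str) -> Set[str]:
    """Read a wordlist from disk, e.g. /usr/share/wordlists/rockyou.txt."""
    return load_wordlist(Path(path).read_bytes())


class PasswordDenylist:
    """Reject candidate passwords that appear in a known wordlist."""

    def __init__(self, words: Iterable[str]) -> None:
        self.exact = set(words)
        # Case-folded view so "Password" is caught by the entry "password".
        self.folded = {w.casefold() for w in self.exact}

    def check(self, candidate: str) -> Optional[str]:
        """Return a rejection reason, or None if the candidate is not listed."""
        if candidate in self.exact:
            return "exact match in wordlist"
        if candidate.casefold() in self.folded:
            return "matches a wordlist entry ignoring case"
        return None


if __name__ == "__main__":
    denylist = PasswordDenylist(load_wordlist(SAMPLE_WORDLIST))
    for pw in ("password", "PASSWORD", "qwerty\u00e9", "correct horse battery staple"):
        print(f"{pw!r}: {denylist.check(pw) or 'allowed'}")
```

For a production list the set is built once at startup (rockyou.txt has over 14 million entries, so the memory cost is noticeable but acceptable); the case-folded view is what catches the trivial capitalisation tricks that the john --rules option would otherwise generate on the attacking side.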

Recommendations

  • Always keep wordlists up to date, especially for password cracking; updated variants of lists like rockyou.txt appear regularly.
  • For customized attacks, create your own wordlists using tools like CeWL, which can generate lists based on the contents of a web page.
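Keeping lists up to date in practice means merging a freshly downloaded list into the one already on disk without accumulating duplicates, blank lines, CRLF endings or encoding errors that make tools stumble. The script below is an added example, not part of the original page or of any tool it names. LIST_A and LIST_B are constructed stand-ins for two such files; merge_files() does the same job for real paths.

```python
"""Merge, normalize and deduplicate several wordlists into one.

Added example (not part of the original page). LIST_A and LIST_B are
constructed stand-ins for two downloaded wordlist files.
"""
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed inputs: duplicates across files, a blank line, surrounding
# whitespace, CRLF endings, a too-short entry and a Latin-1 byte sequence.
LIST_A = b"admin\nADMIN\nroot\n\nadmin \nletmein\r\n"
LIST_B = b"root\nguest\nsummer2024\nx\n\xe9t\xe9\n"


def decode_lines(raw: bytes) -> List[str]:
    """Split a raw list into lines, tolerating non-UTF-8 bytes."""
    try:
        return raw.decode("utf-8").splitlines()
    except UnicodeDecodeError:
        return raw.decode("latin-1").splitlines()


def merge_wordlists(sources: Iterable[bytes], min_len: int = 3,
                    strip_ws: bool = True) -> Tuple[List[str], Dict[str, int]]:
    """Return (sorted unique entries, stats) for the given raw lists.

    strip_ws removes leading/trailing whitespace; set it to False when a list
    intentionally contains passwords with trailing spaces. Matching stays
    case-sensitive because tools try entries verbatim.
    """
    stats = {"read": 0, "dropped_short": 0, "dropped_dup": 0, "kept": 0}
    seen = set()
    for raw in sources:
        for line in decode_lines(raw):
            stats["read"] += 1
            word = line.strip() if strip_ws else line
            if len(word) < min_len:
                stats["dropped_short"] += 1
            elif word in seen:
                stats["dropped_dup"] += 1
            else:
                seen.add(word)
                stats["kept"] += 1
    return sorted(seen), stats


def merge_files(paths: Iterable[str], out_path: str, **kwargs) -> Dict[str, int]:
    """Merge on-disk wordlists and write the result as UTF-8, one entry per line."""
    words, stats = merge_wordlists((Path(p).read_bytes() for p in paths), **kwargs)
    Path(out_path).write_text("\n".join(words) + "\n", encoding="utf-8")
    return stats


if __name__ == "__main__":
    merged, info = merge_wordlists([LIST_A, LIST_B])
    print(info)
    print("\n".join(merged))
```

The stats dictionary is worth logging: a merge that drops almost everything as duplicates tells you the "new" download added nothing, and a large dropped_short count usually means a list was saved with the wrong line endings rather than that it was full of one-letter passwords.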