Password Wordlists & Tools
This page summarizes common password and username wordlists, as well as tools and tips for password cracking and brute force attacks during penetration testing.
Common Wordlists
Password Lists
- Top 100 passwords:
/usr/share/metasploit-framework/data/wordlists/adobe_top100_pass.txt
- 3,500 passwords:
/usr/share/john/password.lst
- 14 million passwords:
/usr/share/wordlists/rockyou.txt
Tip: Try john/password.lst first, then rockyou.txt. If rockyou.txt doesn't work, brute force is probably not the intended solution.
Username Lists
- Top 17 usernames:
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
- 835 default usernames:
/usr/share/seclists/Usernames/cirt-default-usernames.txt
- 624,000 usernames:
/usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt
Default Credentials
- Default username/password lists:
/usr/share/seclists/Passwords/Default-Credentials/
Password Cracking & Decryption
Online Services
- CrackStation: Supports LM, NTLM, MD2, MD4, MD5, SHA1, SHA256, SHA512, and more.
John the Ripper
john --format=krb5tgs hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Hashcat
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Web Directory Wordlists
- 3,000 entries:
/usr/share/wfuzz/wordlist/general/big.txt
- 20,000 entries:
/usr/share/dirb/wordlists/big.txt
Wordlist Generation
- Generate a wordlist from a website:
cewl -w cewl_passlist.txt 10.11.1.1/index.html
html2dic index.html | sort -u > index.dict