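# Quick wordlist availability check.
# Lists each given path (file or directory) with ls -la and reports every
# absent one on stderr instead of silently discarding the error; returns
# non-zero if anything is missing, so the trailing line count only runs when
# every expected list is present.
check_wordlists() {
  local path missing=0
  for path in "$@"; do
    if [[ -e "$path" ]]; then
      ls -la -- "$path"
    else
      printf 'missing: %s\n' "$path" >&2
      missing=1
    fi
  done
  return "$missing"
}
check_wordlists /usr/share/wordlists/rockyou.txt /usr/share/seclists/Passwords/Common-Credentials/ \
  && wc -l /usr/share/wordlists/rockyou.txt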
Path
Description
/usr/share/wordlists/
Main wordlist directory
/usr/share/wordlists/rockyou.txt
Most popular password list (~14M entries)
/usr/share/wordlists/dirb/
DIRB directory wordlists
/usr/share/wordlists/dirbuster/
DirBuster wordlists
/usr/share/wordlists/wfuzz/
WFuzz wordlists
/usr/share/wordlists/seclists/
SecLists collection
/usr/share/wordlists/fasttrack.txt
Fast track common passwords
/usr/share/wordlists/metasploit/
Metasploit wordlists
# Install SecLists
apt install seclists
# Location
/usr/share/seclists/
├── Discovery/
│ ├── DNS/
│ ├── Web-Content/
│ └── Infrastructure/
├── Fuzzing/
├── Passwords/
│ ├── Common-Credentials/
│ ├── Leaked-Databases/
│ └── Default-Credentials/
├── Usernames/
└── Miscellaneous/
Wordlist
Path
Size
Use Case
rockyou.txt
/usr/share/wordlists/rockyou.txt
14M
General password cracking
fasttrack.txt
/usr/share/wordlists/fasttrack.txt
222
Quick common passwords
common-passwords
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
10K
Fast initial attempt
best1050
/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
1050
Very common passwords
# Top 100 passwords (fast)
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt
# Top 1000 passwords
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
# Top 10000 passwords
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt
# Top 100000 passwords
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
# Top 1 million passwords
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
# Default usernames/passwords
/usr/share/seclists/Passwords/Default-Credentials/default-passwords.csv
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/mysql-betterdefaultpasslist.txt
Leaked Database Passwords
# Hashcat leaked passwords
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
/usr/share/seclists/Passwords/Leaked-Databases/phpbb.txt
/usr/share/seclists/Passwords/Leaked-Databases/myspace.txt
/usr/share/seclists/Passwords/Leaked-Databases/ashley-madison.txt
# Common usernames
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/Names/names.txt
/usr/share/seclists/Usernames/cirt-default-usernames.txt
# Unix users
/usr/share/seclists/Usernames/unix-users.txt
# Service-specific
/usr/share/metasploit-framework/data/wordlists/unix_users.txt
/usr/share/metasploit-framework/data/wordlists/default_users_for_services_unhash.txt
# Names for username generation
/usr/share/seclists/Usernames/Names/familynames-usa-top1000.txt
/usr/share/seclists/Usernames/Names/femalenames-usa-top1000.txt
/usr/share/seclists/Usernames/Names/malenames-usa-top1000.txt
# DIRB wordlists
/usr/share/wordlists/dirb/common.txt # 4614 words
/usr/share/wordlists/dirb/big.txt # 20469 words
/usr/share/wordlists/dirb/small.txt # 959 words
# DirBuster wordlists
/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt # 87K
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt # 220K
/usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
# SecLists Web Content
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
# Apache
/usr/share/seclists/Discovery/Web-Content/Apache.fuzz.txt
# IIS
/usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt
# Tomcat
/usr/share/seclists/Discovery/Web-Content/tomcat.txt
# PHP
/usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
# API
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints-res.txt
# CMS
/usr/share/seclists/Discovery/Web-Content/CMS/wordpress.fuzz.txt
/usr/share/seclists/Discovery/Web-Content/CMS/drupal.txt
/usr/share/seclists/Discovery/Web-Content/CMS/joomla-plugins.txt
# DNS subdomain enumeration
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/DNS/namelist.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt # 2M+ (comprehensive)
Service-Specific Wordlists
# Hydra SSH brute force
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
ssh://$rhost
# Hydra FTP brute force
hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt \
-P /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt \
ftp://$rhost
# NetExec SMB
nxc smb $rhost -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-p /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
# Hydra HTTP Basic
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/wordlists/rockyou.txt \
$rhost http-get /admin
# WPScan
wpscan --url http://$rhost --passwords /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt \
--usernames admin
# Kerbrute user enum
kerbrute userenum -d $domain \
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
--dc $dc_ip
# ASREPRoast
impacket-GetNPUsers $domain / -usersfile /usr/share/seclists/Usernames/Names/names.txt \
-dc-ip $dc_ip -format hashcat
# MySQL
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/seclists/Passwords/Default-Credentials/mysql-betterdefaultpasslist.txt \
mysql://$rhost
# MSSQL
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/seclists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt \
mssql://$rhost
# PostgreSQL
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt \
postgres://$rhost
Custom Wordlist Generation
CeWL - Custom Word List Generator
# Generate wordlist from website
cewl http://$rhost -d 3 -m 5 -w custom_wordlist.txt
# Include email addresses
cewl http://$rhost -d 3 -m 5 -e --email_file emails.txt -w custom_wordlist.txt
# With authentication
cewl http://$rhost -d 3 -m 5 --auth_type basic --auth_user admin --auth_pass password -w wordlist.txt
Crunch - Wordlist Generator
# Generate 4-6 char passwords with numbers
crunch 4 6 0123456789 -o numeric.txt
# Generate passwords with pattern
crunch 8 8 -t @@@@%%%% -o pattern.txt # 4 lowercase + 4 digits
# Using charset
crunch 4 8 -f /usr/share/crunch/charset.lst mixalpha-numeric -o mixed.txt
Username Wordlist Generation
# From names to usernames
# John Smith -> jsmith, john.smith, smithj, etc.
# Using username-anarchy
git clone https://github.com/urbanadventurer/username-anarchy.git
./username-anarchy John Smith > usernames.txt
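# Manual patterns: write the given usernames one per line to OUT.
# printf replaces the non-portable `echo -e` and never interprets the values.
# Example: write_usernames usernames.txt jsmith john.smith smithj johns j.smith
write_usernames() {
  local out=$1
  shift
  (( $# > 0 )) || return 1
  printf '%s\n' "$@" > "$out"
}
# Merge and deduplicate any number of wordlists into OUT.
# sort reads the inputs directly (no cat needed); LC_ALL=C makes the order
# byte-wise and reproducible across machines.
# Example: merge_wordlists combined.txt wordlist1.txt wordlist2.txt
merge_wordlists() {
  local out=$1
  shift
  (( $# > 0 )) || return 1
  LC_ALL=C sort -u -- "$@" > "$out"
}
# Remove short passwords: keep only lines of IN with at least MIN characters,
# written to OUT. MIN is validated as a non-negative integer and handed to awk
# via -v rather than interpolated into the program text.
# Example: filter_min_length 8 /usr/share/wordlists/rockyou.txt rockyou_8plus.txt
filter_min_length() {
  local min=$1 in=$2 out=$3
  [[ "$min" =~ ^[0-9]+$ ]] || return 1
  awk -v min="$min" 'length($0) >= min' "$in" > "$out"
}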
Username Generation Tools
Generate username variations from first/last names
# Install
git clone https://github.com/urbanadventurer/username-anarchy.git
cd username-anarchy
# Generate from single name
./username-anarchy John Smith
# Output: jsmith, john.smith, smithj, john_smith, etc.
# From file of names
./username-anarchy -i names.txt > usernames.txt
# Input format for names.txt:
# FirstName LastName
# John Smith
# Jane Doe
Common Patterns Generated
Pattern
Example
first.last
john.smith
f.last
j.smith
first_last
john_smith
firstlast
johnsmith
lastfirst
smithjohn
flast
jsmith
lastf
smithj
first
john
last
smith
Generate from CSV/Excel Data
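# From CSV with FirstName;LastName format -> flast (John;Smith -> jsmith).
# The field separator is a literal ';' (no surrounding space); a trailing CR
# from Excel exports and spaces around each field are stripped, and rows that
# lack either field are skipped. Output goes to stdout.
# Example: csv_flast Users.csv > userlist.txt
csv_flast() {
  awk -F';' '
    { sub(/\r$/, "") }
    NF >= 2 {
      gsub(/^[ \t]+|[ \t]+$/, "", $1)
      gsub(/^[ \t]+|[ \t]+$/, "", $2)
      if ($1 != "" && $2 != "")
        printf("%s%s\n", tolower(substr($1, 1, 1)), tolower($2))
    }' "$1"
}
# Multiple patterns from CSV: first.last, f.last, first_last, flast and lastf,
# deduplicated with a byte-wise sort. Same input handling as csv_flast.
# Example: csv_username_patterns Users.csv > userlist.txt
csv_username_patterns() {
  awk -F';' '
    { sub(/\r$/, "") }
    NF >= 2 {
      gsub(/^[ \t]+|[ \t]+$/, "", $1)
      gsub(/^[ \t]+|[ \t]+$/, "", $2)
      if ($1 == "" || $2 == "") next
      first = tolower($1)
      last = tolower($2)
      print first "." last
      print substr(first, 1, 1) "." last
      print first "_" last
      print substr(first, 1, 1) last
      print last substr(first, 1, 1)
    }' "$1" | LC_ALL=C sort -u
}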
Another username generator (namemash)
# Install
git clone https://github.com/superkojiman/namemash.git
cd namemash
# Generate usernames
python namemash.py names.txt > usernames.txt
# Input format:
# First Last
Manual Username Generation
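#!/bin/bash
# Quick script to generate username variations from "First Last" names.
# Reads names.txt (one "First Last" per line), lowercases both parts and
# prints seven common patterns per name; the result is deduplicated into
# usernames.txt. Lines with fewer than two words are skipped.
gen_usernames() {
  local first last rest initial
  # read -r keeps backslashes literal; rest absorbs any extra tokens (middle
  # names); the || clause still processes a last line without a newline.
  while read -r first last rest || [[ -n "$first" ]]; do
    [[ -n "$first" && -n "$last" ]] || continue
    first=${first,,}
    last=${last,,}
    initial=${first:0:1}
    printf '%s\n' \
      "$first.$last" \
      "$initial.$last" \
      "$first$last" \
      "$initial$last" \
      "$last$initial" \
      "$first" \
      "$last"
  done
}
if [[ -r names.txt ]]; then
  gen_usernames < names.txt | sort -u > usernames.txt
else
  printf 'names.txt not found; no usernames generated\n' >&2
fi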
Extract Names from Metadata
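# Extract author names from document metadata under DIR (default: .) and print
# them deduplicated, one per line; returns 1 when no matching document exists.
# exiftool prints "Tag  : value" lines, so sed keeps only the value part and
# lines with an empty value are dropped. nullglob is enabled just for the
# glob so an unmatched pattern is never passed to exiftool as a literal.
# Example: extract_metadata_names . > names.txt
extract_metadata_names() {
  local dir=${1:-.} had_nullglob=0
  local -a docs=()
  shopt -q nullglob && had_nullglob=1
  shopt -s nullglob
  docs=("$dir"/*.pdf "$dir"/*.docx "$dir"/*.xlsx)
  (( had_nullglob )) || shopt -u nullglob
  (( ${#docs[@]} > 0 )) || return 1
  exiftool -Creator -Author -LastModifiedBy "${docs[@]}" 2>/dev/null \
    | sed -n 's/^[^:]*: *//p' | grep -v '^$' | LC_ALL=C sort -u
}
extract_metadata_names . > names.txt || printf 'no documents with author metadata found under .\n' >&2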
# Then generate usernames
./username-anarchy -i names.txt > usernames.txt
Use Case
Recommended Wordlist
Quick password spray
/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
Full password crack
/usr/share/wordlists/rockyou.txt
Web directory fuzzing
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
Subdomain enumeration
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
Username enumeration
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
Default credentials
/usr/share/seclists/Passwords/Default-Credentials/default-passwords.csv
API fuzzing
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
AD usernames
/usr/share/seclists/Usernames/Names/names.txt