Wordlist Reference

Quick reference guide to essential wordlists for penetration testing.

Primary Resources

SecLists

The most comprehensive collection of security testing wordlists.

# Installation
git clone https://github.com/danielmiessler/SecLists.git

# Or via package manager
apt install seclists

Key Paths:

Use Case

Path

Web directories

Discovery/Web-Content/raft-large-directories.txt

Web files

Discovery/Web-Content/raft-large-files.txt

Common passwords

Passwords/Common-Credentials/10-million-password-list-top-1000000.txt

Default credentials

Passwords/Default-Credentials/

Usernames

Usernames/Names/names.txt

Subdomains

Discovery/DNS/subdomains-top1million-110000.txt

Parameters

Discovery/Web-Content/burp-parameter-names.txt

API paths

Discovery/Web-Content/api/api-endpoints.txt

SQL injection

Fuzzing/SQLi/

XSS

Fuzzing/XSS/

LFI

Fuzzing/LFI/

Assetnote Wordlists

High-quality, constantly updated wordlists from bug bounty research.

# Download
https://wordlists.assetnote.io/

Key Lists:

List

Use Case

httparchive_directories_1m.txt

Directories from real websites

httparchive_parameters_top_1m.txt

Parameters from real traffic

httparchive_subdomains_1m.txt

Subdomains from certificate transparency

technologies/

Technology-specific wordlists

n0kovo Subdomains

Curated subdomain wordlist with high discovery rate.

git clone https://github.com/n0kovo/n0kovo_subdomains.git

By Use Case

Directory/File Discovery

# Quick scan (fast)
/usr/share/seclists/Discovery/Web-Content/common.txt  # 4,700 entries

# Standard scan
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt  # 30,000
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt  # 17,000

# Thorough scan (slower)
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt  # 62,000
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt  # 1,273,000

# Technology-specific
/usr/share/seclists/Discovery/Web-Content/CMS/wordpress.txt
/usr/share/seclists/Discovery/Web-Content/CMS/drupal.txt
/usr/share/seclists/Discovery/Web-Content/apache.txt
/usr/share/seclists/Discovery/Web-Content/nginx.txt
/usr/share/seclists/Discovery/Web-Content/IIS.txt

Subdomain Enumeration

# Quick scan
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Standard
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Thorough
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

# Alternative: n0kovo (high quality)
n0kovo_subdomains/n0kovo_subdomains_huge.txt  # 3,000,000+

Password Attacks

# Top passwords (quick)
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

# Larger list
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt

# rockyou (classic)
/usr/share/wordlists/rockyou.txt  # 14 million

# Service-specific
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt

API Testing

# API endpoints
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints-res.txt

# API documentation paths
/usr/share/seclists/Discovery/Web-Content/swagger.txt

# GraphQL
/usr/share/seclists/Discovery/Web-Content/graphql.txt

Parameter Discovery

# GET/POST parameters
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

# Larger list from Assetnote
httparchive_parameters_top_1m.txt

Fuzzing/Injection

# SQL Injection
/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt

# XSS
/usr/share/seclists/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt
/usr/share/seclists/Fuzzing/XSS/XSS-Jhaddix.txt  # Comprehensive

# LFI/Path Traversal
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

# Command Injection
/usr/share/seclists/Fuzzing/command-injection-commix.txt

# SSTI
/usr/share/seclists/Fuzzing/template-engines-special-vars.txt

Custom Wordlist Generation

CeWL (Website Crawler)

# Extract words from target website
cewl https://target.com -d 2 -m 5 -w custom_wordlist.txt

# Include email addresses
cewl https://target.com -e -w wordlist.txt

# With authentication
cewl https://target.com --auth_type basic --auth_user admin --auth_pass pass

Username Generation

# From first/last names
# Tools: username-anarchy, namemash

# username-anarchy
./username-anarchy --input-file names.txt --select-format first,flast,firstl

# Common patterns:
# john.smith
# jsmith
# smithj
# john_smith
# john.s

Password Mutations

# Hashcat rules
hashcat -r /usr/share/hashcat/rules/best64.rule wordlist.txt --stdout > mutated.txt

# John rules
john --wordlist=wordlist.txt --rules --stdout > mutated.txt

# Common mutations:
# - Add years (2023, 2024, 2025)
# - Add special chars (!@#$)
# - Leetspeak (a→@, e→3, o→0)
# - Capitalize first letter
# - Add company name

Wordlist Manipulation

# Remove duplicates
sort wordlist.txt | uniq > sorted.txt

# Remove entries shorter than 6 chars
awk 'length >= 6' wordlist.txt > filtered.txt

# Combine wordlists
cat list1.txt list2.txt | sort -u > combined.txt

# Remove blank lines
sed '/^$/d' wordlist.txt > clean.txt

# Lowercase everything
tr '[:upper:]' '[:lower:]' < wordlist.txt > lowercase.txt

DNS Resolvers

# Trusted resolvers for subdomain enumeration
# https://github.com/trickest/resolvers

# Quick download
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt

# Validate resolvers (remove dead ones)
dnsvalidator -tL resolvers.txt -threads 100 -o valid_resolvers.txt

Quick Reference Table

Task

Wordlist

Size

Quick dir scan

common.txt

4.7K

Standard dir scan

raft-medium-directories.txt

30K

Thorough dir scan

directory-list-2.3-big.txt

1.2M

Quick subdomain

subdomains-top1million-5000.txt

Standard subdomain

subdomains-top1million-20000.txt

20K

Password spray

10k-most-common.txt

10K

Password crack

rockyou.txt

14M

Parameter fuzz

burp-parameter-names.txt

XSS fuzz

XSS-Jhaddix.txt

SQLi fuzz

Generic-SQLi.txt

267

LFI fuzz

LFI-Jhaddix.txt

929

Resources

PreviousAttack Index NextLearning Path

Last updated 8 days ago

Was this helpful?

hashtagPrimary Resources

hashtagSecLists

hashtagAssetnote Wordlists

hashtagn0kovo Subdomains

hashtagBy Use Case

hashtagDirectory/File Discovery

hashtagSubdomain Enumeration

hashtagPassword Attacks

hashtagAPI Testing

hashtagParameter Discovery

hashtagFuzzing/Injection

hashtagCustom Wordlist Generation

hashtagCeWL (Website Crawler)

hashtagUsername Generation

hashtagPassword Mutations

hashtagWordlist Manipulation

hashtagDNS Resolvers

hashtagQuick Reference Table

hashtagResources