# Wordlist Reference Quick reference guide to essential wordlists for penetration testing. ## Primary Resources ### SecLists The most comprehensive collection of security testing wordlists. ```bash # Installation git clone https://github.com/danielmiessler/SecLists.git # Or via package manager apt install seclists ``` **Key Paths:** | Use Case | Path | | ------------------- | ----------------------------------------------------------------------- | | Web directories | `Discovery/Web-Content/raft-large-directories.txt` | | Web files | `Discovery/Web-Content/raft-large-files.txt` | | Common passwords | `Passwords/Common-Credentials/10-million-password-list-top-1000000.txt` | | Default credentials | `Passwords/Default-Credentials/` | | Usernames | `Usernames/Names/names.txt` | | Subdomains | `Discovery/DNS/subdomains-top1million-110000.txt` | | Parameters | `Discovery/Web-Content/burp-parameter-names.txt` | | API paths | `Discovery/Web-Content/api/api-endpoints.txt` | | SQL injection | `Fuzzing/SQLi/` | | XSS | `Fuzzing/XSS/` | | LFI | `Fuzzing/LFI/` | ### Assetnote Wordlists High-quality, constantly updated wordlists from bug bounty research. ```bash # Download https://wordlists.assetnote.io/ ``` **Key Lists:** | List | Use Case | | ----------------------------------- | ---------------------------------------- | | `httparchive_directories_1m.txt` | Directories from real websites | | `httparchive_parameters_top_1m.txt` | Parameters from real traffic | | `httparchive_subdomains_1m.txt` | Subdomains from certificate transparency | | `technologies/` | Technology-specific wordlists | ### n0kovo Subdomains Curated subdomain wordlist with high discovery rate. ```bash git clone https://github.com/n0kovo/n0kovo_subdomains.git ``` ## By Use Case ### Directory/File Discovery ```bash # Quick scan (fast) /usr/share/seclists/Discovery/Web-Content/common.txt # 4,700 entries # Standard scan /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt # 30,000 /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt # 17,000 # Thorough scan (slower) /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt # 62,000 /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt # 1,273,000 # Technology-specific /usr/share/seclists/Discovery/Web-Content/CMS/wordpress.txt /usr/share/seclists/Discovery/Web-Content/CMS/drupal.txt /usr/share/seclists/Discovery/Web-Content/apache.txt /usr/share/seclists/Discovery/Web-Content/nginx.txt /usr/share/seclists/Discovery/Web-Content/IIS.txt ``` ### Subdomain Enumeration ```bash # Quick scan /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt # Standard /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt # Thorough /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt # Alternative: n0kovo (high quality) n0kovo_subdomains/n0kovo_subdomains_huge.txt # 3,000,000+ ``` ### Password Attacks ```bash # Top passwords (quick) /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt # Larger list /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt # rockyou (classic) /usr/share/wordlists/rockyou.txt # 14 million # Service-specific /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt /usr/share/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt ``` ### API Testing ```bash # API endpoints /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt /usr/share/seclists/Discovery/Web-Content/api/api-endpoints-res.txt # API documentation paths /usr/share/seclists/Discovery/Web-Content/swagger.txt # GraphQL /usr/share/seclists/Discovery/Web-Content/graphql.txt ``` ### Parameter Discovery ```bash # GET/POST parameters /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt # Larger list from Assetnote httparchive_parameters_top_1m.txt ``` ### Fuzzing/Injection ```bash # SQL Injection /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt /usr/share/seclists/Fuzzing/SQLi/Generic-BlindSQLi.fuzzdb.txt # XSS /usr/share/seclists/Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt /usr/share/seclists/Fuzzing/XSS/XSS-Jhaddix.txt # Comprehensive # LFI/Path Traversal /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt # Command Injection /usr/share/seclists/Fuzzing/command-injection-commix.txt # SSTI /usr/share/seclists/Fuzzing/template-engines-special-vars.txt ``` ## Custom Wordlist Generation ### CeWL (Website Crawler) ```bash # Extract words from target website cewl https://target.com -d 2 -m 5 -w custom_wordlist.txt # Include email addresses cewl https://target.com -e -w wordlist.txt # With authentication cewl https://target.com --auth_type basic --auth_user admin --auth_pass pass ``` ### Username Generation ```bash # From first/last names # Tools: username-anarchy, namemash # username-anarchy ./username-anarchy --input-file names.txt --select-format first,flast,firstl # Common patterns: # john.smith # jsmith # smithj # john_smith # john.s ``` ### Password Mutations ```bash # Hashcat rules hashcat -r /usr/share/hashcat/rules/best64.rule wordlist.txt --stdout > mutated.txt # John rules john --wordlist=wordlist.txt --rules --stdout > mutated.txt # Common mutations: # - Add years (2023, 2024, 2025) # - Add special chars (!@#$) # - Leetspeak (a→@, e→3, o→0) # - Capitalize first letter # - Add company name ``` ### Wordlist Manipulation ```bash # Remove duplicates sort wordlist.txt | uniq > sorted.txt # Remove entries shorter than 6 chars awk 'length >= 6' wordlist.txt > filtered.txt # Combine wordlists cat list1.txt list2.txt | sort -u > combined.txt # Remove blank lines sed '/^$/d' wordlist.txt > clean.txt # Lowercase everything tr '[:upper:]' '[:lower:]' < wordlist.txt > lowercase.txt ``` ## DNS Resolvers ```bash # Trusted resolvers for subdomain enumeration # https://github.com/trickest/resolvers # Quick download wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt # Validate resolvers (remove dead ones) dnsvalidator -tL resolvers.txt -threads 100 -o valid_resolvers.txt ``` ## Quick Reference Table | Task | Wordlist | Size | | ------------------ | -------------------------------- | ---- | | Quick dir scan | common.txt | 4.7K | | Standard dir scan | raft-medium-directories.txt | 30K | | Thorough dir scan | directory-list-2.3-big.txt | 1.2M | | Quick subdomain | subdomains-top1million-5000.txt | 5K | | Standard subdomain | subdomains-top1million-20000.txt | 20K | | Password spray | 10k-most-common.txt | 10K | | Password crack | rockyou.txt | 14M | | Parameter fuzz | burp-parameter-names.txt | 6K | | XSS fuzz | XSS-Jhaddix.txt | 8K | | SQLi fuzz | Generic-SQLi.txt | 267 | | LFI fuzz | LFI-Jhaddix.txt | 929 | ## Resources * [SecLists](https://github.com/danielmiessler/SecLists) * [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) * [Assetnote Wordlists](https://wordlists.assetnote.io/) * [fuzzdb](https://github.com/fuzzdb-project/fuzzdb) * [n0kovo\_subdomains](https://github.com/n0kovo/n0kovo_subdomains) * [OneListForAll](https://github.com/six2dez/OneListForAll) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pentest-book.com/others/wordlist-reference.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.