Wordlists are text files containing a sequence of commonly used words. These can be lists of common user names, passwords, web site directories, typical files on a web site, etc.
You will mostly use wordlists for fuzzing purposes (enumerating web directories and files), using tools such as Dirb, FFUF or Burp Suite. You will also use wordlists for offline password cracking using tools like John the Ripper. These are called dictionary attacks.
Using the right wordlist in the right situation will make a huge difference in the success of your fuzzing or cracking ventures. To emphasize: if your fuzzing tool is the engine, the wordlist is the fuel. So getting access to good wordlists is essential.
Most fuzzing or password cracking tools come with default wordlists. But you generally want to go beyond that.
For high quality wordlists, the place to start is Daniel Miessler’s SecLists. If you’re using Kali Linux, depending on the build you installed from, you will either have SecLists pre-installed or, if not, you can just run sudo apt install seclists.
Daniel maintains this great community project, which brings together contributions from all over the world. There you will find wordlists for a whole variety of needs:
– common files and directories found on web sites,
– files and directories with variations for foreign languages,
– common file extensions,
– frequently used user names,
– frequently used passwords,
– username:password combinations,
– Base64 encoded passwords,
– even default passwords on ASIC cryptomining devices,
– etc.
Wordlists are even provided in different sizes, so you can strike the right balance between how extensive you want your scan to be and how long you can allow it to run.
Once installed, the different wordlist categories will be in:
/usr/share/seclists
If you’re fuzzing web sites, go into:
/usr/share/seclists/Discovery/Web-Content
For your first practice environments, this list should be enough:
/usr/share/seclists/Discovery/Web-Content/common.txt
If you want to go deeper into directories or files, try these:
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
However, do know that Daniel Miessler’s SecLists have fallen victim to their own success. They are so good that everyone is using them! So you will basically be getting the same results as everybody else. Once you build experience, you will probably want to customise and develop your own wordlists to gain a competitive edge.
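Building your own list usually starts with merging a few existing ones, and that is where lists get messy: Windows line endings, stray whitespace, comment headers and the same entry appearing in several files all waste requests during a scan. The helper below is an added example (not code from the original post, from SecLists or from any fuzzing tool) that cleans and merges any number of wordlists while keeping the first-seen order, so entries from the list you trust most stay at the top. The two sample files it creates are constructed for the demonstration and are not real SecLists content.

```shell
#!/bin/sh
# Added example: merge several wordlists into one clean, deduplicated list.
# Hypothetical helper, not part of SecLists or any fuzzing tool.
#
# Normalisation performed on every input line:
#   - strip Windows line endings (\r)
#   - strip leading/trailing whitespace
#   - drop blank lines and '#' comment lines (some lists carry a header)
#   - keep only the first occurrence of each entry, so the order of the
#     input files (most likely hits first) is preserved

merge_wordlists() {
    # usage: merge_wordlists file1 [file2 ...] > merged.txt
    cat "$@" \
      | tr -d '\r' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v -e '^$' -e '^#' \
      | awk '!seen[$0]++'
}

count_entries() {
    # usage: count_entries file1 [file2 ...]
    # Number of entries after merging; a quick way to judge how long a
    # scan will run before you start it.
    merge_wordlists "$@" | wc -l | tr -d ' '
}

# --- constructed sample input (not real SecLists files) ---------------------
WORK=$(mktemp -d)
SAMPLE_A="$WORK/list-a.txt"
SAMPLE_B="$WORK/list-b.txt"

cat > "$SAMPLE_A" <<'EOF'
# constructed sample list, not a real SecLists file
admin
login
backup

login
EOF

# Second list saved with CRLF line endings and padded whitespace.
printf 'admin\r\nimages\r\n  uploads  \r\n' > "$SAMPLE_B"

# Demo: the two files hold 8 raw lines but only 5 distinct useful entries.
merge_wordlists "$SAMPLE_A" "$SAMPLE_B"
echo "entries: $(count_entries "$SAMPLE_A" "$SAMPLE_B")"
```

Point the two functions at real files (for example common.txt plus a raft list) to get one merged list you can feed to FFUF or Dirb; the count tells you up front roughly how many requests the scan will make.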
Before you go, take a minute to check this post. This is an overview of fuzzing and some important recommendations before you start fuzzing away. Have fun!