Advertisement

Responsive Advertisement

Recent in Technology

Wordlists for Hacking

Wordlists for Hacking

Basical Knowledge About Password Cracking

When logging into services like Facebook, we use usernames and passwords. If someone knows both, they can access your account. For example, if your password is aungaung123, an attacker might guess it through patterns like aungaung1, aungaung12, aungaung123, etc. This is called manual brute force. But with thousands or millions of possibilities, manual brute force is slow. That's why automated tools are used with prepared password files called wordlists.

What are Wordlists?

Wordlists are simple text files that contain a list of words or phrases. In the world of cybersecurity and ethical hacking, these "words" are typically possible passwords, usernames, URLs, or other strings that might be used in attacks like brute force or dictionary attacks.

Think of them like a cheat sheet for hackers — a ready-made list of guesses that can be fed into automated tools. These tools try each word in the list one by one, checking if any of them work as a password or reveal access to a system.

How Do Wordlists Work?

Wordlists are used with tools like Hydra, Burp Suite, John the Ripper, or Hashcat to perform automated attacks. These tools use the list to attempt logins, crack password hashes, or explore directories and subdomains.

Here's how it works in practice:

  • You point the tool to the login page or hashed password.
  • You attach a wordlist file that contains thousands (or even millions) of potential passwords.
  • The tool tries each word in the list — quickly and automatically.

This method is much faster and more efficient than typing in passwords manually. It’s often the first step attackers (and ethical hackers) use to test the strength of a system’s password security.

Why Do We Need to Use Wordlists?

Using wordlists saves time and increases the chances of success when trying to guess passwords or uncover hidden data. Here’s why they’re essential:

  • Speed: They allow automated tools to try thousands of entries quickly.
  • Efficiency: Wordlists often include common passwords, leaked credentials, and patterns based on real user behavior.
  • Customization: You can build your own wordlists tailored to your target (for example, using names of employees, pet names, birthdays, etc.).

In penetration testing, using good wordlists can mean the difference between finding a vulnerability and missing it entirely.

So whether you’re testing login security or hunting for directories on a web server, wordlists are one of the most practical tools in your hacking arsenal.

Wordlists in Kali Linux

Kali Linux includes default wordlists in the directory:

/usr/share/wordlists

Wordlists Directory

This directory contains tools like dirb, dirbuster (for directory brute force), fern-wifi (WiFi passwords), metasploit, and wfuzz. Notable files include:

  • nmap.lst
  • john.lst
  • rockyou.txt.gz – a compressed wordlist you must extract first:
gzip -d /usr/share/wordlists/rockyou.txt.gz
Extract Rockyou

If you're not using root, you need sudo. When prompted, enter your login password (no characters will appear as you type).

rockyou.txt contains over 14 million lines. Avoid opening with default editors—use something like Sublime Text.

Other Wordlists

Kali's built-in lists may not be enough. You can explore:

GitHub Wordlists

Find many wordlists on GitHub:

https://github.com/search?q=wordlists

SecLists

To install:

sudo apt install seclists
Seclists

Files are located at: /usr/share/seclists

Note: Don’t forget the "s" at the end of seclists.

https://github.com/danielmiessler/SecLists

Assetnote Wordlists

https://wordlists.assetnote.io/

Packetstorm Wordlists

https://packetstormsecurity.com/crackers/wordlists

Creating Your Own Wordlists

Making personalized lists is smart—names like "aungaung" or "ayeaye" may not be in default sets.

Useful tools to create custom wordlists:

  • Cewl
  • Crunch
  • CUPP
  • Bopscrk
  • BEWGor
  • DyMerge
  • Mentalist

Thank you all.

Post a Comment

0 Comments