
Wordlists for Hacking
Basic Knowledge About Password Cracking
When logging into services like Facebook, we use usernames and passwords. If someone knows both, they can access your account. For example, if your password is aungaung123, an attacker might guess it through patterns like aungaung1, aungaung12, aungaung123, etc. This is called manual brute force. But with thousands or millions of possibilities, manual brute force is slow. That's why automated tools are used with prepared password files called wordlists.
What are Wordlists?
Wordlists are simple text files that contain a list of words or phrases. In the world of cybersecurity and ethical hacking, these "words" are typically possible passwords, usernames, URLs, or other strings that might be used in attacks like brute force or dictionary attacks.
Think of them like a cheat sheet for hackers — a ready-made list of guesses that can be fed into automated tools. These tools try each word in the list one by one, checking if any of them work as a password or reveal access to a system.
How Do Wordlists Work?
Wordlists are used with tools like Hydra, Burp Suite, John the Ripper, or Hashcat to perform automated attacks. These tools use the list to attempt logins, crack password hashes, or explore directories and subdomains.
Here's how it works in practice:
- You point the tool to the login page or hashed password.
- You attach a wordlist file that contains thousands (or even millions) of potential passwords.
- The tool tries each word in the list — quickly and automatically.
This method is much faster and more efficient than typing in passwords manually. It’s often the first step attackers (and ethical hackers) use to test the strength of a system’s password security.
Why Do We Need to Use Wordlists?
Using wordlists saves time and increases the chances of success when trying to guess passwords or uncover hidden data. Here’s why they’re essential:
- Speed: They allow automated tools to try thousands of entries quickly.
- Efficiency: Wordlists often include common passwords, leaked credentials, and patterns based on real user behavior.
- Customization: You can build your own wordlists tailored to your target (for example, using names of employees, pet names, birthdays, etc.).
In penetration testing, using good wordlists can mean the difference between finding a vulnerability and missing it entirely.
So whether you’re testing login security or hunting for directories on a web server, wordlists are one of the most practical tools in your hacking arsenal.
Wordlists in Kali Linux
Kali Linux includes default wordlists in the directory:
/usr/share/wordlists

This directory contains wordlists for tools like dirb, dirbuster (for directory brute force), fern-wifi (WiFi passwords), metasploit, and wfuzz. Notable files include:
- nmap.lst
- john.lst
- rockyou.txt.gz, a compressed wordlist you must extract first:
gzip -d /usr/share/wordlists/rockyou.txt.gz

If you're not using root, you need sudo. When prompted, enter your login password (no characters will appear as you type).
rockyou.txt contains over 14 million lines. Avoid opening it with default editors; use something like Sublime Text.
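The same list is useful on the defensive side: a password-change form can reject anything a wordlist attack would find, including the aungaung123-style variations described earlier. The following is an added example, not code from the original post; the function names, the constructed sample list and the normalisation rules (trailing digits and symbols, simple character substitutions) are assumptions for illustration.

```python
import re
from pathlib import Path

# Path from the article (Kali layout); extract rockyou.txt.gz first.
ROCKYOU = "/usr/share/wordlists/rockyou.txt"
# Constructed sample, used only when the real list is not installed.
SAMPLE_WORDS = ["password", "123456", "aungaung", "iloveyou", "qwerty"]
# Common character substitutions, undone before lookup (assumed rule set).
DELEET = str.maketrans("@0134$5!7", "aoleassit")
MIN_BASE = 4  # ignore very short stems so "a1234567" is not matched on "a"

def load_wordlist(path=ROCKYOU, fallback=SAMPLE_WORDS):
    """Return the wordlist as a set of lowercase entries."""
    p = Path(path)
    if not p.is_file():
        return {w.lower() for w in fallback}
    # rockyou.txt contains bytes that are not valid UTF-8; latin-1 never fails.
    with p.open(encoding="latin-1") as fh:
        return {line.strip().lower() for line in fh if line.strip()}

def candidates(password):
    """The password plus the simplified forms a dictionary attack also covers."""
    pw = password.lower()
    stem = re.sub(r"[\d\W_]+$", "", pw)      # aungaung123 -> aungaung
    forms = [pw, stem, pw.translate(DELEET), stem.translate(DELEET)]
    return [f for i, f in enumerate(forms)
            if (i == 0 or len(f) >= MIN_BASE) and f not in forms[:i]]

def check_password(password, words):
    """Return (accepted, reason); rejected when any form is in the wordlist."""
    for form in candidates(password):
        if form in words:
            return False, f"derived from wordlist entry {form!r}"
    return True, "not found in wordlist"

if __name__ == "__main__":
    words = load_wordlist()
    for pw in ["aungaung123", "P@ssw0rd1!", "correct-horse-battery-staple"]:
        ok, reason = check_password(pw, words)
        print(f"{pw:32} {'accept' if ok else 'reject'}: {reason}")
```

Loading all of rockyou.txt into a Python set is memory-hungry; a production check would keep the list in a database, sorted file or Bloom filter instead.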
Other Wordlists
Kali's built-in lists may not be enough. You can explore:
GitHub Wordlists
Find many wordlists on GitHub:
https://github.com/search?q=wordlists
SecLists
To install:
sudo apt install seclists

Files are located at: /usr/share/seclists
Note: Don't forget the "s" at the end of seclists.
https://github.com/danielmiessler/SecLists
Assetnote Wordlists
https://wordlists.assetnote.io/
Packetstorm Wordlists
https://packetstormsecurity.com/crackers/wordlists
Creating Your Own Wordlists
Making personalized lists is smart—names like "aungaung" or "ayeaye" may not be in default sets.
Useful tools to create custom wordlists:
- Cewl
- Crunch
- CUPP
- Bopscrk
- BEWGor
- DyMerge
- Mentalist
Thank you all.