danielmiessler / seclists Goto Github PK

I was looking for some good wordlists (that include passwords too!) and it seems that some of the .txt files have a lot of http:// junk, .app junk, and shockwave junk entries. It was a pain to clean up...lol

search rockyou.txt for http, shockwave, .app and you'll find the weird entries that aren't really one liners at all.

Edit: maybe they weren't multi-liners, but the weird copy & paste passwords don't work for my uses, but it probably isn't an error (users copy & paste sections of code to use for passwords)

I still recommend that files you keep from this repo be checked thoroughly and to be kept separately.

hi ,
As you can see in https://httpsonly.blogspot.in/2017/01/0day-writeup-xxe-in-ubercom.html
example.com/API/fuzz
Can you please create list for API path fuzz.

This seems like an oversight.

$ cat ~/Downloads/merged\ 2.txt | grep -Ei "^password$"

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

Hi there,

I'm working to get some decent lists of HTTP request and response headers, as well as examples for each for this repo. I've started my work here: https://github.com/craSH/SecLists/commits/http-headers

Before I do a PR, I was wondering if you had suggestions for organizing the data - e.g. should I create a new subdirectory under Miscellaneous, keep them as separate files like they are now, or do you have another suggestion? I'd like to keep the structure as organized as possible, but I don't think there's any agreed upon standard for that with the repo at this moment (e.g. some things have comments above certain payloads, etc.)

Thanks!

How about include this password list?

https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3

https://github.com/shipcod3/Piata-Common-Usernames-and-Passwords

the file 10_million_password_list_top_1000000.txt does have a million lines, but from a small look on it the 1 million-th line is empty.

The file 10_million_password_list_top_1000000.txt contains ETX
on line 912955
this should be removed.

Edit:

3 passwords have this ETX.

The file contains 16 zipped files, which again contains 16 zipped files, which again contains 16 zipped files, which again contains 16 zipped, which again contains 16 zipped files, which contain 1 file, with the size of 4.3GB.

So, if you extract all files, you will most likely run out of space :-)

http://www.unforgettable.dk/

SecLists currently has the following Domino list:

• https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web_Content/domino.txt

In doing some googling for a recent assessment, I came across the following project:

• https://sourceforge.net/projects/dominohunter/files/dominohunter/0.9/

Inside the zip there are the following wordlist files:

• Domino_files.txt
• Commands_Documents.txt
• Commands_NSF.txt
• Commands_Views.txt

Domino_files is a list of common domino paths (which could probably be merged with the current list), the other 3 are 'command suffixes' that can be appended to Documents, NSF files and Views.

@coldfusion39 's domi-owned project also contains some wordlists that may be useful:

• https://github.com/coldfusion39/domi-owned/tree/master/domi_owned/data
• https://github.com/coldfusion39/domi-owned/blob/583d0a5ade9305c40329916e0ecf1540a089c9be/domi_owned/fingerprint.py#L60-L72

Metasploit has a couple of paths as well:

• https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/lotus/lotus_domino_version.rb

iNotes/Forms5.nsf
iNotes/Forms6.nsf
iNotes/Forms7.nsf
help/readme.nsf?OpenAbout
download/filesets/l_LOTUS_SCRIPT.inf
download/filesets/n_LOTUS_SCRIPT.inf
download/filesets/l_SEARCH.inf
download/filesets/n_SEARCH.inf

A couple more I found:

Help/help9_admin.nsf
Help/help9_client.nsf
Help/help9_designer.nsf

Do you have a list of default paths for commons document root?
Example:

/var/www/sites/all
/var/www/html/default/
/home/www/
/var/www/public/
...

I came to seclists looking for some nosql / mongo injection lists and couldn't find anything.

Ended up finding the following and got some good use out of it:
https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt

Figured it could be a nice addition :)

hello, I'm having trouble downloading this. whenever I click on 'download' it just keeps on loading. any advice?

Hi,

I was thinking about building a simple API to allow web developers to check a password provided by a user against the top-n list. It would be provided free to the community. As in, either me or my company would build and host it for free.

It raises some important questions;

1. You have put all this effort in to collating these lists, and I would not build anything like this without your explicit approval.
2. I have been thinking about whether there is a downside to building this as an API and I would really like someone else's opinion on whether this could potentially be abused.

If this API is indeed built, there are a couple of things to think about;

• There is something unnerving about a site sending a user's new password to this random API on the internet to check whether it is in the most-commonly-used. If the API was nefarious, it could potentially store the data and correlate it to the site, thus providing an easier attack vector. That may be the thing that kills the idea dead :) Unless there is a way to ensure the data cannot be correlated and provide assurances around that.
• The API would return the position on the list, i.e "1000th most commonly used". It is then up to the calling site to determine what they consider acceptable.

This may be a stupid idea, but I thought I'd put it out there to see what other people think.

Hey guys, forgive me if I'm misunderstanding this Polyglot, but instead of the current value for line 2 of the SQLi_Polyglots

Shouldn't it be this instead?

IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/

I find it hard to believe that Stonecol and Stonecold are, separately, among the 10k most commonly used words. Thoughts?

https://github.com/danielmiessler/SecLists/blob/master/Passwords/10k_most_common.txt

@danielmiessler @jhaddix Looks like a bunch of iCloud metadata files were committed in place of the actual files. I'm thinking this may have been accidental.

Pull request #44 contains both of these additions.

Firstly, thanks for sharing your code with the open-source world.

As you may or may not be aware, we have included your tool in our Kali Linux penetration testing distribution so it can be easily installed by our large user-base. You can follow the package development cycle here - http://pkg.kali.org/pkg/seclists

As the distribution includes hundreds of tools, keeping them updated is a significant undertaking. We would like to ensure that your tool is always kept as current as possible so that our users can benefit from the latest features and fixes. You could help us in this task immensely by tagging your releases here on GitHub. Tagging releases allows us to automate the process of checking for new releases, ensuring that tools get updated far more quickly.

Tagging can be included in your workflow very easily and would go a long way to helping us keep your tool updated in our distribution. The most common type of tag is the "lightweight" version as follows (where 0.3 is the new version number):

git-tag v0.3
git push --tags

Thanks!

Hi

Virustotal flags some files like FUZZDB_cmdasp.aspx as malware

https://www.virustotal.com/en-gb/file/5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655/analysis/1422380865/

Is that a known issue?

Thanks

subdomains-top1mil-*.txt contains some lines with extra dot at the end, e.g

$ grep -E ".$" subdomains-top1mil-110000.txt
m.
ns2.cl.bellsouth.net.
ns1.viviotech.net.
ns2.viviotech.net.
ns3.cl.bellsouth.net.
ferrari.fortwayne.com.
jordan.fortwayne.com.
quatro.oweb.com.
c.ns.emailvision.net.
a.ns.emailvision.net.
b.ns.emailvision.net.
d.ns.emailvision.net.
mail.
...

Its drive to wrong concatination result.

Hi
Is there an estimated release date for version 3.4.0.CR1
We are currently waiting for the blacklist functionality within KEYCLOAK-5244.
Thank you

Even i tried github cloning ,payloads merged with each others .any tips for using fuzzlist on windows.

Found the following word list while browsing today: https://github.com/berzerk0/Probable-Wordlists

I'm wondering if this list (even though the licensing is currently "unknown") would make a good addition to this list. (That is, if it has a compatible licensing requirement)

hi
how can open this file (phpbb-withcount.txt.icloud) !!!

Hi
I'm student from NTHU ( national tsing hua university )
We've joined SC16 Student Cluster Competition and got the highest password recover.
We use SecLists as our dictionary.

This is our result
https://github.com/bob-beck/sc16passwords

Big thanks to SecLists.

Sorry to post this here.

Is there any mobile app password leak or any password leak whose passwords have been set on mobiles that you can provide. Need it for a research project.

Best Regards

Looking through the project and the issues, I was unable to find a license. Can one be added to the project? Otherwise, cannot use anything until usage restrictions are known.

Let me preface by saying these two things:

• I appreciate the hard work you are putting into this - I'm excited to see this develop!
• Organization of things like this is tricky

That being said, I noticed that the organization of this repo wasn't standardized, and there may be some improvements that can be made. Here are some suggestions (in no particular order):

• Case standardization - "Discovery": vs "stress", etc. Might I suggest going all lower-caps, as this would be easier to traverse in a standard CLI environment?
• Why is there two "DNS" folders? One in /, one in "Discovery/"?
• Many of the items in "vuln/" are repeated (and expanded) in subsequent "Discovery/" files (e.g. see coldfusion)
• I personally can't see any use for the file pi_large.txt, but please let me know if there is one!
• Repeated files (e.g. "alphanum_case.txt" found in both "stress/" and "Misc/"
• In general, it seems as though many things that could be considered "subcategories" are found in the root folder. Though this interpretation is different for everyone, I personally find that moving things like "DNS/" and "URLs/" to the "Discovery" folder would make the root a bit more logically structured.

These were just a few suggestions after glancing at the repo. Feel free to change/disregard as you see fit. Thanks again for all the hard work!

Passwords/README states that a file merged.txt.tar.gz should exist.

That file doesn't seem to be in /passwords

Reminder to myself to add this: https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot via @jhaddix

This wordlist seems to have an extra whitespace in the line beginning for each entry. Can you remove these?

Numeric: https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/FuzzLists/numeric_fields_only.txt

Main list repository: https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/FuzzLists

I've got this cloned onto my system and the directory takes up 778M of which 380M is the .git directory. This seems excessive. Might it be worthwhile to run garbage collection and pruning to reduce this down a bit? Or is there a valid reason to keep it all that I'm missing?

Maybe run something like what is suggested here:
https://stackoverflow.com/questions/2116778/reduce-git-repository-size

Can you add the following list to the repo please:
http://arstechnica.com/security/2013/10/izmy-p55w0rd-saph/

Many of the XSS payload files are not directly consumable by fuzzing applications, such as Burp Intruder. I think it would be great if there were seperate fuzzing files to the discussion files. For example, Mario's XSS file is AWESOME and so advanced that it's akin to magic, but it takes a bit of work to use within tools.

How best to help you guys with this?

Hi,
I cannot find the merged.txt.tar which is supposed to be the archived with all the different password lists sorted.
Best,
Alex

Instead of alphabetical order, it would be better to order the list according to frequency of occurrence.
I could provide this if you want (with and/or without count).

Greetings

fierce, knock, subbrute, etc.

Hey there,

I feel a bit shitty for opening this issue, but I am the creator of Gitrob and I would really appreciate a Thanks and a reference to the tool in the README as the Gitrob file signatures have been included in SecLists here.

Thanks for maintaining this awesome project. It is truly useful!

Thanks for this collection - it's a really useful set!

There's some duplication in the WebLogic files in the Discovery/Web_Contents/ directory.

• Weblogic.fuzz.txt - all have the leading slash, and there are 159 lines.
• weblogic.txt - none have the leading slash, and there are 361 lines.

Together, there are 520 lines.

I merged the two files, normalized them to all include the leading slash and no trailing whitespace.
This resulted in a single list of 359 lines. I'm suggesting that this one file should replace the original two.

I put the result on pastebin, if you'd like to use it.
Or you can run this to make it yourself:

SecLists/Discovery/Web_Content$ cat Weblogic.fuzz.txt weblogic.txt | sed -e 's/^\///' -e 's/ $//' | sort -u | sed -e 's/^/\//'

https://github.com/govolution/betterdefaultpasslist

Could be a good resource to submodule.

Hello,

I've been searching around Google for a list of port numbers sorted according to their frequency of use, and so far, I've found no results corresponding to what I was looking for, so I wanted to suggest adding something like it to SecLists.

Problems and Goals

The goal that I have in mind for a list of such kind is to use it to quickly check if a host is alive in the fastest time possible while assuming that there are packet filtering devices on the way. The only workaround that I can think of regarding this problem is to establish connections to legit services being hosted on my targets, which packet filtering devices usually allow (I think so, I have very little experience with this so bear with me). But the thing is, I don't know which legit services are running on my targets.

I'm aware that I can do a full 0-65535 port scan on my target hosts, but I think starting with the most frequently used port numbers will shorten my port scan time by a lot, considering that I'm looking for only 1 port to successfully be detected.

Data Gathering Methodology

One method that I could think of in the creation of such a list is to query Shodan (https://www.shodan.io/) for each of the 65536 port numbers using their port search filter (port:1, port:2, port:n). Each query will return a frequency value for each port and we can use this value to sort our list.

I wanted to do this myself, but I've noticed that the use of the API is charged, so maybe this list could be compiled as a result of a mix of collaborative manual work, and (for those who are more charitable) automated work.

I might start my own GitHub project regarding this possible contibution to SecLists. I'll update this post once I do.

Disclaimer

I'm new to this so I'm not sure if there are any better approaches or actual tools out there that will do this job, but I think that having this kind of list would lead to a faster way of checking for hosts that might be hiding behind packet filtering devices.

Hey there,

I recently released a simple tool to quickly find default creds for network devices, web applications, etc. and I was wondering if the file with all the creds would be a good addition to this project as well?

The file is in JSON format. Take a look at it here.

Edit: Maybe I should mention that I did not compile this list myself; it was obtained from cirt.net.

Hello,

I realized that the ] symbol is not included inside this list(SecLists/Fuzzing/special_chars.txt).

Thanks

@bitquark has some interesting DNS analysis in his project:
https://github.com/bitquark/dnspop

The specific DNS results:
https://github.com/bitquark/dnspop/tree/master/results

Would make for a great submodule to this repo.

Hi there,

I'm interested in using one of the files in this repo for a potential open source software project.

I usually release open source code under the MIT license but I understand this project is licensed under a creative commons license (CC BY-SA 3.0). I'm wondering if this is permitted under the 'Share-Alike' clause of the CC license. Any guidance is appreciated.

Thanks

It looks like there are a few Symfony entries in the raft files but it may be worth creating a separate entry under the CMS directory.

A few interesting files from verison 1.x (now EoL):
/frontend_dev.php
/frontend_staging.php
/admin
/backend_dev.php
/backend.php

From version 2.x
/app.php
/web/app.php
/app_dev.php
/web/app_dev.php
/config.php
/app_dev.php/admin
/admin

31 new passwords (though they introduced a duplicate, "letmein" for some reason)

To find the updated list, log out of twitter.com if you're signed in, then visit their signup page. Find "bannedPasswords" in the page source. You can probably guess how to extract it from there, and I won't deprive you of the fun in figuring it out.

Thanks to @binkybear for suggesting I forward this here.