:keyboard: Wordlists, Dictionaries and Other Data Sets for Writing Software Security Test Cases

Twitter: @decalresponds | License: Apache License 2.0 | Made with Bash


“Word Lists” for Software Security Test Cases

Word lists, Dictionary Files, Attack Strings, Miscellaneous Datasets and Proof-of-Concept Test Cases With a Collection of Tools for Penetration Testers

Introduction to Tools in werdlists

A major benefit of the data sets distributed with werdlists is that they can be used with security testing tools to increase the chances that a penetration tester's reconnaissance procedures return positive results. The tool categories below are deliberately listed in the order in which they might be used during the course of a pen test. Many word list files in the werdlists repository were either created for or are distributed with a tool that fulfills one of the purposes in the sections below:

DNS Hostname Enumeration

Host name enumeration, along with enumeration of other information exposed through the DNS protocol, is carried out in the early phases of a network test. Although resolving domain names may seem like a simple operation to the uninitiated, it has enough complexities that one can almost never claim to have completely downloaded all available information from a particular name server without dynamic updates and zone transfers. Therefore, detailed wordlists and tools with speedy execution are keys to success.

| Tool Name | Description of Utility |
|---|---|
| subdomain3 :email: | |
| OWASP Amass | |

Forced Browsing

| Tool Name | Description of Utility |
|---|---|
| pathgro :email: | |
| [dirb](https://dirb.sf.net) | |
| [nikto](https://cirt.net/Nikto2) | |
| [Dir-Xcan](https://github.com/NoobieDog/Dir-Xcan) | |
| [OpenDoor](https://github.com/stanislav-web/OpenDoor) | |
| [dirsearch](https://github.com/maurosoria/dirsearch) | |
| [gobuster](https://github.com/OJ/gobuster) | |
| [pathbrute](https://github.com/milo2012/pathbrute) | |

Username Enumeration

Once a particular service is known, a pen tester should be keen on attacking its remote access control, particularly authentication. It is highly likely that a username/password combination is required, so the ability to enumerate user names will be handy. The names of common system accounts and even common human accounts will be especially helpful at this point.

| Tool Name | Description of Utility |
|---|---|
| usernamer :email: | |

Password Cracking

When an account has been singled out for attack and it uses password authentication, very often the next step is cracking that account's password itself or the cipher-text version of it. Testers will probably benefit from the data provided by werdlists in a scenario such as cracking a password online via brute-force search against a network daemon. The wordlist files stored in the folders `passes-dicts` and `passes-sites` were created specifically for such a purpose.

| Tool Name | Description of Utility |
|---|---|
| hashcat :email: | |
| John The Ripper :email: | |

HTTP Attack Proxies

HTTP attack proxies are indispensable tools for anyone involved in web application penetration testing.

| Tool Name | Description of Utility |
|---|---|
| Burp Suite :email: | |
| Fiddler :microscope: | |
| Charles :door: | |
| James :scroll: | |