Wordlists are a core component of brute-force attacks. Let's learn what they are and how to use them.
Imagine that you’re a security professional who’s performing a penetration test on a client’s website. Your job is to find potential weak points in their security. After running some basic scans, you notice that the login form looks vulnerable.
It lacks rate limiting and strong password protections. So, you might be able to try multiple passwords without being locked out. This is where a wordlist comes into play.
Instead of guessing random passwords one by one, you can use a pre-made wordlist. The list will contain thousands or even millions of potential passwords.
You can combine this wordlist with a brute-force tool like Hydra to perform an attack. The tool goes through the wordlist, testing each password against the login form. After a while, you hit a match. You’ve just cracked the login.
As an ethical hacker, you would notify the client of the weak password policy. You could then suggest stronger security measures to avoid this scenario. But this shows how critical wordlists can be when it comes to exploiting weak login systems.
In this article, we’ll look at wordlists in detail. We’ll cover what they are and a few use cases along with some popular wordlists.
What are Wordlists?
Wordlists are exactly what they sound like: lists of words. In cybersecurity, these words represent passwords, usernames, or even URLs.
Wordlists can be simple collections of common passwords like “123456” or “password”. Or they can be custom lists generated to target specific systems.
Penetration testers feed these wordlists into tools that let them test multiple inputs quickly. These tools include password-cracking software, brute-forcing scripts, or directory scanners. The wordlist acts as the source of input, trying each word against the target in an attempt to find a match.
How are Wordlists Used?
Let’s look at a few common scenarios where wordlists can be useful.
Password Cracking
One of the most common uses of wordlists is password cracking. Attackers feed a wordlist into tools like John the Ripper or Hashcat. These tools then test each word against a password hash to find a match.
Let’s assume that a hacker finds hashed passwords from a compromised database. They can use a wordlist to attempt to reverse those hashes into the original passwords.
Modern security practices encourage complex passwords. But many people still use weak, common passwords. Wordlists exploit this human tendency by including frequently used passwords.
One of the most famous password wordlists in the hacking community is Rockyou.txt. It has 14 million passwords collected after the site Rockyou.com was breached by hackers. Here is the full wordlist.
Username Enumeration
In some systems, knowing the correct username is half the battle. Hackers often use wordlists to enumerate usernames before attempting a password attack. It works by submitting different usernames to a login form and watching the system’s response.
For example, some systems will return an error message like “Username not found”. A well-crafted wordlist of usernames allows you to quickly discover which accounts exist.
A username wordlist can help in this type of scenario. It doesn’t have to be long like a password wordlist. But a list of common usernames would help. Here is one such wordlist.
Directory and File Enumeration
When testing a web app, it’s important to find hidden files and directories. They may not be publicly listed. And these hidden URLs may reveal sensitive information or hidden functionality.
Tools like Gobuster or Dirbuster use wordlists to automate this process. They try each word in the wordlist as a potential directory or file name.
For example, testing a wordlist on a website could find a hidden admin panel at /admin
, or a backup file at /backup.zip
. This can be useful for finding unintended exposures.
Here is a sample directory wordlist.
Subdomain Enumeration
Subdomain enumeration involves finding all the subdomains associated with a target website. Like hidden pages, subdomains can also contain useful and sensitive information.
For example, a product at product.com can contain a development server at dev.product.com. Or an admin panel at admin.product.com. These subdomains might not be well protected like the main website.
Tools like Sublist3r and Amass are popular for this task. Here is a subdomain wordlist for these types of attacks.
How to Create Custom Wordlists
Sometimes, general wordlists aren’t enough. For specific engagements, it’s worth creating your own wordlist tailored to the target.
For example, if you’re pentesting for a company, you might build a custom wordlist for that company. It can have employee names, department names, or relevant terms unique to that company.
Several tools help you create custom wordlists.
CeWL (custom wordlist generator) — generates wordlists by scraping text from a website specific to the target.
Crunch — creates wordlists by mixing and matching the characters that you provide.
Conclusion
Wordlists are powerful tools that every cybersecurity professional should have in their arsenal. They simplify complex tasks like password cracking, brute-forcing, and directory enumeration. The right wordlist can save you hours and help find vulnerabilities quickly and efficiently.
Hope this tutorial helped you understand how to use wordlists. For more articles on Cybersecurity, join our free newsletter Stealth Security. To learn hacking using hands-on labs, check out our private community The Hacker’s Hub.