Tyler's Blog
  • About Me
  • Writeups
    • HackTheBox
      • Linux
        • Cap
        • Backdoor
        • SwagShop
      • Windows
        • Jeeves
    • TryHackMe
      • Rooms
        • Dirty Pipe: CVE-2022-0847
        • Solar, exploiting log4j
        • Spring4Shell: CVE-2022-22965
        • GoldenEye
    • VulnHub
      • GoldenEye
  • Tools
    • Configuration
      • Init
    • Enumeration
      • AutoRecon
      • Subdomain Enumeration
    • GitLeaks
  • Pentesting
    • Privilege Escalation
      • Linux
        • VIM Tricks
    • Reverse Engineering
      • Cutter
      • Immunity Debugger
      • Binary Enumeratoin
    • Misc Commands
      • SSH Tunnel
      • Carve out file from memory
      • Powershell
    • Active Directory
      • Domain Enumeration
    • Application Security
      • SSTI
    • Passwords
      • Hashcat
      • Wordlists
    • C2
      • Metasploit
    • Shells
  • LeetCode
    • Challenges
      • Palindrome Number
      • Two Sum
    • Simple Security Tools
      • Port Scanner
  • Cloud
    • Security Tools
      • Multi Cloud
      • AWS
  • CTF Platforms I Like
    • HackTheBox
    • TryHackMe
    • VulnHub
    • OWASP Juice Shop
  • Connect With Me
    • Linkedin
    • Github
  • 😎Support
    • ko-fi
Powered by GitBook
On this page
  • Password Spraying Tips and Tricks
  • ProbablePasswordList V2.0
  • RockYou2021 | 8.4 Billion Entries
  1. Pentesting
  2. Passwords

Wordlists

PreviousHashcatNextC2

Keep a personal "Wins" list during each engagement.

Password Spraying Tips and Tricks

Examine the password policy

#~ cme smb 10.0.0.250 -u foobar -p 'Fall2020' --pass-pol

Depending on the domain you will likely retrieve the password policy even without having valid user credentials.

ProbablePasswordList V2.0

The Probable Password List is a good place to start. The majority of passwords which are "crackable" will be cracked will be cracked with the wordlists included within.

RockYou2021 | 8.4 Billion Entries

Use this one if either money or time is not a factor. This list will take some cycles, as a comparison the traditional rockyou.txt contains 14.3 million entries making RockYou2021 almost 1000 times bigger.

# This combines all the following passwords lists:
https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
https://www.hack3r.com/forum-topic/wikipedia-wordlist
https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://github.com/berzerk0/Probable-Wordlists
https://weakpass.com/download
password from 3.2 Billion COMB list from early this year. thanks to whoever created it.
LogoGitHub - berzerk0/Probable-Wordlists: Version 2 is live! Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!GitHub
LogoGitHub - ohmybahgosh/RockYou2021.txt: RockYou2021.txt is a MASSIVE WORDLIST compiled of various other wordlists. RockYou2021.txt DOES NOT CONTAIN USER:PASS logins!GitHub