SecLists

SecLists is an essential collection of multiple types of lists used during security assessments. It contains wordlists for fuzzing, password attacks, directory discovery, and payload injection across a wide variety of security testing scenarios.

Installation

On Kali Linux

sudo apt install seclists

From GitHub

cd ~/tools
git clone https://github.com/danielmiessler/SecLists.git
cd SecLists

Default Location on Kali

/usr/share/seclists/

Directory Structure Overview

Directory	Purpose
`Discovery/`	Wordlists for discovering resources (web, DNS, infrastructure)
`Fuzzing/`	Payloads for fuzzing web applications and APIs
`Passwords/`	Common and leaked password lists
`Payloads/`	Injection payloads (SQLi, XSS, command injection, etc.)
`Pattern-Matching/`	Regex patterns and signatures for identification
`Usernames/`	Common usernames and account names
`Web-Shells/`	Backdoor shells and webshell code

Discovery Lists

Web Content Discovery

# Common directories (14K+ entries)
/usr/share/seclists/Discovery/Web-Content/common.txt

# Directory list 2.3 medium (220K+ entries)
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

# RAFT medium directories (63K+ entries)
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Huge directory list (1.4M+ entries)
/usr/share/seclists/Discovery/Web-Content/big.txt

DNS/Subdomain Discovery

# Top 5K subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Top 110K subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

# BitQuark top 100K subdomains
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

Infrastructure Discovery

# Common router/device IP addresses
/usr/share/seclists/Discovery/Infrastructure/common-router-ips.txt

Password Lists

Common Credentials

# 10K most common passwords
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

# Top 100K from 10M password list
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt

# Best 1050 passwords
/usr/share/seclists/Passwords/Common-Credentials/best1050.txt

Leaked Databases

# RockYou (14M+ passwords) - Install separately if needed
# Download from external sources due to size

# Location when installed
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

Default Credentials

# Common default credentials for routers, devices
/usr/share/seclists/Passwords/Default-Credentials/

Fuzzing Lists

Local File Inclusion (LFI)

/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

SQL Injection (SQLi)

/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
/usr/share/seclists/Fuzzing/SQLi/SQLMap.txt

Cross-Site Scripting (XSS)

/usr/share/seclists/Fuzzing/XSS/XSS-BruteLogic.txt
/usr/share/seclists/Fuzzing/XSS/Jhaddix.txt

Command Injection

/usr/share/seclists/Fuzzing/command-injection/

Username Lists

Common Usernames

# Xato.net 10 million usernames
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

# Short username list
/usr/share/seclists/Usernames/top-usernames-shortlist.txt

Names

# First and last names for targeting
/usr/share/seclists/Usernames/Names/

Payload Lists

Injection Payloads

# Payloads organized by injection type
/usr/share/seclists/Payloads/

# Common directories:
# - api-endpoints/ - API testing payloads
# - burp-parameter-names/ - Common parameter names
# - xss/ - XSS payloads
# - xxe/ - XML External Entity payloads
# - ldap-injection/ - LDAP injection payloads

Usage with Common Tools

ffuf (Fuzzing Framework)

# Directory discovery
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Subdomain enumeration
ffuf -u https://FUZZ.target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Parameter fuzzing
ffuf -u http://target.com/api/users?FUZZ=value -w /usr/share/seclists/Payloads/burp-parameter-names/common.txt

Gobuster

# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

# DNS subdomain enumeration
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Feroxbuster

# Recursive directory discovery
feroxbuster -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt

Burp Intruder

# Load SecLists wordlists into Burp Intruder
# Set payload type to "Simple list"
# Copy-paste content from desired list file
# Use for parameter fuzzing, SQL injection testing

wfuzz

# Web application fuzzing
wfuzz -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404

# Parameter fuzzing
wfuzz -u http://target.com/page?param=FUZZ -w /usr/share/seclists/Payloads/Fuzzing/XSS/XSS-BruteLogic.txt

Hydra (Brute-force)

# SSH password attack
hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt ssh://target.com

# HTTP basic auth
hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/best1050.txt target.com http-basic /admin

Hashcat

# Dictionary attack
hashcat -m 1400 hashes.txt /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt

# Hybrid attack (wordlist + rules)
hashcat -m 1400 hashes.txt -w /usr/share/seclists/Passwords/Common-Credentials/best1050.txt -r rules.txt

Nuclei

# Use SecLists payloads in custom Nuclei templates
# Reference wordlist paths in template YAML files
# Example: Fuzzing/ payloads for XSS/SQLi detection

Choosing the Right List

Task	List	Size	Best For
Quick directory scan	common.txt	14K	Speed, common paths
Thorough directory scan	directory-list-2.3-medium.txt	220K	Comprehensive coverage
Subdomain enumeration	subdomains-top1million-5000.txt	5K	Speed, top targets
Extensive subdomain search	bitquark-subdomains-top100000.txt	100K+	Deep reconnaissance
Password guessing (fast)	best1050.txt	1K	Common passwords quickly
Password cracking (thorough)	10-million-password-list-top-100000.txt	100K	Hashcat, offline attacks
Username enumeration	top-usernames-shortlist.txt	Small	Quick user discovery
Payload injection testing	XSS-BruteLogic.txt	Varied	Web app fuzzing

Custom List Building

Combine Multiple Lists

# Merge lists
cat list1.txt list2.txt list3.txt > combined.txt

# Combine and deduplicate
cat list1.txt list2.txt list3.txt | sort -u > combined.txt

Deduplication

# Remove duplicate entries
sort -u wordlist.txt -o wordlist.txt

Filtering

# Filter by length (4-12 characters)
awk 'length($0) >= 4 && length($0) <= 12' wordlist.txt > filtered.txt

# Remove comments
grep -v '^#' wordlist.txt > filtered.txt

# Filter by pattern
grep '^[a-z]*$' wordlist.txt > lowercase_only.txt

Sorting

# Sort alphabetically
sort wordlist.txt -o wordlist.txt

# Sort by frequency (with counts)
sort | uniq -c | sort -rn wordlist.txt

Extract and Create Custom Lists

# Extract lines matching pattern
grep -E '\.php|\.asp|\.jsp' /usr/share/seclists/Discovery/Web-Content/big.txt > web-extensions.txt

# Keep only entries up to specific length
awk 'length <= 15' wordlist.txt > short-entries.txt

Troubleshooting

Common Issues

Missing Lists

# Check installed location
ls -la /usr/share/seclists/

# If empty, reinstall
sudo apt reinstall seclists

# Or clone from GitHub
git clone https://github.com/danielmiessler/SecLists.git

File Not Found in Expected Path

# Search for specific list
find /usr/share/seclists -name "common.txt"

# Or search your local clone
find ~/tools/SecLists -name "*common*"

Permission Denied

# Ensure readable permissions
sudo chmod -R 644 /usr/share/seclists/
sudo chmod -R 755 /usr/share/seclists/*/

Tools Not Finding Lists

# Verify full path in tool arguments
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt

# Or use relative path if in SecLists directory
cd ~/tools/SecLists
ffuf -w ./Discovery/Web-Content/common.txt

Best Practices

Start Small, Expand: Begin with shorter lists (common.txt, best1050.txt) for speed, expand only if needed.
Combine Multiple Lists: Mix discovery lists with different sources for better coverage without huge file sizes.
Sort and Deduplicate: Remove duplicates before using lists to avoid wasted requests.
Update Regularly: SecLists is actively maintained. Pull latest updates via Git:
```
cd ~/tools/SecLists
git pull origin master
```
Use Appropriate Payloads: Match payload type to target vulnerability (XSS payloads for XSS testing, SQLi payloads for SQLi).

Filter by Extension: When targeting specific file types, create filtered lists:

grep -E '\.(php|asp|jsp|html|txt)$' directory-list-2.3-medium.txt > web-files.txt

Consider Response Codes: Configure tools to filter common responses (404, 403) to reduce noise.
Test in Lab First: Validate lists and settings in controlled environments before targeting production.
Respect Rate Limits: Use tool delays (-p in ffuf, --delay in Burp) to avoid overwhelming targets.
Document Your Wordlists: Track which lists were used for each assessment for reporting.

Tool	Purpose	Integration
CeWL	Generate custom wordlists from websites	Combine with SecLists
Crunch	Create custom character-based wordlists	Supplement SecLists
Mentalist	GUI tool for wordlist generation	Alternative to manual creation
Weakpass	Password dataset downloads	Supplement password lists
PayloadsAllTheThings	Comprehensive exploitation payloads	Expand Payloads/ collection
Common Regex	Pattern matching library	Custom SecLists filtering

Additional Resources

GitHub Repository: github.com/danielmiessler/SecLists
Documentation: Full list descriptions and update history in repository README
Issue Tracker: Report missing lists or suggest additions on GitHub
License: MIT - Free for personal and commercial use