SecLists
SecLists is an essential collection of multiple types of lists used during security assessments. It contains wordlists for fuzzing, password attacks, directory discovery, and payload injection across a wide variety of security testing scenarios.
Installation
Seção intitulada “Installation”On Kali Linux
Seção intitulada “On Kali Linux”sudo apt install seclistsFrom GitHub
Seção intitulada “From GitHub”cd ~/tools
git clone https://github.com/danielmiessler/SecLists.git
cd SecListsDefault Location on Kali
Seção intitulada “Default Location on Kali”/usr/share/seclists/Directory Structure Overview
Seção intitulada “Directory Structure Overview”| Directory | Purpose |
|---|---|
Discovery/ | Wordlists for discovering resources (web, DNS, infrastructure) |
Fuzzing/ | Payloads for fuzzing web applications and APIs |
Passwords/ | Common and leaked password lists |
Payloads/ | Injection payloads (SQLi, XSS, command injection, etc.) |
Pattern-Matching/ | Regex patterns and signatures for identification |
Usernames/ | Common usernames and account names |
Web-Shells/ | Backdoor shells and webshell code |
Discovery Lists
Seção intitulada “Discovery Lists”Web Content Discovery
Seção intitulada “Web Content Discovery”# Common directories (14K+ entries)
/usr/share/seclists/Discovery/Web-Content/common.txt
# Directory list 2.3 medium (220K+ entries)
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# RAFT medium directories (63K+ entries)
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Huge directory list (1.4M+ entries)
/usr/share/seclists/Discovery/Web-Content/big.txtDNS/Subdomain Discovery
Seção intitulada “DNS/Subdomain Discovery”# Top 5K subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Top 110K subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
# BitQuark top 100K subdomains
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txtInfrastructure Discovery
Seção intitulada “Infrastructure Discovery”# Common router/device IP addresses
/usr/share/seclists/Discovery/Infrastructure/common-router-ips.txtPassword Lists
Seção intitulada “Password Lists”Common Credentials
Seção intitulada “Common Credentials”# 10K most common passwords
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
# Top 100K from 10M password list
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
# Best 1050 passwords
/usr/share/seclists/Passwords/Common-Credentials/best1050.txtLeaked Databases
Seção intitulada “Leaked Databases”# RockYou (14M+ passwords) - Install separately if needed
# Download from external sources due to size
# Location when installed
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txtDefault Credentials
Seção intitulada “Default Credentials”# Common default credentials for routers, devices
/usr/share/seclists/Passwords/Default-Credentials/Fuzzing Lists
Seção intitulada “Fuzzing Lists”Local File Inclusion (LFI)
Seção intitulada “Local File Inclusion (LFI)”/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txtSQL Injection (SQLi)
Seção intitulada “SQL Injection (SQLi)”/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
/usr/share/seclists/Fuzzing/SQLi/SQLMap.txtCross-Site Scripting (XSS)
Seção intitulada “Cross-Site Scripting (XSS)”/usr/share/seclists/Fuzzing/XSS/XSS-BruteLogic.txt
/usr/share/seclists/Fuzzing/XSS/Jhaddix.txtCommand Injection
Seção intitulada “Command Injection”/usr/share/seclists/Fuzzing/command-injection/Username Lists
Seção intitulada “Username Lists”Common Usernames
Seção intitulada “Common Usernames”# Xato.net 10 million usernames
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
# Short username list
/usr/share/seclists/Usernames/top-usernames-shortlist.txt# First and last names for targeting
/usr/share/seclists/Usernames/Names/Payload Lists
Seção intitulada “Payload Lists”Injection Payloads
Seção intitulada “Injection Payloads”# Payloads organized by injection type
/usr/share/seclists/Payloads/
# Common directories:
# - api-endpoints/ - API testing payloads
# - burp-parameter-names/ - Common parameter names
# - xss/ - XSS payloads
# - xxe/ - XML External Entity payloads
# - ldap-injection/ - LDAP injection payloadsUsage with Common Tools
Seção intitulada “Usage with Common Tools”ffuf (Fuzzing Framework)
Seção intitulada “ffuf (Fuzzing Framework)”# Directory discovery
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
# Subdomain enumeration
ffuf -u https://FUZZ.target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Parameter fuzzing
ffuf -u http://target.com/api/users?FUZZ=value -w /usr/share/seclists/Payloads/burp-parameter-names/common.txtGobuster
Seção intitulada “Gobuster”# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt
# DNS subdomain enumeration
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txtFeroxbuster
Seção intitulada “Feroxbuster”# Recursive directory discovery
feroxbuster -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txtBurp Intruder
Seção intitulada “Burp Intruder”# Load SecLists wordlists into Burp Intruder
# Set payload type to "Simple list"
# Copy-paste content from desired list file
# Use for parameter fuzzing, SQL injection testing# Web application fuzzing
wfuzz -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404
# Parameter fuzzing
wfuzz -u http://target.com/page?param=FUZZ -w /usr/share/seclists/Payloads/Fuzzing/XSS/XSS-BruteLogic.txtHydra (Brute-force)
Seção intitulada “Hydra (Brute-force)”# SSH password attack
hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt ssh://target.com
# HTTP basic auth
hydra -l admin -P /usr/share/seclists/Passwords/Common-Credentials/best1050.txt target.com http-basic /adminHashcat
Seção intitulada “Hashcat”# Dictionary attack
hashcat -m 1400 hashes.txt /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
# Hybrid attack (wordlist + rules)
hashcat -m 1400 hashes.txt -w /usr/share/seclists/Passwords/Common-Credentials/best1050.txt -r rules.txt# Use SecLists payloads in custom Nuclei templates
# Reference wordlist paths in template YAML files
# Example: Fuzzing/ payloads for XSS/SQLi detectionChoosing the Right List
Seção intitulada “Choosing the Right List”| Task | List | Size | Best For |
|---|---|---|---|
| Quick directory scan | common.txt | 14K | Speed, common paths |
| Thorough directory scan | directory-list-2.3-medium.txt | 220K | Comprehensive coverage |
| Subdomain enumeration | subdomains-top1million-5000.txt | 5K | Speed, top targets |
| Extensive subdomain search | bitquark-subdomains-top100000.txt | 100K+ | Deep reconnaissance |
| Password guessing (fast) | best1050.txt | 1K | Common passwords quickly |
| Password cracking (thorough) | 10-million-password-list-top-100000.txt | 100K | Hashcat, offline attacks |
| Username enumeration | top-usernames-shortlist.txt | Small | Quick user discovery |
| Payload injection testing | XSS-BruteLogic.txt | Varied | Web app fuzzing |
Custom List Building
Seção intitulada “Custom List Building”Combine Multiple Lists
Seção intitulada “Combine Multiple Lists”# Merge lists
cat list1.txt list2.txt list3.txt > combined.txt
# Combine and deduplicate
cat list1.txt list2.txt list3.txt | sort -u > combined.txtDeduplication
Seção intitulada “Deduplication”# Remove duplicate entries
sort -u wordlist.txt -o wordlist.txtFiltering
Seção intitulada “Filtering”# Filter by length (4-12 characters)
awk 'length($0) >= 4 && length($0) <= 12' wordlist.txt > filtered.txt
# Remove comments
grep -v '^#' wordlist.txt > filtered.txt
# Filter by pattern
grep '^[a-z]*$' wordlist.txt > lowercase_only.txtSorting
Seção intitulada “Sorting”# Sort alphabetically
sort wordlist.txt -o wordlist.txt
# Sort by frequency (with counts)
sort | uniq -c | sort -rn wordlist.txtExtract and Create Custom Lists
Seção intitulada “Extract and Create Custom Lists”# Extract lines matching pattern
grep -E '\.php|\.asp|\.jsp' /usr/share/seclists/Discovery/Web-Content/big.txt > web-extensions.txt
# Keep only entries up to specific length
awk 'length <= 15' wordlist.txt > short-entries.txtTroubleshooting
Seção intitulada “Troubleshooting”Common Issues
Seção intitulada “Common Issues”Missing Lists
# Check installed location
ls -la /usr/share/seclists/
# If empty, reinstall
sudo apt reinstall seclists
# Or clone from GitHub
git clone https://github.com/danielmiessler/SecLists.gitFile Not Found in Expected Path
# Search for specific list
find /usr/share/seclists -name "common.txt"
# Or search your local clone
find ~/tools/SecLists -name "*common*"Permission Denied
# Ensure readable permissions
sudo chmod -R 644 /usr/share/seclists/
sudo chmod -R 755 /usr/share/seclists/*/Tools Not Finding Lists
# Verify full path in tool arguments
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt
# Or use relative path if in SecLists directory
cd ~/tools/SecLists
ffuf -w ./Discovery/Web-Content/common.txtBest Practices
Seção intitulada “Best Practices”-
Start Small, Expand: Begin with shorter lists (common.txt, best1050.txt) for speed, expand only if needed.
-
Combine Multiple Lists: Mix discovery lists with different sources for better coverage without huge file sizes.
-
Sort and Deduplicate: Remove duplicates before using lists to avoid wasted requests.
-
Update Regularly: SecLists is actively maintained. Pull latest updates via Git:
cd ~/tools/SecLists git pull origin master -
Use Appropriate Payloads: Match payload type to target vulnerability (XSS payloads for XSS testing, SQLi payloads for SQLi).
-
Filter by Extension: When targeting specific file types, create filtered lists:
grep -E '\.(php|asp|jsp|html|txt)$' directory-list-2.3-medium.txt > web-files.txt -
Consider Response Codes: Configure tools to filter common responses (404, 403) to reduce noise.
-
Test in Lab First: Validate lists and settings in controlled environments before targeting production.
-
Respect Rate Limits: Use tool delays (
-pin ffuf,--delayin Burp) to avoid overwhelming targets. -
Document Your Wordlists: Track which lists were used for each assessment for reporting.
Related Tools
Seção intitulada “Related Tools”| Tool | Purpose | Integration |
|---|---|---|
| CeWL | Generate custom wordlists from websites | Combine with SecLists |
| Crunch | Create custom character-based wordlists | Supplement SecLists |
| Mentalist | GUI tool for wordlist generation | Alternative to manual creation |
| Weakpass | Password dataset downloads | Supplement password lists |
| PayloadsAllTheThings | Comprehensive exploitation payloads | Expand Payloads/ collection |
| Common Regex | Pattern matching library | Custom SecLists filtering |
Additional Resources
Seção intitulada “Additional Resources”- GitHub Repository: github.com/danielmiessler/SecLists
- Documentation: Full list descriptions and update history in repository README
- Issue Tracker: Report missing lists or suggest additions on GitHub
- License: MIT - Free for personal and commercial use