SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Hi,

I was thinking about building a simple API to allow web developers to check a password provided by a user against the top-n list. It would be provided free to the community. As in, either me or my company would build and host it for free.

It raises some important questions;

1. You have put all this effort in to collating these lists, and I would not build anything like this without your explicit approval.
2. I have been thinking about whether there is a downside to building this as an API and I would really like someone else's opinion on whether this could potentially be abused.

If this API is indeed built, there are a couple of things to think about;

• There is something unnerving about a site sending a user's new password to this random API on the internet to check whether it is in the most-commonly-used. If the API was nefarious, it could potentially store the data and correlate it to the site, thus providing an easier attack vector. That may be the thing that kills the idea dead :) Unless there is a way to ensure the data cannot be correlated and provide assurances around that.
• The API would return the position on the list, i.e "1000th most commonly used". It is then up to the calling site to determine what they consider acceptable.

This may be a stupid idea, but I thought I'd put it out there to see what other people think.

Good day Daniel Each time I try to git clone the seclist repo, it is extremely slow and then times out, leaving this error message as a result;

┌──(kali㉿kali)-[~/Documents/CTF] └─$ git clone https://github.com/danielmiessler/SecLists.git Cloning into 'SecLists'... remote: Enumerating objects: 11021, done. error: 1276 bytes of body are still expectedMiB | 181.00 KiB/s fetch-pack: unexpected disconnect while reading sideband packet fatal: early EOF fatal: fetch-pack: invalid index-pack output

Please is there a solution to this?

Hey 🙂

Nextcloud & ownCloud are two famous software for creating and using file hosting service.

PS: this adding might also be done on bigger discovery list because none of big list contains them

Hello,

I've been searching around Google for a list of port numbers sorted according to their frequency of use, and so far, I've found no results corresponding to what I was looking for, so I wanted to suggest adding something like it to SecLists.

Problems and Goals

The goal that I have in mind for a list of such kind is to use it to quickly check if a host is alive in the fastest time possible while assuming that there are packet filtering devices on the way. The only workaround that I can think of regarding this problem is to establish connections to legit services being hosted on my targets, which packet filtering devices usually allow (I think so, I have very little experience with this so bear with me). But the thing is, I don't know which legit services are running on my targets.

I'm aware that I can do a full 0-65535 port scan on my target hosts, but I think starting with the most frequently used port numbers will shorten my port scan time by a lot, considering that I'm looking for only 1 port to successfully be detected.

Data Gathering Methodology

One method that I could think of in the creation of such a list is to query Shodan (https://www.shodan.io/) for each of the 65536 port numbers using their port search filter (port:1, port:2, port:n). Each query will return a frequency value for each port and we can use this value to sort our list.

I wanted to do this myself, but I've noticed that the use of the API is charged, so maybe this list could be compiled as a result of a mix of collaborative manual work, and (for those who are more charitable) automated work.

I might start my own GitHub project regarding this possible contibution to SecLists. I'll update this post once I do.

Disclaimer

I'm new to this so I'm not sure if there are any better approaches or actual tools out there that will do this job, but I think that having this kind of list would lead to a faster way of checking for hosts that might be hiding behind packet filtering devices.

I think it would be immesely useful if SecLists had a wordlist for web discovery, which contained the unique entries from all other wordlists, sorted by commonness.

I've already done this, and I could submit a pull request to add these to your repository. In the repository I linked, there are two wordlists: one for directories and one for words. They're composed entirely of SecLists' wordlists and have been extremely helpful for hackthebox.

If you're worried about keeping them up to date, then I assume it's possible to create a github pipeline for creating these wordlists automatically.

If you'd accept these combined wordlists into your repo, then I'd try to get AutoRecon to use these as well. People on /r/oscp have been complaining that AutoRecon isn't good enough, when in reality, it just uses too small wordlists by default.

I think this small addition would make it much easier for people to have good web enumeration

I find it hard to believe that Stonecol and Stonecold are, separately, among the 10k most commonly used words. Thoughts?

https://github.com/danielmiessler/SecLists/blob/master/Passwords/10k_most_common.txt

Hi,

This PR (fix and replace the PR #745) add other possible types of SSH key files and variations on the extensions:

• identity
• id_dsa
• id_ecdsa
• id_ed25519
• id_ecdsa_sk
• id_ed25519_sk

My sources were the following:

1. The content of the sshd_config file:

2. The content of the configuration folder of a ssh server /etc/ssh:

3. The documentation of the ssh-keygen tool:

Thank you very much in advance 😃

Note:

In addition, I made a proposal for #760

Hi,

This PR refer to the issue #654

I have used the following command against several local (Luxembourg) domains:

curl -sk "https://crt.sh/?q=[BASE_DOMAIN]&output=json" | jq -r ".[].name_value" | cut -d'.' -f1 | sort -u

Domains used, as sources, were defined in each commits. You will find English and French identifiers depending on the companies owing the domains.

Thank you very much in advance 😃

Hi,

Do you think that a dictionary with the collection of environment names can be interesting/useful?

A search on uat terms shown that this environment name is already present in plenty of files.

The goal of the proposal is to have a central dictionary when someone wants to perform a targeted discovery operation for environments on a base domain/URL.

Example of content of the dictionary :

dev
develop
uat
tuat
test
testing
int
staging
pre-prod
pprod
prod

If you find it useful, I can propose a PR 😃

Thank a lot in advance for your feedback.

Hi,

In this PR, I propose the adding of 2 "render" endpoint to detect the following dynamic rendering engines:

• Rendertron
• Prerender

Information are based on this blog post.

Thanks a lot in advance 😃

Some wordlists in Web-Content include a leading slash, some do not. This leads to an additional step being required before using some wordlists (since some webservers treat /index.html and //index.html differently).

It would be handy if all of these wordlists could follow the same pattern, either with or without the leading slash. Happy to make these changes and send a pull request, my preference would be no leading slash.

Here are some examples:

doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head aem2.txt 
{0}.1.json
.1.json
.1.xml
.4.2.1...json
a.css
admin
adminui
aem/apps.html/content/phonegap
aem/forms.html/content/dam/formsanddocuments
aem/publications.html/content/publications
doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head AdobeCQ-AEM.txt 
/libs/granite/core/content/login.html
/libs/cq/core/content/login.html
/crx/explorer/index.jsp
/crx/packmgr/index.jsp
/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100
/.json
/.1.json
/.tidy.6.json
/.tidy.infinity.json
/bin.tidy.infinity.json
doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head quickhits.txt 
/!.gitignore
/!.htaccess
/!.htpasswd
/%3f/
/%ff/
/.7z
/.access
/.addressbook
/.adm
/.admin
doi@DESKTOP-43210-1:~/tools/SecLists/Discovery/Web-Content$ head common.txt 
.bash_history
.bashrc
.cache
.config
.cvs
.cvsignore
.forward
.git
.git-rewrite
.git/HEAD

Hi,

This PR add the file extension .server.js that is used for React Server Components source code file.

📚 Sources used were the following:

• https://blog.logrocket.com/what-you-need-to-know-about-react-server-components/
• https://blog.logrocket.com/react-server-components-nextjs-12/

💡 To be consistent, I only added the extension in flavor of the raft-*-extensions.txt and raft-*-extensions-lowercase.txt dictionaries already containing .server.* extension, like .server.php for example.

Thank you very much in advance 😃

List of DotNetNuke default resources from the DNN repo (https://raw.githubusercontent.com/dnnsoftware/Dnn.Platform/2b530d234439f4e9cb1e0719d76c2bacd475c2d8/DNN%20Platform/Website/DotNetNuke.Website.csproj)

Hi,

This PR performed the following content on the file common.txt :

1. Add the following entries, often seen in front end app using framework like Angular, ReactJS or Vue.js:

.browserslistrc
.env.development
.env.production
.eslintrc.js
.gitignore
.gitlab-ci.yml
babel.config.js
jest.config.js
package.json
tsconfig.json
vue.config.js
yarn.lock
package.lock
.svn/entries
.svn/format
.svn/wc.db
.svn/wc.db-journal

2. Perform a sort -u against the entire updated content to remove duplicate and sort entries alphabetically.

Thanks in advance 😃

Inventory subdomains

This wordlist is based on the subdomains dataset of ~70 public bug bounty programs collected on Inventory.

Robots

This one contains the raw data of 100, 1000, and 10000 websites' robots.txt files. [^1]

Technologies

These wordlists are based on the source code of the technologies listed here.

There are two versions of each wordlist:

• Base Lists the full paths of each file in the repository

webapps/examples/WEB-INF/classes/websocket/echo/servers.json

• All levels Includes all directory levels of the files in the base wordlist. This wordlist will be larger than the base wordlist, but it accounts for cases where the directory structure of the repository isn't mapped perfectly on the target.

webapps/examples/WEB-INF/classes/websocket/echo/servers.json
examples/WEB-INF/classes/websocket/echo/servers.json
WEB-INF/classes/websocket/echo/servers.json
websocket/echo/servers.json
echo/servers.json
servers.json

The wordlists are sourced from trickest/wordlists.

[^1]: Credit to the RobotsDisallowed and RAFT projects for the original concept.