About SecLists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

This project is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.


Install

Zip

wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && unzip SecList.zip \
  && rm -f SecList.zip

Git (Small)

git clone --depth 1 https://github.com/danielmiessler/SecLists.git

Git (Complete)

git clone https://github.com/danielmiessler/SecLists.git

Kali Linux (Tool Page)

apt -y install seclists

Attribution

See CONTRIBUTORS.md


Contributing

See CONTRIBUTING.md


Similar Projects


Licensing

This project is licensed under the MIT license.

MIT License

—

NOTE: Downloading this repository is likely to cause a false-positive alarm from your anti-virus or anti-malware software; the file path should be whitelisted. There is nothing in SecLists that can harm your computer as-is; however, it is not recommended to store these files on a server or other important system because of the risk of local file include attacks.

Issues
  • Build an API to check common passwords?

    Hi,

    I was thinking about building a simple API to allow web developers to check a password provided by a user against the top-n list. It would be provided free to the community. As in, either me or my company would build and host it for free.

    It raises some important questions:

    1. You have put all this effort in to collating these lists, and I would not build anything like this without your explicit approval.
    2. I have been thinking about whether there is a downside to building this as an API and I would really like someone else's opinion on whether this could potentially be abused.

    If this API is indeed built, there are a couple of things to think about:

    • There is something unnerving about a site sending a user's new password to this random API on the internet to check whether it is in the most-commonly-used. If the API was nefarious, it could potentially store the data and correlate it to the site, thus providing an easier attack vector. That may be the thing that kills the idea dead :) Unless there is a way to ensure the data cannot be correlated and provide assurances around that.
    • The API would return the position on the list, i.e. "1000th most commonly used". It is then up to the calling site to determine what they consider acceptable.

    This may be a stupid idea, but I thought I'd put it out there to see what other people think.

    question proposal 
    opened by flytzen 14
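The two design options raised in this issue, as an added example that is not part of the issue, of SecLists, or of any API the project offers: a local rank lookup against a top-n file (the password never leaves the site), and a hash-prefix range query in which the client sends only the first few hex characters of SHA-1(password) and finishes the match itself, so the API never receives the plaintext. The TOP_N list below is a constructed stand-in for a file such as Passwords/10k_most_common.txt; the prefix length, the function names and the `/range/<prefix>` endpoint shape are assumptions made for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a SecLists top-n password file (one entry per
# line, most common first). A real check would read a file such as
# Passwords/10k_most_common.txt instead of this list.
TOP_N: List[str] = [
    "123456",
    "password",
    "12345678",
    "qwerty",
    "123456789",
    "letmein",
]


def build_rank_index(lines: List[str]) -> Dict[str, int]:
    """Map each password to its 1-based line number in the list.

    The first occurrence wins, and blank lines (such as the empty last line
    reported against 10_million_password_list_top_1000000.txt) are skipped
    rather than indexed as the empty password.
    """
    index: Dict[str, int] = {}
    for pos, raw in enumerate(lines, start=1):
        pw = raw.rstrip("\r\n")
        if pw and pw not in index:
            index[pw] = pos
    return index


def local_rank(password: str, index: Dict[str, int]) -> Optional[int]:
    """Option A: check on the site's own host; the password never leaves it."""
    return index.get(password)


# Option B: hash-prefix range query (assumed prefix length of 5 hex chars).
# The client sends only the first PREFIX_LEN characters of SHA-1(password);
# the server answers with every (suffix, rank) pair in that bucket and the
# client completes the match, so the server sees neither the password nor
# its full hash.
PREFIX_LEN = 5


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_bucket_index(lines: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Server-side table: prefix -> [(suffix, rank), ...]."""
    buckets: Dict[str, List[Tuple[str, int]]] = {}
    for pw, rank in build_rank_index(lines).items():
        h = sha1_hex(pw)
        buckets.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], rank))
    return buckets


def server_range_query(prefix: str, buckets) -> List[Tuple[str, int]]:
    """What the (hypothetical) API would answer for GET /range/<prefix>."""
    return list(buckets.get(prefix.upper(), []))


def client_check(password: str, buckets) -> Optional[int]:
    """Client side of Option B: the rank on the list, or None if absent."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for candidate_suffix, rank in server_range_query(prefix, buckets):
        if candidate_suffix == suffix:
            return rank
    return None


def largest_bucket(buckets) -> int:
    """Number of list entries sharing the most crowded prefix.

    With a 10k-entry list and 16**5 possible prefixes almost every bucket
    holds a single entry, so a query for a populated prefix is strong
    evidence of which password the user chose. Use this to judge whether
    PREFIX_LEN gives any real anonymity for the list size at hand.
    """
    return max((len(v) for v in buckets.values()), default=0)


if __name__ == "__main__":
    idx = build_rank_index(TOP_N)
    print("local rank of 'password':", local_rank("password", idx))
    bk = build_bucket_index(TOP_N)
    print("remote rank of 'qwerty':", client_check("qwerty", bk))
    print("largest bucket:", largest_bucket(bk))
```

The correlation risk the issue describes is exactly what Option B is meant to reduce, but it only helps when the list is large relative to the number of prefixes: for a short top-n list, `largest_bucket` will report 1, meaning a populated prefix effectively names the password. For lists of that size the local lookup in Option A is the safer choice, and a site can ship the file with its own deployment rather than call out to anyone.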
  • 1.4 billion password breach compilation wordlist

    How about include this password list?

    https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3

    enhancement 
    opened by riramar 9
  • top million passwords minus one.

    the file 10_million_password_list_top_1000000.txt does have a million lines, but from a small look at it, the 1-millionth line is empty.

    bug question 
    opened by My1 9
  • Git clone failing here.

    Should I not be able to just git clone URL?

    Am I missing a download link? I apologize I'm just sort of new to this area.

    opened by W6NZX 9
  • [Suggestion] List of Ports Sorted According to Frequency of Use

    Hello,

    I've been searching around Google for a list of port numbers sorted according to their frequency of use, and so far, I've found no results corresponding to what I was looking for, so I wanted to suggest adding something like it to SecLists.

    Problems and Goals

    The goal that I have in mind for a list of such kind is to use it to quickly check if a host is alive in the fastest time possible while assuming that there are packet filtering devices on the way. The only workaround that I can think of regarding this problem is to establish connections to legit services being hosted on my targets, which packet filtering devices usually allow (I think so, I have very little experience with this so bear with me). But the thing is, I don't know which legit services are running on my targets.

    I'm aware that I can do a full 0-65535 port scan on my target hosts, but I think starting with the most frequently used port numbers will shorten my port scan time by a lot, considering that I'm looking for only 1 port to successfully be detected.

    Data Gathering Methodology

    One method that I could think of in the creation of such a list is to query Shodan (https://www.shodan.io/) for each of the 65536 port numbers using their port search filter (port:1, port:2, port:n). Each query will return a frequency value for each port and we can use this value to sort our list.

    I wanted to do this myself, but I've noticed that the use of the API is charged, so maybe this list could be compiled as a result of a mix of collaborative manual work, and (for those who are more charitable) automated work.

    I might start my own GitHub project regarding this possible contribution to SecLists. I'll update this post once I do.

    Disclaimer

    I'm new to this so I'm not sure if there are any better approaches or actual tools out there that will do this job, but I think that having this kind of list would lead to a faster way of checking for hosts that might be hiding behind packet filtering devices.

    enhancement 
    opened by penafieljlm 9
  • Adding nextcloud & owncloud to common.txt

    Hey 🙂

    Nextcloud & ownCloud are two famous pieces of software for creating and using a file hosting service.

    PS: this addition might also be made to the bigger discovery lists, because none of the big lists contains them.

    enhancement 
    opened by clem9669 9
  • Duplicate (mixed case) file in Fuzzing Directory

    'Fuzzing/UserAgents-IE.txt'
    'Fuzzing/useragents-ie.txt'
    

    One needs blowing away.

    bug 
    opened by ChrisMcKee 9
  • Stonecol and Stonecold are both common words?

    I find it hard to believe that Stonecol and Stonecold are, separately, among the 10k most commonly used words. Thoughts?

    https://github.com/danielmiessler/SecLists/blob/master/Passwords/10k_most_common.txt

    question 
    opened by aJetHorn 8
  • new secret keywords added

    enhancement 
    opened by nsonaniya2010 8
  • Duplicated entries in tomcat-betterdefaultpasslist.txt

    Hello,

    There are some duplicated entries in Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt. The entries that could be removed are:

    admin:admin
    tomcat:admin
    tomcat:s3cret
    

    Thanks!

    opened by kai2s 0
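A small wordlist-hygiene check, added here as an example and not part of SecLists or of any of the issues above, covering the three maintenance problems reported on this page: the empty 1,000,000th line in 10_million_password_list_top_1000000.txt, the mixed-case duplicate pair Fuzzing/UserAgents-IE.txt and Fuzzing/useragents-ie.txt, and the repeated rows in tomcat-betterdefaultpasslist.txt. The credential text and the path list below are constructed samples (only the three repeated pairs and the two Fuzzing paths come from the issues); `audit_tree` and the other function names are this example's own.

```python
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample in the user:pass layout of
# Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt. The three
# repeated pairs are the ones reported in the issue; the other rows and the
# blank last line (cf. the top-1,000,000 list report) are made up.
SAMPLE_CREDS = (
    "admin:admin\n"
    "tomcat:tomcat\n"
    "admin:admin\n"
    "tomcat:s3cret\n"
    "tomcat:admin\n"
    "tomcat:s3cret\n"
    "tomcat:admin\n"
    "\n"
)

# Constructed sample of repository paths; the first two are the mixed-case
# pair reported in the Fuzzing directory, the third is made up.
SAMPLE_PATHS = [
    "Fuzzing/UserAgents-IE.txt",
    "Fuzzing/useragents-ie.txt",
    "Fuzzing/other-list.txt",
]


def dedupe_lines(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (kept, dropped).

    Keeps the first copy of each entry in file order; dropped holds
    (line_no, text) for exact duplicates and for blank lines.
    """
    seen = set()
    kept: List[str] = []
    dropped: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        entry = line.rstrip("\r")
        if not entry.strip() or entry in seen:
            dropped.append((n, entry))
            continue
        seen.add(entry)
        kept.append(entry)
    return kept, dropped


def blank_line_numbers(text: str) -> List[int]:
    """1-based numbers of empty or whitespace-only lines."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if not line.strip()]


def case_collisions(paths: List[str]) -> Dict[str, List[str]]:
    """Paths that differ only by case; these cannot coexist on a
    case-insensitive filesystem (Windows, default macOS) and make a
    checkout fail or silently lose one file."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        groups[p.lower()].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


def audit_tree(root: str) -> Dict[str, object]:
    """Run both checks over a real checkout (for example a SecLists clone)."""
    root_path = Path(root)
    paths = sorted(str(p.relative_to(root_path))
                   for p in root_path.rglob("*") if p.is_file())
    report: Dict[str, object] = {
        "case_collisions": case_collisions(paths),
        "files_with_dropped_lines": {},
    }
    for rel in paths:
        try:
            text = (root_path / rel).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        _, dropped = dedupe_lines(text)
        if dropped:
            report["files_with_dropped_lines"][rel] = len(dropped)  # type: ignore[index]
    return report


if __name__ == "__main__":
    kept, dropped = dedupe_lines(SAMPLE_CREDS)
    print("kept:", kept)
    print("dropped:", dropped)
    print("blank lines:", blank_line_numbers(SAMPLE_CREDS))
    print("case collisions:", case_collisions(SAMPLE_PATHS))
```

`dedupe_lines` keeps the first occurrence so that ordering by frequency (the point of a top-n list) is preserved; rebuilding a list with `sorted(set(...))` would destroy that order. Because a trailing blank line is reported with its line number, the empty millionth line shows up as `(1000000, "")` rather than being counted as a valid (empty) password.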
  • Password List Builder / Duplicate Catcher / Bad String Removal Tool

    I created a tool several years ago to help brute forcing tools by building new password lists from existing collections according to various rules, including user-defined rules, and by stripping duplicates from groups of lists while merging them into larger, more usable lists.

    The app is not perfect, but it is functional and I find it handy when I'm using lists like SecLists stuff.

    Please feel free to include it with SecLists or wherever you like if you believe others will get some use out of it as well. Daniel suggested I submit it here. The source is here:

    https://github.com/Deepspeed/listerene

    opened by Deepspeed 0
  • Add "h2-console" word

    Hi,

    This PR adds the word "h2-console" in relation to the following discovery/event:

    • https://mp.weixin.qq.com/s/Yn5U8WHGJZbTJsxwUU3UiQ
    • https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console
    • https://www.shodan.io/search?query=http.title%3A%22H2+Console%22

    Thank you very much in advance 😃

    opened by righettod 0
  • added 8443, tomcat ssl

    opened by AddaxSoft 0
  • Adding Spring Boot Gateway Actuator

    The gateway actuator can be used to view, add, and delete routes. The general request to gateway or actuator/gateway will return a 404. Displaying the routes should be sufficient in showing that this actuator is enabled.

    Reference: https://wya.pl/2021/12/20/bring-your-own-ssrf-the-gateway-actuator/

    opened by wdahlenburg 0
  • Is there a thing that can make out 4-digit pin codes that are not in this list?

    I wanted to use a secure lock for the game "Rust" so I wouldn't get code raided and other such stuff. Can anyone help me out?

    opened by ArifOrcan 1
  • Missing /opcache/ directory in Web-Content

    On a recent pentest I noticed a webserver using php opcache gui (https://github.com/amnuts/opcache-gui). The unprotected gui shows up some juicy information about the running web server and could be useful for further analysis. The /opcache/ name is not included in any wordlist. Is there a chance to include this directory name in one of the Web-Content lists?

    Cheers.

    opened by blacklist-arcc 0
  • Create days.txt

    password permutations of days of the week

    opened by 5tr1x 0
  • Create months.txt

    password permutations of months

    opened by 5tr1x 0
  • Create seasons.txt

    password permutations of seasons

    opened by 5tr1x 5
Releases(2021.4)