SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

About SecLists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

This project is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.


Install

Zip

wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && unzip SecList.zip \
  && rm -f SecList.zip

Git (Small)

git clone --depth 1 https://github.com/danielmiessler/SecLists.git

Git (Complete)

git clone https://github.com/danielmiessler/SecLists.git

Kali Linux (Tool Page)

apt -y install seclists

Attribution

See CONTRIBUTORS.md


Contributing

See CONTRIBUTING.md


Similar Projects


Licensing

This project is licensed under the MIT license.

MIT License

NOTE: Downloading this repository is likely to cause a false-positive alarm by your anti-virus or anti-malware software; the file path should be whitelisted. There is nothing in SecLists that can harm your computer as-is; however, it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.

Comments
  • Build an API to check common passwords?

    Hi,

    I was thinking about building a simple API to allow web developers to check a password provided by a user against the top-n list. It would be provided free to the community. As in, either me or my company would build and host it for free.

    It raises some important questions;

    1. You have put all this effort in to collating these lists, and I would not build anything like this without your explicit approval.
    2. I have been thinking about whether there is a downside to building this as an API and I would really like someone else's opinion on whether this could potentially be abused.

    If this API is indeed built, there are a couple of things to think about;

    • There is something unnerving about a site sending a user's new password to this random API on the internet to check whether it is in the most-commonly-used. If the API was nefarious, it could potentially store the data and correlate it to the site, thus providing an easier attack vector. That may be the thing that kills the idea dead :) Unless there is a way to ensure the data cannot be correlated and provide assurances around that.
    • The API would return the position on the list, i.e "1000th most commonly used". It is then up to the calling site to determine what they consider acceptable.

    This may be a stupid idea, but I thought I'd put it out there to see what other people think.

    question proposal 
    opened by flytzen 14
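
One way the correlation concern raised in this issue could be addressed, as an added example that is not part of the original post or of the SecLists project: the calling site sends only a short hash prefix and resolves the rank locally. `RankService`, `check_password`, `acceptable`, the SHA-1 bucketing, the 5-character prefix and the sample list are all assumptions made for illustration.

```python
import hashlib

# Constructed sample standing in for a top-n password file (most common first).
SAMPLE_TOP_N = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]
PREFIX_LEN = 5  # assumption: hex characters (20 bits) of the digest sent to the service


def digest(password):
    """Uppercase hex SHA-1, used only to bucket the list, not to store passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RankService:
    """Hypothetical hosted side: it is only ever given a hash prefix."""

    def __init__(self, ranked_passwords):
        self.buckets = {}  # prefix -> {digest suffix: rank}
        self.seen = []     # everything a nefarious operator could have logged
        for rank, pw in enumerate(ranked_passwords, start=1):
            d = digest(pw)
            bucket = self.buckets.setdefault(d[:PREFIX_LEN], {})
            bucket.setdefault(d[PREFIX_LEN:], rank)  # keep the best rank on duplicates

    def lookup(self, prefix):
        self.seen.append(prefix)
        return dict(self.buckets.get(prefix.upper(), {}))


def check_password(password, service):
    """Calling site: return the rank (1 = most common) or None if not listed."""
    d = digest(password)
    candidates = service.lookup(d[:PREFIX_LEN])  # only the prefix leaves the site
    return candidates.get(d[PREFIX_LEN:])        # suffix comparison happens locally


def acceptable(password, service, threshold):
    """The calling site decides what rank it considers too common."""
    rank = check_password(password, service)
    return rank is None or rank > threshold


if __name__ == "__main__":
    svc = RankService(SAMPLE_TOP_N)
    for candidate in ("password", "qwerty", "correct horse battery staple"):
        print(candidate, check_password(candidate, svc), acceptable(candidate, svc, 1000))
    print("service saw:", svc.seen)
```

With a short top-n list a non-empty bucket usually holds a single entry, so the service can still guess a likely match; loading the list and checking the rank locally avoids sending anything at all.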
  • Seclist refusing to clone into my kali

    Good day Daniel. Each time I try to git clone the seclist repo, it is extremely slow and then times out, leaving this error message as a result:

    ┌──(kali㉿kali)-[~/Documents/CTF]
    └─$ git clone https://github.com/danielmiessler/SecLists.git
    Cloning into 'SecLists'...
    remote: Enumerating objects: 11021, done.
    error: 1276 bytes of body are still expectedMiB | 181.00 KiB/s
    fetch-pack: unexpected disconnect while reading sideband packet
    fatal: early EOF
    fatal: fetch-pack: invalid index-pack output

    Please is there a solution to this?

    question 
    opened by KingTomasi 11
  • Adding nextcloud & owncloud to common.txt

    Hey 🙂

    Nextcloud & ownCloud are two famous pieces of software for creating and using file hosting services.

    PS: this addition might also be made to the bigger discovery lists, because none of the big lists contains them

    enhancement 
    opened by clem9669 9
  • [Suggestion] List of Ports Sorted According to Frequency of Use

    Hello,

    I've been searching around Google for a list of port numbers sorted according to their frequency of use, and so far, I've found no results corresponding to what I was looking for, so I wanted to suggest adding something like it to SecLists.

    Problems and Goals

    The goal that I have in mind for a list of such kind is to use it to quickly check if a host is alive in the fastest time possible while assuming that there are packet filtering devices on the way. The only workaround that I can think of regarding this problem is to establish connections to legit services being hosted on my targets, which packet filtering devices usually allow (I think so, I have very little experience with this so bear with me). But the thing is, I don't know which legit services are running on my targets.

    I'm aware that I can do a full 0-65535 port scan on my target hosts, but I think starting with the most frequently used port numbers will shorten my port scan time by a lot, considering that I'm looking for only 1 port to successfully be detected.

    Data Gathering Methodology

    One method that I could think of in the creation of such a list is to query Shodan (https://www.shodan.io/) for each of the 65536 port numbers using their port search filter (port:1, port:2, port:n). Each query will return a frequency value for each port and we can use this value to sort our list.

    I wanted to do this myself, but I've noticed that the use of the API is charged, so maybe this list could be compiled as a result of a mix of collaborative manual work, and (for those who are more charitable) automated work.

    I might start my own GitHub project regarding this possible contribution to SecLists. I'll update this post once I do.

    Disclaimer

    I'm new to this so I'm not sure if there are any better approaches or actual tools out there that will do this job, but I think that having this kind of list would lead to a faster way of checking for hosts that might be hiding behind packet filtering devices.

    enhancement 
    opened by penafieljlm 9
  • Stonecol and Stonecold are both common words?

    I find it hard to believe that Stonecol and Stonecold are, separately, among the 10k most commonly used words. Thoughts?

    https://github.com/danielmiessler/SecLists/blob/master/Passwords/10k_most_common.txt

    question 
    opened by aJetHorn 8
  • Add other possible types of SSH key files.

    Hi,

    This PR (which fixes and replaces PR #745) adds other possible types of SSH key files and variations on the extensions:

    • identity
    • id_dsa
    • id_ecdsa
    • id_ed25519
    • id_ecdsa_sk
    • id_ed25519_sk

    My sources were the following:

    1. The content of the sshd_config file.
    2. The content of the configuration folder of an SSH server, /etc/ssh.
    3. The documentation of the ssh-keygen tool.

    Thank you very much in advance 😃

    Note:

    In addition, I made a proposal for #760

    opened by righettod 7
  • PR for issue 654 (environment identifiers dict)

    Hi,

    This PR refers to issue #654.

    I have used the following command against several local (Luxembourg) domains:

    curl -sk "https://crt.sh/?q=[BASE_DOMAIN]&output=json" | jq -r ".[].name_value" | cut -d'.' -f1 | sort -u
    

    The domains used as sources were defined in each commit. You will find English and French identifiers depending on the companies owning the domains.

    Thank you very much in advance 😃

    enhancement proposal 
    opened by righettod 7
  • Add specific "render" endpoints

    Hi,

    In this PR, I propose adding 2 "render" endpoints to detect the following dynamic rendering engines:

    • Rendertron
    • Prerender

    The information is based on this blog post.

    Thanks a lot in advance 😃

    enhancement 
    opened by righettod 7
  • Create universally useful combined web discovery wordlists which auto-update

    As I promised in issue #652, here's the pull request 😁

    Some very unlikely but possible issues in the future:

    • If both actions trigger simultaneously, only one will be able to finish, as the other one will fail with an error like ! [remote rejected] HEAD -> master (cannot lock ref 'refs/heads/master': is at 7271aab5abc3fcad4f61de3872dcee911b177156 but expected b2ee580771ed4195027759aa5d35f6e5728bf8e0) error: failed to push some refs to 'https://github.com/danielmiessler/SecLists.git'
    • If the wordlists at some point go past 100Mb, we will have to use Git Large File Storage

    Other than that, this should work without any intervention ╰(°▽°)╯

    enhancement proposal 
    opened by ItsIgnacioPortal 6
  • Is there a way for me NOT to download the Payloads folder of this repository?

    Hi, yes, I’d like to not download a bunch of ZIP bombs on my computer while I’m trying to do pen testing, thanks. I used WSL to clone the repository, and now Windows Defender is going apeshit with like 200 different virus detections

    question 
    opened by JohnMackYouTube05 6
  • Add a dict with OAUTH2/OIDC scopes.

    Hi,

    This PR adds a dictionary containing OAuth 2.0 / OpenID Connect scopes found using the procedure described below.

    This dictionary can be used to discover scopes that can be used for a Client ID on an OAUTH Authorization Server / OpenID Provider if the file /.well-known/openid-configuration is not reachable or some scopes are defined but not used by the Client ID.

    I have created this script to perform, among others, this kind of operation.

    The dictionary was created using the following steps.

    1. Get data from Shodan for IP hosting an instance of the Keycloak software.

    The following script was used:

    #!/bin/bash
    # Made an initial request without the page parameter and take the value of the "total" attribute
    # Then divide it by 100 to have the number of pages
    for p in {1..11}
    do
    	curl -X GET "https://api.shodan.io/shodan/host/search?key=[api_key]&query=keycloak&page=$p" --output "data$p.json"
    done
    

    Content of each JSON file:

    json-extract

    2. Extract of the Location header for every entry from all json files to create a first source of data (urls) named source1.txt.

    The following script was used; it leverages the jq tool to extract data from JSON files:

    #!/bin/bash
    rm data1.txt 2>/dev/null
    for f in `ls data*.json`
    do
    	jq -r ".matches[].data" $f >> data1.txt
    done
    grep -Po "Location:\s.*" data1.txt | cut -d' ' -f2 > source1.txt
    
    3. Extraction of all hostnames header for every entry from all json files to create a second source of data (urls) named source2.txt.

    The following script was used, it adds a Keycloak url path to all hostnames, this one is normally present on a Keycloak instance:

    #!/bin/bash
    rm data2.txt 2>/dev/null
    for f in `ls data*.json`
    do
    	jq -r ".matches[].hostnames" $f | grep -Po '".*"' | tr -d '"' | sort -u >> data2.txt
    done
    awk 'NF{print "https://" $0 "/auth/realms/master/protocol/openid-connect/auth"}' data2.txt > source2.txt
    
    4. Merging of the two data sources via cat source1.txt source2.txt | sort -u > source.txt and fixing of invalid urls manually (find right urls to use via manual request against the hostname)

    5. Generation of the file scopes.txt and realms.txt via the following python script (dirty script non-optimised) named grab-scopes-realms.py:

    import requests
    # pip3 install requests
    # Very dirty script to create a dict of Scopes and Realms
    # Shodan query: https://www.shodan.io/search?query=%22keycloak%22
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
    with open("source.txt", "r") as f:
        urls = f.read().splitlines()
    scopes = []
    realms = []
    urls_processed = []
    urls_not_processed = []
    marker = "/protocol"
    c = 0
    t = len(urls)
    with requests.Session() as session:
        session.verify = False
        session.headers.update({"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"})
        for u in urls:
            u = u.split("?")[0]
            c += 1
            if u in urls_processed or marker not in u:
                continue
            urls_processed.append(u)
            print(f"\rProcessing url {c}/{t}", end="", flush=True)
            base_url_realms = u[0:u.index(marker)]
            metadata_url = f"{base_url_realms}/.well-known/openid-configuration"
            realm = base_url_realms.split("/")[-1]
            try:
                http_response = session.get(url=metadata_url, allow_redirects=True, timeout=5)
            except requests.exceptions.RequestException:
                urls_not_processed.append(u)
                continue
            is_json = (http_response.status_code == 200
                       and "application/json" in http_response.headers.get("Content-Type", ""))
            try:
                # Parse the body once; a malformed JSON body must not abort the whole run
                metadata = http_response.json() if is_json else {}
            except ValueError:
                metadata = {}
            if isinstance(metadata, dict) and "scopes_supported" in metadata:
                scopes.extend(metadata["scopes_supported"])
                if realm not in realms:
                    realms.append(realm)
        print(f"\r{len(urls_processed)} urls processed - {len(urls_not_processed)} urls not processed.", end="", flush=True)
    scopes = list(set(scopes))
    scopes.sort()
    realms.sort()
    urls_not_processed.sort()
    with open("scopes.txt", "w") as f:
        f.write("\n".join(scopes))
    with open("realms.txt", "w") as f:
        f.write("\n".join(realms))
    with open("urls-not-processed.txt", "w") as f:
        f.write("\n".join(urls_not_processed))
    

    Execution:

    $ python --version
    Python 3.7.5
    $ python grab-scopes-realms.py
    1080 urls processed - 404 urls not processed.
    

    The goal is to enrich it with the time when new scopes are identified.

    Thanks in advance 😃

    enhancement 
    opened by righettod 6
  • [spring-boot.txt] Add new endpoints

    Hi,

    This PR uses this documentation to add the prefix management/ to the endpoints list from this documentation:

    Command used to extract endpoints:

    curl -sk https://docs.spring.io/spring-boot/docs/2.1.7.RELEASE/reference/html/production-ready-endpoints.html | grep -Po '<code class="literal">([a-z]+)</code>' | cut -d'>' -f2 | cut -d'<' -f1 | sort -u
    

    Thanks in advance 😃

    opened by righettod 2
  • Collection methodology for the dutch passwordlists

    Hello,

    Thank you very much for putting this repo together.

    I would like to ask for information please on what was the collection source and methodology for the following password lists:

    • https://github.com/danielmiessler/SecLists/blob/master/Passwords/dutch_common_wordlist.txt
    • https://github.com/danielmiessler/SecLists/blob/master/Passwords/dutch_passwordlist.txt
    • https://github.com/danielmiessler/SecLists/blob/master/Passwords/dutch_wordlist

    Are they related in any way? I.e., is one generated from the other?

    Thank you, Tamas

    opened by vorost 1
Releases(2022.3)
Owner
Daniel Miessler
Exploring the fascinating intersection of security, technology, and humans.