
About SecLists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

This project is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.


Install

Zip

wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && unzip SecList.zip \
  && rm -f SecList.zip

Git (Small)

git clone --depth 1 https://github.com/danielmiessler/SecLists.git

Git (Complete)

git clone https://github.com/danielmiessler/SecLists.git

Kali Linux (Tool Page)

apt -y install seclists

Attribution

See CONTRIBUTORS.md


Contributing

See CONTRIBUTING.md


Similar Projects


Licensing

This project is licensed under the MIT license.

MIT License


NOTE: Downloading this repository is likely to trigger a false-positive alarm from your anti-virus or anti-malware software; the file path should be whitelisted. Nothing in SecLists can harm your computer as-is. However, storing these files on a server or other important system is not recommended because of the risk of local file inclusion attacks.

Issues
  • Build an API to check common passwords?

    Hi,

    I was thinking about building a simple API to allow web developers to check a password provided by a user against the top-n list. It would be provided free to the community. As in, either me or my company would build and host it for free.

    It raises some important questions;

    1. You have put all this effort in to collating these lists, and I would not build anything like this without your explicit approval.
    2. I have been thinking about whether there is a downside to building this as an API and I would really like someone else's opinion on whether this could potentially be abused.

    If this API is indeed built, there are a couple of things to think about;

    • There is something unnerving about a site sending a user's new password to this random API on the internet to check whether it is in the most-commonly-used. If the API was nefarious, it could potentially store the data and correlate it to the site, thus providing an easier attack vector. That may be the thing that kills the idea dead :) Unless there is a way to ensure the data cannot be correlated and provide assurances around that.
    • The API would return the position on the list, i.e "1000th most commonly used". It is then up to the calling site to determine what they consider acceptable.

    This may be a stupid idea, but I thought I'd put it out there to see what other people think.

    proposal question 
    opened by flytzen 14
  • Duplicate (mixed case) file in Fuzzing Directory

    'Fuzzing/UserAgents-IE.txt'
    'Fuzzing/useragents-ie.txt'
    

    One needs blowing away.

    bug 
    opened by ChrisMcKee 9
  • 1.4 billion password breach compilation wordlist

    How about including this password list?

    https://gist.github.com/scottlinux/9a3b11257ac575e4f71de811322ce6b3

    enhancement 
    opened by riramar 9
  • Adding nextcloud & owncloud to common.txt

    Hey 🙂

    Nextcloud & ownCloud are two well-known pieces of software for creating and running a file hosting service.

    PS: this addition might also be made to the bigger discovery lists, because none of the big lists contain them.

    enhancement 
    opened by clem9669 9
  • top million passwords minus one.

    The file 10_million_password_list_top_1000000.txt does have a million lines, but from a quick look at it, the 1 millionth line is empty.

    bug question 
    opened by My1 9
  • [Suggestion] List of Ports Sorted According to Frequency of Use

    Hello,

    I've been searching around Google for a list of port numbers sorted according to their frequency of use, and so far, I've found no results corresponding to what I was looking for, so I wanted to suggest adding something like it to SecLists.

    Problems and Goals

    The goal that I have in mind for a list of such kind is to use it to quickly check if a host is alive in the fastest time possible while assuming that there are packet filtering devices on the way. The only workaround that I can think of regarding this problem is to establish connections to legit services being hosted on my targets, which packet filtering devices usually allow (I think so, I have very little experience with this so bear with me). But the thing is, I don't know which legit services are running on my targets.

    I'm aware that I can do a full 0-65535 port scan on my target hosts, but I think starting with the most frequently used port numbers will shorten my port scan time by a lot, considering that I'm looking for only 1 port to successfully be detected.

    Data Gathering Methodology

    One method that I could think of in the creation of such a list is to query Shodan (https://www.shodan.io/) for each of the 65536 port numbers using their port search filter (port:1, port:2, port:n). Each query will return a frequency value for each port and we can use this value to sort our list.

    I wanted to do this myself, but I've noticed that the use of the API is charged, so maybe this list could be compiled as a result of a mix of collaborative manual work, and (for those who are more charitable) automated work.

    I might start my own GitHub project regarding this possible contribution to SecLists. I'll update this post once I do.

    Disclaimer

    I'm new to this so I'm not sure if there are any better approaches or actual tools out there that will do this job, but I think that having this kind of list would lead to a faster way of checking for hosts that might be hiding behind packet filtering devices.

    enhancement 
    opened by penafieljlm 9
  • new secret keywords added

    enhancement 
    opened by nsonaniya2010 8
  • Stonecol and Stonecold are both common words?

    I find it hard to believe that Stonecol and Stonecold are, separately, among the 10k most commonly used words. Thoughts?

    https://github.com/danielmiessler/SecLists/blob/master/Passwords/10k_most_common.txt

    question 
    opened by aJetHorn 8
  • Add specific "render" endpoints

    Hi,

    In this PR, I propose adding 2 "render" endpoints to detect the following dynamic rendering engines:

    • Rendertron
    • Prerender

    Information is based on this blog post.

    Thanks a lot in advance 😃

    enhancement 
    opened by righettod 7
  • Add port 3000 (Ruby on Rails) to common ports

    This is the default port Rails uses in a fresh installation; this is mentioned in the command line docs here, and I also have a lot of experience with Rails confirming this port is often used in practice.

    3001 is also used when people run two servers, but that's more just convention than the framework enforcing it. I wasn't sure how small you are trying to keep the list, so I left it off for now.

    opened by jakecraige 0
  • Add "UniqueId" http request header

    Hi,

    This PR adds the header UniqueId to the file http-request-headers-fields-large.txt; I have seen it often during web pentests.

    I have verified first that it was not present in the updated section of dictionaries:

    [screenshot omitted]

    I think it can be interesting to target it in a fuzzing operation because it can perhaps lead to an injection point, depending on how it is consumed by the web app.

    Thanks in advance 😃

    opened by righettod 0
  • full 10 million password list?

    The "10 Million Password list" in common credentials has several top-x files up to top 1 million, but there does not seem to be a full file. Is that available somewhere?

    opened by My1 0
  • Mistake found in special-chars.txt

    The special-chars.txt file found at ./Seclists/Fuzzing/special-chars.txt contains an error.

    The two special characters found at lines 13 and 14 are exactly the same, namely both are ASCII underscores, with the corresponding hex code value of 5F.

    One of these two characters needs to be changed to the ASCII hyphen (subtraction sign), with the corresponding hex code value of 2D, as that special character is currently missing from that list.

    opened by Neticegear 1
  • Add Base64 Encoded tomcat-betterdefaultpasslist

    proposal 
    opened by sAsPeCt488 2
  • Update admin.txt

    adding administrator-panel to the list

    enhancement 
    opened by ahronmoshe 1
  • Update all.txt

    added adminHeader.html endpoint

    enhancement 
    opened by afaq1337 2
  • Anyone see value in adding a Chrome malicious extension list?

    I figured I'd open it up to the collective to see if y'all would find value to the list I keep of malicious Chrome extensions before making a pull request:

    Just the IDs: https://github.com/mallorybowes/chrome-mal-ids/blob/master/current-list.csv
    IDs + metadata: https://github.com/mallorybowes/chrome-mal-ids/blob/master/current-list-meta.csv

    I could see ppl using it for figuring out malicious extensions on desktops for various pentest-like engagements or if someone wanted a known malicious id to test AV-type functionality. There's also 2 ppl that currently pull the list to scan through their application inventories for the networks they manage.

    If ppl think it would be a good addition, I'll put in the pull request.

    Thanks!

    proposal 
    opened by mallorybowes 2
  • Common Username Patterns?

    I've been using the SecLists repository for a while now, and I think it's amazing. Thank you to all the contributors for compiling this amazing resource into one place.

    One thing that I have considered is that, with the Usernames directory, there's nothing on common usernames using common names/common username patterns for corporate email addresses and login details.

    I have written a program that ingests the files in Usernames/Names and converts them into text files which contain each of the common username patterns (e.g. first+last, first+"."+last).

    The resulting output from this program is a 161MB directory containing 2,000,000 text files (one for each name combination).

    I'm unsure whether it is better to contribute the code to do this (written in Python 3.8) or the resulting export, as the data export is very large.

    enhancement proposal 
    opened by redstonedesigner 1
  • Add JWT default secrets

    From: https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list
    By @d0znpp / @wallarm. If the license is compatible, of course :)

    enhancement 
    opened by cnotin 1
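Several of the threads above ("Build an API to check common passwords?", "top million passwords minus one." and "Mistake found in special-chars.txt") come down to two operations a defender can run locally against a downloaded list, without sending any password to a third party: looking up a candidate password's rank in a top-N list, and linting a wordlist for blank lines and duplicate entries. The following is an added example, not code from SecLists or from any of the issue authors; the two sample wordlists are constructed inline, and the function names (load_wordlist, lint_wordlist, password_rank, is_too_common) are my own.

```python
"""Local wordlist checks (added example; sample data below is constructed, not taken from SecLists)."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed stand-in for a top-N password list; note the trailing empty line,
# which mirrors the "1 millionth line is empty" report above.
SAMPLE_PASSWORDS = "123456\npassword\n12345678\nqwerty\n123456789\n\n"

# Constructed stand-in for a special-characters list with one entry repeated,
# mirroring the duplicate underscore report above.
SAMPLE_SPECIAL_CHARS = "~\n!\n@\n#\n_\n_\n"


def load_wordlist(text: str) -> List[str]:
    """Split raw file text into lines, keeping empty lines so line numbers stay accurate.

    str.splitlines() drops the final newline, so "a\\nb\\n\\n" yields ["a", "b", ""]:
    exactly one entry per physical line.
    """
    return text.splitlines()


def lint_wordlist(lines: List[str]) -> Dict[str, object]:
    """Report blank lines and duplicate entries, each with 1-based line numbers."""
    positions = defaultdict(list)
    blank_lines = []
    for lineno, entry in enumerate(lines, start=1):
        if entry == "":
            blank_lines.append(lineno)
            continue
        positions[entry].append(lineno)
    duplicates = {entry: nums for entry, nums in positions.items() if len(nums) > 1}
    return {
        "blank_lines": blank_lines,
        "duplicates": duplicates,
        "entries": len(lines) - len(blank_lines),  # usable entries, blanks excluded
    }


def password_rank(password: str, lines: List[str]) -> Optional[int]:
    """Return the 1-based rank of `password` in a frequency-ordered list, or None if absent.

    Blank lines are skipped so a stray empty line neither shifts nor pads the ranking.
    Comparison is exact (case-sensitive), matching how the lists are used.
    """
    rank = 0
    for entry in lines:
        if entry == "":
            continue
        rank += 1
        if entry == password:
            return rank
    return None


def is_too_common(password: str, lines: List[str], top_n: int) -> bool:
    """Policy helper: True if the password appears within the first `top_n` ranked entries."""
    rank = password_rank(password, lines)
    return rank is not None and rank <= top_n


if __name__ == "__main__":
    passwords = load_wordlist(SAMPLE_PASSWORDS)
    print("password list lint:", lint_wordlist(passwords))
    for candidate in ("qwerty", "hunter2"):
        print(candidate, "rank:", password_rank(candidate, passwords),
              "too common:", is_too_common(candidate, passwords, top_n=1000))
    print("special-chars lint:", lint_wordlist(load_wordlist(SAMPLE_SPECIAL_CHARS)))
```

Running the script against the real files is a matter of replacing the constructed strings with the contents of the SecLists files (read with newline handling left as-is, so that the lint line numbers match the file). Keeping the check local addresses the correlation concern raised in the API thread: the candidate password never leaves the host that is evaluating it.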
Releases: 2021.2