Personal compilation of wordlists & dictionaries for everything. Users, passwords, directories, files, vulnerabilities, fuzzing, injections, wordlists of tools, etc.

If you want to add more or If you know the authorship of a dictionary, contact me.

Passwords

• Passwords, by SecLists
  • Common Credentials
  • Cracked Hashes milw0rm-dictionary
  • Default Credentials by services
  • Honeypot Captures
  • Leaked Databases
• Probable-Wordlist, by Berzerk0
  • Real Passwords MegaLinks
  • Passwords Default
  • Top 304 Thousand
  • Top 12 Thousand
  • Top 1575
  • Top 207
  • Analysis Files
  • WPA
    • Real Password MegaLinks, by Berzerk0
    • Top204Thousand, by Berzerk0
    • Top 4800, by Berzerk0
    • Top 447, by Berzerk0
    • Top 62, by Berzerk0
• Passwords mix, by Werdlists
• Nmap

Users

• Users Common
• Users mix by SecLists

Injections

• PayloadsAllTheThings
  • A list of useful payloads and bypass for Web Application Security and Pentest/CTF (CSRF, LDAP, NoSQL, XEE, etc.).
• Cross-Site Scripting (XSS)
• Cross-Site Scripting (XSS) by SecLists
• XSS swf fuzz
• XSS remote payloads HTTPS
• XSS remote payloads HTTP
• XSS payloads quick
• XSS grep
• XSS funny stored
• XSS find inject
• XSS escape chars
• XML Attacks
• Auth Bypass
• command exec
• Overflow
• Payload injectx
• SQLI error based
• SQLI time based
• SQLI union select
• SQLI escape chars
• SQL
• SQL by SecLists
• Databases by SecLists
• Path Trasversal
• Path Trasversal short
• Path Trasversal by 1N3
• URL payloads
• SSI
• SSI Jhaddix
• LFI
• LDAP
• JSON

Languages

• German
• Spanish

Vendors/Software

• Web content
  • CMS, DB, APIs, Web Servers, etc. by SecLists.
• Vendor Default
• Tomcat
• Oracle
• ckeditor 4.7.3 (by @_devalias)
• GovCMS 7.x-2.15 (by @_devalias)
• ASP
• JSP
• PHP 1/2
• PHP 2/2
• Exploitable PHP functions

Domains/Subdomains

• Mix Subdomains popular 2020 (incoming…)
• Mix Subdomains popular 2017
• Mix Subdomains popular 2016
• Certificate Transparency Subdomains

Others

• Naughty Strings
• User Agents
• Google 10000 English
  • This repo contains a list of the 10,000 most common English words in order of frequency, as determined by n-gram frequency analysis of the Google’s Trillion Word Corpus.

Tools

• BurpSuite
  • Burp-pack with all the dictionaries available in the tool BurpSuite.
• SQLmap
  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
• Hashcat
  • World’s fastest and most advanced password recovery utility.
• Dirb
  • DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
• Fuzzdb
  • Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
• DirSearch
  • Web path scanner.
• Wfuzz
  • Web application fuzzer http://wfuzz.io.
• Cfuzzer
  • url-fuzzer.
• Pyfuzz
  • URL fuzzing tool made of Python.
• CommonSpeak
  • Commonspeak is a wordlist generation tool that leverages public datasets from Google’s BigQuery platform.