What are Wordlists?
Wordlists are plain-text files containing thousands — or millions — of candidate passwords, usernames, directory names, or other strings used as input to brute-force and dictionary attack tools. They are not tools themselves but are the core resource that powers tools like hydra, hashcat, john, gobuster, ffuf, and wifite. The quality of your wordlist directly determines the success of any attack that depends on guessing.
On Kali Linux, the most important wordlists are pre-packaged and located under /usr/share/wordlists/. The most famous is rockyou.txt — a real-world leaked password list from the 2009 RockYou data breach containing over 14 million passwords.
Only use wordlists to attack systems you own or have explicit written permission to test. Unauthorized credential attacks violate Pakistan's PECA 2016 and international cybercrime laws.
Installation & Setup
```bash
# Install the wordlists package (Kali)
sudo apt update
sudo apt install wordlists -y

# Decompress rockyou.txt (shipped gzipped on Kali)
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Install SecLists, the most comprehensive collection
sudo apt install seclists -y

# Or clone directly from GitHub (the full repository is several hundred MB,
# and writing under /usr/share needs root)
sudo git clone https://github.com/danielmiessler/SecLists.git /usr/share/seclists

# Check what's available
ls /usr/share/wordlists/
ls /usr/share/seclists/
```
Key Wordlist Locations on Kali
| File / Path | Size | Best Used For |
|---|---|---|
| /usr/share/wordlists/rockyou.txt | ~134 MB / 14M lines | Password cracking (Wi-Fi, hashes, logins) |
| /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt | 1,000 lines | Fast password spraying, quick wins |
| /usr/share/seclists/Discovery/Web-Content/common.txt | ~4,700 lines | Web directory/file fuzzing |
| /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt | ~220K lines | Deep web directory brute-force |
| /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | 5,000 lines | Subdomain enumeration |
| /usr/share/seclists/Usernames/Names/names.txt | ~10K lines | Username enumeration |
| /usr/share/seclists/Fuzzing/SQLi/ | Various | SQL injection fuzzing payloads |
| /usr/share/seclists/Fuzzing/XSS/ | Various | XSS fuzzing payloads |
Using Wordlists with Common Tools
```bash
# --- Hydra: SSH brute-force (one username, a password list) ---
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10

# --- Hydra: HTTP login form ---
# "F=Invalid" is the string hydra expects in a FAILED login response;
# check the application's real failure message first, or every guess
# is reported as a hit
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.10 \
  http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"

# --- Hashcat: crack MD5 hashes (-m 0) in straight/dictionary mode (-a 0) ---
hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

# --- John the Ripper: crack hashes copied from /etc/shadow ---
# john autodetects most hash types; for the $y$ (yescrypt) hashes current
# Debian/Kali systems use, add --format=crypt if it reports no hashes loaded
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt

# --- Gobuster: directory brute-force ---
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

# --- ffuf: directory fuzzing ---
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

# --- ffuf: subdomain fuzzing (names that resolve in DNS) ---
ffuf -u http://FUZZ.target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# --- ffuf: virtual-host fuzzing (names that exist only in the web server config) ---
# keep the URL fixed and put FUZZ in the Host header; -fs N drops responses of
# the default vhost's byte size N so only hosts that answer differently show up
ffuf -u http://target.com -H "Host: FUZZ.target.com" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs N

# --- Wifite: WPA handshake cracking ---
sudo wifite --dict /usr/share/wordlists/rockyou.txt
```
Creating Custom Wordlists
Generic wordlists miss context-specific passwords. For targeted attacks, custom lists based on the target organization or person significantly improve success rates.
```bash
# --- CeWL: spider a website and build a wordlist from its vocabulary ---
cewl https://target.com -d 2 -m 5 -w custom_target.txt
# -d: crawl depth, -m: minimum word length, -w: output file

# --- Crunch: generate wordlists by character set or pattern ---
# All 8-char lowercase alphanumeric strings: 36^8 (about 2.8 trillion) lines,
# tens of terabytes on disk. Only generate what you can actually crack.
crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 -o output.txt
# Pattern mode (-t): @ = lowercase letter, , = uppercase letter, % = digit, ^ = symbol
crunch 9 9 -t Password% -o pinlist.txt      # Password0 .. Password9

# --- cupp: interactive profiling-based generator ---
sudo apt install cupp -y     # or: git clone https://github.com/Mebus/cupp
cupp -i
# Prompts for name, DOB, pet name, keywords; writes <name>.txt

# --- Mentalist (GUI tool for rule-based lists) ---
# Source: https://github.com/sc0tfree/mentalist

# --- Combine and deduplicate two lists ---
cat /usr/share/wordlists/rockyou.txt custom_target.txt | sort -u > merged.txt

# --- Keep only candidates of at least 8 characters (matches most password policies) ---
awk 'length >= 8' /usr/share/wordlists/rockyou.txt > rockyou_8plus.txt

# --- Extract only lines matching a pattern (e.g. Pakistan-related) ---
grep -i "pakistan\|lahore\|karachi\|islamabad" /usr/share/wordlists/rockyou.txt > pk_words.txt
```
Wordlist Manipulation Tips
```bash
# Count lines in a wordlist
wc -l /usr/share/wordlists/rockyou.txt

# Preview first 20 entries
head -20 /usr/share/wordlists/rockyou.txt

# Remove duplicates from a list
sort -u wordlist.txt -o wordlist_dedup.txt

# Apply hashcat rules at crack time to expand a wordlist (P@ssw0rd, password1, ...)
# without writing the expanded list to disk
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Convert a wordlist to uppercase variants
tr '[:lower:]' '[:upper:]' < rockyou.txt > rockyou_upper.txt

# Append a year to every word (password -> password2024); a single '$' anchors the end of line
sed 's/$/2024/' rockyou.txt > rockyou_2024.txt
```
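The script below is an added example, not part of the original page: it chains the steps of the last two sections into one targeted-list builder. It takes seed words of the kind CeWL returns, applies the case, leetspeak and suffix transforms by hand (each commented with the hashcat rule function that does the same thing), then keeps only candidates that could satisfy an assumed target policy of at least 8 characters including a digit. The seed words, years, suffixes and the policy are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Builds a targeted wordlist from
# seed words using POSIX tools only. Seeds, years, suffixes and the password
# policy below are assumed for the demonstration.

MIN_LEN=8                 # assumed target policy: 8+ characters ...
YEARS="2023 2024 2025"    # ... and at least one digit (years/suffixes supply it)
SUFFIXES='! @ # 123'

# variants WORD: lower, upper, capitalised and leetspeak forms of one word
# (hashcat rule functions: l, u, c, and sa4 se3 si1 so0 ss5)
variants() {
    w=$1
    lower=$(printf '%s' "$w" | tr '[:upper:]' '[:lower:]')
    upper=$(printf '%s' "$w" | tr '[:lower:]' '[:upper:]')
    cap=$(printf '%s' "$lower" | cut -c1 | tr '[:lower:]' '[:upper:]')$(printf '%s' "$lower" | cut -c2-)
    leet=$(printf '%s' "$lower" | tr 'aeios' '43105')
    printf '%s\n%s\n%s\n%s\n' "$lower" "$upper" "$cap" "$leet"
}

# mangle: read seed words on stdin, emit every variant plus year/suffix appends
mangle() {
    while IFS= read -r w; do
        [ -z "$w" ] && continue
        variants "$w" | while IFS= read -r v; do
            printf '%s\n' "$v"                                       # bare word (rule ':')
            for y in $YEARS;    do printf '%s%s\n' "$v" "$y"; done   # rule '$2$0$2$4'
            for s in $SUFFIXES; do printf '%s%s\n' "$v" "$s"; done   # rule '$!'
        done
    done
}

# policy_filter: drop candidates the target's policy would never have accepted,
# then deduplicate (the same idea as awk 'length >= 8' ... | sort -u above)
policy_filter() {
    awk -v min="$MIN_LEN" 'length($0) >= min && $0 ~ /[0-9]/' | sort -u
}

# build_wordlist: seeds on stdin, final targeted list on stdout
build_wordlist() {
    mangle | policy_filter
}

# demo: constructed seeds, as if scraped from a fictional company's website
demo() {
    printf 'acme\nLahore\nwarehouse\n' | build_wordlist
}

# Run directly (not when sourced) to print the demo list
[ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ -z "${WORDLIST_LIB:-}" ] && demo
```

Typical use is `cewl https://target.com -w seeds.txt` followed by `build_wordlist < seeds.txt > targeted.txt` (with `WORDLIST_LIB=1` set when sourcing the file). Pre-expanding to disk like this is what flat-file tools such as hydra need; when the target is a hash, leave the seed list small and let hashcat apply the equivalent rules at crack time, since its rule engine runs on the GPU and never has to write the variants out.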
Common Use Cases
- WPA/WPA2 handshake cracking after wireless capture with wifite or aircrack-ng
- Password hash cracking with hashcat or john during post-exploitation
- Web directory and file enumeration with gobuster or ffuf
- Subdomain discovery during reconnaissance
- Credential stuffing and password spraying against login portals
- CTF challenges involving password-protected archives, hashes, or login pages
- Fuzzing for SQL injection, XSS, and path traversal payloads
Further Reading
The SecLists GitHub repository (github.com/danielmiessler/SecLists) is the most comprehensive community-maintained collection of security-focused wordlists. For hash cracking specifically, study hashcat's built-in rules (/usr/share/hashcat/rules/): rules multiply a small wordlist into millions of variations at crack time, without shipping a multi-gigabyte list. Practice against real challenges on TryHackMe, HackTheBox, and hackzia.site labs.