Brute force is still one of the most popular password-cracking methods, but it is not limited to password cracking: it can also be used to discover hidden pages and content in a web application. The attack is basically “hit and try” until you succeed. It sometimes takes longer, but its success rate is higher.
In this article, we collect popular wordlists used in different brute force scenarios.
Default Credentials
Search Google for the default credentials of the technology in use, or try these links:
- https://github.com/ihebski/DefaultCreds-cheat-sheet
- http://www.phenoelit.org/dpl/dpl.html
- http://www.vulnerabilityassessment.co.uk/passwordsC.htm
- https://192-168-1-1ip.mobi/default-router-passwords-list/
- https://datarecovery.com/rd/default-passwords/
- https://bizuns.com/default-passwords-list
- https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv
- https://github.com/Dormidera/WordList-Compendium
- https://www.cirt.net/passwords
- http://www.passwordsdatabase.com/
- https://many-passwords.github.io/
Create Your Own Wordlist
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
- Crunch: https://www.kali.org/tools/crunch/
- Cewl: https://github.com/digininja/CeWL
- CUPP: https://github.com/Mebus/cupp
- pydictor: https://github.com/LandGrey/pydictor
Dictionaries:
- https://github.com/danielmiessler/SecLists
- https://github.com/Dormidera/WordList-Compendium
- https://github.com/kaonashi-passwords/Kaonashi
- https://github.com/google/fuzzing/tree/master/dictionaries
- https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
- https://www.kaggle.com/datasets/wjburns/common-password-list-rockyoutxt