SecLists Path Map
Base path: /usr/share/seclists/
Subdomain / DNS Enumeration
Discovery/DNS/bitquark-subdomains-top100000.txt # Top 100k subdomains
Discovery/DNS/subdomains-top1million-110000.txt # 1M subdomains
Discovery/DNS/shubs-subdomains.txt # Alternative quality list
Discovery/DNS/dns-Jhaddix.txt # Comprehensive subdomain list
Discovery/DNS/namelist.txt # Short, fast list
Discovery/DNS/fierce-hostlist.txt # Fierce default list
Discovery/DNS/combined_subdomains.txt # Combined mega list
Web Directory / Content Enumeration
Discovery/Web-Content/raft-medium-words.txt # Balanced: 63k entries (RECOMMENDED)
Discovery/Web-Content/raft-large-words.txt # Large: 119k entries
Discovery/Web-Content/raft-small-words.txt # Fast: 43k entries
Discovery/Web-Content/directory-list-2.3-medium.txt # Dirb classic medium
Discovery/Web-Content/directory-list-2.3-big.txt # Dirb classic big
Discovery/Web-Content/common.txt # Quick 4k common paths
Discovery/Web-Content/big.txt # 20k common paths
Discovery/Web-Content/raft-medium-directories.txt # Directories only
Discovery/Web-Content/raft-medium-files.txt # Files only
Discovery/Web-Content/raft-medium-extensions.txt # Extension enumeration
Discovery/Web-Content/SVNDigger/all.txt # SVN/code repos
Discovery/Web-Content/CMS/ # CMS-specific lists
Discovery/Web-Content/IIS.fuzz.txt # IIS-specific
Discovery/Web-Content/nginx.txt # Nginx-specific
API Endpoints
Discovery/Web-Content/api/api-endpoints.txt # Common API paths
Discovery/Web-Content/api/api-endpoints-res.txt # API resource patterns
Discovery/Web-Content/api/api-seen-in-wild.txt # Wild API endpoints
Discovery/Web-Content/api/objects.txt # API object names
Discovery/Web-Content/api/actions.txt # API action names
Discovery/Web-Content/api/graphql.txt # GraphQL endpoint paths
Passwords by Service
# SSH brute force
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/wordlists/rockyou.txt # Classic 14M
# HTTP form brute force
/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
/usr/share/seclists/Passwords/Common-Credentials/best110.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt
# Default credentials (service-specific)
/usr/share/seclists/Passwords/Default-Credentials/default-passwords.csv
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/mysql-betterdefaultpasslist.txt
/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt
# Web application defaults
/usr/share/seclists/Passwords/darkweb2017-top10000.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou-10.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou-25.txt
# SNMP community strings
/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
/usr/share/seclists/Discovery/SNMP/snmp.txt
# WPA handshake cracking
/usr/share/wordlists/rockyou.txt # Start here
/usr/share/seclists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
# VNC/RDP brute
/usr/share/seclists/Passwords/Common-Credentials/500-worst-passwords.txt
# WordPress xmlrpc brute
/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
Usernames
Usernames/top-usernames-shortlist.txt # 17 common usernames
Usernames/Names/names.txt # First names
Usernames/cirt-default-usernames.txt # Device default users
Usernames/CommonAdminBase64.txt # Admin base64 encoded
Usernames/mssql-betterdefaultpasslist.txt # MSSQL defaults
Fuzzing
# LFI / Path Traversal
Fuzzing/LFI/LFI-Jhaddix.txt # 929 LFI payloads (BEST)
Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt # Huge LFI list
Fuzzing/LFI/LFI-gracefulsecurity-linux.txt # Linux-specific
Fuzzing/LFI/LFI-gracefulsecurity-windows.txt # Windows-specific
# XSS
Fuzzing/XSS/XSS-Jhaddix.txt # Comprehensive XSS payloads
Fuzzing/XSS/XSS-BruteLogic.txt # BruteLogic collection
Fuzzing/XSS/XSS-Bypass-Strings-BruteLogic.txt # WAF bypass payloads
Fuzzing/XSS/xss-payload-list.txt # Extended XSS list
# SQL Injection
Fuzzing/SQLi/Generic-SQLi.txt # Generic SQL injection
Fuzzing/SQLi/quick-SQLi.txt # Quick test payloads
Fuzzing/SQLi/MySQL-SQLi-Login-Bypass.txt # MySQL login bypass
Fuzzing/SQLi/MSSQL-Enumeration.fuzzdb.txt # MSSQL enumeration
# SSTI
Fuzzing/template-engines-expression.txt # Template injection payloads
# SSRF
Fuzzing/SSRF/SSRF-payloads.txt # SSRF bypass payloads
# XXE
Fuzzing/XXE/ # XXE payloads directory
# Open Redirect
Fuzzing/open-redirects-payloads.txt # Open redirect vectors
IDOR / ID Enumeration
# Numeric IDs
seq 1 10000 # Pipe to ffuf: -w <(seq 1 10000)
seq 1 1000000 | shuf | head -10000 # Random sample
# UUID generation
python3 -c "import uuid; [print(uuid.uuid4()) for _ in range(1000)]"
# Alphanumeric short IDs
/usr/share/seclists/Fuzzing/alphanumeric-case.txt
Web Backup / Sensitive Files
Discovery/Web-Content/sensitive-files.txt # Sensitive file paths
Discovery/Web-Content/backup-extensions.fuzz.txt # Backup extensions
Discovery/Web-Content/CGI-Http/apache.txt # Apache CGI
Discovery/Web-Content/.well-known/ # .well-known paths
Hashcat Rules
# Location
/usr/share/hashcat/rules/
# Best overall (start here)
/usr/share/hashcat/rules/best64.rule # 64 fast rules
/usr/share/hashcat/rules/d3ad0ne.rule # 34k rules
/usr/share/hashcat/rules/rockyou-30000.rule # rockyou-derived
/usr/share/hashcat/rules/dive.rule # Deep coverage
# Combination rules
/usr/share/hashcat/rules/combinator.rule # Word combination
/usr/share/hashcat/rules/leetspeak.rule # Leet speak transforms
# Community rules (download separately)
# OneRuleToRuleThemAll: https://github.com/NotSoSecure/password_cracking_rules
# /opt/OneRuleToRuleThemAll.rule # 52k rules (BEST community)
# Multiple rules (combine effects)
hashcat -m 1000 hashes.txt wordlist.txt \
-r /usr/share/hashcat/rules/best64.rule \
-r /usr/share/hashcat/rules/d3ad0ne.rule
# Generate rule from known password pattern
python3 -c "
# Pattern: Capitalize first, add year + special
# Word: password → Password2024!
print('c') # capitalize
print('$2$0$2$4') # append 2024
print('$!') # append !
" > custom.rule
Mask Attack Patterns (hashcat -a 3)
# Charsets:
# ?l = lowercase a-z
# ?u = uppercase A-Z
# ?d = digit 0-9
# ?s = special chars
# ?a = all printable
# ?b = all 0x00-0xff
# Corporate password patterns (8-12 chars)
?u?l?l?l?l?l?d?d # Passw01 style (8 chars)
?u?l?l?l?l?l?l?d?d # Password01 style (9 chars)
?u?l?l?l?l?d?d?d?d # Pass0000 style (9 chars)
?u?l?l?l?l?l?l?l?d?d?d?d # Password0000 (12 chars)
?u?l?l?l?l?l?l?d?d?s # Password1! (10 chars)
# PINs and numeric
?d?d?d?d # 4-digit PIN
?d?d?d?d?d?d