Kali Portable bundles everything you need for dictionary and rule-based attacks without any manual downloads after the build. The Dockerfile automatically fetches rockyou.txt (~133 MB) and the complete SecLists collection during the image build, deposits them at well-known paths inside the container, and pre-configures symlinks so tools like Gobuster and FFUF can reference them by short names. Hashcat rules ship with the APT package and are verified at build time. Host-side wordlists are available read-only at /host-wordlists, and a persistent workspace under /root/pentest/wordlists/ syncs to ./data/wordlists/ on your host so custom lists survive container restarts.

Environment Variable Paths

Three environment variables are baked into the image and available to every tool and script running inside the container:
WORDLISTS_PATH=/usr/share/wordlists
SECLISTS_PATH=/usr/share/seclists
HASHCAT_RULES_PATH=/usr/share/hashcat/rules
You can reference these in any command or script without hardcoding absolute paths.

Wordlists

rockyou.txt

The most widely used password cracking wordlist, downloaded from the official naive-hashcat mirror during the image build.
| Property | Value |
|----------|-------|
| Location | /usr/share/wordlists/rockyou.txt |
| Size | ~133 MB |
| Entries | ~14.3 million unique passwords |
| Source | GitHub — brannondorsey/naive-hashcat release |

# Reference rockyou via the environment variable
hashcat -m 22000 capture.hc22000 $WORDLISTS_PATH/rockyou.txt -O

SecLists Complete Collection

The full SecLists repository is cloned and extracted into /usr/share/seclists/ at build time, giving you instant access to every password, directory, fuzzing, payload, and pattern list maintained by Daniel Miessler’s project.
| Property | Value |
|----------|-------|
| Location | /usr/share/seclists/ |
| Source | GitHub — danielmiessler/SecLists (master branch) |

Key subdirectories inside $SECLISTS_PATH:
/usr/share/seclists/
├── Discovery/
│   ├── Web-Content/          # common.txt, raft-*, directory-list-*
│   ├── DNS/                  # subdomain wordlists
│   └── Infrastructure/       # network enumeration lists
├── Passwords/
│   ├── Common-Credentials/   # 10-million-password-list-*
│   ├── Leaked-Databases/
│   └── WiFi-WPA/             # WPA-focused lists
├── Fuzzing/                   # SQLi, XSS, SSTI, path traversal payloads
├── Usernames/
└── Miscellaneous/

Symlinked Convenience Lists

Two frequently used SecLists files are symlinked directly into $WORDLISTS_PATH so short path references work out of the box:
| Alias Path | Points To |
|------------|-----------|
| /usr/share/wordlists/common.txt | $SECLISTS_PATH/Discovery/Web-Content/common.txt |
| /usr/share/wordlists/directory-list-medium.txt | $SECLISTS_PATH/Discovery/Web-Content/directory-list-2.3-medium.txt |

# Gobuster with the symlinked common.txt
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/common.txt

# Medium directory list
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/directory-list-medium.txt

Host Wordlists (Read-Only Mount)

When the container starts, your host machine’s /usr/share/wordlists/ directory is mounted read-only at /host-wordlists. This gives you access to any wordlists installed on the host (e.g., Kali native installs) without duplicating storage.
# Access host wordlists inside the container
ls /host-wordlists/
hashcat -m 22000 capture.hc22000 /host-wordlists/rockyou.txt -O

Persistent User Wordlists

The /root/pentest/wordlists/ directory inside the container is bind-mounted to ./data/wordlists/ on the host. Any wordlists you copy here persist across container restarts and image rebuilds.
# Copy a custom wordlist to the persistent volume (from host)
cp ~/my-custom-list.txt ./data/wordlists/

# Use it inside the container
hashcat -m 22000 capture.hc22000 /root/pentest/wordlists/my-custom-list.txt -O
Store large corporate-specific or custom-generated wordlists in ./data/wordlists/ on the host. They will appear at /root/pentest/wordlists/ inside every container session without bloating the Docker image.

Hashcat Rules

Hashcat rules ship with the hashcat APT package from Kali’s repository and land at /usr/share/hashcat/rules/. The Dockerfile verifies their presence at build time. The project also includes an extended rules collection (including hybrid rules) that maps to /root/pentest/rules/ inside the container via the ./data/rules/ volume mount.
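
A preflight check for the layout described so far, added here as an example and not taken from the Kali Portable project. The function name `check_layout` and its `prefix` argument are assumptions; `prefix` is empty inside the container and exists only so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not project code). check_layout and its prefix argument are
# hypothetical; prefix is empty inside the container and lets the check run
# against a constructed directory tree elsewhere.
check_layout() {
    prefix="${1:-}"
    wl="${prefix}${WORDLISTS_PATH:-/usr/share/wordlists}"
    sl="${prefix}${SECLISTS_PATH:-/usr/share/seclists}"
    hr="${prefix}${HASHCAT_RULES_PATH:-/usr/share/hashcat/rules}"
    failures=0

    # Files the build is documented to deposit: must exist and be non-empty.
    for f in "$wl/rockyou.txt" "$hr/best64.rule"; do
        if [ ! -s "$f" ]; then
            echo "MISSING $f"
            failures=$((failures + 1))
        fi
    done

    # Convenience aliases: each must be a symlink that resolves to the
    # documented SecLists file, not a stale copy or a dangling link.
    for pair in \
        "common.txt:Discovery/Web-Content/common.txt" \
        "directory-list-medium.txt:Discovery/Web-Content/directory-list-2.3-medium.txt"
    do
        link="$wl/${pair%%:*}"
        target="$sl/${pair#*:}"
        if [ ! -L "$link" ]; then
            echo "NOT-A-SYMLINK $link"
            failures=$((failures + 1))
        elif [ ! -e "$link" ]; then
            echo "DANGLING $link"
            failures=$((failures + 1))
        elif [ ! "$link" -ef "$target" ]; then
            echo "WRONG-TARGET $link"
            failures=$((failures + 1))
        fi
    done

    # The host mount is documented as read-only; flag it if it is writable.
    if [ -d "$prefix/host-wordlists" ] && [ -w "$prefix/host-wordlists" ]; then
        echo "WRITABLE $prefix/host-wordlists"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ]
}
```

Inside the container, source the file and run `check_layout` with no argument; a non-zero exit status means at least one documented path is missing, dangling, or unexpectedly writable.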

Core Rules

| Rule File | Description |
|-----------|-------------|
| best64.rule | Top 64 most effective password mutations |
| best66.rule | Extended best-64 with 2 additional transforms |
| d3ad0ne.rule | Large comprehensive mutation set (~34k rules) |
| T0XlC.rule | Advanced transformations — symbols, numbers, substitutions |
| T0XlCv2.rule | Revised and expanded T0XlC ruleset |
| T0XlC_3_rule.rule | Third iteration of the T0XlC series |
| T0XlC-insert_00-99_1950-2050_toprules_0_F.rule | Year/number insertion rules |
| T0XlC-insert_space_and_special_0_F.rule | Space and special character insertion |
| T0XlC-insert_top_100_passwords_1_G.rule | Top-100 password injection rules |
| T0XlC_insert_HTML_entities_0_Z.rule | HTML entity substitution rules |
| leetspeak.rule | Standard leet-speak character substitutions |
| Incisive-leetspeak.rule | Extended leet-speak with additional symbol coverage |
| unix-ninja-leetspeak.rule | Unix-Ninja variant leet-speak transforms |
| rockyou-30000.rule | Rules optimized for rockyou.txt candidate generation |
| combinator.rule | Combination attack helper rules |
| dive.rule | Deep exploration ruleset for stubborn hashes |
| oscommerce.rule | Rules derived from osCommerce password patterns |
| generated.rule | Auto-generated mutation rules |
| generated2.rule | Second auto-generated ruleset |
| specific.rule | Target-specific rule patterns |
| stacking58.rule | 58-level stacking rule combination |
| InsidePro-HashManager.rule | Rules ported from InsidePro HashManager |
| InsidePro-PasswordsPro.rule | Rules ported from InsidePro PasswordsPro |
| top10_2025.rule | Rules targeting current-year top password patterns |
| toggles1.rule – toggles5.rule | Case-toggling rules (1–5 positions) |

Hybrid Rules

The hybrid/ subdirectory contains append and prepend rule combinations for hybrid dictionary+mask attacks. Files follow a consistent naming scheme:
hybrid/
├── append_d.rule              # Append digits
├── append_ds.rule             # Append digits + special chars
├── append_du.rule             # Append digits + uppercase
├── append_l.rule              # Append lowercase
├── append_ld.rule             # Append lowercase + digits
├── append_lu.rule             # Append lowercase + uppercase
├── append_lus.rule            # Append lowercase + uppercase + special
├── append_s.rule              # Append special characters
├── append_u.rule              # Append uppercase
├── prepend_d.rule             # Prepend digits
├── prepend_l.rule             # Prepend lowercase
├── prepend_ld.rule            # Prepend lowercase + digits
...                            # (passthrough variants for each)
Each rule also has a _passthrough variant that passes the original candidate unmodified alongside the mutated version — useful for hybrid attacks where you want both the base word and its appended mutation as candidates.

Using Wordlists with Hashcat

Standard Dictionary Attack

# Attack WPA2 handshake with rockyou.txt
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt

Dictionary + Rule Attack

# With best64.rule: every word is tried once per rule in the file, multiplying the candidate count
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule -O

# With d3ad0ne for deeper mutations
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/d3ad0ne.rule -O

SecLists Password Lists

# 1-million common passwords
hashcat -m 22000 capture.hc22000 \
  /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt -O

# WPA-specific wordlist from SecLists
hashcat -m 22000 capture.hc22000 \
  /usr/share/seclists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt -O

Hybrid Append Attack

# Append digits to every rockyou candidate (e.g., password → password123)
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt \
  -r /root/pentest/rules/hybrid/append_d.rule -O

Resuming an Interrupted Attack

Hashcat automatically checkpoints its progress. If a crack session is interrupted (container restart, power loss), resume exactly where it left off:
# --restore reloads the original command line from the restore file, so no mode or hash file is given
hashcat --restore
The Hashcat session file (.hashcat/session.restore) is stored inside the container at /root/.hashcat/. To make restore files persist across container restarts, ensure your attack targets files stored under /root/pentest/ (which is bind-mounted to ./data/ on the host). Potfile entries at ~/.hashcat/hashcat.potfile are also preserved this way.

Showing Cracked Results

# Display all cracked hashes from the current potfile
hashcat -m 22000 capture.hc22000 --show

# Save results to a report file
hashcat -m 22000 capture.hc22000 --show > /root/pentest/loot/cracked.txt
