Wordlists are essential for brute-force attacks and directory enumeration. The Ethical Audit Framework uses different wordlists for WPScan password attacks and Gobuster directory discovery.

Default Wordlist Configuration

Wordlist paths are configured in source/config.py:
class Config:
    # Wordlist for brute-force
    WORDLIST_PATH = '/usr/share/wordlists/rockyou.txt'
    
    # Gobuster wordlist
    GOBUSTER_WORDLIST = '/usr/share/wordlists/dirb/common.txt'

Wordlist Types

WORDLIST_PATH (string, default: "/usr/share/wordlists/rockyou.txt")
Used by WPScan for WordPress login brute-force attacks (menu option 5).
rockyou.txt Details:
  • Size: 139.9 MB (compressed), 14,344,391 passwords
  • Source: Real passwords from RockYou data breach (2009)
  • Format: Plain text, one password per line
  • Coverage: Includes common passwords, leetspeak, keyboard patterns
Default Location (Kali Linux):
/usr/share/wordlists/rockyou.txt
Extraction (if compressed):
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Verifying Wordlist Availability

Before running audits, verify wordlists exist:
# Check if wordlists exist
ls -lh /usr/share/wordlists/rockyou.txt
ls -lh /usr/share/wordlists/dirb/common.txt

# View wordlist statistics
wc -l /usr/share/wordlists/rockyou.txt
wc -l /usr/share/wordlists/dirb/common.txt
If rockyou.txt is missing or compressed:
# Extract from gz archive
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Verify extraction
ls -lh /usr/share/wordlists/rockyou.txt
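The same preflight as a script, added here as an example (not the framework's own code): it takes any object with WORDLIST_PATH and GOBUSTER_WORDLIST attributes, such as the Config class from source/config.py, and reports per path whether the list is missing, present only as a .gz, unreadable or empty, together with the matching fix. demo_check builds constructed sample files in a temp directory so it runs offline.

```python
import gzip
import os
import tempfile

def check_wordlist(path: str) -> dict:
    # Mirrors the manual ls/wc checks above and maps each failure to its fix
    r = {"path": path, "ok": False, "lines": 0, "problem": "", "hint": ""}
    if not os.path.isfile(path):
        if os.path.isfile(path + ".gz"):  # Kali ships rockyou.txt.gz until it is extracted
            r["problem"], r["hint"] = "only compressed copy present", f"sudo gunzip {path}.gz"
        else:
            r["problem"], r["hint"] = "file not found", "sudo apt install wordlists, or fix config.py"
        return r
    if not os.access(path, os.R_OK):
        r["problem"], r["hint"] = "permission denied", f"sudo chmod 644 {path}, or copy it to ~/wordlists/"
        return r
    with open(path, "rb") as fh:  # binary mode: rockyou.txt is not clean UTF-8
        r["lines"] = sum(1 for line in fh if line.strip())  # blank lines are not candidates
    if r["lines"] == 0:
        r["problem"] = "wordlist is empty"
        return r
    r["ok"] = True
    return r

def check_config(config) -> dict:
    # Preflight both wordlist settings of the Config class before an audit starts
    return {name: check_wordlist(getattr(config, name))
            for name in ("WORDLIST_PATH", "GOBUSTER_WORDLIST")}

def demo_check() -> dict:
    # Constructed sample data in a temp dir: a plain list, a gz-only list and a missing path
    tmp = tempfile.mkdtemp()
    plain = os.path.join(tmp, "top10k.txt")
    with open(plain, "w") as fh:
        fh.write("password\nadmin123\n\nWelcome2024\n")
    with gzip.open(os.path.join(tmp, "rockyou.txt.gz"), "wt") as fh:
        fh.write("123456\n")

    class Config:  # stand-in for the project's source/config.py
        WORDLIST_PATH = os.path.join(tmp, "rockyou.txt")
        GOBUSTER_WORDLIST = plain

    result = check_config(Config)
    result["missing"] = check_wordlist(os.path.join(tmp, "common.txt"))
    return result

if __name__ == "__main__":
    for name, r in demo_check().items():
        print(f"{name}: ok={r['ok']} lines={r['lines']} {r['problem']} {r['hint']}".rstrip())
```

Run it against the real Config (`check_config(Config)`) before menu option 5 or the Gobuster scan to catch the FileNotFoundError and PermissionError cases listed under Troubleshooting up front.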

Custom Wordlist Setup

Creating Custom Password Wordlists

For targeted attacks, create custom wordlists:
Create subset of rockyou.txt:
# Top 10,000 passwords
head -n 10000 /usr/share/wordlists/rockyou.txt > ~/wordlists/top10k.txt

# Top 100,000 passwords
head -n 100000 /usr/share/wordlists/rockyou.txt > ~/wordlists/top100k.txt
Update config.py:
WORDLIST_PATH = '/home/user/wordlists/top10k.txt'
Benefits:
  • Faster brute-force (seconds vs hours)
  • Good for testing/development
  • Covers most common weak passwords

Creating Custom Directory Wordlists

Optimize directory enumeration with targeted wordlists:
Install SecLists collection:
# Clone SecLists
git clone https://github.com/danielmiessler/SecLists.git ~/SecLists

# Popular directory wordlists:
# - ~/SecLists/Discovery/Web-Content/common.txt (4,651 entries)
# - ~/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt (220,560 entries)
# - ~/SecLists/Discovery/Web-Content/raft-large-directories.txt (62,284 entries)
Update config.py:
GOBUSTER_WORDLIST = '/home/user/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt'

Performance Considerations

Impact on attack duration:
| Wordlist | Size | WPScan Time* | Gobuster Time* |
|---|---|---|---|
| top1000.txt | 1,000 | ~30 seconds | ~5 seconds |
| top10k.txt | 10,000 | ~5 minutes | ~30 seconds |
| common.txt | 4,614 | ~2 minutes | ~20 seconds |
| rockyou.txt | 14M | ~8-12 hours | N/A |
| directory-list-2.3-medium.txt | 220K | N/A | ~10 minutes |

*Approximate times; varies by network speed and target responsiveness.

Recommendations:
  • Development/Testing: Use top1000-10000 for quick results
  • CTF/Labs: Use full rockyou.txt for comprehensive coverage
  • Production Pentests: Start small, escalate if needed
Factors affecting performance:
  1. Network Latency:
    • Local VM: <1ms (fast)
    • Same subnet: 1-10ms (moderate)
    • Remote host: 50-200ms (slow)
  2. Target Response Time:
    • Failed login: 50-100ms
    • Rate limiting: 1-5 seconds per attempt
    • WAF/IPS: May block after N attempts
  3. Concurrent Threads:
    • WPScan: 5-10 threads (default)
    • Gobuster: 10 threads (default)
    • Higher threads = faster but more detectable
1. Start Small, Escalate:
# Phase 1: Quick test
WORDLIST_PATH = '/usr/share/wordlists/fasttrack.txt'  # 222 passwords

# Phase 2: Common passwords
WORDLIST_PATH = '/home/user/wordlists/top10k.txt'

# Phase 3: Full attack
WORDLIST_PATH = '/usr/share/wordlists/rockyou.txt'
2. Filter by Intelligence:
# If you know password policy: min 8 chars, must have number
grep -E '^.{8,}' /usr/share/wordlists/rockyou.txt | \
grep '[0-9]' > ~/wordlists/policy-compliant.txt
3. Combine with OSINT:
# Add discovered usernames, company names, dates
cat > ~/wordlists/osint.txt << EOF
john.doe
johndoe
jdoe2024
CompanyName
CompanyName123
EOF

Common Wordlist Locations

Standard wordlist paths across distributions:
# Password wordlists
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/fasttrack.txt
/usr/share/wordlists/metasploit/

# Directory wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/

# SecLists (if installed)
/usr/share/seclists/

Troubleshooting

Error:
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/wordlists/rockyou.txt'
Solutions:
# 1. Check if compressed
ls /usr/share/wordlists/rockyou.txt.gz
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# 2. Install wordlists package
sudo apt update
sudo apt install wordlists

# 3. Download manually
sudo mkdir -p /usr/share/wordlists
cd /usr/share/wordlists
sudo wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# 4. Use alternative path
# Update config.py to point to existing wordlist
Error:
PermissionError: [Errno 13] Permission denied: '/usr/share/wordlists/rockyou.txt'
Solutions:
# Check file permissions
ls -l /usr/share/wordlists/rockyou.txt

# Fix permissions
sudo chmod 644 /usr/share/wordlists/rockyou.txt

# Or copy to user directory
cp /usr/share/wordlists/rockyou.txt ~/wordlists/

# Update config.py
WORDLIST_PATH = '/home/user/wordlists/rockyou.txt'
Problem: WPScan taking hours with rockyou.txt
Solutions:
# 1. Use smaller wordlist
head -n 10000 /usr/share/wordlists/rockyou.txt > ~/wordlists/top10k.txt

# 2. Use common passwords first
# Framework automatically tries COMMON_PASSWORDS before wordlist
# Check config.py COMMON_PASSWORDS list

# 3. Add likely passwords to COMMON_PASSWORDS
# Edit config.py:
COMMON_PASSWORDS = [
    'password', 'admin', 'admin123',
    # Add discovered patterns
    'YourTargetName123', 'Welcome2024'
]

Best Practices

Development

  • Use small wordlists (1K-10K entries)
  • Fast feedback loop for testing
  • Verify functionality before full run

Production Pentests

  • Start with common passwords
  • Escalate to full wordlists if needed
  • Monitor for rate limiting/blocking

CTF Challenges

  • Use full rockyou.txt for coverage
  • Check for password hints in challenge
  • Create custom wordlists from hints

Lab Practice

  • Test different wordlist sizes
  • Measure performance impact
  • Experiment with custom wordlists

Configuration Settings

View all configuration options including COMMON_PASSWORDS

WordPress Attack

Learn how WPScan uses the password wordlist

Directory Enumeration

See how Gobuster uses directory wordlists

Hash Cracking

Understand the two-phase cracking process
