wordlistctl lists installable wordlists from SecLists, but lists them by file name (ex: SecLists/Fuzzing/Databases/NoSQL.txt -> NoSQL). Would it be better to list installable wordlists by relative path (ex: Fuzzing/Databases/NoSQL) or file name (ex: NoSQL)?

#wordlists

relative path: 100%
filename: 0%
wordlistctl/repo.json at master · BlackArch/wordlistctl

Fetch, install and search wordlist archives from websites and torrent peers. - BlackArch/wordlistctl

GitHub
I saw this passphrase wordlist project pop up. Just like to remind folks that passphrase passwords (ex: correcthorsebatterystapler), even with character substitution, can be enumerated and that GPUs will eventually be able to bruteforce the inevitable password dumps from data breaches. In fact a certain someone wrote up a blog post two years ago showing how you could enumerate all permutations of passphrases using Ruby to build your own custom passphrase wordlists, which of course was met with immediate pooh-poohing.
#wordlists #passphrase #enumeration #ruby
initstring / passphrase-wordlist · GitLab

Passphrase wordlist and hashcat rules for offline cracking of long, complex passwords

GitLab
Does anyone actually use the User-Agent wordlists from SecLists that are grouped by OS/platform? Some of these files only contain a single User-Agent (lol) because apparently LG adds a random string to their UAs. /cc @danielmiessler https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/operating-platform/
#wordlists #seclists
SecLists/Fuzzing/User-Agents/operating-platform at master · danielmiessler/SecLists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, ...

GitHub

If a password is manually typed in, it is probably going to be a combination of a few common words, and maybe some random numbers on the end, and maybe a random delimiter character between the words/numbers. For that purpose you can just do a Cartesian product of multiple wordlists, a list of numbers/years, and an array of symbol characters. This can be done using the Ruby wordlist library and CLI. Do you suspect they did any "leet speak" character substitutions? Both the wordlist library and CLI support enumerating over every possible substitution mutation of every generated word.

If a password is generated by a password manager, then all you need to do is pick a character set (usually visible ASCII characters), and generate all strings of a range of lengths. This can be done using the Ruby chars library (ex: Chars::VISIBLE.strings_of_length(10..14).each { |password| ... }).
#wordlists #ruby #pentesting

postmodern - enumerating xkcd-style passwords with ruby
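
The gap between the two cases in the posts above, as an added example that is not part of the original posts or of the wordlist/chars libraries: plain Ruby that lazily enumerates a word/delimiter/suffix Cartesian product and compares its keyspace with random strings, which is the sizing a defender needs when judging a passphrase policy. The four-word list, delimiter set, suffix ranges, the 10,000-word dictionary size and the 94-character visible ASCII alphabet are all assumptions.

```ruby
# Added example: constructed sample data, plain Ruby (no wordlist/chars gems).
WORDS      = %w[correct horse battery staple].freeze
DELIMITERS = ['', '-', '_', '.'].freeze
# Assumed suffixes: none, 0-99, and years 1990-2025.
SUFFIXES   = ([''] + (0..99).map(&:to_s) + (1990..2025).map(&:to_s)).freeze

# Lazily yields every word/delimiter/suffix combination (Cartesian product).
def passphrase_candidates(words, delimiters, suffixes, word_count)
  Enumerator.new do |out|
    words.repeated_permutation(word_count) do |combo|
      delimiters.product(suffixes) do |delim, suffix|
        phrase = combo.join(delim)
        out << (suffix.empty? ? phrase : phrase + delim + suffix)
      end
    end
  end
end

# Size of the same space, computed without enumerating it.
def passphrase_keyspace(word_total, delimiter_total, suffix_total, word_count)
  (word_total**word_count) * delimiter_total * suffix_total
end

# Number of strings over an alphabet for a range of lengths
# (the password-manager case: every character is independent).
def random_keyspace(alphabet_size, lengths)
  lengths.sum { |n| alphabet_size**n }
end

# Keyspace expressed as bits of search effort.
def bits(keyspace)
  Math.log2(keyspace).round(1)
end

if __FILE__ == $PROGRAM_NAME
  sample = passphrase_candidates(WORDS, DELIMITERS, SUFFIXES, 2)
  puts sample.first(3).inspect
  # Assumed policy: 4 words from a 10,000-word dictionary vs. 94 visible ASCII chars.
  typed  = passphrase_keyspace(10_000, DELIMITERS.size, SUFFIXES.size, 4)
  random = random_keyspace(94, 10..14)
  puts "typed passphrase:   #{typed} candidates (~#{bits(typed)} bits)"
  puts "random 10-14 chars: #{random} candidates (~#{bits(random)} bits)"
end
```

The enumerator never materializes the full list, so the sample can be inspected with `first` while the real sizing is done arithmetically.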

I want to know what the purpose/value is of the highly-specific wordlist generator template syntax that hashcat/crunch use. Like where is the value in specifying that character 2 is alphabetic, but character 3 is symbolic, and character 4 is numeric? How do you even get that highly-specific information about someone's password, yet don't know the full password? Shoulder surfing? Hidden camera? Trying to decode the keystrokes via the microphone? And why do wordlist builder utils always use a confusing and difficult to remember syntax for their wordlist template format (ex: "@ represents lowercase letters")?
#rant #wordlists #hashcat #crunch
Using Hashcat Rules to Create Custom Wordlists

When on an engagement, it is common to need a custom wordlists for either Password Spraying, or Password Cracking when you have captured some hashes. This post intends to serve as a quick guide for…

Infinite Logins
Create Custom Wordlists Using Crunch in Kali Linux - GeeksforGeeks

A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.

GeeksforGeeks
Just released wordlist 1.1.0, the Ruby library/CLI for reading, combining, mutating, and building wordlists. It slices, it dices, and it now supports reading and writing zip and 7zip compressed wordlists.
https://github.com/postmodern/wordlist.rb#readme
#ruby #infosec #wordlist #wordlists
If a wordlist generator util has an option to allow digits in words, should it only allow ASCII digits or all unicode digits?
#wordlists #unicode
only 0-9: 70.6%
0-9 and unicode decimal digits: 5.9%
all unicode "numbers": 23.5%
Find all Unicode Characters from Hieroglyphs to Dingbats – Unicode Compart

All Unicode Symbols with Names and Descriptions on One Page

https://www.compart.com/en/unicode/category/Nd
What would be a good sub-command name for downloading a wordlist into the current working directory?
#wordlists #cli #namingthings
download: 6.3%
install: 0%
get: 18.8%
fetch: 75%