Wordlists and passwords handcrafted with ♥
A pretty comprehensive set of password dictionaries and wordlists designed for quick wins in red teaming scenarios. Why is it different? The goal here is not to crack every password possible, it is to move forward inside a network. And if cracking is really needed then the bigger lists can be used, however, the assumption here is that it will be done in a reasonable time span and with limited resources (like a VM, hijacked host etc).
A few facts:
- The rulesets, keywords and password combinations are based on analysis of roughly 400GB of pure data and dozens of peer-reviewed scientific articles.
- It is not an ordinary dump of all things available. All wordlists and rules were processed manually.
- The HTTP paths and files dictionaries are designed to avoid alerting WAFs, there are no payloads that can be easily detected as it is the case with many popular lists.
A brief introduction to brutas-passwords-#
lists:
- the number of passwords grows with the consecutive file number;
- passwords are not sorted according to the probability, they are combined into groups of probability instead;
- each consecutive file does not contain passwords from any of the previous sets.
NOTE: Due to Github limits, only lists 1-3 are precompiled. You need to run ./scripts/build.py -p main.Extended
to generate the complete set (see the tutorial below).
% ./scripts/build.py
% ./scripts/build.py -p main.Extended -t /media/user/External/tmp -o /media/user/External
% ./scripts/build.py -p main.Custom -t /media/user/External/tmp/custom -o /media/user/External/custom
There are two options:
- either overwrite
brutas-lang-int-*.txt
files; - or use the
main.Custom
class with keywords copied tokeywords/brutas-custom.txt
.
The first one would cause the build to use the specific language as the base, while other languages would still be used (starting with brutas-passwords-6-xl.txt
list). The second option would ignore the normal build process and use the full set of rules on the keywords/brutas-custom.txt
file. You should expect a massive output in that case.
You can store your local configuration in scripts/local_config.py
. For example, you may want to disable some rules (or add your own?), or change paths to hashcat-utils
binaries.
- Python 3.x
- hashcat-utils
- lzop (recommended)
- Bash
- The
main.Extended
generator takes roughly six hours to complete on a 2.6 GHz Intel Core i7 with 16GB of RAM and currently requires 130GB of free disk space to store the final results plus roughly 300GB for temporary files, SSD highly recommended. - File sizes for
main.Extended
:- brutas-passwords-5-l.txt (~400MB)
- brutas-passwords-6-xl.txt (~2.5GB)
- brutas-passwords-7-xxl.txt (~130GB)
- Building password list with
main.Custom
andkeywords/brutas-custom.txt
containing 5.5k of lines generates approx. 560GB of data and requires around 680GB for temporary files (an extra drive is recommended due to heavy I/O).
The combined lists brutas-passwords-{1,2,3,4}-*.txt
seem to be most effective for general purpose and reasonably fast password cracking. Start with the smallest one and move forward. The lists brutas-passwords-{1,2}-*.txt
are designed for a quick win in large networks. If you need something really minimalistic, try using brutas-passwords-1-xxs.txt
solely - my highly opinionated view of the top 100.
However, I recommend experimenting on your own and rebuilding these sets depending on the target. You may want to incorporate your native language keywords, too. For example, file or a domain name combined with brutas-passwords-numbers.txt
turns out to be pretty effective on encrypted archives and wireless networks. As with everything, a little social engineering comes handy to understand the local approach to the "password policy".
brutas-passwords-{1,2,3,4,5,6,7}-*.txt
- wordlists combined with passwords generated using keywords, hashcat rules and string partials (seebrutas/scripts/main/__init__.py
for details)brutas-passwords-classics.txt
- typical admin passwords based on roles (test, admin), words (password, secret) or "funny" ones (likeletmein
ortrustno1
)brutas-passwords-patterns.txt
- close key combinations or simple phrases (e.g.abcd
) combined with capitalization, numbers, repetitions etc.brutas-passwords-top.txt
- is a list composed of most popular user passwords found in leaks, doesn't contain close keys or any more sophisticated combinationsbrutas-passwords-unique.txt
- passwords which are complex enough to be used as independent passwords and are rarely mixed with any extra characters, usually related to pop-culture or sports (e.g.apollo13
,9inchnails
,ronaldo7
)brutas-passwords-numbers.txt
- a small list of numbers used in passwords (e.g. dates, math constants)
brutas-http-files-extensions-common.txt
- common file extensionsbrutas-http-files-extensions-less.txt
- less common extensionsbrutas-http-files-generic.txt
- generic file names for automated discoverybrutas-http-files-unique.txt
- unique file names e.g..bash_history
,WEB-INF/web.xml
brutas-http-params.txt
- simplistic and realistic approach to HTTP parametersbrutas-http-paths.txt
- no path traversal or pseudo exploits to keep low profile, no subs (use recursion instead) - paths onlybrutas-usernames.txt
- most common usernamesbrutas-usernames-small.txt
- a short list of usernamesbrutas-ports-tcp-http.txt
- common and not that obvious HTTP portsbrutas-ports-tcp-internal.txt
- list of TCP services that may come up internallybrutas-ports-tcp-public.txt
- list of public TCP ports, useful for host discovery
brutas-subdomains-1-small.txt
- a fairly reasonable list for host discovery composed of common conventions, self-hosted software etc.brutas-subdomains-2-large.txt
- extended list with some extra pre-/postfixes likehost-srv
,f.host
orhost10
keywords/brutas-lang-int-common.txt
- set of most frequent English (and not only) words used in passwords internationally (also from literature, pop culture etc)keywords/brutas-lang-int-less.txt
- less frequent English words used in passwords by native speakerskeywords/brutas-lang-*
- other languages based mostly on leakskeywords/brutas-all-lang.txt
- all languages combinedkeywords/brutas-subdomains.txt
- keywords and rules used to generate lists for subdomainskeywords/brutas-subdomains-extra.txt
- additional prefixes for subdomain discoverykeywords/brutas-wifi.txt
- bits and pieces useful in generating passwords for wireless networkskeywords/brutas-custom.txt
- file used withmain.Custom
generator
The build process is automated and handled by the script located in ./scripts/build.py
. Check it out to understand what are the blocks and how I set the priorities (or in other words what is most probable in my opinion).
usage: build.py [-h] [-p PATH] [-t TEMPORARY_DIR] [-o OUTPUT_DIR] [--min-length MIN_LENGTH] [--cores CORES] [--memory MEMORY] [--debug]
Brutas build script
options:
-h, --help show this help message and exit
-p PATH, --path PATH Class path. [Default: main.Basic]
-t TEMPORARY_DIR, --temporary-dir TEMPORARY_DIR
Temporary directory path. [Default: auto]
-o OUTPUT_DIR, --output-dir OUTPUT_DIR
Output directory path. [Default: .]
--min-length MIN_LENGTH
Minimal length for a password when merging lists. [Default: 4]
--cores CORES Number of cores to be used for sorting. [Default: auto]
--memory MEMORY Percentage of memory to be used for sorting. [Default: 80%]
--debug Enable debug level logging
main.Basic
- builds everything and password lists 2-4main.Extended
- extendsmain.Basic
with lists 5-7main.Custom
- parseskeywords/brutas-custom.txt
with all available rules plus some extra combinations, ordering etc.main.MergeAll
- concatenates lists 1-7 into a single filebrutas-passwords-all.txt