{"id":13540222,"url":"https://github.com/duyet/bruteforce-database","last_synced_at":"2026-01-28T04:33:58.645Z","repository":{"id":37388451,"uuid":"43639985","full_name":"duyet/bruteforce-database","owner":"duyet","description":"Bruteforce database","archived":false,"fork":false,"pushed_at":"2024-03-02T15:10:12.000Z","size":32637,"stargazers_count":1389,"open_issues_count":4,"forks_count":558,"subscribers_count":70,"default_branch":"master","last_synced_at":"2024-05-21T15:27:39.593Z","etag":null,"topics":["brute-force","brute-force-attacks","bruteforce","duyetdev","hacktoberfest","password","password-dictionaries","seclists"],"latest_commit_sha":null,"homepage":"http://duyet.github.io/bruteforce-database","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/duyet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"duyet","ko_fi":"duyet"}},"created_at":"2015-10-04T14:55:41.000Z","updated_at":"2024-06-03T15:42:06.294Z","dependencies_parsed_at":"2024-06-03T15:41:59.671Z","dependency_job_id":null,"html_url":"https://github.com/duyet/bruteforce-database","commit_stats":null,"previous_names":["duyetdev/bruteforce-database"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duyet%2Fbruteforce-database","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duyet%2Fbruteforce-database/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duyet%2Fbruteforce-database/releases","manifest
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duyet%2Fbruteforce-database/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/duyet","download_url":"https://codeload.github.com/duyet/bruteforce-database/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247369937,"owners_count":20927927,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","brute-force-attacks","bruteforce","duyetdev","hacktoberfest","password","password-dictionaries","seclists"],"created_at":"2024-08-01T09:01:43.048Z","updated_at":"2026-01-28T04:33:58.640Z","avatar_url":"https://github.com/duyet.png","language":null,"funding_links":["https://github.com/sponsors/duyet","https://ko-fi.com/duyet"],"categories":["\u003ca id=\"73c3c9225523cbb05333246f23342846\"\u003e\u003c/a\u003e工具","\u003ca id=\"de81f9dd79c219c876c1313cd97852ce\"\u003e\u003c/a\u003e破解\u0026\u0026Crack\u0026\u0026爆破\u0026\u0026BruteForce","Python"],"sub_categories":["\u003ca id=\"53084c21ff85ffad3dd9ce445684978b\"\u003e\u003c/a\u003e未分类的","\u003ca id=\"f2c76d99a0b1fda124d210bd1bbc8f3f\"\u003e\u003c/a\u003eWordlist生成"],"readme":"# Bruteforce Database - Wordlists for Ethical Security Testing\n\n[![CI](https://github.com/duyet/bruteforce-database/actions/workflows/validate.yml/badge.svg)](https://github.com/duyet/bruteforce-database/actions/workflows/validate.yml)\n[![License: 
MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)\n\n![](http://2.bp.blogspot.com/-DBFErnG-8AE/VhJ-z3Y-41I/AAAAAAAADgA/FGCt8naBMKs/s1600/mtyourmind.10001mb.com.png)\n\nA collection of wordlists for security testing, penetration testing, and password analysis.\n\n\u003e **Note:** For authorized testing only. Only use on systems you own or have permission to test.\n\n---\n\n## Quick Start\n\n```bash\n# Clone the repository\ngit clone https://github.com/duyet/bruteforce-database.git\ncd bruteforce-database\n\n# Example: Test SSH login (authorized testing only!)\nhydra -L usernames.txt -P 1000000-password-seclists.txt ssh://target.example.com\n\n# Example: Web directory brute-forcing\ngobuster dir -u https://example.com -w forced-browsing/all.txt\n\n# Example: Subdomain enumeration\nffuf -u https://FUZZ.example.com -w subdomains-10000.txt\n```\n\n---\n\n## What's Inside\n\n### Stats\n- 11+ million total entries\n- 135+ MB of data\n- 4 main categories: Passwords, Usernames, Infrastructure, Identities\n- Validated with automated CI/CD\n\n### Use Cases\n\n| I need to... | Use this wordlist | Why? 
|\n|-------------|------------------|------|\n| Test common passwords | `1000000-password-seclists.txt` | Most common passwords from breach data |\n| Test password policy | `8-more-passwords.txt` | Filtered for length, complexity requirements |\n| Enumerate user accounts | `usernames.txt` | 400K+ common US usernames |\n| Find hidden directories | `forced-browsing/all.txt` | Comprehensive web path discovery |\n| Discover subdomains | `subdomains-10000.txt` | 10K most common subdomain names |\n| Test against massive dataset | `2151220-passwords.txt` | 2.1M password compilation |\n| Generate wordlist for JtR | `uniqpass_v16_password.txt` | Optimized for John the Ripper |\n| Test keyboard patterns | `cain.txt` | Includes common patterns from Cain \u0026 Abel |\n\n---\n\n## Available Wordlists\n\n### Password Dictionaries\n\n#### General Purpose\n- **`1000000-password-seclists.txt`** (1M entries, 8.5 MB)\n  - Source: [SecLists](https://github.com/danielmiessler/SecLists) project\n  - Use: Initial password testing, most common passwords\n\n- **`2151220-passwords.txt`** (2.1M entries, 20 MB)\n  - Source: Dazzlepod.com compilation\n  - Use: Comprehensive password testing\n\n#### Filtered Sets\n- **`8-more-passwords.txt`** (62K entries, 629 KB)\n  - Filters: 8+ chars, requires caps + numbers, no consecutive chars\n  - Use: Testing password policies with complexity requirements\n\n- **`7-more-passwords.txt`** (528K entries, 5 MB)\n  - Filters: 7+ chars, numeric-only removed\n  - Use: Medium-complexity password policies\n\n#### Specialized\n- **`cain.txt`** (307K entries, 2.5 MB)\n  - Source: Cain \u0026 Abel password cracker\n  - Use: Classic patterns, keyboard walks, common substitutions\n\n- **`bitcoin-brainwallet.lst`** (395K entries, 3.4 MB)\n  - Source: Dictionary words used for Bitcoin brainwallets\n  - Use: Passphrase testing, dictionary attacks\n\n- **`38650-password-sktorrent.txt`** (39K entries, 309 KB)\n  - Source: SKTorrent.eu leaked database\n  - Use: Real-world 
password patterns\n\n#### Tool-Specific\n- **`uniqpass_v16_password.txt`** (2.1M entries, 20 MB)\n  - Source: Optimized for [John the Ripper](https://www.openwall.com/john/)\n  - Use: Hash cracking with JtR\n\n### Usernames \u0026 Identities\n\n- **`usernames.txt`** (403K entries, 3.3 MB)\n  - Source: US username compilation\n  - Use: Account enumeration, user testing\n\n- **`38650-username-sktorrent.txt`** (39K entries, 258 KB)\n  - Source: SKTorrent.eu leaked database\n  - Use: Real-world username patterns\n\n- **`facebook-firstnames.txt`** (4.3M entries, 37 MB)\n  - Source: Facebook public first names\n  - Use: Name-based password testing\n\n### Geographic Data\n\n- **`us-cities.txt`** (21K entries, 199 KB)\n  - Use: Location-based password testing\n\n- **`indo-cities.txt`** (102 entries, 1.2 KB)\n  - Use: Regional password testing\n\n### Infrastructure Testing\n\n- **`subdomains-10000.txt`** (10K entries, 97 KB)\n  - Use: Subdomain enumeration, DNS reconnaissance\n  - Tools: [Sublist3r](https://github.com/aboul3la/Sublist3r), [ffuf](https://github.com/ffuf/ffuf), [gobuster](https://github.com/OJ/gobuster)\n\n### Forced Browsing / Directory Discovery\n\n**`forced-browsing/`** directory contains specialized wordlists for web application testing:\n\n- **`all.txt`** (43K entries) - Comprehensive file/directory list\n- **`all-extensionless.txt`** (25K entries) - Paths without file extensions\n- **`all-dirs.txt`** - Directory names only\n\n#### Categorized by File Type\n\n**`forced-browsing/cat/`** - Organized by file category:\n- `Conf/` - Configuration files (`.conf`, `.config`, `.htaccess`, `.properties`)\n- `Database/` - Database files (`.sql`, `.mdb`, `.xml`, `.ini`)\n- `Language/` - Source code files (`.php`, `.asp`, `.jsp`, `.java`)\n- `Project/` - Project files (`.csproj`, `.pdb`, `.sln`)\n\n#### Context-Based Paths\n\n**`forced-browsing/context/`** - Organized by context:\n- `admin.txt` - Admin panels and interfaces\n- `test.txt` - Test environments and 
files\n- `debug.txt` - Debug endpoints\n- `error.txt` - Error pages and handlers\n- `help.txt` - Help and documentation paths\n- Plus many more specialized contexts\n\n**Usage Example:**\n```bash\n# Scan for admin panels\ngobuster dir -u https://target.com -w forced-browsing/context/admin.txt\n\n# Look for config files\nffuf -u https://target.com/FUZZ -w forced-browsing/cat/Conf/conf.txt\n\n# Comprehensive directory scan\ndirsearch -u https://target.com -w forced-browsing/all.txt\n```\n\n---\n\n## Usage Examples\n\n### Password Cracking\n\n```bash\n# John the Ripper\njohn --wordlist=2151220-passwords.txt hashes.txt\n\n# Hashcat (MD5)\nhashcat -m 0 -a 0 hashes.txt 1000000-password-seclists.txt\n\n# Hydra (SSH brute force)\nhydra -l admin -P 8-more-passwords.txt ssh://192.168.1.100\n```\n\n### Web Application Testing\n\n```bash\n# Directory discovery with gobuster\ngobuster dir -u https://example.com -w forced-browsing/all.txt -t 50\n\n# File discovery with specific extensions\ngobuster dir -u https://example.com -w forced-browsing/all-extensionless.txt -x php,html,txt\n\n# Fast fuzzing with ffuf\nffuf -u https://example.com/FUZZ -w forced-browsing/context/admin.txt -mc 200,301,302\n```\n\n### Subdomain Enumeration\n\n```bash\n# Sublist3r\nsublist3r -d example.com -w subdomains-10000.txt\n\n# ffuf for subdomain fuzzing\nffuf -u https://FUZZ.example.com -w subdomains-10000.txt -mc 200\n\n# gobuster DNS mode\ngobuster dns -d example.com -w subdomains-10000.txt\n```\n\n### Account Enumeration\n\n```bash\n# Test for valid usernames (authorized only!)\n# enum4linux takes no wordlist; its -w flag sets the workgroup\n./enum4linux -U target.com\n\n# Check username availability\n# ffuf substitutes FUZZ from the wordlist; curl's -w is --write-out, not a wordlist\nffuf -u https://api.example.com/check-username -d \"username=FUZZ\" -w usernames.txt\n```\n\n---\n\n## Decision Guide: Which Wordlist?\n\n### For Password Testing\n\n**Quick test (\u003c 1 minute):**\n- Use `8-more-passwords.txt` (62K entries)\n- Fast, focuses on complex passwords\n\n**Standard test (5-10 minutes):**\n- Use 
`1000000-password-seclists.txt` (1M entries)\n- Industry standard, best coverage-to-time ratio\n\n**Comprehensive test (30+ minutes):**\n- Use `2151220-passwords.txt` (2.1M entries)\n- Maximum coverage\n\n**Policy-specific testing:**\n- Strong policy (8+ chars, complexity): `8-more-passwords.txt`\n- Medium policy (7+ chars): `7-more-passwords.txt`\n- Weak/no policy: `1000000-password-seclists.txt`\n\n### For Web Testing\n\n**Quick scan:**\n- `forced-browsing/context/\u003cspecific\u003e.txt` (targeted)\n\n**Standard scan:**\n- `forced-browsing/all-dirs.txt` (directories only)\n\n**Comprehensive scan:**\n- `forced-browsing/all.txt` (everything)\n\n**File-specific:**\n- `forced-browsing/cat/\u003ctype\u003e/` (by file extension)\n\n---\n\n## Tools That Work With These Wordlists\n\n### Password Cracking\n- [John the Ripper](https://www.openwall.com/john/) - Password cracking\n- [Hashcat](https://hashcat.net/hashcat/) - Advanced password recovery\n- [Hydra](https://github.com/vanhauser-thc/thc-hydra) - Network login cracker\n\n### Web Testing\n- [Gobuster](https://github.com/OJ/gobuster) - Directory/file \u0026 DNS busting\n- [ffuf](https://github.com/ffuf/ffuf) - Fast web fuzzer\n- [Dirsearch](https://github.com/maurosoria/dirsearch) - Web path scanner\n- [Burp Suite](https://portswigger.net/burp) - Web application testing\n\n### Subdomain Discovery\n- [Sublist3r](https://github.com/aboul3la/Sublist3r) - Subdomain enumeration\n- [Amass](https://github.com/OWASP/Amass) - Network mapping\n\n---\n\n## Automation \u0026 Quality\n\nThis repository includes automation tools:\n\n### Validation Tools\n\n```bash\n# Validate all wordlists\npython3 scripts/validate.py\n\n# Validate specific file\npython3 scripts/validate.py --file passwords.txt\n\n# Deduplicate wordlists\npython3 scripts/deduplicate.py passwords.txt\n\n# Deduplicate all\npython3 scripts/deduplicate.py --all\n```\n\n### CI/CD Pipeline\n\nEvery commit and pull request is automatically:\n- Validated for encoding 
and format\n- Checked for file corruption\n- Scanned for sensitive data\n- Analyzed for statistics\n- Verified for integrity\n\nSee [`.github/workflows/validate.yml`](.github/workflows/validate.yml)\n\n### Manifest\n\nThe `manifest.json` file contains metadata for every wordlist:\n- Entry counts and unique entries\n- File sizes and checksums\n- Encoding information\n- Validation status\n\nGenerated automatically on every commit.\n\n---\n\n## Contributing\n\nWe welcome contributions! See [CONTRIBUTING.md](./CONTRIBUTING.md) for detailed guidelines.\n\n### Quick Contribution Checklist\n\n- [ ] Wordlist is unique (not a duplicate)\n- [ ] Source is documented\n- [ ] File is UTF-8 encoded\n- [ ] Deduplicated and validated\n- [ ] README updated with entry\n- [ ] Commit message is descriptive\n\n### Running Validation Locally\n\n```bash\n# Before submitting PR\npython3 scripts/validate.py\npython3 scripts/deduplicate.py --all\n```\n\n---\n\n## Ethics \u0026 Responsible Use\n\n**IMPORTANT:** These wordlists are for authorized security testing only.\n\n### Acceptable Use\n- Penetration testing with written authorization\n- Security research on your own systems\n- Educational purposes in controlled environments\n- Password policy analysis and improvement\n- Academic research with ethical approval\n\n### Unacceptable Use\n- Unauthorized access to any system\n- Testing systems without explicit permission\n- Malicious hacking or cybercrime\n- Harassment or targeting individuals\n- Any illegal activity under applicable laws\n\n**By using these wordlists, you agree to use them responsibly and legally.**\n\nSee [CLAUDE.md](./CLAUDE.md) for our full philosophy on ethical use.\n\n---\n\n## Project Philosophy\n\nRead [CLAUDE.md](./CLAUDE.md) for our principles:\n- Quality over quantity\n- Ethical use only\n- Full transparency\n- Community first\n- Evolution, not stagnation\n\n---\n\n## Contributors\n\nThank you to everyone who has contributed to this project:\n\n- Van-Duyet Le - 
[**@duyet**](https://github.com/duyet) - Creator \u0026 Maintainer\n- Taufiq Sumadi - [**@taufiqsumadi**](https://github.com/taufiqsumadi)\n- San Sayidul Akdam Augusta - [**@sanAkdam**](https://github.com/sanAkdam)\n- Dani Vijay - [**@danivijay**](https://github.com/danivijay) - Forced-browsing wordlists\n\nWant to contribute? See [CONTRIBUTING.md](./CONTRIBUTING.md)!\n\n---\n\n## License\n\nThis project is licensed under the [MIT License](./LICENSE).\n\nYou are free to:\n- Use for any purpose (commercial or non-commercial)\n- Modify and create derivatives\n- Distribute and share\n\nRequirements:\n- Include the license and copyright notice\n- Use responsibly and legally\n\n---\n\n## Support This Project\n\nIf you find this project useful:\n\n- Star this repository on GitHub\n- Report issues to help us improve\n- Contribute new wordlists or improvements\n- Share with the security community\n- Sponsor via [GitHub Sponsors](https://github.com/sponsors/duyet)\n\n---\n\n## Related Resources\n\n- [SecLists](https://github.com/danielmiessler/SecLists) - Collection of security lists\n- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) - Penetration testing payloads\n- [FuzzDB](https://github.com/fuzzdb-project/fuzzdb) - Attack patterns database\n- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) - Web security testing methodology\n\n---\n\n## Changelog\n\nSee [CHANGELOG.md](./CHANGELOG.md) for version history and updates.\n\n---\n\n**\"Quality is not an act, it's a habit.\" - Aristotle**\n\nMade with ❤️ by the security community, for the security community.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduyet%2Fbruteforce-database","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduyet%2Fbruteforce-database","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduyet%2Fbruteforce-database/lists"}