{"id":48159120,"url":"https://github.com/mrhenrike/wordlistsforhacking","last_synced_at":"2026-04-08T00:01:21.897Z","repository":{"id":74963760,"uuid":"528168176","full_name":"mrhenrike/WordListsForHacking","owner":"mrhenrike","description":"Brazilian pentest wordlists: 1.5M+ passwords, 1.1K+ usernames, 2.4K+ default credential pairs. PT-BR dictionary + cultural phrases + manufacturer defaults. Red team, SOC training, security workshops.","archived":false,"fork":false,"pushed_at":"2026-03-30T14:15:57.000Z","size":9831,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-04T18:40:41.024Z","etag":null,"topics":["brazilian-dic","brazilian-portuguese","brazilian-wordlist","bruteforce","credential-stuffing","default-credentials","hacking","hacking-tools","iot-security","ot-security","password-cracking","pentest","pt-br","redteam","security-awareness","siem","wordlist","wordlist-brasil","wordlist-brazil","wordlists"],"latest_commit_sha":null,"homepage":"https://github.com/mrhenrike/WordListsForHacking/releases/tag/v2.0.0","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mrhenrike.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-08-23T21:28:01.000Z","updated_at":"2026-04-01T00:50:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"17812fc8-d12a-49e8-97f3-b8ebc7da39ae","html_url":"https://github.com/mrhenrike/WordListsForHacking","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/mrhenrike/WordListsForHacking","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrhenrike%2FWordListsForHacking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrhenrike%2FWordListsForHacking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrhenrike%2FWordListsForHacking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrhenrike%2FWordListsForHacking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mrhenrike","download_url":"https://codeload.github.com/mrhenrike/WordListsForHacking/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrhenrike%2FWordListsForHacking/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31533824,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"ssl_error","status_checked_at":"2026-04-07T16:28:06.951Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brazilian-dic","brazilian-portuguese","brazilian-wordlist","bruteforce","credential-stuffing","default-credentials","hacking","hacking-tools","iot-security","ot-security","password-cracking","pentest","pt-br","redteam","security-awareness","siem","wordlist","wordlist-brasil","wordlist-brazil","wordlists"],"created_at":"2026-04-04T17:20:31.732Z","updated_at":"2026-04-08T00:01:21.884Z","avatar_url":"https://github.com/mrhenrike.png","language":"Python","readme":"# WordListsForHacking\n\n\u003e **Author:** André Henrique ([@mrhenrike](https://github.com/mrhenrike))  \n\u003e **Version:** 2.0.0 · **License:** MIT · **Updated:** 2026-03-30\n\nCurated wordlists for authorized penetration testing, red team exercises, SOC training,\nand security workshops — focused on Brazilian environments and global device defaults.\n\n---\n\n## Files\n\n| File | Type | Lines (approx.) | Purpose |\n|------|------|-----------------|---------|\n| `wlist_brasil.lst` | Passwords | ~1.4M | Brazilian passwords: PT-BR dictionary + real leaks + cultural phrases + leet variations |\n| `username_br.lst` | Usernames | ~350 | Brazilian and global usernames: corporate roles, default accounts, MSP/MSSP patterns |\n| `default-creds-combo.lst` | `user:password` | ~4,500 | Default credentials for 200+ device/software vendors — no length filtering |\n| `labs_passwords.lst` | Passwords | ~116 | Passwords used in Prof. André's classes and security events |\n| `labs_users.lst` | Usernames | ~10 | Usernames used in classes and events |\n| `labs_mikrotik_pass.lst` | Passwords | ~38 | MikroTik-specific passwords for tool demonstrations |\n\n---\n\n## Why Pure Numeric Sequences Are NOT Included\n\nPurely numeric sequences (PINs, dates, CPF/CNPJ numbers, phone numbers, ID numbers)\nare intentionally **omitted** from `wlist_brasil.lst` and `username_br.lst`.\n\n**Reason:** Tools like `crunch`, `cupp`, and `hashcat --increment` generate these\nsets **locally in seconds** with far greater efficiency than maintaining millions of\nstatic numeric lines in a file. Including them would inflate file size without\nadding real attack value.\n\n### How to Generate Numeric Wordlists with Crunch\n\nInstall Crunch:\n\n```bash\n# Debian / Ubuntu / Kali\nsudo apt install crunch\n\n# Arch Linux / BlackArch\nsudo pacman -S crunch\n\n# Fedora / RHEL\nsudo dnf install crunch\n```\n\n#### All 6- and 8-digit combinations\n\n```bash\n# 6 digits: 000000 to 999999 (1,000,000 entries)\ncrunch 6 6 0123456789 -o numeric-6.lst\n\n# 8 digits: 00000000 to 99999999 (100,000,000 entries)\ncrunch 8 8 0123456789 -o numeric-8.lst\n\n# 6 to 8 digits in one file\ncrunch 6 8 0123456789 -o numeric-6to8.lst\n```\n\n#### Dates — Brazilian formats\n\n```bash\n# DDMMYYYY (e.g., 15081990) — years 2000 to 2025\nfor y in $(seq 2000 2025); do\n  crunch 8 8 -t \"%%$$${y}\" \u003e\u003e datas-ddmmyyyy.lst 2\u003e/dev/null\ndone\n\n# YYYYMMDD\nfor y in $(seq 2000 2025); do\n  crunch 8 8 -t \"${y}$$%%\" \u003e\u003e datas-yyyymmdd.lst 2\u003e/dev/null\ndone\n\n# DDMMYY (6 digits)\ncrunch 6 6 0123456789 -t \"%%$$%%\" -o datas-ddmmyy.lst\n\n# YYMMDD\ncrunch 6 6 0123456789 -t \"%%$$%%\" -o datas-yymmdd.lst\n```\n\n#### CPF (Brazilian tax ID — 11 digits, no punctuation)\n\n```bash\n# All combinations — note: ~100 GB uncompressed; use prefix filters\ncrunch 11 11 0123456789 -o cpf-all.lst\n\n# Filter by São Paulo prefix (011–019):\ncrunch 11 11 0123456789 -t \"01%%%%%%%%%%\" -o cpf-sp.lst\n```\n\n#### CNPJ (Brazilian company ID — 14 digits)\n\n```bash\n# All combinations\ncrunch 14 14 0123456789 -o cnpj-all.lst\n\n# Root (8 digits) + fixed branch \"0001\" + check digits\ncrunch 8 8 0123456789 -t \"%%%%%%%%\" | awk '{print $0\"00010001\"}' \u003e cnpj-filtered.lst\n```\n\n#### Phone numbers\n\n```bash\n# Mobile without DDD (9 digits, starts with 9)\ncrunch 9 9 0123456789 -t \"9%%%%%%%%\" -o celular-sem-ddd.lst\n\n# Mobile with São Paulo DDD 11\ncrunch 11 11 0123456789 -t \"119%%%%%%%%\" -o celular-sp.lst\n\n# Landline without DDD (8 digits)\ncrunch 8 8 0123456789 -o fixo-sem-ddd.lst\n\n# Landline with DDD 11\ncrunch 10 10 0123456789 -t \"11%%%%%%%%\" -o fixo-sp.lst\n\n# All valid DDDs (mobile)\nfor ddd in 11 12 13 14 15 16 17 18 19 21 22 24 27 28 31 32 33 34 35 37 38 \\\n           41 42 43 44 45 46 47 48 49 51 53 54 55 61 62 63 64 65 66 67 68 69 \\\n           71 73 74 75 77 79 81 82 83 84 85 86 87 88 89 91 92 93 94 95 96 97 98 99; do\n  crunch 11 11 0123456789 -t \"${ddd}9%%%%%%%%\" \u003e\u003e celulares-todos-ddd.lst 2\u003e/dev/null\ndone\n```\n\n#### Tips for Hashcat and Hydra\n\n```bash\n# Hashcat — brute-force numeric without a wordlist file\nhashcat -a 3 hash.txt ?d?d?d?d?d?d          # 6 digits\nhashcat -a 3 hash.txt ?d?d?d?d?d?d?d?d      # 8 digits\nhashcat -a 3 hash.txt -i --increment-min=6  # 6 to max\n\n# Pipe Crunch directly into Hydra\ncrunch 8 8 0123456789 | hydra -l admin -P - 192.168.1.1 http-get /login\n```\n\n---\n\n## Other Recommended Wordlists\n\n```bash\n# RockYou (14M passwords — classic)\n/usr/share/wordlists/rockyou.txt  # pre-installed on Kali\n\n# SecLists (Daniel Miessler — comprehensive collection)\nsudo apt install seclists\ngit clone --depth 1 https://github.com/danielmiessler/SecLists.git\n\n# CrackStation (1.49 billion real leaked passwords)\n# https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm\n\n# BRDumps (Brazil-specific wordlists)\ngit clone https://github.com/BRDumps/wordlists.git\n\n# Brazilian Portuguese system dictionary (Kali/Debian)\nsudo apt install wbrazilian\n# Location: /usr/share/dict/brazilian\n```\n\n---\n\n## Methodology\n\nThis wordlist was built using:\n\n1. **Public research** — NordPass annual reports, HIBP public datasets, academic\n   studies on Brazilian password habits (2020–2025)\n2. **Brazilian Portuguese dictionary** — ~320,000 words from the LibreOffice/Mozilla\n   spell-check corpus, filtered to ≥6 characters, with 7 orthographic variations each\n3. **Algorithmic variation engine** — rich leet-speak mappings (multiple substitutions\n   per character), case mutations, accent stripping, and suffix patterns (`123`,\n   `@123`, `2024`–`2026`) based on documented PT-BR human password-writing habits\n4. **Cultural phrases** — viral expressions, song lyrics, political slogans and memes\n   from 2014–2025, sourced from public media and social platforms\n5. **Corporate patterns** — MSP/MSSP × client naming conventions derived from public\n   job postings on LinkedIn, InfoJobs and Vagas.com.br; patterns follow documented\n   human tendencies when creating credentials in managed environments (PCFG model,\n   Weir et al.)\n6. **Manufacturer defaults** — DefaultCreds-cheat-sheet (ihebski/GitHub, 3,755+\n   entries), ICS default passwords (arnaudsoullie/GitHub), product manuals and FCC ID\n   databases\n7. **Linguistic basis** — variation rules are grounded in corpus linguistics of PT-BR\n   writing patterns, including phonetic substitutions (ç→c, ã→a) and keyboard-walk\n   sequences documented in password cracking literature\n\n---\n\n## ⚠️ Ethical Disclaimer\n\n**If a password belonging to you or your organization appears in this wordlist,\nit means it matched one or more deterministic rules described above — not that\nit was extracted from any system, database, vault, PAM, or credential store.**\n\nAny reasonably skilled attacker or programmer could independently construct the\nsame entries by applying the same publicly documented algorithms.\n\nThis wordlist is a **security awareness tool**. It demonstrates that:\n- Patterns based on company names, years, and keyboard walks are trivially guessable\n- Leet-speak does NOT make a password strong if the base word is in a dictionary\n- Brazilian cultural references are among the first candidates in targeted attacks\n\n**Never use patterns from this list as real credentials. Use a password manager\nand generate truly random credentials.**\n\n---\n\n## Check If Your Password Is in This List\n\nYou can quickly verify whether your password appears in `wlist_brasil.lst` using\nbuilt-in tools — **no extra software required**.\n\n\u003e ⚠️ Run this check **offline**, after downloading the file locally.\n\u003e Never type your real password into an online form or transmit it over a network.\n\n### Step 1 — Download the file\n\n```bash\n# Linux / macOS\nwget https://raw.githubusercontent.com/mrhenrike/WordListsForHacking/main/wlist_brasil.lst\n# or\ncurl -O https://raw.githubusercontent.com/mrhenrike/WordListsForHacking/main/wlist_brasil.lst\n```\n\n```powershell\n# Windows PowerShell\nInvoke-WebRequest `\n  -Uri \"https://raw.githubusercontent.com/mrhenrike/WordListsForHacking/main/wlist_brasil.lst\" `\n  -OutFile \"wlist_brasil.lst\"\n```\n\n### Step 2 — Search for your password\n\nReplace `yourpassword` with the password you want to check.\n\n```bash\n# Linux / macOS — exact match, case-sensitive\ngrep -Fx \"yourpassword\" wlist_brasil.lst \\\n  \u0026\u0026 echo \"⚠️  FOUND — CHANGE YOUR PASSWORD NOW\" \\\n  || echo \"✓  Not found in this list\"\n```\n\n```bash\n# Linux / macOS — case-insensitive (catches leet-speak variants too)\ngrep -Fix \"yourpassword\" wlist_brasil.lst \\\n  \u0026\u0026 echo \"⚠️  FOUND — CHANGE YOUR PASSWORD NOW\" \\\n  || echo \"✓  Not found in this list\"\n```\n\n```powershell\n# Windows PowerShell — exact match\n$result = Select-String -Path \"wlist_brasil.lst\" -Pattern \"^yourpassword$\" -CaseSensitive\nif ($result) { Write-Host \"⚠️  FOUND — CHANGE YOUR PASSWORD NOW\" -ForegroundColor Red }\nelse          { Write-Host \"✓  Not found in this list\" -ForegroundColor Green }\n```\n\n```cmd\n:: Windows CMD — exact match\nfindstr /x /c:\"yourpassword\" wlist_brasil.lst\n:: If output appears: your password was found. Change it immediately.\n```\n\n### Step 3 — What to do if your password is found\n\n1. **Change it immediately** in every service where you use it\n2. **Never reuse passwords** — each account must have a unique credential\n3. **Use a password manager**: [Bitwarden](https://bitwarden.com) (free/open-source),\n   KeePass, 1Password, or your OS built-in vault\n4. **Generate truly random passwords** — avoid: names, dates, keyboard walks,\n   company names, football teams, song lyrics, or leet-speak of dictionary words\n5. **Enable MFA/2FA** on every account that supports it\n\n\u003e **Important:** if your password is found here, it does **not** mean it was\n\u003e extracted from a specific breach, vault, or PAM system. It means your password\n\u003e follows a **predictable pattern** that this wordlist was built to detect — and\n\u003e that any motivated attacker would try first. Treat it as a wake-up call.\n\n---\n\n## Legal Notice\n\n- Use only in environments where you have **explicit written authorization**\n- Never use for unauthorized access to any system\n- Author accepts no liability for misuse\n- Maintain attribution when redistributing\n\n---\n\n## Changelog\n\n| Version | Date | Changes |\n|---------|------|---------|\n| v2.0.0 | 2026-03-30 | Complete rewrite: PT-BR dictionary (320k words + 7 variations), rich leet mapping, Brazilian cultural/music/memes phrases (2014–2025), 200+ vendor defaults (SIEM/EDR/OT/Cloud/Linux/HW-mgmt), user:password combo file, removal of purely numeric entries and entries \u003c6 chars, comprehensive READMEs |\n| v1.x | 2022–2025 | Previous versions — manual wordlists and ad-hoc collections |\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrhenrike%2Fwordlistsforhacking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrhenrike%2Fwordlistsforhacking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrhenrike%2Fwordlistsforhacking/lists"}