Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/duyet/bruteforce-database

Bruteforce database
https://github.com/duyet/bruteforce-database

brute-force brute-force-attacks bruteforce duyetdev hacktoberfest password password-dictionaries seclists

Last synced: 5 months ago
JSON representation

Bruteforce database

Awesome Lists containing this project

README 

          
# Bruteforce Database - Wordlists for Ethical Security Testing



[![CI](https://github.com/duyet/bruteforce-database/actions/workflows/validate.yml/badge.svg)](https://github.com/duyet/bruteforce-database/actions/workflows/validate.yml)

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)



![](http://2.bp.blogspot.com/-DBFErnG-8AE/VhJ-z3Y-41I/AAAAAAAADgA/FGCt8naBMKs/s1600/mtyourmind.10001mb.com.png)



A collection of wordlists for security testing, penetration testing, and password analysis.



> **Note:** For authorized testing only. Only use on systems you own or have permission to test.



---



## Quick Start



```bash

# Clone the repository

git clone https://github.com/duyet/bruteforce-database.git

cd bruteforce-database



# Example: Test SSH login (authorized testing only!)

hydra -L usernames.txt -P 1000000-password-seclists.txt ssh://target.example.com



# Example: Web directory brute-forcing

gobuster dir -u https://example.com -w forced-browsing/all.txt



# Example: Subdomain enumeration

ffuf -u https://FUZZ.example.com -w subdomains-10000.txt

```



---



## What's Inside



### Stats

- 11+ million total entries

- 135+ MB of data

- 4 main categories: Passwords, Usernames, Infrastructure, Identities

- Validated with automated CI/CD



### Use Cases



| I need to... | Use this wordlist | Why? |

|-------------|------------------|------|

| Test common passwords | `1000000-password-seclists.txt` | Most common passwords from breach data |

| Test password policy | `8-more-passwords.txt` | Filtered for length, complexity requirements |

| Enumerate user accounts | `usernames.txt` | 400K+ common US usernames |

| Find hidden directories | `forced-browsing/all.txt` | Comprehensive web path discovery |

| Discover subdomains | `subdomains-10000.txt` | 10K most common subdomain names |

| Test against massive dataset | `2151220-passwords.txt` | 2.1M password compilation |

| Generate wordlist for JtR | `uniqpass_v16_password.txt` | Optimized for John the Ripper |

| Test keyboard patterns | `cain.txt` | Includes common patterns from Cain & Abel |



---



## Available Wordlists



### Password Dictionaries



#### General Purpose

- **`1000000-password-seclists.txt`** (1M entries, 8.5 MB)

  - Source: [SecLists](https://github.com/danielmiessler/SecLists) project

  - Use: Initial password testing, most common passwords



- **`2151220-passwords.txt`** (2.1M entries, 20 MB)

  - Source: Dazzlepod.com compilation

  - Use: Comprehensive password testing



#### Filtered Sets

- **`8-more-passwords.txt`** (62K entries, 629 KB)

  - Filters: 8+ chars, requires caps + numbers, no consecutive chars

  - Use: Testing password policies with complexity requirements



- **`7-more-passwords.txt`** (528K entries, 5 MB)

  - Filters: 7+ chars, numeric-only removed

  - Use: Medium-complexity password policies



#### Specialized

- **`cain.txt`** (307K entries, 2.5 MB)

  - Source: Cain & Abel password cracker

  - Use: Classic patterns, keyboard walks, common substitutions



- **`bitcoin-brainwallet.lst`** (395K entries, 3.4 MB)

  - Source: Dictionary words used for Bitcoin brainwallets

  - Use: Passphrase testing, dictionary attacks



- **`38650-password-sktorrent.txt`** (39K entries, 309 KB)

  - Source: SKTorrent.eu leaked database

  - Use: Real-world password patterns



#### Tool-Specific

- **`uniqpass_v16_password.txt`** (2.1M entries, 20 MB)

  - Source: Optimized for [John the Ripper](https://www.openwall.com/john/)

  - Use: Hash cracking with JtR



### Usernames & Identities



- **`usernames.txt`** (403K entries, 3.3 MB)

  - Source: US username compilation

  - Use: Account enumeration, user testing



- **`38650-username-sktorrent.txt`** (39K entries, 258 KB)

  - Source: SKTorrent.eu leaked database

  - Use: Real-world username patterns



- **`facebook-firstnames.txt`** (4.3M entries, 37 MB)

  - Source: Facebook public first names

  - Use: Name-based password testing



### Geographic Data



- **`us-cities.txt`** (21K entries, 199 KB)

  - Use: Location-based password testing



- **`indo-cities.txt`** (102 entries, 1.2 KB)

  - Use: Regional password testing



### Infrastructure Testing



- **`subdomains-10000.txt`** (10K entries, 97 KB)

  - Use: Subdomain enumeration, DNS reconnaissance

  - Tools: [Sublist3r](https://github.com/aboul3la/Sublist3r), [ffuf](https://github.com/ffuf/ffuf), [gobuster](https://github.com/OJ/gobuster)



### Forced Browsing / Directory Discovery



**`forced-browsing/`** directory contains specialized wordlists for web application testing:



- **`all.txt`** (43K entries) - Comprehensive file/directory list

- **`all-extensionless.txt`** (25K entries) - Paths without file extensions

- **`all-dirs.txt`** - Directory names only



#### Categorized by File Type



**`forced-browsing/cat/`** - Organized by file category:

- `Conf/` - Configuration files (`.conf`, `.config`, `.htaccess`, `.properties`)

- `Database/` - Database files (`.sql`, `.mdb`, `.xml`, `.ini`)

- `Language/` - Source code files (`.php`, `.asp`, `.jsp`, `.java`)

- `Project/` - Project files (`.csproj`, `.pdb`, `.sln`)



#### Context-Based Paths



**`forced-browsing/context/`** - Organized by context:

- `admin.txt` - Admin panels and interfaces

- `test.txt` - Test environments and files

- `debug.txt` - Debug endpoints

- `error.txt` - Error pages and handlers

- `help.txt` - Help and documentation paths

- Plus many more specialized contexts



**Usage Example:**

```bash

# Scan for admin panels

gobuster dir -u https://target.com -w forced-browsing/context/admin.txt



# Look for config files

ffuf -u https://target.com/FUZZ -w forced-browsing/cat/Conf/conf.txt



# Comprehensive directory scan

dirsearch -u https://target.com -w forced-browsing/all.txt

```



---



## Usage Examples



### Password Cracking



```bash

# John the Ripper

john --wordlist=2151220-passwords.txt hashes.txt



# Hashcat (MD5)

hashcat -m 0 -a 0 hashes.txt 1000000-password-seclists.txt



# Hydra (SSH brute force)

hydra -l admin -P 8-more-passwords.txt ssh://192.168.1.100

```



### Web Application Testing



```bash

# Directory discovery with gobuster

gobuster dir -u https://example.com -w forced-browsing/all.txt -t 50



# File discovery with specific extensions

gobuster dir -u https://example.com -w forced-browsing/all-extensionless.txt -x php,html,txt



# Fast fuzzing with ffuf

ffuf -u https://example.com/FUZZ -w forced-browsing/context/admin.txt -mc 200,301,302

```



### Subdomain Enumeration



```bash

# Sublist3r

sublist3r -d example.com -w subdomains-10000.txt



# ffuf for subdomain fuzzing

ffuf -u https://FUZZ.example.com -w subdomains-10000.txt -mc 200



# gobuster DNS mode

gobuster dns -d example.com -w subdomains-10000.txt

```



### Account Enumeration



```bash

# Test for valid usernames (authorized only!)

./enum4linux -U target.com -w usernames.txt



# Check username availability

curl https://api.example.com/check-username -d "username=FUZZ" -w usernames.txt

```



---



## Decision Guide: Which Wordlist?



### For Password Testing



**Quick test (< 1 minute):**

- Use `8-more-passwords.txt` (62K entries)

- Fast, focuses on complex passwords



**Standard test (5-10 minutes):**

- Use `1000000-password-seclists.txt` (1M entries)

- Industry standard, best coverage-to-time ratio



**Comprehensive test (30+ minutes):**

- Use `2151220-passwords.txt` (2.1M entries)

- Maximum coverage



**Policy-specific testing:**

- Strong policy (8+ chars, complexity): `8-more-passwords.txt`

- Medium policy (7+ chars): `7-more-passwords.txt`

- Weak/no policy: `1000000-password-seclists.txt`



### For Web Testing



**Quick scan:**

- `forced-browsing/context/.txt` (targeted)



**Standard scan:**

- `forced-browsing/all-dirs.txt` (directories only)



**Comprehensive scan:**

- `forced-browsing/all.txt` (everything)



**File-specific:**

- `forced-browsing/cat//` (by file extension)



---



## Tools That Work With These Wordlists



### Password Cracking

- [John the Ripper](https://www.openwall.com/john/) - Password cracking

- [Hashcat](https://hashcat.net/hashcat/) - Advanced password recovery

- [Hydra](https://github.com/vanhauser-thc/thc-hydra) - Network login cracker



### Web Testing

- [Gobuster](https://github.com/OJ/gobuster) - Directory/file & DNS busting

- [ffuf](https://github.com/ffuf/ffuf) - Fast web fuzzer

- [Dirsearch](https://github.com/maurosoria/dirsearch) - Web path scanner

- [Burp Suite](https://portswigger.net/burp) - Web application testing



### Subdomain Discovery

- [Sublist3r](https://github.com/aboul3la/Sublist3r) - Subdomain enumeration

- [Amass](https://github.com/OWASP/Amass) - Network mapping



---



## Automation & Quality



This repository includes automation tools:



### Validation Tools



```bash

# Validate all wordlists

python3 scripts/validate.py



# Validate specific file

python3 scripts/validate.py --file passwords.txt



# Deduplicate wordlists

python3 scripts/deduplicate.py passwords.txt



# Deduplicate all

python3 scripts/deduplicate.py --all

```



### CI/CD Pipeline



Every commit and pull request is automatically:

- Validated for encoding and format

- Checked for file corruption

- Scanned for sensitive data

- Analyzed for statistics

- Verified for integrity



See [`.github/workflows/validate.yml`](.github/workflows/validate.yml)



### Manifest



The `manifest.json` file contains metadata for every wordlist:

- Entry counts and unique entries

- File sizes and checksums

- Encoding information

- Validation status



Generated automatically on every commit.



---



## Contributing



We welcome contributions! See [CONTRIBUTING.md](./CONTRIBUTING.md) for detailed guidelines.



### Quick Contribution Checklist



- [ ] Wordlist is unique (not a duplicate)

- [ ] Source is documented

- [ ] File is UTF-8 encoded

- [ ] Deduplicated and validated

- [ ] README updated with entry

- [ ] Commit message is descriptive



### Running Validation Locally



```bash

# Before submitting PR

python3 scripts/validate.py

python3 scripts/deduplicate.py --all

```



---



## Ethics & Responsible Use



**IMPORTANT:** These wordlists are for authorized security testing only.



### Acceptable Use

- Penetration testing with written authorization

- Security research on your own systems

- Educational purposes in controlled environments

- Password policy analysis and improvement

- Academic research with ethical approval



### Unacceptable Use

- Unauthorized access to any system

- Testing systems without explicit permission

- Malicious hacking or cybercrime

- Harassment or targeting individuals

- Any illegal activity under applicable laws



**By using these wordlists, you agree to use them responsibly and legally.**



See [CLAUDE.md](./CLAUDE.md) for our full philosophy on ethical use.



---



## Project Philosophy



Read [CLAUDE.md](./CLAUDE.md) for our principles:

- Quality over quantity

- Ethical use only

- Full transparency

- Community first

- Evolution, not stagnation



---



## Contributors



Thank you to everyone who has contributed to this project:



- Van-Duyet Le - [**@duyet**](https://github.com/duyet) - Creator & Maintainer

- Taufiq Sumadi - [**@taufiqsumadi**](https://github.com/taufiqsumadi)

- San Sayidul Akdam Augusta - [**@sanAkdam**](https://github.com/sanAkdam)

- Dani Vijay - [**@danivijay**](https://github.com/danivijay) - Forced-browsing wordlists



Want to contribute? See [CONTRIBUTING.md](./CONTRIBUTING.md)!



---



## License



This project is licensed under the [MIT License](./LICENSE).



You are free to:

- Use for any purpose (commercial or non-commercial)

- Modify and create derivatives

- Distribute and share



Requirements:

- Include the license and copyright notice

- Use responsibly and legally



---



## Support This Project



If you find this project useful:



- Star this repository on GitHub

- Report issues to help us improve

- Contribute new wordlists or improvements

- Share with the security community

- Sponsor via [GitHub Sponsors](https://github.com/sponsors/duyet)



---



## Related Resources



- [SecLists](https://github.com/danielmiessler/SecLists) - Collection of security lists

- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) - Penetration testing payloads

- [FuzzDB](https://github.com/fuzzdb-project/fuzzdb) - Attack patterns database

- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) - Web security testing methodology



---



## Changelog



See [CHANGELOG.md](./CHANGELOG.md) for version history and updates.



---



**"Quality is not an act, it's a habit." - Aristotle**



Made with ❤️ by the security community, for the security community.