暴力破解字典列表
GitHub上的:
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases
https://github.com/duyetdev/bruteforce-database
一些博客的:
Large Password Lists: Password Cracking Dictionary’s Download For Free
For cracking passwords, you might have two choices
1. Dictionary Attack
2. Brute Force Attack.
The Dictionary attack is much faster then as compared to Brute Force Attack. (There is another method named as “Rainbow table”, it is similar to Dictionary attack).
In order to achieve success in a dictionary attack, we need a large size of Password lists.
Here is the list of 1,717,681 passwords & More (Free to download):
If you didn’t get your required password in that dictionary or file you might wanna follow our custom wordlist tutorial for creating your own wordlist.
WPA-PSK WORDLIST 3 Final (13 GB).rar 4GB
b0n3z-wordlist-sorted_REPACK-69.3GB.7z 9GB
b0n3z_dictionary-SPLIT-BY-LENGTH-34.6GB.7z 3GB
crackstation-human-only.txt.gz 246MB
You can find 20+ wordlists here: https://www.hacktoday.net/t/password-dictionaries/47
Password List Download Best Word List – Most Common Passwords
Password list download below, best word list and most common passwords are super important when it comes to password cracking and recovery, as well as the whole selection of actual leaked password databases you can get from leaks and hacks like Ashley Madison, Sony and more.
Generate your own Password List or Best Word List
There are various powerful tools to help you generate password lists or wordlists for brute forcing based on information gathered such as documents and web pages such as:
– Wyd – password profiling tool
– Crunch – Password Cracking Wordlist Generator
– CeWL v5.1 – Password Cracking Custom Word List Generator
– RSMangler – Keyword Based Wordlist Generator For Bruteforcing
– The Associative Word List Generator (AWLG) – Create Related Wordlists
These are useful resources that can add unique words that you might not have if your generic lists, using a combination of generated lists, most common passwords and leaked password databases you can generate a very powerful selection of passwords for brute force cracking.
Also, add all the company related words you can and if possible use industry-specific word lists (chemical names for a lab, medical terms for a hospital etc).
And always brute force in the native language. There are some language-specific resources below.
Password List Download Best Word Lists
Although old, one of the most complete word list sets is here (easily downloadable by FTP too):
This includes a whole bunch of language specific resources too (Afrikaans, American, Aussie, Chinese, Croatian, Czech, Danish, French, German, Hindi, Japanese, Polish, Russian, Spanish and more).
This is another famous pass list txt which is over 2GB uncompressed, Argon v2:
Here we have 50,000 words, common login/passwords and African words (this used to be a great resource):
One of the most famous lists is still from Openwall (the home of John the Ripper) and now costs money for the full version:
Some good lists here organized by topic including surnames, family names, given names, jargon, hostnames, movie characters etc.
Packetstorm has some good topic-based lists including sciences, religion, music, movies and common lists.
French Spanish & Language Specific Word Lists
There’s a good French word list here with and without accents, also has some other languages including names:
Spanish password list that has 172122 words:
Russian wordlist that has 296790 words:
Swedish password wordlist that contains 24292 words:
Tools for Password List Brute Forcing
You can also check out some default password lists and if you aren’t sure what tools to use I suggest checking out:
- Medusa 1.4 – Parallel Password Cracker
- THC-Hydra – The Fast and Flexible Network Login Hacking Tool
- Cain And Abel Download – Windows Password Cracker
- JTR (Password Cracking) – John the Ripper 1.7 Released
Enjoy! And as always if you have any good resources or tools to add – do mention them in the comments.
此外,还可以使用crunch来生成密码。
crunch默认安装在kali环境中(05-Password Attacks),Crunch可以按照指定的规则生成密码字典,生成的字典字符序列可以输出到屏幕、文件或重定向到另一个程序中,Crunch可以参数可能的组合和排列,其最新版本为3.6。并具备如下特征:
- Crunch可以以组合和排列的方式生成字典
- 它可以通过行数或文件大小中止输出
- 现在支持恢复
- 现在支持数字和符号模式
- 现在分别支持大小写字符模式
- 在生成多个文件时添加状态报告
- 新的-l选项支持@,%^
- 新的-d选项可以限制重复的字符,可以通过man文件查看详细信息
- 现在支持unicode
Crunch其实最厉害的是知道密码的一部分细节后,可以针对性的生成字典,这在渗透中就特别有用,比如知道用户密码的习惯是taobao2013(taobao+数字年),这可以通过Crunch生成taobao+所有的年份字典,用来进行暴力破解攻击其效果尤佳!
例如:比较有用的命令
(1)生成pass01-pass99所有数字组合
- crunch 6 6 -t pass%% >>newpwd.txt
(2)生成六位小写字母密码,其中前四位为pass
- crunch 6 6 -t pass@@ >>newpwd.txt
(3)生成六位密码,其中前四位为pass,后二位为大写
- crunch 6 6 -t pass,, >>newpwd.txt
(4)生成六位密码,其中前四位为pass,后二位为特殊字符
- crunch 6 6 -t pass^^ >>newpwd.txt
(5)制作8为数字字典
- crunch 8 8 charset.lst numeric -o num8.dic
(6)制作6为数字字典
- crunch 6 6 0123456789 –o num6.dic
(7)制作139开头的手机密码字典
- crunch 11 11 +0123456789 -t 139%%%%%%%% -o num13.dic
文件大小为1144 MB,还可以每次生成文件大小为20M,自动生成文件:
- crunch 11 11 +0123456789 -t 139%%%%%%%% -b 20mib -o START
(8)在线使用生成的密码
不用把庞大的字典保存在硬盘上,生成一个密码用一个,不过消耗的时间多,比较占用cpu,参数最后面的-表示引用crunch生成的密码,例如无线密码在线破解:
- crunch 2 4 0123456789 | aircrack -ng a,cap -e MyESSID -w -
- crunch 10 1012345 --stodout | airolib -ng testdlb -import passwd –
- crunch 1 6 0123456789 | john pwd.txt --stdin -