danielmiessler/seclists

70,740 · PHP · Audience: ops, devops · Complexity: 1/5 · License · Setup: easy

TLDR

SecLists is a large collection of text wordlists for security testing, covering common passwords, hidden web paths, attack payloads, and subdomain names, so penetration testers have every list they need in one place.

Mindmap

mindmap
  root((seclists))
    What it contains
      Password lists
      Web path lists
      Attack payloads
      Subdomain names
    Used with
      Burp Suite
      ffuf, gobuster
      Hashcat, Hydra
    Use cases
      Brute force testing
      Directory fuzzing
      Injection testing
    Audience
      Pen testers
      Bug bounty hunters
      Security researchers

Things people build with this

USE CASE 1

Feed common password and username lists into a tool like Hydra or Burp Suite to test whether a login endpoint is vulnerable to brute-force attacks.

USE CASE 2

Use directory and file path lists with ffuf or gobuster to discover hidden endpoints and admin panels on a web server.

USE CASE 3

Supply injection payload lists to a web proxy to automate testing for SQL injection or cross-site scripting vulnerabilities.

USE CASE 4

Use subdomain wordlists with a DNS brute-forcing tool to map out all publicly reachable subdomains of a target domain.

Getting it running

Difficulty · easy · Time to first run · 5 min

The full repository is multiple gigabytes, so use a shallow git clone to avoid downloading the entire history.

Licensed under the MIT License, which lets you use, share, and modify the files freely for any purpose including commercial security work.

In plain English

SecLists is a large collection of text lists that security testers use during penetration testing and security assessments. A penetration tester is someone hired to try to break into a system to find vulnerabilities before real attackers do. Many security testing techniques involve trying large numbers of values systematically, for example guessing common passwords, trying common file and directory names on a web server, or inserting known attack strings into input fields. SecLists brings together all the wordlists and data files needed for these tasks in one place.

The collection includes many categories of lists: common usernames and passwords for brute-force credential testing, URL paths and directory names for discovering hidden web content through fuzzing (automated probing), sensitive data patterns for finding accidentally exposed files, injection payloads for testing against SQL injection, cross-site scripting, and other vulnerabilities, web shell filenames, subdomain names for reconnaissance, and more. The goal described in the README is that a security tester can clone this repository onto a new testing machine and immediately have access to every type of list they might need, without hunting for individual lists across the internet. It is pre-installed in security-focused Linux distributions like Kali Linux and BlackArch.

You would use SecLists if you are a security researcher, penetration tester, or bug bounty hunter who needs wordlists as input for security tools like Burp Suite, ffuf, or hashcat. There is no software to run from this repository; the files themselves are the product. The repository is very large (multiple gigabytes), so the README suggests using a shallow git clone for faster download. It is licensed under MIT and maintained by a small team of security researchers.
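The same Discovery/Web-Content lists that drive directory fuzzing are useful on the defensive side: a web server that suddenly returns many 404s for exactly those names is probably being fuzzed. The script below is an added example, not code from the SecLists repository; it embeds a constructed subset of wordlist entries and constructed combined-format access-log lines (the IPs are documentation addresses, not real traffic) and flags clients whose 404s line up with the wordlist.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Discovery/Web-Content/common.txt
# (an illustrative subset written for this example, not the repo's file).
SAMPLE_WORDLIST = """\
.git
.env
admin
backup
config
login
phpinfo.php
robots.txt
uploads
wp-admin
"""

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:01 +0000] "GET /.git/ HTTP/1.1" 404 153 "-" "ffuf/2.1"
203.0.113.7 - - [10/Mar/2024:10:01:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "ffuf/2.1"
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "ffuf/2.1"
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "ffuf/2.1"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "ffuf/2.1"
198.51.100.4 - - [10/Mar/2024:10:01:05 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:06 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Client IP, request line and status from a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def load_wordlist(text):
    """Normalise wordlist entries to lowercase path stems without surrounding slashes."""
    stems = set()
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            stems.add(entry.strip("/").lower())
    return stems

def wordlist_hits(log_text, wordlist):
    """Count, per client IP, requests that returned 404 for a path found in the wordlist."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        stem = m.group("path").split("?", 1)[0].strip("/").lower()
        if m.group("status") == "404" and stem in wordlist:
            hits[m.group("ip")] += 1
    return dict(hits)

def suspected_fuzzers(log_text, wordlist, threshold=3):
    """Return client IPs with at least `threshold` wordlist-matching 404s, sorted."""
    return sorted(ip for ip, n in wordlist_hits(log_text, wordlist).items() if n >= threshold)

if __name__ == "__main__":
    print(suspected_fuzzers(SAMPLE_LOG, load_wordlist(SAMPLE_WORDLIST)))
```

Pointing `load_wordlist` at the real common.txt and feeding it a production access log turns this into a cheap fuzzing detector; tune the threshold to the site's normal 404 rate.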

Copy-paste prompts

Prompt 1
Write the ffuf command that uses SecLists Discovery/Web-Content/common.txt to fuzz for hidden directories on https://example.com/FUZZ and saves results to a file.
Prompt 2
Show me the hashcat command to crack a list of MD5 hashes using the SecLists Passwords/Leaked-Databases/rockyou.txt wordlist with the right hash mode.
Prompt 3
I want to test a login form for common default credentials using Burp Suite Intruder. Which SecLists files should I use for usernames and passwords, and how do I set up a cluster bomb attack?
Prompt 4
Write a Python script that reads lines from SecLists/Fuzzing/SQLi/Generic-SQLi.txt and sends each as a query parameter to a test URL, logging any response that returns a 500 status code.
Prompt 5
Which SecLists file is best for enumerating subdomains during passive reconnaissance, and what tool and command would I pair it with?