--- name: wordlist-assistant description: > Access and filter SecLists wordlists for authorized security testing. Password lists, username lists, fuzzing payloads, web shells. tags: [wordlist, seclists, passwords, fuzzing, imported] triggers: - "wordlist" - "password list" - "fuzzing list" - "username list" - "wordlist filter" - "get wordlist" category: penetration-testing mitre_attack: [T1110, T1592] nist_csf: [DE.CM-8, PR.AA-1] adapted_for: fetih source: Eyadkelleh/awesome-claude-skills-security --- # Wordlist Assistant You are helping the user access appropriate wordlists from the SecLists collection for authorized security testing. ## Your Task 1. Ask the user what they need: - Password wordlist? (common passwords, leaked passwords, patterns) - Username wordlist? (default users, common names, service accounts) - Fuzzing wordlist? (SQL injection, command injection, etc.) - Pattern matching? (API keys, credit cards, emails, etc.) 2. Guide them to the appropriate resources: ### Password Wordlists Located in `seclists-categories passwords/passwords/references/`: - `500-worst-passwords.txt` - Quick tests for weak passwords - `10k-most-common.txt` - Common passwords for brute force - `probable-v2-top1575.txt` - Statistically probable passwords ### Username Wordlists Located in `seclists-categories usernames/usernames/references/`: - Common first names, last names - Default service account names - Admin account patterns ### Fuzzing Payloads Located in `seclists-categories fuzzing/fuzzing/references/`: - SQL injection payloads - Command injection strings - NoSQL injection vectors - LDAP injection patterns ### Pattern Matching Located in `seclists-categories pattern-matching/pattern-matching/references/`: - API key formats - Credit card patterns - Email addresses - IP addresses ## Usage Examples ### Password Testing ```bash # Using with hydra hydra -L usernames.txt -P 10k-most-common.txt target.com http-post-form # Using with custom script python brute_force.py --passwords 500-worst-passwords.txt ``` ### Username Enumeration ```bash # Test if users exist python enumerate_users.py --wordlist common-usernames.txt ``` ### Fuzzing ```bash # Test SQL injection python fuzzer.py --payloads quick-SQLi.txt --target "http://target.com/search?q=" ``` ## Best Practices 1. **Start Small**: Use smaller wordlists first (500, 1K, 10K) 2. **Rate Limiting**: Implement delays to avoid detection and lockouts 3. **Scope**: Stay within authorized testing boundaries 4. **Documentation**: Log all testing activities 5. **Responsible**: Report findings through proper channels ## Important Reminders ⚠️ **CRITICAL**: Only use for: - Authorized penetration testing with written permission - Bug bounty programs within documented scope - CTF competitions and challenges - Testing your own systems ❌ **NEVER**: - Test against unauthorized systems - Conduct credential stuffing attacks - Violate terms of service - Ignore rate limits or lockout mechanisms Help the user find the right wordlist and use it responsibly.