In the previous post, we learned about one of the attack methods that hashcat offers - the dictionary attack. To perform such an attack we need a dictionary, and a good one.

Let's be clear: we need a solid and (not always) big dictionary to perform a good attack.

Let's start by explaining what a wordlist, also known as a dictionary, is. It is a text file containing a list of words, with each word/entry on a separate line. This file can be compressed (we suggest using .7z, but other formats such as .gz also work).
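The format described above (one entry per line, optionally compressed) can be inspected before use. The following is an added example, not code from the original post: it streams a plain or .gz wordlist, counts total and unique entries, and checks whether given passwords appear in it, the kind of deny-list check a password policy can run. Entries are read as bytes, so nothing is assumed about the file's encoding; the function names and the sample data are constructed for illustration.

```python
import gzip
import os
import tempfile

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def iter_entries(path):
    """Yield each non-empty line of a plain or .gz wordlist as raw bytes."""
    with open(path, "rb") as probe:
        compressed = probe.read(2) == GZIP_MAGIC
    opener = gzip.open if compressed else open
    with opener(path, "rb") as fh:
        for raw in fh:
            entry = raw.rstrip(b"\r\n")  # drop only the line ending, keep spaces
            if entry:
                yield entry


def wordlist_stats(path):
    """Return (total entries, unique entries); the set holds every entry in RAM."""
    total, seen = 0, set()
    for entry in iter_entries(path):
        total += 1
        seen.add(entry)
    return total, len(seen)


def find_listed(path, passwords):
    """Return the passwords from `passwords` that occur in the wordlist."""
    wanted = {p.encode("utf-8") for p in passwords}
    return {e.decode("utf-8") for e in iter_entries(path) if e in wanted}


def make_sample(directory):
    """Write a small constructed wordlist (gzip) with a duplicate, a blank
    line, a CRLF ending and one entry that is not valid UTF-8."""
    path = os.path.join(directory, "sample.txt.gz")
    lines = [b"123456", b"password", b"letmein", b"password",
             b"caf\xe9 ", b"", b"qwerty\r"]
    with gzip.open(path, "wb") as fh:
        fh.write(b"\n".join(lines) + b"\n")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = make_sample(tmp)
        print(wordlist_stats(sample))
        print(sorted(find_listed(sample, ["password", "qwerty", "Tr0ub4dor&3"])))
```

The unique count keeps every entry in memory, which is fine for a list the size of rockyou but not for multi-gigabyte collections.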

Dictionaries

Why are dictionaries so important? First, we need to be aware of how the process of cracking passwords with the dictionary method works. In a dictionary attack, hashcat generates candidates (the passwords that are currently being tested) based on the contents of a given wordlist. Consequently, the larger the dictionary, the more candidates and the greater the chance of cracking the password. A good, large dictionary is also the basis for rule-based attacks. In addition, hashcat works more efficiently when it has a large number of candidates and they are continuously supplied to the GPU.

Most of the available dictionaries are collections of passwords leaked during hacks. The best-known dictionary is rockyou.txt.gz. In December 2009 a company named RockYou had a data breach, and the rockyou dictionary is precisely the collection of passwords obtained through an SQL injection attack on the RockYou company database, with the successful extraction of 32,603,388 passwords, all of them unencrypted. The hackers made the leaked data available to the public, and this is where the dictionary got its name.

Rockyou

rockyou.txt.gz is a very small dictionary: in .gz format (packed) it's just 51M, and when unpacked it's only 134M and contains 14344392 unique passwords. It's pre-installed on systems such as Kali Linux and Parrot, which makes rockyou in some way a default dictionary. Therefore, if we have to crack passwords in a CTF, or obtain some hashes while hacking machines on Hack The Box or TryHackMe, we will choose this dictionary first.

Rockyou2021

Let's stick with rockyou: in 2021 a new dictionary called Rockyou2021 (rockyou2021.7z) was released. This dictionary is considerably larger: it is 12.67GB packed, 91.62GB unpacked, and contains 8459060239 unique passwords.

CrackStation

CrackStation is an online cracking service that uses massive rainbow tables to crack password hashes. It checks whether the hash you specify is in its database and, if so, returns the plain-text password for that hash. CrackStation supports: LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

The author of CrackStation provides his own downloadable wordlists. He describes his dictionary as follows:

The list contains every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.

It's available at: CrackStation Dictionary

SkullSecurity

This is a collection of password-cracking dictionaries gathered in one place. It is not as comprehensive or up to date as weakpass, which we will discuss in a moment. However, it is a very well-known source of dictionaries in the community.

SkullSecurity wordlists are collected in one file and can be downloaded from:

SkullSecurity Dictionary

Hashes.org

Hashes.org was a community aimed at security enthusiasts, which ceased operations in early 2021. But the dictionaries they created are still available and very much used today.

Weakpass

In 2015 the weakpass project started and the first wordlist was released. Within a year version 1.0 was available to download, with a lot of changes, improvements and additions. The authors had one rule and one rule only:

At the beginning there was some rule – add one dictionary each week.

The first presentation about weakpass was at Weakpass - defcon russia 23

Defcon-23-Russia

Thanks to w34kp455, dictionaries that are generally available for download on the World Wide Web have been collected in one place and made available for your convenience:

Weakpass

Bigger is better.

One day they decided to create one big dictionary from all the dictionaries they had collected over the years.

The result is a great All-in-one dictionary: Weakpass All-in-one

The zipped All-in-one.7z dictionary takes up 57 GB; when unzipped it would take up 444.57 GB, and it has 40247321168 unique entries.

A list of really good wordlists:

https://github.com/kkrypt0nn/Wordlists
https://github.com/berzerk0/Probable-Wordlists
https://github.com/clem9669/wordlists
https://f002.backblazeb2.com/file/passphrase-wordlist/passphrases.txt
https://weakpass.com/wordlist/1939
https://weakpass.com/wordlist/1858
https://weakpass.com/wordlist/1849

https://contest-2010.korelogic.com/wordlists.html
https://github.com/kaonashi-passwords/Kaonashi
https://github.com/tasooshi/brutas/tree/master/wordlists/passwords
https://github.com/webpwnized/byepass/tree/master/passwords
https://github.com/webpwnized/byepass/tree/master/dictionaries
https://packetstormsecurity.com/Crackers/wordlists/
https://github.com/praetorian-inc/Hob0Rules/tree/master/wordlists
https://github.com/ignis-sec/Pwdb-Public/tree/master/wordlists
https://github.com/MusicGivesMeLife/BiblePass

Language-based dictionaries:

https://github.com/eyaler/hebrew_wordlists
https://github.com/utkusen/turkce-wordlist
https://github.com/napolux/paroleitaliane
https://github.com/richiemann/vietnam-password-lists
https://github.com/webpwnized/byepass/tree/master/dictionaries
https://github.com/ignis-sec/Pwdb-Public/tree/master/wordlists/language-specifics

It is also a good idea to create your own dictionaries, especially if you are cracking passwords that are not English-language based. We'll do a separate post about creating your own dictionaries, as it's a very important topic.

What about when a dictionary attack fails? Then we start to manipulate our dictionary, and for this we use rules to squeeze even more out of our wordlists: each rule manipulates each candidate in a predefined way. We cover that topic in the next post.