Seclists

The paths below are relative to the SecLists install directory, /usr/share/seclists in the commands on this page.

Usernames

| File | Use |
|------|-----|
| Usernames/top-usernames-shortlist.txt | Quick user enum |
| Usernames/xato-net-10-million-usernames.txt | Massive username list |

Parameter Discovery

| File | Use |
|------|-----|
| Discovery/Web_Parameters/parameters.txt | Common parameter names |
| Discovery/Web_Parameters/param_mini.txt | Small, fast list |

Passwords

| File | Use |
|------|-----|
| Passwords/Common-Credentials/10k-most-common.txt | 10,000 most common passwords |
| Passwords/rockyou.txt.tar.gz | Famous rockyou list (extract first) |
| Passwords/Leaked-Databases/ | Large real-world password dumps |

Extract rockyou before use:

```bash
cd /usr/share/seclists/Passwords/
sudo tar -xzvf rockyou.txt.tar.gz
```
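Added example, not part of the original cheat sheet: a Python check that screens candidate passwords against the 10k-most-common list, the blocklist check a password policy can enforce with the same file. It assumes the SecLists path used on this page; when that file is absent it falls back to a constructed five-entry sample so it runs offline. The verdict `blocked-ci` flags a candidate that differs from a listed entry only by case.

```python
"""Screen candidate passwords against a SecLists common-password list.

Added example, not part of the original cheat sheet. It assumes the
10k-most-common file at the SecLists path used on this page and falls
back to a constructed sample so it runs offline.
"""
import sys
from pathlib import Path

# Path assumed from the cheat sheet; adjust if SecLists lives elsewhere.
WORDLIST = Path("/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt")

# Constructed stand-in for the real list (five well-known weak entries).
SAMPLE_WORDLIST = "password\n123456\nqwerty\nletmein\nPassword1\n"


def load_wordlist(path=WORDLIST, fallback=SAMPLE_WORDLIST):
    """Return the list entries as a set; use the constructed sample if the file is missing."""
    path = Path(path)
    if path.is_file():
        text = path.read_text(encoding="utf-8", errors="ignore")
    else:
        text = fallback
    # One entry per line, kept exactly as listed (the lists are case-sensitive).
    return {line.rstrip("\r\n") for line in text.splitlines() if line.strip()}


def check_passwords(candidates, wordlist):
    """Map each candidate to 'blocked', 'blocked-ci' (matches ignoring case) or 'ok'."""
    lowered = {entry.lower() for entry in wordlist}
    verdicts = {}
    for pw in candidates:
        if pw in wordlist:
            verdicts[pw] = "blocked"
        elif pw.lower() in lowered:
            verdicts[pw] = "blocked-ci"
        else:
            verdicts[pw] = "ok"
    return verdicts


if __name__ == "__main__":
    # Usage: python check_common.py <candidate> [<candidate> ...]
    words = load_wordlist()
    for candidate, verdict in check_passwords(sys.argv[1:], words).items():
        print(f"{verdict:10} {candidate}")
```

Point the same function at rockyou.txt (after extraction) or a dump from Passwords/Leaked-Databases/ to widen the blocklist; the set lookup stays O(1) per candidate, only the load time grows.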

Subdomains / DNS

| File | Use |
|------|-----|
| Discovery/DNS/subdomains-top1million-5000.txt | Top 5000 subdomains |
| Discovery/DNS/bitquark-subdomains-top100000.txt | 100k subdomains from scans |

Virtual-host fuzzing with ffuf:

```bash
ffuf -u http://example.com -H "Host: FUZZ.example.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

Web Content

Directory enumeration with gobuster:

```bash
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web_Content/common.txt
```

Fuzzing Payloads

| File | Use |
|------|-----|
| Fuzzing/sql-injection.txt | SQLi payloads |
| Fuzzing/XSS.txt | XSS vectors |
| Fuzzing/LFI/LFI-graceful.txt | Local file inclusion |
| Fuzzing/XXE/xxe-injection.txt | XXE payloads |
| Fuzzing/command-injection.txt | OS command injection |

Parameter fuzzing with wfuzz (XSS list as the FUZZ payload; the URL is quoted so the shell does not treat `?` as a glob):

```bash
wfuzz -c -z file,/usr/share/seclists/Fuzzing/XSS.txt "http://target.com/search?q=FUZZ"
```

Happy hunting.