One of the types of attacks used by Atomic password recovery programs is dictionary attack . In this case, the program sequentially checks all possible passwords stored in special files called password dictionary. Typically, dictionaries store frequently used passwords and familiar words, such as names and place names. Password Dictionaries may contain words from various languages ​​of the world. Password crackers check them one by one in search of a suitable one.

If you decide to use dictionary attack, you will need some basic dictionaries.

Many are asking about password wordlist files and where they can download it,

First of all, if you are using Kali Linux you don’t need to download a Password dictionaries to perform a dictionary attack at least try the one you have before you download a new dictionary!

Kali Linux provides some Password dictionary files as part of its standard installation.

you can find that file /usr/share/wordlists/rockyou.txt.gz

and even if you are looking for a new dictionary just go to the end of the post and you will find what you want

but for real rockyou.txt.gz is one of best dictionary file’s

So let’s take a copy of rockyou.txt.gz to root directory

To do so write this command:

cp /usr/share/wordlists/rockyou.txt.gz .

Now to unzip it type:

gunzip rockyou.txt.gz

you will get a new file rockyou.txt

To know how many passwords this file contains type:

wc -l rockyou.txt

The password inside this file include password’s with more and less then 8 characters

so if you want to use it for WPA2 penetration it’s better to make a dictionary that contains passwords with minimum 8 characters so it becomes a wpa dictionary

To do that type this command :

cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > kalitut.txt

kalitut.txt contains 9606665 passwords that’s a huge list 😉

I called mine kalitut.txt but maybe you should call it wpa.txt if you are making it for WiFi penetration or anything you want just remember it.

Now you have a good password list containing the most used password in the world.

to download new password dictionary / password lists to make your list even bigger check those tow website with an updated dictionary

hashes

https://hashes.org/left.php

on Hashes you can find more than 25 Dictionary with a daily updated list

skullsecurity

https://wiki.skullsecurity.org/Passwords

Here it’s one of the best websites I found for password dictionaries with a huge list of dictionaries

to download any of them go to the website, and there you will find many Password dictionary

Password dictionary attack

Not all software contains exploitable vulnerabilities (as some would like). But the chain, as you know, breaks at the weakest link. And it doesn’t matter how strong the rest of the links are if we find the weak.

Very often, the weak link is the person. That is why social engineering is quite popular. Another type of attack, which I would also attribute to the human factor, is an attack on weak passwords. As it became known from recent news , even some computer security professionals, real hackers, sometimes use weak passwords.

Password attacks can be divided into two large groups: a hash attack and an attempt to pick up a password for authentication. We will not dwell on their characteristics in detail. Since password dictionary attack is possible in both groups.

So we come to the most important thing – where to get the dictionaries. Different tasks require different dictionaries:

if we brute force login to a remote service, then we need not very large dictionaries, but with the most common usernames and passwords. This is due to the fact that most network services have a customized brute force protection. Those. so that our IP is not blocked by an automatic script, we must make a long interval between attempts. It will take a lot of time, so it makes sense to start only with the most popular sets of words;

Bruteforcing a Wi-Fi network password (in an intercepted handshake), we still need a high-quality dictionary with popular passwords, but the larger the dictionary, the better, especially if you have medium or strong hardware;

Bruteforcing the addresses of admin areas, subdomains, directories, files – you need a specialized dictionary with the most common addresses.

I think the meaning is clear: you can’t have one best dictionary for all occasions. There should be several such dictionaries.

rockyou.txt Password dictionary