Getting Started Guide
How to Install and Use SecLists
This guide covers downloading SecLists and using its wordlists with tools like ffuf, Gobuster, Hashcat, and Nuclei for effective security testing.
Prerequisites
- -A security testing tool that accepts wordlists (ffuf, gobuster, hashcat, etc.)
Install SecLists
Download the SecLists collection. On Kali Linux it's pre-installed.
Kali Linux (pre-installed)
ls /usr/share/seclists/apt
sudo apt install seclistsGit clone
git clone https://github.com/danielmiessler/SecLists.git ~/SecListsNote: SecLists is about 1GB downloaded. It's a collection of wordlists, not a tool itself - you use these lists with other tools.
Directory Brute-Forcing
Use SecLists' Discovery wordlists with ffuf or Gobuster to find hidden directories and files on web servers.
ffuf with common list
ffuf -u https://target.com/FUZZ -w ~/SecLists/Discovery/Web-Content/common.txtGobuster with bigger list
gobuster dir -u https://target.com -w ~/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txtAPI endpoint discovery
ffuf -u https://target.com/api/FUZZ -w ~/SecLists/Discovery/Web-Content/api/api-endpoints.txtNote: Start with common.txt (4,700 entries) for quick scans. Move to directory-list-2.3-medium.txt (220,000 entries) for thorough coverage. The API wordlists are gold for testing REST APIs.
Subdomain Enumeration
Use DNS wordlists for subdomain brute-forcing.
With ffuf
ffuf -u https://FUZZ.target.com -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200With gobuster
gobuster dns -d target.com -w ~/SecLists/Discovery/DNS/subdomains-top1million-20000.txtPassword Attacks
SecLists includes curated password lists and username lists for credential testing.
Common passwords with Hydra
hydra -l admin -P ~/SecLists/Passwords/Common-Credentials/10k-most-common.txt target.com sshUsername enumeration
ffuf -u https://target.com/login -X POST -d 'user=FUZZ&pass=test' -w ~/SecLists/Usernames/top-usernames-shortlist.txt -mc 200Default credentials
cat ~/SecLists/Passwords/Default-Credentials/Note: The Default-Credentials directory contains default username:password combos for hundreds of products - routers, databases, web apps. Check these first before brute-forcing.
What's Inside
A quick tour of the most useful directories in SecLists.
Browse the structure
find ~/SecLists -maxdepth 2 -type d | head -30Note: Key directories: Discovery/Web-Content/ (directory bruting), Discovery/DNS/ (subdomain lists), Passwords/ (credential lists), Fuzzing/ (injection payloads for XSS, SQLi, etc.), Usernames/ (username lists). The Fuzzing directory is especially useful for manual testing - it has payloads for every injection type.