# Enumeration with Wordlists

## Directory Enumeration

#### gobuster

Run gobuster through Burp (--proxy), hide responses of a specific length (--exclude-length), and skip TLS certificate verification (-k).

{% code title="gobuster" %}

```
gobuster dir --url https://a/api --wordlist /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -k -r -b 500,404 -t 1 --timeout 25s --exclude-length 47340 --proxy http://127.0.0.1:8080 -o gobuster-apwfuzz
```

{% endcode %}

**Wfuzz**

Wfuzz can hide responses with specific HTTP status codes (--hc).

```
wfuzz -c --hc 302 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt https://example.com/FUZZ
```

**wfuzz with HTTP proxy**

Chain wfuzz with an HTTP proxy such as Burp, which is handy when a dictionary is too big. You can specify the maximum timeout for a request (--req-delay 1000) and the number of threads (-t1). Use -Z to ignore connection errors.

```
# wfuzz rejects hide (--hc) and show (--sc) filters in the same run; --sc alone already drops 302
wfuzz -t1 -c --req-delay 1000 -Z --sc 200,202,204,307,403 -f ./wfuzz_out.txt -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -p 127.0.0.1:8080:HTTP https://example.com/FUZZ
```

**kiterunner**

<https://github.com/assetnote/kiterunner>

```
kr scan http://10.10.0.200:5000/users -A=httparchive_apiroutes_2024_01_28.txt -x 1 kiterunner
```

### REST API fuzzing lists

<https://www.sqrsec.com/api-fuzzing-lists>

### REST API - OpenAPI, Swagger

```
/api
/api-docs
/api/api-docs
/api/docs
/api/openapi.json
/api/openapi.yaml
/api/swagger.json
/api/swagger.yaml
/api/v1/openapi.json
/api/v1/openapi.yaml
/api/v1/swagger.json
/api/v1/swagger.yaml
/api/v2/openapi.json
/api/v2/openapi.yaml
/api/v2/swagger.json
/api/v2/swagger.yaml
/openapi
/openapi-docs
/openapi-resources
/openapi-ui.html
/openapi.json
/openapi.yaml
/openapi/api-docs
/openapi/docs
/openapi/index.html
/openapi/v1/api-docs
/openapi/v1/openapi.json
/openapi/v1/openapi.json/
/openapi/v1/openapi.yaml
/openapi/v2/api-docs
/openapi/v2/openapi.json
/openapi/v2/openapi.yaml
/static/api/openapi.json
/static/api/openapi.yaml
/static/api/swagger.json
/static/api/swagger.yaml
/swagger-resources
/swagger-ui.html
/swagger.json
/swagger.yaml
/swagger/api-docs
/swagger/index.html
/swagger/v1/api-docs
/swagger/v1/swagger.json
/swagger/v1/swagger.json/
/swagger/v1/swagger.yaml
/swagger/v2/api-docs
/swagger/v2/swagger.json
/swagger/v2/swagger.yaml
/ui
/v1/api-docs
/v1/openapi-docs
/v2/api-docs
/v2/openapi-docs
```
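From the defender's side, requests for these paths stand out in access logs. The following is an added example, not part of the original page: it flags clients that request many distinct spec paths and reports which ones the server actually served. The log format (combined access log), the threshold, the function name and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Subset of the discovery paths listed above; extend with the full list as needed.
SPEC_PATHS = {
    "/api-docs", "/api/docs", "/api/openapi.json", "/api/swagger.json",
    "/openapi.json", "/openapi.yaml", "/swagger.json", "/swagger.yaml",
    "/swagger-ui.html", "/swagger-resources", "/swagger/index.html",
    "/swagger/v1/swagger.json", "/v1/api-docs", "/v2/api-docs",
}

# Combined access log: ip - - [ts] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def find_spec_probing(lines, min_distinct=5):
    """Return {ip: {"probed": [...], "exposed": [...]}} for clients that
    requested at least `min_distinct` different spec paths."""
    probed, exposed = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format
        ip, target, status = m.groups()
        # Normalise: drop query string and trailing slash, compare lowercase.
        path = target.split("?", 1)[0].rstrip("/").lower() or "/"
        if path in SPEC_PATHS:
            probed[ip].add(path)
            if status.startswith("2"):
                exposed[ip].add(path)  # the spec or UI was actually served
    return {
        ip: {"probed": sorted(paths), "exposed": sorted(exposed[ip])}
        for ip, paths in probed.items() if len(paths) >= min_distinct
    }

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /api-docs HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /api/openapi.json HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /openapi.json HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /swagger.json HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /swagger/v1/swagger.json/ HTTP/1.1" 200 8841
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "GET /v2/api-docs?group=x HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "GET /swagger-ui.html HTTP/1.1" 200 3120
198.51.100.20 - - [10/Mar/2024:10:01:05 +0000] "GET /api/users HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_spec_probing(SAMPLE_LOG).items():
        print(ip, "probed", len(info["probed"]), "spec paths; served:", info["exposed"])
```

Any path that shows up under `exposed` is a spec or UI the server handed out, which is worth reviewing regardless of who asked for it.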

### Admin panels

<https://github.com/Karanxa/Bug-Bounty-Wordlists/blob/main/admin.txt>

## Usernames

<https://github.com/danielmiessler/SecLists/tree/master/Usernames>

<https://github.com/insidetrust/statistically-likely-usernames>

## Passwords

<https://wiki.skullsecurity.org/index.php/Passwords>

## Accounts

A quick list for enumerating application and user accounts.

```
Admin
Administrator
adm
admin
administrator
alex
ali
ana
andrea
anna
ansible
antonio
api
app
appadmin
author
azureuser
backup
bwsa
carlos
daniel
david
designer
ec2-user
ftp
ftpuser
git
guest
hadoop
hbv7
info
jose
kisadmin
laura
local
localadmin
marco
maria
michael
mysql
nagios
operator
oracle
pi
postgres
puppet
root
sa
sandra
sara
service
su
super
superadmin
support
test
test1
test2
ts3
ubnt
ubuntu
user
user1
user2
users
usuario
vagrant
vice
writer
wwo
www
```

## Projects

{% embed url="https://wordlists.assetnote.io/" %}

{% embed url="https://github.com/bhavesh-pardhi/Wordlist-Hub" %}

{% embed url="https://github.com/trickest/wordlists" %}

{% embed url="https://github.com/gmelodie/awesome-wordlists" %}

## References

[Stok epic video](https://www.youtube.com/watch?v=ngZ1Osul4P8) about wordlists.
