SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells

SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place.

SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells

List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

Contents of SecLists

Each section has tonnes of content including the below:

  • Discovery lists (DNS, SNMP, Web content)
  • Fuzzing Payloads (Databases, LFI, SQLi, XSS)
  • Password lists (Common credentials, cracked hashes, honeypot captures, leaked lists)
  • Data Pattern lists
  • Payload files (Zip bombs, flash, images)
  • Username lists (Honeypot captures)
  • Web shells

Install SecLists


Git (Small)

Git (Complete)

You can access all the lists here:

Topic: Hacking Tools

DeepSound – Audio Steganography Tool

DeepSound is an audio steganography tool and audio converter that hides secret data into audio files, the application also enables you to extract secret files directly from audio files or audio CD tracks.

DeepSound - Audio Steganography Tool

This audio steganography tool can be used as copyright marking software for wave, flac, wma, ape, and audio CD.

DeepSound also support encrypting secret files using AES-256(Advanced Encryption Standard) to improve data protection. The application additionally contains an easy to use Audio Converter Module that can encode several audio formats (FLAC, MP3, WMA, WAV, APE) to others (FLAC, MP3, WAV, APE).

How to use DeepSound Audio Steganography Tool

To hide data into audio file, follow these steps:

  • Click to ‘Open carrier files (F2)’ or drag and drop audio file (flac, wav, wma, mp3, ape) to Carrier audio files list.
  • Click to ‘Add secret files (F3)’ or drag and drop secret files into the Secret files list on the bottom side of application.
  • Press F4 key or click to ‘Encode secret files’ button.
  • You can choose output audio format (wav, flac or ape). DeepSound does not support wma output format. If you want to hide data into wma, hide secret data into wav file and then use external software such as Windows Media Encoder for convert wav to wma lossless audio format.
  • In ‘Encode secret files’ dialog window you can turn on/off AES-256 encryption. Modified audio file will be copied to output directory. If you want to change output directory, click to Settings.
  • Click to ‘Encode secret files’ button to start hiding secret files into carrier audio file.

You can download DeepSound here:


Or read more here.

Topic: Cryptography

What are the MOST Critical Web Vulnerabilities in 2019?

So what is wild on the web this year? Need to know about the most critical web vulnerabilities in 2019 to protect your organization?

What are the MOST Critical Web Vulnerabilities in 2019

Well luckily for you Acunetix compiles an annual web application vulnerability report which is a fairly hefty piece of analysis on data gathered from the previous year. This is compiled from the automated web and network perimeter scans run on the Acunetix Online platform, over a 12 month period, across more than 10,000 scan targets.

To be more specific:

  • 67,355 Network scans
  • 10,000 Scan targets
  • 76,686 Web scans

It was found that as many that almost half of the scanned websites contain high severity vulnerabilities with almost all containing medium severity vulnerabilities.

Although SQL Injection vulnerabilities are on the slight decline, XSS vulnerabilities, vulnerable JavaScript libraries, and WordPress related issues were found to each claim a significant 30% of the sampled targets.

2019 High Severity Vulnerabilities

What are the most critical web vulnerabilities in 2019?

The report gives you the low down on:

  • Which vulnerabilities are rising and falling in frequency
  • Current security concerns, such as the increasing complexity of new apps, the accelerating rate of new versions, and the problem of scale
  • Changes in threat landscape from both the client and server sides
  • The four major stages of vulnerability analysis
  • Vulnerability findings by type and severity
  • An analysis of each discovered vulnerability in terms of how it works, its statistical status and pointers for remediation.

So, top line message – keep yourself safe!

You can download the full report here:

Acunetix Web Application Vulnerability Report 2019

Topic: Advertorial

GoBuster – Directory/File & DNS Busting Tool in Go

GoBuster is a Go-based tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support) – essentially a directory/file & DNS busting tool.

GoBuster - Directory/File & DNS Busting Tool in Go

The author built YET ANOTHER directory and DNS brute forcing tool because he wanted..

  • … something that didn’t have a fat Java GUI (console FTW).
  • … to build something that just worked on the command line.
  • … something that did not do recursive brute force.
  • … something that allowed me to brute force folders and multiple extensions at once.
  • … something that compiled to native on multiple platforms.
  • … something that was faster than an interpreted script (such as Python).
  • … something that didn’t require a run-time.
  • … use something that was good with concurrency (hence Go).
  • … to build something in Go that wasn’t totally useless.

Using GoBuster Directory/File & DNS Busting Tool

There are many options for GoBuster, these include:

You can download GoBuster here:

Or read more here.

Topic: Hacking Tools
BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy

BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy

BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads (software updates for example) from vendors that don’t validate data integrity. The Backdoor Factory allows you to patch binaries with shell-code so combining that with mitmproxy, which is a Python proxy-server that […]

Topic: Hacking Tools
Domained - Multi Tool Subdomain Enumeration

Domained – Multi Tool Subdomain Enumeration

Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains that are passed to EyeWitness for reporting. This produces categorized screenshots, server response headers and signature based default credential checking. It is written in Python heavily leveraging Recon-ng. Domains Subdomain Enumeration Tools […]

Topic: Hacking Tools