Note to the reader: **This text has been written for younger crackers in order to help them make effective wordlists.**

You were interested in security and hacking, so you started to read various texts on the subject. Then you downloaded the latest versions of the best crack engines and, after toying with them for some time, you decided to give it a try on a pass board. You downloaded all the wordlists available, made your own attack lists and ... you miserably failed to crack request after request. Then you talked with other crackers and they told you: "use a leecher!!" Suddenly you started to have success, so you stuck with that approach. After a few months you start to have a reputation as a skilled cracker but, inside yourself, you know that you're nothing more than a button pusher. You have no REAL KNOWLEDGE, no deep understanding.

"What is well conceived is clearly stated, and the words to say it come easily." Boileau

So let's start with the basics: the wordlist.

Creating your own wordlist is very important. Why? Because each individual has his own experiences, culture, interests etc. So each cracker adds something to the cracking community by doing this exercise. Furthermore, it builds patience, reflection and the right attitude needed to become an accomplished hacker.

How do people choose their passes? That's a good question you have to answer in order to build your lists. Personally, I have created my own concepts that I describe below. They represent my understanding of the customers' habits. You can use them or create your own classes, it does not matter. What matters is that you adopt what fits your understanding.

Tip: READ YOUR LEECHED COMBOS MANY, MANY TIMES. Ask yourself how someone could have chosen these particular combos. What drove them in their choice? Note the most common patterns. Then decide which classes you will create.
Personally, I use these 5 basic classes:

1. Related to the subject

Many logins/passwords come from a vocabulary closely related to the subject or the name of the site. Examples:

    great:sex
    cock:sucker
    hand:job
    blow:job
    anal:sex
    etc.

Note that a specific wordlist designed to attack a BDSM site will likely have words like bondage, whip, gag, slave, master, trampled ... while a general wordlist should stick to more common words like pussy, porn, cock, dick, boob, boobs, breast ... The same is also true if you attack an accounting site: words like assets, liability, profit, losses ... will fit well. Does it make sense to you?

2. Related to the user

First names, last names, daughters, sons, centers of interest ...

    joe99:joe
    mikes:msmith
    mikes:smike
    mike:ekim
    mike:smith
    mike:analsex
    etc.

Note: combos of the form name+2 digits:name are 15 times more common than name:name+2 digits combos. Combos of the form name+2 digits:2 digits+name appear almost as often as name:name+2 digits. It means that:

    tony69:tony will appear much more often than tony:tony69
    tony69:69tony will appear as often as tony:tony69

3. Visual associations / visual oppositions

    sun:moon
    qaz:wsx
    qwert:poiuy
    qwert:asdf
    screen:saver
    laser:printer
    check:mate
    etc.

4. Social associations / social oppositions

    bill:clinton (politics, celebrities)
    benson:hedges (company)
    miami:dolphins (sports)
    black:white (racial)
    etc.

5. Logical associations / logical oppositions

    1234:12345
    1234:5678
    123:456
    abc:123
    abc:def
    true:false
    in:out
    etc.

It is common to see combos where the login has been chosen from the "related to the user" class and the password from the "related to the subject" class or the "logical associations" class. Examples:

    mike:123
    joe:123456
    joe:sex
    etc.

Search for the good sources of information. Example: the site of the U.S. Census Bureau hosts the male, female and last name lists in order of frequency in the U.S.A. Do you think it can help? Well, do your search. Have you already made the link: if it exists in the U.S.A., maybe it exists in other countries ...
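Seen from the side of the site operator, the same classes become a check run at signup or password change. The following is an added example, not part of the original text: it rejects pairs where the password is derived from the login (class 2), is a site-vocabulary word (class 1), a keyboard row or column (class 3) or a plain sequence (class 5). The function name, the term list and the run tables are assumptions; name lists and association pairs (class 4) would need dictionaries and are left out.

```python
import re

# Constructed sample vocabulary (the accounting-site words from the text);
# a real deployment would load terms related to its own site name and subject.
SITE_TERMS = {"assets", "liability", "profit", "losses"}
# Keyboard rows and columns (class 3) and counting/alphabet runs (class 5).
KEY_RUNS = ("qwertyuiop", "poiuytrewq", "asdfghjkl", "zxcvbnm", "qaz", "wsx", "edc")
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz")


def _letters(s):
    """Keep lower-case letters only, so 'tony69' and '69tony' both become 'tony'."""
    return re.sub(r"[^a-z]", "", s.lower())


def _is_run(s, tables):
    """True if s (3+ characters) is a contiguous slice of one of the tables."""
    return len(s) >= 3 and any(s in t for t in tables)


def weak_combo_reasons(login, password, site_terms=SITE_TERMS):
    """Return the reasons to reject a login/password pair (empty list: none found)."""
    reasons = []
    p = password.lower()
    la, pa = _letters(login), _letters(password)
    if la and pa:  # class 2: password built from the login itself
        if pa == la:
            reasons.append("password is the login, ignoring digits and symbols")
        elif pa == la[::-1]:
            reasons.append("password is the login reversed")
        elif min(len(la), len(pa)) >= 3 and (pa in la or la in pa):
            reasons.append("password and login contain one another")
    if p in site_terms or pa in site_terms:  # class 1
        reasons.append("password is a word from the site's vocabulary")
    if _is_run(p, KEY_RUNS):  # class 3
        reasons.append("password is a keyboard row or column")
    if _is_run(p, SEQUENCES):  # class 5
        reasons.append("password is a counting or alphabet sequence")
    return reasons
```

An empty list only means none of these patterns matched; it does not make the password strong, so the check belongs alongside a length requirement and a breached-password lookup.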
Broadening the field of study:

Creating wordlists is not by itself hacking. However, gaining an account name can sometimes be done only through a brute-force attack. Don't reject this as lame. Checking for weak l/p is no more or less lame than using a port scanner to map a server or using JtR to decrypt a stolen .htpasswd file. It is part of a hacking process or of any serious security audit exercise.

Now that you have got some tips on how to create effective wordlists, time to work!! But start reading about HTML, ports, the TCP/IP protocol, exploits ... Install a version of Linux on your computer and gain some experience with it, and remember: there is NO theoretical hacking. You have to do and try what you read. Only practical experience will give you REAL KNOWLEDGE!! Now it's time to work!!!!

Good luck,
Just1ce.