Adding custom wordlists in Metasploit for brute force password audits

Blog Post created by ckirsch on Dec 5, 2011

In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:


  • If you are security testing a hospital, you may want to add a dictionary with medical terms.
  • If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
  • Another good idea is to build a custom wordlist based on the organization's website (try the Wordlist Ruby gem to generate a wordlist based on a URL scrape).
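
The idea in the last bullet, as an added example that is not from the original post and does not use the Wordlist gem's API: it turns the visible text of a saved page into a de-duplicated, frequency-ordered wordlist file with one word per line. The sample HTML, the function names, the output file name and the five-character minimum are assumptions made for illustration.

```ruby
# Added example: derive a wordlist from saved page text (no network access).

# Constructed sample standing in for a page saved from the organization's site.
SAMPLE_HTML = <<~HTML
  <html><head><title>St. Example Klinikum</title>
  <style>body { color: red; }</style>
  <script>var tracking = "ignoreme";</script></head>
  <body><h1>Kardiologie &amp; Radiologie</h1>
  <p>Das Klinikum bietet Kardiologie, Onkologie und eine Notaufnahme.</p>
  <!-- internal comment -->
  </body></html>
HTML

# Strip markup so that only the text a visitor would read remains.
def visible_text(html)
  html.gsub(%r{<(script|style)\b.*?</\1>}mi, ' ') # drop script/style bodies
      .gsub(/<!--.*?-->/m, ' ')                   # drop HTML comments
      .gsub(/<[^>]+>/, ' ')                       # drop remaining tags
      .gsub(/&[a-z#0-9]+;/i, ' ')                 # drop HTML entities
end

# Return unique lowercase words of at least min_len letters,
# most frequent first, ties broken alphabetically.
# \p{L} matches any Unicode letter, so umlauts and accents are kept.
def build_wordlist(html, min_len: 5)
  counts = Hash.new(0)
  visible_text(html).scan(/\p{L}+/) do |word|
    counts[word.downcase] += 1 if word.length >= min_len
  end
  counts.sort_by { |word, n| [-n, word] }.map(&:first)
end

# Write one word per line, the plain-text layout wordlist files normally use.
def write_wordlist(words, path)
  File.write(path, words.join("\n") + "\n")
end

if __FILE__ == $PROGRAM_NAME
  words = build_wordlist(SAMPLE_HTML)
  write_wordlist(words, 'custom_wordlist.txt')
  puts words
end
```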


Once you have a wordlist, you can easily add it to Metasploit. Here's a video to show you how:



Adding custom wordlists this way will work in Metasploit Express and Metasploit Pro. If you want to try it out, get your free Metasploit Pro trial today!