Cheat sheets

Password lists for Kali Linux and more

We have listed down 900+ projects which hold thousands and millions of passwords and tools which you can use for your (Kali Linux) password lists.

The great part of this collection is that all of the projects are related to passwords.

This means that the projects that you find here are:

  • Massive password lists
  • Password tools
  • Password recovery tools

All of the mentioned items above have the password list included.

How to use

Well, the list contains Github projects, and the cool thing with Github is, that it allows you to download the Github project locally. It is recommended to download the Github projects, and perform a query to get all of the passwords from those projects. Once you have your selection, you can make your password list for let’s say Kali Linux.


There are many types of tools we can use for password cracking. Sometimes custom scripts will be written to perform this task. More often, default tools will be used which are available for free or already present in distributions like Kali Linux.

These are 10 top password cracking tools which you find in Kali Linux:

John the Ripper
John the Ripper is one of the better known password hacking tools and is available by default in Kali Linux. There are also Mac and Windows variants of John the Ripper.

John the ripper

John the Ripper is fully configurable according to your wishes and insight and combines different cracking methods and is specifically focused on cracking weak Linux passwords. Out-of-the-box, John the Ripper supports crypt (3), DES, MD5, Kerberos and many others.

Aircrack-NG is specially designed for recovering WiFi (WEP / WPA (2)) passwords. Aircrack-NG is a suite which consists of Airmon, Airodump and Aircrack. Aircrack-NG retrieves WiFi passwords by analyzing packets that are sent wirelessly.


Aircrack-NG is a command-line tool but there are several GUI-based scripts that use Aircrack-NG in the background, such as e.g. Fluxion.

L0phtCrack is an alternative variant of OphCrack. OphCrack is a rainbow-table password cracking tool for Windows. L0phtCrack is also this, but offers multiple functions such as dictionary attacks and brute forcing.


L0phtCrack works on workstations, servers, network stations, AD etc. In addition, L0phtCrack offers configurable routine audits. L0phtCrack is a fantastic Windows password cracking tool.

Cain and Able
Remarkably, Cain and Able is only available for Windows systems and is used for cracking Windows passwords. However, Cain and Able can do a lot more than just recover Windows passwords.

Cain and Able can also act as a network sniffer or a Man-in-the-Middle proxy. But it can also record VoIP calls, perform cryptanalysis attacks, reveal password boxes, retrieve passwords from different caches, etc. Cain and Able works through dictionary attacks and brute-force attacks.

THC Hydra
THC Hydra is a web application cracking tool for recovering passwords. Medusa, Wfuzz and many other tools are available to crack web applications. However, THC Hydra is a great choice if you are trying to retrieve HTTP-FORM-GET and POST, HTTP-GET, HTTPS-GET, IMAP, ICQ, IRC, LDAP, MS-SQL, NNTP passwords.

These are not the only authentication methods that are supported. THC Hydra is incredibly fast and the functionality can be expanded through various modules. THC Hydra is available on almost all platforms.

Wfuzz is a web application password cracking tool. Wfuzz cracks passwords using brute-forcing but at the same time tries to find hidden resources such as scripts and dictionaries. Wfuzz supports the use of proxy and SOCKS and can be set to take a break after x number of requests. Generated output is a formatted HTML.

HashCat is perhaps the best-known password cracker. According to the documentation, Hashcat is one of the fastest password crackers because HashCat uses multi-threading and thus functions optimally on modern computers.

HashCat also supports multiple (maximum 128) GPUs and focuses on cracking passwords via dictionary attacks. HashCat can handle more than 150 algorithms including MD5, SHA-1, SHA-512, IKE-PSK, Kerberos 5 etc.

Crowbar (formerly Levye) is in my top 10 list because Crowbar supports algorithms that many popular password cracking tools do not support. Think of VNC Key Authentication, OpenVPN, SSP Private Key Authentication, RDP with NLA.

Crowbar uses brute-forcing methods. Crowbar also works differently from other tools. While many tools for SSH Brute Force use a username and password, Crowbar tries to use the SSH keys (if these can be intercepted).

Brutus is an older password cracking tool that has not been maintained for a while. Like Cain and Able, Brutus is only available for Windows. Despite its age, it can still be very handy in many cases.

Brutus supports the following authentications by default: HTTP (basic authentication & HTML Form / CGI), POP3, FTP, SMB, Telnet, IMAP, NNTP.

RainbowCrack is, as the name suggests, a hash-cracking tool based on rainbow tables. RainbowCrack uses a “large-scale time-memory trade off process” and therefore works very fast.

RainbowCrack helps you generate the Rainbow tables, but the makers have also made various rainbow tables (LM, NTLM, MD5, SHA1) available for download which you can use for free.

Download Password list projects