A professional, engagement-ready wordlist generator designed for penetration testers.
Generates high-quality, realistic, and efficient wordlists for:
- Active Directory Password Spraying
- Kerberos / AS-REP Roasting
- SMB / LDAP / RDP low-noise spraying
- Web login brute forcing (Hydra / Burp Suite)
- SSH / FTP brute forcing
- Offline cracking (hashcat)
All wordlists are English-only, optimized for PNPT-level engagements, CTFs, and real-world pentests.
- Linux/Unix system (Kali Linux recommended)
- Bash 4.0+
- Optional: RockYou wordlist (`/usr/share/wordlists/rockyou.txt`)

```bash
git clone https://github.com/mbcyberworks/pnpt-wordlist-generator
cd pnpt-wordlist-generator
chmod +x pnpt-wordlist-generator.sh
```

Simple version:

```bash
./pnpt-wordlist-generator.sh <CompanyName>
```

Examples:

```bash
./pnpt-wordlist-generator.sh Capstone
./pnpt-wordlist-generator.sh Marvel
```

Optional: specify RockYou path:

```bash
./pnpt-wordlist-generator.sh Capstone /usr/share/wordlists/rockyou.txt
```

Output directory:

```
pnpt-wordlists/
├── pnpt_spray.txt
├── pnpt_bruteforce.txt
├── pnpt_ultimate.txt
└── component files
```

| File | Entries | Use Case |
|---|---|---|
| pnpt_spray.txt | ~120 | AD spraying (safe) |
| pnpt_bruteforce.txt | ~4000 | Web/SSH brute force |
| pnpt_ultimate.txt | ~4500 | Offline cracking |
Used for:
- Kerberos password spraying
- AS-REP roasting username validation
- SMB / LDAP spraying
- RDP low-noise attempts
Contains:
- base weak passwords
- seasons & years
- company patterns
- department names
- complexity strings
Safe by design to prevent lockouts and SIEM alerts.
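
The pattern families listed above are also what a defender screens for when users set or change passwords. The following is an added example, not code from this project: a Python checker that flags candidate passwords falling into those families so they can be rejected or queued for reset. The word lists, the `classify` and `audit` names, and the exact pattern shapes are assumptions; the page does not publish the generator's rules.

```python
import re

# Constructed sample lists (assumptions, not taken from the generator).
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
BASE_WEAK = ("password", "welcome", "changeme", "letmein")
DEPARTMENTS = ("finance", "sales", "helpdesk")

# Undo common character substitutions before matching the stem.
LEET = str.maketrans("@4301$5!7", "aaeoissit")


def classify(password, company):
    """Return the pattern family a password falls into, or None."""
    if not company:
        raise ValueError("company name is required")
    # Split off trailing digits/symbols (years, '!', '123' and similar
    # padding that people add to satisfy complexity rules).
    stem = re.sub(r"[^A-Za-z]+$", "", password)
    suffix = password[len(stem):]
    word = stem.lower().translate(LEET)

    if word.startswith(company.lower()):
        return "company"
    if word in SEASONS and re.search(r"\d", suffix):
        return "season-year"
    if word in BASE_WEAK:
        return "base-weak"
    if word in DEPARTMENTS:
        return "department"
    return None


def audit(passwords, company):
    """Group rejected passwords by family; accepted ones are omitted."""
    report = {}
    for pw in passwords:
        family = classify(pw, company)
        if family:
            report.setdefault(family, []).append(pw)
    return report


if __name__ == "__main__":
    # Constructed candidate passwords for a company called "Capstone".
    sample = ["Summer2024!", "C@pst0ne!", "P@ssw0rd1", "Finance2025",
              "xK9#mQv2!pLw"]
    for family, hits in audit(sample, "Capstone").items():
        print(f"{family}: {hits}")
```

A stem that ends in a substituted character (for example a trailing `3` standing in for `e`) is stripped as padding and not matched, so treat the result as a first-pass filter rather than a complete deny-list.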
Best for:
- Hydra login brute forcing
- Burp Suite Intruder
- SSH / FTP brute forcing
- Weak password testing in labs
Includes:
- everything from the spraylist
- custom high-value words
- curated RockYou top-3500
Best for offline cracking or extended brute forcing.
```bash
hydra -l admin -P pnpt-wordlists/pnpt_bruteforce.txt \
10.10.10.10 http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid"
```

```bash
netexec smb 10.10.10.0/24 -u users.txt \
-p pnpt-wordlists/pnpt_spray.txt \
--continue-on-success
```

```bash
kerbrute passwordspray -d marvel.local users.txt pnpt-wordlists/pnpt_spray.txt
```

```bash
hydra -l root -P pnpt-wordlists/pnpt_bruteforce.txt <target> ssh
```

```bash
hashcat -m 3200 hashes.txt pnpt-wordlists/pnpt_ultimate.txt
```

Note: `<CompanyName>` is always required as the first argument, even when troubleshooting RockYou. The script will not run without it.
The script could not locate the RockYou wordlist at the default path:
/usr/share/wordlists/rockyou.txt
This is optional: the script will still run without it.

```bash
sudo apt install seclists
```

The RockYou file will then be available at:
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Tell the script where it is:

```bash
./pnpt-wordlist-generator.sh MyCompany \
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```

```bash
./pnpt-wordlist-generator.sh MyCompany /path/to/rockyou.txt
```

If you don't need RockYou entries, simply run the script without providing a path:

```bash
./pnpt-wordlist-generator.sh MyCompany
```

The spraylist and bruteforce list will still be fully functional.
Found a bug or want to add patterns? PRs and issues are welcome!
- Bug fixes
- New patterns for industries
- Performance improvements
Created by MB Cyberworks.
MIT License - Use responsibly.