In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:

  • If you are security testing a hospital, you may want to add a dictionary with medical terms.
  • If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
  • Another good idea is to build a custom wordlist based on the organization's website (try the Worldlist Ruby gem to generate a wordlist based on a URL scrape).

Adding custom wordlists this way will work in Metasploit Express and Metasploit Pro. If you want to try it out, get your free Metasploit Pro trial today!