Provision wordlists for password cracking at install time#99
Merged
Conversation
Install script now downloads: - rockyou.txt (14M passwords) — default wordlist for hashcat/john - SecLists top-1M password list — fast credential spraying - SecLists xato-net usernames — user enumeration Handles existing rockyou.txt.gz (Kali default) by decompressing. Adds rockyou readiness check. Bump to 2.1.7. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds install-time provisioning of common password/username wordlists needed by cracking tooling in the network-ops capability, and wires a readiness check to ensure the expected rockyou path exists at runtime.
Changes:
- Download (or decompress, if present)
rockyou.txtinto/usr/share/wordlists/during provisioning. - Download SecLists top-1M password list and a common username list into
/usr/share/wordlists/. - Bump
network-opsversion and add a capability readiness check forrockyou.txt.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| capabilities/network-ops/scripts/install_coercion_tools.sh | Adds wordlist provisioning (download/decompress) to ensure cracking tools have expected default wordlists available. |
| capabilities/network-ops/capability.yaml | Version bump and adds a readiness check for the rockyou wordlist. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- rockyou.txt — standard 14M password list (unchanged) - 10k-most-common.txt — fast first-pass for spraying (replaces 1M list) - OneRuleToRuleThemAll.rule — hashcat rules that multiply any wordlist's effectiveness (replaces username list) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…r suppression Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wordlist and rules download failures should not abort the script and prevent coercion script cloning. Added || echo fallbacks to all curl and gunzip calls. Fixed mkdir for hashcat rules dir to fail gracefully with a clear message instead of falling through to a broken curl. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| # Combines rules from Hob0Rules, KoreLogic, NSA, and hashcat generated rules | ||
| # Non-fatal: rules dir may not be writable and that's OK | ||
| RULES_DIR="/usr/share/hashcat/rules" | ||
| if mkdir -p "$RULES_DIR" 2>/dev/null; then |
Contributor
Author
There was a problem hiding this comment.
Fixed in 4a35d08 — changed to 2>&1 so mkdir errors are visible alongside our fallback message.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hashcat and john_the_ripper default to
/usr/share/wordlists/rockyou.txtwhich doesn't exist on the runtime.Added
rockyou.txt(14M passwords), SecLists10k-most-common.txt(fast spraying), andOneRuleToRuleThemAll.rule(hashcat rules) at provision timerockyou.txt.gzby decompressing instead of re-downloadingrockyou.txtcurl --retry 3for transient network resilience