Documentation

How it works

PassingCrackwords generates targeted base-word dictionaries for credential testing. Two modes, one output format — plain text wordlists optimised for rule-based expansion.

Contents

Generation Modes City Detection Output Format & Rule Expansion Tool Integration Advanced Options Limitations Authorization

Generation Modes

AI Location AI

Enter any city, region, or country. AI generates up to 1,000 culturally relevant base words — sports teams, landmarks, local businesses, universities, historical figures, regional slang, food, and cultural references. Output is base words only, ready for rule expansion.

SITE SCRAPENo API cost Site Scrape

Enter a target URL. Our crawler crawls the site and extracts every unique word the organisation uses — brand names, product lines, executive names, campaign terms, and industry jargon. No word cap. Runs entirely locally, no AI API cost.

Default crawl depth is 1 (homepage only). Increase in Advanced Options for broader coverage. Deeper crawls take longer and may approach the Cloudflare tunnel timeout on large sites.

City Detection

City detection is enabled by default on Site Scrape. After the crawl completes, the tool looks up the company's global headquarters via live web search, then runs a Location AI pass for that city and appends the results to your wordlist.

Example: Scraping a Houston-based company's site detects Houston, Texas and appends ~800 Houston-specific terms — Texans, Astros, bayou, rodeo, Galveston, and similar. Scraping a Netherlands-based company would detect the relevant city and append Dutch cultural references.

City detection uses live web search to verify current headquarters data rather than relying on static model knowledge. If the company is not found with high confidence, city detection is skipped and the scrape-only wordlist is returned.

Output Format & Rule Expansion

Output is a plain-text .txt file, one word per line, deduplicated. The filename encodes mode, target, and date:

crackwords_scrape_https___target_com_2026-03-11.txt
crackwords_location_Houston_Texas_2026-03-11.txt

Why base words only?

Words are not pre-expanded with year suffixes, l33tspeak, capitalisation variants, or special character appends. This is intentional — rule engines like d3adOne and best64 generate these variants more comprehensively and efficiently at crack time. Pre-expanding inflates the wordlist with lower-quality variants and slows your attack.

Hashcat rule expansion

# Apply d3adOne rule (recommended for targeted attacks)
hashcat -a 0 -m 1000 hashes.ntds wordlist.txt -r d3adOne.rule

# Stack rules for broader coverage
hashcat -a 0 -m 1000 hashes.ntds wordlist.txt -r best64.rule -r d3adOne.rule

# Combine multiple wordlists before applying rules
cat location_wordlist.txt scrape_wordlist.txt | sort -u > combined.txt
hashcat -a 0 -m 1000 hashes.ntds combined.txt -r d3adOne.rule

Tool Integration

Pentera

Upload the .txt file as a custom wordlist in your Pentera campaign configuration. Pentera's rules engine applies variant expansion automatically — do not pre-expand before importing. Base words are the correct format.

Medusa

medusa -H targets.txt -U users.txt -P crackwords_output.txt -M ssh -t 4

Hashcat

# NTLM hashes with rule expansion
hashcat -m 1000 -a 0 hashes.ntds crackwords_output.txt -r d3adOne.rule --force

# NetNTLMv2
hashcat -m 5600 -a 0 captured.txt crackwords_output.txt -r best64.rule

Burp Suite Intruder

Load the .txt file as a Simple List payload in Intruder. Use against login endpoints in a credential stuffing test. Combine with a username list from LinkedIn or OSINT for targeted spraying.

Advanced Options

Crawl Depth — 1 to 3. Default: 1 (homepage only). Depth 2–3 captures more pages but increases crawl time and the risk of hitting the 100s Cloudflare timeout. Use depth 1 for quick profiling, depth 2–3 for comprehensive coverage on smaller sites.
Min Word Length — Minimum characters for a scraped word to be included. Default: 3. Increase to 6 to eliminate common short words (the, and, for, etc.) that add noise without adding value as password candidates.
Include Metadata — Extracts words from meta tags, alt attributes, and page titles in addition to body text. Useful for finding product codenames, taglines, and SEO keywords.
City Detection — On by default. Disable to skip city lookup and Location AI, returning a scrape-only wordlist. Useful when the company location is already known or when speed is the priority.

Limitations

JavaScript-rendered sites — React, Next.js, and Angular SPAs return 0 words because our crawler reads static HTML. If the site renders entirely client-side, the scrape will fail. Check the page source to confirm readable HTML content exists before scraping.
Authenticated or WAF-protected sites — Sites behind login walls, CAPTCHAs, or aggressive bot detection may block the crawl or return partial content.
City detection accuracy — Accuracy depends on the company's online footprint. Well-known companies are reliably detected. Smaller or regional companies may return no city or an incorrect one — verify the detected city before using.
Crawl timeout — The Cloudflare tunnel has a 100-second timeout. Deep crawls on large sites may be cut short. The async job system returns whatever was collected before the timeout.
Location AI word cap — Each Location AI run generates ~1,000 words. For engagements requiring broader coverage, run multiple cities and merge the output files.

Authorization

This tool is for authorized security testing only. Use only against targets for which you have explicit written permission. Unauthorized credential testing and password cracking is illegal in most jurisdictions. The operator assumes no liability for misuse.