loading
loading
Utilities
A Ruby app that spiders a URL and returns a wordlist for password crackers.
overview
CeWL spiders a given URL to a set depth and collects the words it finds on the pages, then writes them out as a wordlist. Instead of a generic dictionary, you get terms drawn from the target itself: product names, internal jargon, employee names, and phrases that people at that organization reuse in passwords. That makes the list far more relevant to one engagement than an off-the-shelf rockyou.
You control how the spider behaves and what it keeps. Set crawl depth with -d, follow external links or stay on-site, require a minimum word length, and optionally pull email addresses and document metadata while it runs. Authentication and proxy options let it crawl pages behind a login or through an intercepting proxy.
In a Trickest workflow, CeWL takes a URL and writes a file plus a folder of results. Run it early to seed a target-specific wordlist, then feed that list into a password-cracking or fuzzing stage so the rest of the workflow tests credentials and paths that match the target's own vocabulary.
source github.com/digininja/CeWL
use cases
Spider a company site to harvest its own terminology, then feed the list to a cracker so guesses match the words employees reuse in passwords.
Enable --email and --meta to pull addresses and document author data alongside the wordlist, useful for OSINT and username generation.
Supply basic or digest credentials so CeWL reaches words on pages behind a login, where the richer internal vocabulary tends to live.
Pass the generated wordlist into a content or parameter fuzzer so brute-force guesses draw on terms the target itself exposes.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | · | The site to spider (passed as the positional target URL). |
| depth | STRING | -d | Depth to spider to (default 2). |
| min-word-length | STRING | --min_word_length | Minimum word length to keep (default 3). |
| count | BOOLEAN | --count | Show the count for each word found. |
| with-numbers | BOOLEAN | --with-numbers | Accept words containing numbers, not only letters. |
| BOOLEAN | Include email addresses found while crawling. | ||
| meta | BOOLEAN | --meta | Include document metadata in the results. |
| offsite | BOOLEAN | --offsite | Let the spider visit sites beyond the target. |
Showing key inputs. cewl exposes 25 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | · | The site to spider (passed as the positional target URL). |
| depth | STRING | -d | Depth to spider to (default 2). |
| min-word-length | STRING | --min_word_length | Minimum word length to keep (default 3). |
| max-word-length | STRING | --max_word_length | Maximum word length (default unset). |
| count | BOOLEAN | --count | Show the count for each word found. |
| with-numbers | BOOLEAN | --with-numbers | Accept words containing numbers, not only letters. |
| lowercase | BOOLEAN | --lowercase | Lowercase all parsed words. |
| groups | BOOLEAN | --groups | Return groups of words as well as single words. |
| BOOLEAN | Include email addresses found while crawling. | ||
| meta | BOOLEAN | --meta | Include document metadata in the results. |
| offsite | BOOLEAN | --offsite | Let the spider visit sites beyond the target. |
| allowed | STRING | --allowed | Regex pattern a path must match to be followed. |
| exclude | FILE | --exclude | File listing paths to exclude from the crawl. |
| header | STRING | --header | Extra header in name:value form; can be passed multiple times. |
| user-agent | STRING | --ua | User agent string to send with requests. |
| auth-type | STRING | --auth_type | Authentication type: digest or basic. |
| auth-user | STRING | --auth_user | Authentication username for pages behind a login. |
| auth-pass | STRING | --auth_pass | Authentication password. |
| proxy-host | STRING | --proxy_host | Proxy host to route requests through. |
| proxy-port | STRING | --proxy_port | Proxy port (default 8080). |
| proxy-username | STRING | --proxy_username | Username for the proxy, if required. |
| proxy-password | STRING | --proxy_password | Password for the proxy, if required. |
| convert-umlauts | BOOLEAN | --convert-umlauts | Convert common Latin-1 umlauts (ä to ae, ö to oe, ü to ue, ß to ss). |
| verbose | BOOLEAN | --verbose | Verbose output. |
| debug | BOOLEAN | --debug | Print extra debug information. |
example
# spider example.com to depth 2, keep words 5+ chars, show counts, allow digitscewl -d 2 --min_word_length 5 --count --with-numbers https://example.com > wordlist.txtexample, 318security, 205platform, 154research, 132engineering, 118automation, 96credentials, 74workflow, 61onboarding, 47guidance
Reach for CeWL when a target's own vocabulary will beat a generic dictionary, such as cracking credentials at one organization. For a static, reusable wordlist there is nothing to crawl. For pulling links and endpoints rather than raw words, use a crawler like katana instead.
Crawls for endpoints and links, not words. Use it to map an app, CeWL to harvest its vocabulary.
Fast web spider for URLs. CeWL is purpose-built to emit a wordlist for cracking.
Cleans and normalizes a list. Run it after CeWL to tidy the harvested words.
faq
related
Import, export, and link workflow data with Airtable.
Decode Android APK files into smali sources and resources.
Check a file's values against conditions and exit with a matching code.
Extract all hosted zones from AWS Route53.
Output file lines by batch size, given START_LINE and END_LINE.
Extract a batch range from a file's lines or a folder's files, with parallel processing.
A target URL feeds CeWL, which spiders the site, collects its words, and writes a target-specific wordlist ready for cracking or fuzzing.
Facts on this page come from the live Trickest tool library.