Improvement proposal: Wordlists packages for a better security pentest user experience

Hello all,

I would like to discuss an improvement I would like to make for all wordlist-related packages (security related), but I’m not sure if that is a good idea or if there is another good idea, see:

If I’m using for instance wpscan/gobuster/feroxbuster/nmap/hydra (a tool that needs a wordlist as an input to bruteforce), my experience is not great during pentesting because I need to find in /nix/store/ the proper package folder containing the seclists pkg and look into $out/share/wordlists.

Usually under other distros, wordlists installed using a package manager are stored in /usr/share/wordlists, but this is not always the case (other paths proposed are /usr/share/dict or /usr/share/<whatever_name_that_feats>).

I would like community feedback on this possible improvement, and also to know if it seems wise to other users, or is there a better way to use the current package without changing anything that I’m not aware of?

I don’t think this is necessary.

Because, when using the wordlists package, you get two extra scripts that are wordlists and wordlists_path, which respectively display the lists from disk, and give the filesystem location where the lists can be found.

c.f.

This is true only when using the wordlists pkg; how does it relate to other wordlists packages such as seclists or rockyou?

These lists aren’t meant to be consumed as is by end users. They are bundled into wordlists package like so:

environment.systemPackages = [
  (pkgs.wordlists.override { lists = with pkgs; [ rockyou seclists ]; })
];

or

nix-shell -p 'wordlists.override { lists = with (import <nixpkgs> {}); [ rockyou seclists ]; }'

c.f. search.nixos.org/packages?show=wordlists

Sorry, I wasn’t aware. Has this been documented somewhere in a manual?

Sadly, no, because the author of the package didn’t want to do it:


Thanks, will see if I can improve this then!


Hey, I did as I said in the comment and wrote it into the package description D:

The wordlists package provides two scripts. One is called wordlists, and it will list a tree of all the wordlists installed. The other one is called wordlists_path, which will print the path to the nix store location of the lists. You can for example do $(wordlists_path)/rockyou.txt to get the location of the rockyou wordlist. If you want to modify the available wordlists you can override the lists attribute. In your nixos configuration this would look similar to this:

environment.systemPackages = [
  (pkgs.wordlists.override { lists = with pkgs; [ rockyou ]; })
];

You can use this with nix-shell by doing:

nix-shell -p 'wordlists.override { lists = with (import <nixpkgs> {}); [ nmap ]; }'

If you want to add a new package that provides wordlist/s the convention is to copy it to $out/share/wordlists/myNewWordlist.

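The convention and the override described in the thread can be combined in one `shell.nix`. This is an added example, not code from the thread or from nixpkgs; the names `denyTerms`, `myNewWordlist`, `auditWordlists` and the `WORDLISTS` variable are hypothetical, and the list entries are constructed sample values.

```nix
# shell.nix -- added example, not part of nixpkgs.
# Packages a local wordlist under $out/share/wordlists (the convention
# quoted above) and bundles it with rockyou and seclists via the
# `lists` override, so every list is reachable from one stable path.
{ pkgs ? import <nixpkgs> { } }:

let
  # Constructed sample entries: terms an internal password audit
  # would want rejected by the organisation's password policy.
  denyTerms = pkgs.writeText "deny-terms.txt" ''
    examplecorp
    ExampleCorp2024
    examplecorp-vpn
  '';

  # Hypothetical package following the convention: the list is
  # installed at $out/share/wordlists/<name>, mirroring rockyou.txt.
  myNewWordlist = pkgs.runCommand "my-new-wordlist" { } ''
    install -Dm444 ${denyTerms} $out/share/wordlists/myNewWordlist.txt
  '';

  # The wordlists wrapper with an explicit set of lists.
  auditWordlists = pkgs.wordlists.override {
    lists = [ pkgs.rockyou pkgs.seclists myNewWordlist ];
  };
in
pkgs.mkShell {
  packages = [ auditWordlists ];

  # wordlists_path is on PATH once the shell starts; exporting its
  # output avoids hunting through /nix/store for the right hash.
  shellHook = ''
    export WORDLISTS="$(wordlists_path)"
    echo "wordlists available under $WORDLISTS"
  '';
}
```

Inside the resulting shell, tools can be pointed at `$WORDLISTS/rockyou.txt` or `$WORDLISTS/myNewWordlist.txt` instead of a hard-coded store path, which changes whenever the package is rebuilt.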