Bundled wordlists
Legion ships with six curated wordlists ready to use out of the box. These cover the most common cases for web fuzzing, subdomain enumeration, and credential attacks without needing to download anything extra.
| File | What it's for |
|---|---|
| web-common.txt | Common web paths and files for directory fuzzing |
| web-raft-small.txt | RAFT small web content list |
| dns-subdomains-5000.txt | Top 5,000 DNS subdomains for enumeration |
| users-common.txt | Common usernames for login attacks |
| users-top-shortlist.txt | Shorter high-probability username list |
| pass-common.txt | Common passwords for credential spraying |
Using wordlists in tools
Any tool that accepts a wordlist shows a dropdown in its form. The bundled lists appear there automatically. Select the one you want and run the tool. You don't need to know where the files are stored or type any paths.
SecLists and rockyou
If you need a broader set of lists, you can install the full SecLists collection from the Downloads section. This gives you thousands of additional lists covering web content, credentials, fuzzing payloads, and more. The rockyou password list is included with that install.
Once installed, all the SecLists lists show up alongside the bundled ones in the wordlist dropdown.
Wordlists already on your machine
If you already have wordlists installed on your system, Legion detects them automatically and adds them to the dropdown. This is useful on Kali where SecLists is often pre-installed, or if you have custom lists you use regularly.