
Wordlists

Bundled wordlists

Legion ships with six curated wordlists ready to use out of the box. These cover the most common cases for web fuzzing, subdomain enumeration, and credential attacks without needing to download anything extra.

File                      What it's for
web-common.txt            Common web paths and files for directory fuzzing
web-raft-small.txt        RAFT small web content list
dns-subdomains-5000.txt   Top 5,000 DNS subdomains for enumeration
users-common.txt          Common usernames for login attacks
users-top-shortlist.txt   Shorter high-probability username list
pass-common.txt           Common passwords for credential spraying

Using wordlists in tools

Any tool that accepts a wordlist shows a dropdown in its form. The bundled lists appear there automatically. Select the one you want and run the tool. You don't need to know where the files are stored or type any paths.

SecLists and rockyou

If you need a broader set of lists, you can install the full SecLists collection from the Downloads section. This gives you thousands of additional lists covering web content, credentials, fuzzing payloads, and more. The rockyou password list is included with that install.

Once installed, all of the SecLists wordlists show up alongside the bundled ones in the wordlist dropdown.

Wordlists already on your machine

If you already have wordlists installed on your system, Legion detects them automatically and adds them to the dropdown. This is useful on Kali where SecLists is often pre-installed, or if you have custom lists you use regularly.

The bundled lists are enough for most tasks. Only install SecLists if you need the extra coverage.