An overpower wordlist generator, splitter, merger, finder, saver, create words permutation and combinations, apply different encoding/decoding and everything you need.
Frustration killer! & Customizable!
Use Go or download latest builds
go install -v github.com/glitchedgitz/cook/v2/cmd/cook@latest
After installation, run
cookfor one time.
It will setup and download cook-ingredients at
%USERPROFILE%/cook-ingredientsfor windows &
$home/cook-ingredientsfor linux.
Without basics, everything is useless.
Name them anything and use them to generate the pattern. This will be more useful when you apply encoding column-wise using methods.
cook -start intigriti,bugcrowd -sep _,- -end users.rar,secret.zip / start sep end
Note: you must include parameter in the pattern, otherwise it will not print anything.
Append line by line. So basically if you want to merge two lists line by line. Then use it. And as always you can append multiple columns using column
Cook uses cook-ingredients, it's YAML Collection of word-sets, extensions, funcitons to generate pattern and wordlists.
Current fetched databases
| Name | Link |
|---|---|
| Assetnotes Wordlsits | https://wordlists.assetnote.io/ |
| Seclist | https://github.com/danielmiessler/SecLists |
| FuzzDB | https://github.com/fuzzdb-project/fuzzdb |
| Bruteforce Database | https://github.com/duyet/bruteforce-database |
| Bruteforce Lists | https://github.com/random-robbie/bruteforce-lists |
| OneListForAll | https://github.com/six2dez/OneListForAll |
cook search [keyword]
Here we search for api using cook search api
then using the file name you can fetch use the file cook an-apiroutes
Note that
secis shortname for seclist,anfor assetnote,fzfor fuzzdb like this...
Edit my.yaml manually or use these commands.
cook add [keyword]=[values, separated by comma] in [category]
If keyword doesn't exist it will create it.Otherwise it will update it and add the new value in the same variable.
cook add same variable=https://example2.com in filescook add unique_name=word1,word2,word3 in listsCategory are
files,raw-files,functionsandlists
cook delete [keyword]
To fetch local files or URLs, use : after param name.
cook -f: live.txt f
cook -f: https://example.com/wordlist.txt f
Using methods you can encode, decode, reverse, split, sort, extract and can do much more...
Methods can be applied on final output or column-wise
-m/-methodto apply methods on the final output-mc/-methodcolto apply column-wise.param.methodnameapply to any parameter-wise, will example this param thing later.
- Overlapping Encodings:
- Use dot
. md5.b64e.urleapply multiple methods one by one.- Output Logic:
Generated Pattern>md5 hashing>base 64 encoding>URL Encoding.
- Use dot
- Different Encodings:
- Use comma
, md5,sha1,sha256apply different encoding to the same generated pattern.- Output Logic:
Generated Pattern>md5 hashingGenerated Pattern>sha1 hashingGenerated Pattern>sha256 hashing
- Use comma
Special focus on these 2 methods, these will be great help everytime you use any wordlist.
▶ cook adminNew,admin_new -m smart
admin
New
admin
new
It breaks and join back with the supplied character.
▶ cook adminNew,admin-old -m smartjoin[:_]
admin_New
admin_old
Apply Cases over separated
Here we applied camlecase
▶ cook suppose_this_is_long_text -m smartjoin[c:_]
suppose_This_Is_Long_Text
All methods cook help methods
All methods
METHODS
Apply different sets of operations to your wordlists
STRING/LIST/JSON
sort - Sort them
sortu - Sort them with unique values only
reverse - Reverse string
split - split[char]
splitindex - splitindex[char:index]
replace - Replace All replace[this:tothis]
leet - a->4, b->8, e->3 ...
leet[0] or leet[1]
json - Extract JSON field
json[key] or json[key:subkey:sub-subkey]
smart - Separate words with naming convensions
redirectUri, redirect_uri, redirect-uri -> [redirect, uri]
smartjoin - This will split the words from naming convensions &
param.smartjoin[c,_] (case, join)
redirect-uri, redirectUri, redirect_uri -> redirect_Uri
u upper - Uppercase
l lower - Lowercase
t title - Titlecase
URLS
fb filebase - Extract filename from path or url
s scheme - Extract http, https, gohper, ws, etc. from URL
user - Extract username from url
pass - Extract password from url
h host - Extract host from url
p port - Extract port from url
ph path - Extract path from url
f fragment - Extract fragment from url
q query - Extract whole query from url
k keys - Extract keys from url
v values - Extract values from url
d domain - Extract domain from url
tld - Extract tld from url
alldir - Extract all dirrectories from url's path
sub subdomain - Extract subdomain from url
allsubs - Extract subdomain from url
ENCODERS
b64e b64encode - Base64 encoder
hexe hexencode - Hex string encoder
charcode - Give charcode encoding
charcode[0] without semicolon
charcode[1] with semicolon
jsone jsonescape - JSON escape
urle urlencode - URL encode reserved characters
utf16 - UTF-16 encoder (Little Endian)
utf16be - UTF-16 encoder (Big Endian)
xmle xmlescape - XML escape
urleall urlencodeall - URL encode all characters
unicodee unicodeencodeall - Unicode escape string encode (all characters)
DECODERS
b64d b64decode - Base64 decoder
hexd hexdecode - Hex string decoder
jsonu jsonunescape - JSON unescape
unicoded unicodedecode - Unicode escape string decode
urld urldecode - URL decode
xmlu xmlunescape - XML unescape
HASHES
md5 - MD5 sum
sha1 - SHA1 checksum
sha224 - SHA224 checksum
sha256 - SHA256 checksum
sha384 - SHA384 checksum
sha512 - SHA512 checksum
Too overpower? But everyday you came accross weird BB stuff, like a big json file from target? May be you want to extract, join, merge or whatever. You can use cook smartly as per your usecase.
Let's say you read this blog https://blog.assetnote.io/2020/09/18/finding-hidden-files-folders-iis-bigquery/.
Now you will also want to save BIG ZIP FILE wordlist by assetnote. https://storage.googleapis.com/zipfilesbq/zipfiles.json
COOK already saved this file at cook shub_zip_files, but if save a wordlist, use cook add shub_zip_files=[URL] in files
File contains data like this, but this isn't directly useful for you, Is it?
{"repo_name":"cocowool/RoseCMS","ref":"refs/heads/1","path":"user_guide/_downloads/ELDocs.tmbundle.zip","mode":"33261","id":"f7a11b364ca918379b48ad525798148e7470b6b1"}
{"repo_name":"xuguanfeng/practise","ref":"refs/heads/1","path":"node_modules/selenium-webdriver/node_modules/adm-zip/test/assets/fast.zip","mode":"33188","id":"f4ed17b98c9d7bcd21efc4523ce75fbe2b071d0a"}
{"repo_name":"xuguanfeng/practise","ref":"refs/heads/1","path":"node_modules/selenium-webdriver/node_modules/adm-zip/test/assets/store.zip","mode":"33188","id":"e2add30dc0e3129dc89e20a71abe7314052d0002"}
{"repo_name":"xuguanfeng/practise","ref":"refs/heads/1","path":"node_modules/selenium-webdriver/node_modules/adm-zip/test/assets/ultra.zip","mode":"33188","id":"86a8ec776107c075ce2c7f803472aa97dc25cbf7"}
{"repo_name":"xuguanfeng/practise","ref":"refs/heads/1","path":"node_modules/selenium-webdriver/node_modules/adm-zip/test/assets/normal.zip","mode":"33188","id":"b4602c94ee000ee54c71c9302b9db956b3fd9f0e"}
{"repo_name":"xuguanfeng/practise","ref":"refs/heads/1","path":"node_modules/selenium-webdriver/node_modules/adm-zip/test/assets/fastest.zip","mode":"33188","id":"f4ed17b98c9d7bcd21efc4523ce75fbe2b071d0a"}
{"repo_name":"xuguanfeng/practise","ref":"refs/heads/1","path":"node_modules/selenium-webdriver/node_modules/adm-zip/test/assets/maximum.zip","mode":"33188","id":"86a8ec776107c075ce2c7f803472aa97dc25cbf7"}
...Not just we can extract it, we extracted filebase from path and sort unique, then use smartjoin to create diff permuataions.
cook -z shub_zip_files z.json[path].fb.sortu.smartjoin[c:_]
- Use
*for horizontal repeating. - Use
**for vertical repeating. - And try this
*10-1or this*1-10.
You can use generated output from cook directly with ffuf or any other tools using pipe.
cook usernames_list : passwords_list -m b64e | ffuf -u https://target.com -w - -H "Authorization: Basic FUZZ"
Similarly you can fuzz directories/headers/params/numeric ids... And can apply required algorithms on your payloads.
cook **100 | ffuf -w - -u https://example.com/FUZZcook -dob date[17,Sep,1994] elliot _,-, dob
Customize:
Create your own functions incook-ingredients/my.yamlunder functions:
| Columns | Separated by space |
| Values | Separated by comma |
| Params | You can give param any name, use - before anything to make it param -param value |
| Raw Strings | Use ` before and after the string to stop cook's parsing. Useful when you need to use any keyword as a word. |
| Pipe Input | Take pipe input using - as value of any param. |
| File Input | Use : after param name to take file input. cook -f: live.txt f |
| Functions | Can be called using params only. |
| Methods | Can be used on params or on final output |
| Flag | Usage |
|---|---|
| -a, -append | Append to the previous lines, instead of permutations |
| -c, -col | Print column numbers and there values |
| -conf, -config | Config Information |
| -mc, -methodcol | Apply methods column wise -mc 0:md5,b64e; 1:reverse To all cols separate -mc md5,b64e |
| -m, -method | Apply methods to final output |
| -h, -help | Help |
| -min | Minimum no of columns to print |
- Concurrency
- Autocomplete for shells
- Make append work something like this
cook file1 =/= file2, make sure chars directly work with all terminals. - Add wordlists, wordsets, functions, ports and other things in cook-ingredients
- Making raw string works like as it works in programming languages. Means better parser.
- I don't know, you might use your creativity and add some awesome features. Or you can buy me a coffee☕
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent