CeWL — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026

Custom wordlist generator that crawls a target site and extracts unique words — perfect for context-aware password cracking.

Use case: Password Cracking
Difficulty: Beginner
Homepage: https://github.com/digininja/CeWL

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install cewl

Source

git clone https://github.com/digininja/CeWL && cd CeWL && bundle install

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Crawl site, output wordlist

cewl https://target.com -w wordlist.txt

Min word length 6, depth 3

cewl https://target.com -m 6 -d 3 -w wordlist.txt

Include digits in words

cewl https://target.com --with-numbers -w wordlist.txt

Crawl AND extract emails

cewl https://target.com -e -w words.txt

PDF / DOC content too

cewl https://target.com --meta -w words.txt --meta_file meta.txt

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -d 3 default depth. Bump to 5 for thorough crawl, drop to 1 for quick top-level.
  • --ua "Mozilla..." custom UA — many sites block default Ruby UA.
  • -m 6 minimum word length — shorter generates noise.
  • Pair with rsmangler to permute results: leetspeak, capitalisation, year suffixes.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Crawls only HTML by default. PDF/DOCX content needs --meta + extra plugins.
  • Some sites block Ruby HTTP libraries. Set --ua.
  • Speed: crawls one URL at a time. Big sites = hours.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • katana (ProjectDiscovery) — modern crawler; pipe through tr for word extraction.
  • BBHM (in Burp) — passive word extraction from proxy traffic.

India context and engagement notes

Indian-context password cracking: build the wordlist from the company website, LinkedIn profile and product names. Combined with rsmangler, this finds RingSafe@2026, Manish123 and cybersec!-style passwords that no generic wordlist contains.
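
The same wordlist works as a defensive control. The sketch below is an added example, not code from the original article or the CeWL project: it screens new passwords against CeWL output for your own organisation's site, so passwords built on site words with leetspeak, capitalisation or year suffixes are rejected when they are set. The sample wordlist, the function names and the six-character minimum are assumptions.

```python
# Added example: screen passwords against a CeWL wordlist of your own site.
# Assumes plain `cewl -w` output: one word per line, no counts.

# Undo the common leetspeak substitutions a mangler such as rsmangler applies.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample standing in for the lines of wordlist.txt.
SAMPLE_WORDLIST = ["RingSafe", "Manish", "cybersec", "academy", "the", "team"]


def load_words(lines, min_len=6):
    """Lowercase and de-duplicate words, dropping short ones that over-match."""
    return {w.strip().lower() for w in lines if len(w.strip()) >= min_len}


def context_match(password, words):
    """Return the site-derived word the password is built on, or None."""
    raw = password.lower()
    # Check the password as typed and with leetspeak reversed; substring
    # matching covers capitalisation, year suffixes and trailing symbols.
    candidates = (raw, raw.translate(LEET))
    hits = [w for w in words if any(w in c for c in candidates)]
    return max(hits, key=lambda w: (len(w), w)) if hits else None


if __name__ == "__main__":
    words = load_words(SAMPLE_WORDLIST)
    for pw in ["RingSafe@2026", "Manish123", "cybersec!", "R1ng$4fe2026",
               "correct-horse-battery-staple"]:
        hit = context_match(pw, words)
        print(f"{pw!r}: {'REJECT, built on ' + hit if hit else 'ok'}")
```

Regenerate the wordlist whenever the site changes, since new product and staff names become new password bases.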


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
