Home Forums Article Discussions Article Discussions by Author Discuss content posted by Geoff Albin How to recover a SQL Server login password. RE: How to recover a SQL Server login password.

  • March 5, 2013 at 4:32 pm

    #1593684

    As a note for the mildly more advanced, in general, it's best to run the very quick checks first to remove those, and the large checks later.

    For the even more advanced practitioner doing dictionary cracking (see below), after a reasonable pass, any passwords you find should be added to your cracking dictionary and then start over.

    Here's an example of "quick first, slow last" oclHashcat-lite brute force, including an example phone number test:

    rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..

    rem After that, move to oclHashcat-plus and use rules based dictionary attacks!

    rem If you have more time and/or processing power, put larger pw sizes earlier.

    rem If you have less, put larger pw sizes later.

    rem First: Extremely Low sizes, brute force with full hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=1 --pw-max=4 --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

    rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=5 --pw-max=5 -1 ?d?l?u?s?D?F?R?h 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

    rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=6 --pw-max=6 -1 ?d?l?u?s 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

    rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=7 --pw-max=7 -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?1?1

    rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=13 --pw-max=13 -1 ?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 "(?1?1?1)?1?1?1-?1?1?1?1"

    rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=8 --pw-max=8 -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?2?2?2?2?2?2?2?2

    rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.

    rem We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plug Digit parens dash only

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=9 --pw-max=9 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=10 --pw-max=10 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=11 --pw-max=11 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-lite64.exe -m 132 --pw-min=12 --pw-max=12 -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_lite_Brute.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

    And here's an oclHashcat-plus test that starts with brute force and quickly proceeds to dictionary attacks. This is much more appropriate for most corporate password audits.

    rem General technique: Try brute forcing as much as possible, first - larger character sets at short lengths, small sets at long lengths..

    rem After that, try rules based dictionary attacks, many large rules for small lists, small rules for large lists.

    rem If you have more time and/or processing power, put larger pw sizes earlier.

    rem If you have less, put larger pw sizes later.

    rem since we're removing hashes from the file as we crack them, let's start fresh for each run.

    copy /y SQL2005to2008R2Many.hash.orig SQL2005to2008R2Many.hash

    rem First: Extremely Low sizes, brute force with full hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove --hex-charset -1 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8D9DADBDCDDDEDFE0E1E2E3E4E5E6E7E8E9EAEBECEDEEEFF0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1

    rem Next: Very Low sizes, brute force with multilingual printables and upper hex set!

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s?D?F?R?h --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1

    rem Next: Fairly Low sizes, brute force with Digit, Lower, Upper, and Symbol

    rem No need to go through a rules-based dictionary attack at these sizes unless it includes characters not in this set.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?1?1?1?1?1

    rem Next Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash ?1?2?2?2?2?1?1

    rem U.S. (xxx)xxx-xxxx phone number format - this runs very quickly indeed for a "13 character" password with digits and symbols, compared to a non-patterned pure brute force search.

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 SQL2005to2008R2Many.hash "(?1?1?1)?1?1?1-?1?1?1?1"

    rem Next Medium-Low sizes, we'll get clever. Brute with a pattern - larger sets at the ends, smaller in the middle.

    rem NOTE: see that the larger sets are strict supersets of the smaller, so the smaller sets are a comprehensive check?

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?d?l?u?s -2 ?l?d 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?2?2?2?2?2?2?2?2

    rem Next Medium sizes, we're grasping at whatever we can squeeze through our machine.

    rem We'll try a little Digit Lower first character plus Lower only, and then Digit parens dash Lower first character plug Digit parens dash only

    rem These REALLY MUST go through rules-based dictionary attacks - we have massive gaps!

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?l 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2

    YourPath\oclHashcat-plus64.exe --attack-mode=3 -m 132 --remove -1 ?l?d-() -2 ?d-() 0x0100SaltHash --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 ?1?2?2?2?2?2?2?2?2?2?2?2

    rem Now we're going to do rules based dictionary attacks!

    rem Let's start with the quickest, because any passwords we can remove now give later iterations less work.

    rem Mode Straight rules: Best64 Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: specific Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\specific.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Combinator rules: Best64 Wordlist: Phpbb * 500worst

    YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt YourWordlistPath\500worst.txt

    rem Mode Straight rules: Best64 Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: leetspeak * Best64 Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: T0XlC Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: combinator * Best64 Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: Best64 Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: leetspeak * Best64 Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: Best64 Wordlist: American English Small * American English Small

    YourPath\oclHashcat-plus64.exe --attack-mode=1 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\best64.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishSmall.txt YourWordlistPath\EnglishSmall.txt

    rem Mode Straight rules: generated Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\generated.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: d3ad0ne Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: d3ad0ne Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: T0XlC Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\T0XlC.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: combinator + d3ad0ne Wordlist: Phpbb

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\phpbb.txt

    rem Mode Straight rules: d3ad0ne Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: combinator + d3ad0ne Wordlist: American English Very Large

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\EnglishVeryLarge.txt

    rem Mode Straight rules: leetspeak + d3ad0ne Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\leetspeak.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    rem Mode Straight rules: combinator + d3ad0ne Wordlist: Rockyou

    YourPath\oclHashcat-plus64.exe --attack-mode=0 -m 132 --remove --outfile=SQL2005to2008R2_plus_Many.out --outfile-format=7 --rules-file YourPath\rules\combinator.rule --rules-file YourPath\rules\d3ad0ne.rule SQL2005to2008R2Many.hash YourWordlistPath\rockyou.txt

    I leave conversion to CPU-based Hashcat as an exercise for the reader!

    Phpbb and Rockyou are two very common password lists, both very well regarded; Phpbb is much smaller.

    I'm sure everyone can Google an N worst passwords list as well.

    The English Open Word List is available online as well.

    ETA: Don't forget to dump your username list into your dictionaries as well!