Gorilla: A Unified Wordlist Generator That Replaces Your Entire Password Cracking Toolkit
Hook
Password crackers typically juggle four different tools to generate wordlists—crunch for patterns, cupp for formats, CeWL for web scraping, and hashcat for mutations. Gorilla replaces all of them with a single binary and a YAML file.
Context
The traditional password cracking workflow is a mess of chained utilities. You start with crunch to generate pattern-based wordlists, pipe them through custom scripts for formatting, scrape target websites with CeWL, then apply hashcat rules to mutate everything into realistic password candidates. Each tool has its own syntax, output format, and quirks. If you want to version-control your wordlist generation strategy or share it with your team, you’re writing bash scripts that glue together binaries from different decades.
Gorilla emerged from this frustration as a Rust-based alternative that unifies these workflows behind a consistent CLI and declarative YAML mutation files. Instead of maintaining shell scripts that coordinate multiple tools, you define mutation sets in structured configuration files and let Gorilla handle the orchestration. The promise is simple: one tool, one syntax, and the performance benefits of Rust’s memory safety and concurrency primitives.
Technical Insight
Gorilla’s architecture centers on four input modes—patterns, templates, web scraping, and file-based wordlists—all feeding into a unified mutation pipeline. The pattern language should feel immediately familiar if you’ve used crunch, but Gorilla extends it with character sets, numeric ranges, and experimental comma-separated value expansion.
The simplest pattern generates character ranges: gorilla --from-pattern "{a-z}{a-z}{a-z}{a-z}{a-z}" produces every five-letter lowercase combination. But Gorilla’s syntax gets more powerful when you combine range types. Character ranges like {a-c} expand to individual letters (a, b, c), while numeric ranges like {2020-2026} expand to years. The parser distinguishes between them by checking whether both ends are single characters. You can also use predefined character sets: {l} for lowercase, {u} for uppercase, {d} for digits, {s} for symbols, or combine them like {luds} for all printable characters. A pattern like administrator{0-9} generates ten candidates in a single command.
The real power emerges when you move beyond CLI arguments to YAML mutation files. Here’s a practical example from the repository:
name: simple
mutation_sets:
- [ nothing ] # => word
- [ reverse ] # => drow
- [ remove_last_letter ] # => wor
- [ remove_first_letter ] # => ord
- [ uppercase_all ] # => WORD
- [ "append:{0-9}" ] # => word0..word9
- [ "2 append:{0-9}" ] # => word00..word99
- [ "replace:o:0", "replace:a:4", "replace:e:3" ] # => w0rdEach mutation set in the array represents a separate transformation pipeline applied to every input word. The nothing mutation passes words through unchanged (useful for including original dictionary words), while reverse flips character order. The append:{0-9} syntax leverages the same pattern expansion engine from pattern generation, so a single mutation set can produce ten variants. Chaining mutations within a set applies them sequentially—the leet-speak example replaces ‘o’ with ‘0’, ‘a’ with ‘4’, and ‘e’ with ‘3’ in order.
Gorilla processes mutations efficiently by applying all sets to each input word before moving to the next. From a single input word, the simple.yml configuration generates 27 variants. When processing large wordlists with --from-file, this architecture becomes critical—you’re not making multiple passes over a multi-gigabyte file, but rather applying all transformations in a single stream.
The tool also supports conditional mutations through if_contains and if_length directives, as documented in the README. You can build mutation sets that only apply transformations when specific conditions are met, enabling sophisticated filtering without separate preprocessing steps. The README provides examples like filtering words that don’t contain ‘admin’ or conditionally prepending underscores to words longer than five characters.
For pattern generation specifically, Gorilla offers --pattern-threads to parallelize computation across multiple CPU cores. This becomes relevant when generating massive wordlists like {a-z}{a-z}{a-z}{a-z}{a-z}{a-z} (308 million combinations), where single-threaded generation would take hours.
Web scraping is straightforward but currently limited: gorilla --from-website https://example.org/ extracts text content after stripping script and style tags. The HTML parser produces a wordlist from visible text, which you can then pipe through mutation sets. This replicates CeWL’s basic functionality but currently lacks spider/crawler features for comprehensive site mapping.
Gotcha
The tool is in early development, and the maintainer acknowledges this upfront. The most telling sign is the documentation approach for mutations—while basic mutations like reverse, uppercase_all, and conditional mutations (if_contains, if_length) are documented in the README, the maintainer notes that maintaining a complete list of all mutations ‘would be very painful’ and directs users to check the Action enum in src/mutation.rs for the full feature set. If you’re expecting hashcat-level documentation with comprehensive mutation syntax references, you’ll need to supplement the README with source code exploration.
Web scraping currently only works on single pages. The README explicitly states ‘(For now) you can only scrap a specific page for words,’ indicating this is a known limitation rather than a design decision. You can’t provide a starting URL and have Gorilla spider through an entire site following links. This makes it less capable than CeWL for reconnaissance work where you need comprehensive coverage of a target domain’s vocabulary—you’re limited to one-shot scraping of individual URLs.
The pattern expansion and mutation combinations can produce exponentially large outputs without warning. When combining multiple mutation sets—especially those using pattern expansion like append:{0-9}—your output can explode in size. If you feed a 100,000-word dictionary through eight mutation sets that each produce an average of five variants, you’re generating 4 million passwords. The README doesn’t mention built-in deduplication or size estimation features, so you may need external tools for post-processing.
Verdict
Use Gorilla if you’re building reproducible wordlist generation pipelines that you need to version-control and share with a team—the YAML mutation files are far more maintainable than bash scripts chaining crunch, hashcat, and awk. It’s especially valuable if you’re already working in Rust environments and want to avoid installing Python (cupp), Ruby (CeWL), and other interpreters. The unified pattern syntax and mutation pipeline eliminate context-switching between different tools’ syntaxes, and the multi-threading support makes pattern generation significantly faster on modern CPUs. Skip Gorilla if you need battle-tested tools with comprehensive documentation for high-stakes engagements, require web spidering beyond single-page scraping, or want every mutation documented inline rather than having to reference source code for advanced features. The ‘early development’ status and documentation gaps around less common mutations mean you may spend time exploring the codebase to discover the full feature set. Stick with the traditional toolchain (crunch + hashcat + CeWL) if you need proven reliability, extensive community knowledge bases, and complete feature documentation for time-sensitive penetration testing engagements.
