Brute force HTTP Basic authentication with authforce 
Authforce is a very fast tool for brute forcing HTTP Basic Authentication protected URLs. In HTTP Basic authentication the username and password are Base64 encoded and passed along with the HTTP headers from the client to the HTTP server. Base64 is an encoding, not encryption, so the credentials are passed over the network in plaintext and are vulnerable to eavesdropping by an attacker. Despite this weakness, it is still quite widely used; for example, access to the default Tomcat manager page is protected by HTTP Basic by default.

When a client requests an HTTP Basic-protected resource, the web server challenges with an HTTP 401 (Apache reports it as "Authorization Required"; see www.w3.org's page for a listing of all HTTP status codes) carrying a WWW-Authenticate header, which causes a username/password dialog to pop up in your browser. That 401 challenge is how you identify the target URL for authforce to run against.
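The exchange described above, written out from the server's side as an added example (this is not code from the original post or from authforce): the 401 challenge, the client's Base64 token, the decode that shows why the pair is plaintext on the wire, and a verifier that compares against a salted hash in constant time. The credential store, salt and iteration count are constructed for the example; only the goonda/mysecretpass pair comes from the page's sample output.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store for the example: username -> PBKDF2-SHA256 hash.
# The salt and iteration count are assumptions, not values from the page.
_SALT = b"example-salt-not-secret"   # hypothetical; real systems use a random per-user salt
_ITERATIONS = 100_000
_DUMMY_HASH = bytes(32)               # compared against when the user does not exist


def _hash_password(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


CREDENTIAL_STORE = {"goonda": _hash_password("mysecretpass")}


def challenge(realm="Restricted"):
    """Server side of the exchange: status 401 plus the WWW-Authenticate
    header that makes a browser show its login dialog."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}


def encode_basic(user, password):
    """What a client sends back: the scheme name and base64(user:password).
    Base64 is reversible, which is why the pair is plaintext to anyone on the path."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(value):
    """Decode an Authorization header back to (user, password), or None if malformed."""
    scheme, _, token = (value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify(authorization_header):
    """Check the header against the store with a constant-time comparison.
    Unknown users still cost one hash so timing does not reveal valid usernames."""
    parsed = parse_basic_header(authorization_header)
    if parsed is None:
        return False
    user, password = parsed
    expected = CREDENTIAL_STORE.get(user, _DUMMY_HASH)
    actual = _hash_password(password)
    return hmac.compare_digest(actual, expected) and user in CREDENTIAL_STORE


if __name__ == "__main__":
    status, headers = challenge()
    print(status, headers)
    header = encode_basic("goonda", "mysecretpass")
    print("client sends:", header)
    print("decoded on the wire:", parse_basic_header(header))
    print("accepted:", verify(header))
```

Every request repeats the same Base64 token, so a capture of one request is enough to recover the password; TLS is the only thing that keeps it off the wire, and a hashed store plus constant-time comparison is what keeps a server-side leak or timing probe from giving it away.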

Authforce needs a list of usernames, a list of passwords, and a target URL to work. Here's an example:

authforce --verbose --beep --logfile=aftest --username-file=users --password-file=words http://192.168.1.100/tmp

authforce shows you the username and password currently being tried in real time. If it gets a match you will see something like this:

match [goonda:mysecretpass]

Note that authforce works against both http and https URLs; however, you will need to add the --no-ssl-fail option if the site uses a self-signed certificate. Happy Hacking!
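From the server's side, a run like the one above leaves a very recognisable trace: a burst of 401 responses for one URL from one client, sometimes followed by a 200 for the same client once a password matches. The following is an added detection example (not part of the original post or of authforce) that parses Apache combined-format access log lines and flags clients with a threshold of 401s inside a sliding window, and separately notes when such a burst is followed by a successful request. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (not from the page or any real host).
# 192.0.2.10 hammers the URL and then succeeds as "goonda"; 198.51.100.7 mistypes once.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:39 +0000] "GET /tmp/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - goonda [10/Oct/2023:13:55:40 +0000] "GET /tmp/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - goonda [10/Oct/2023:13:56:02 +0000] "GET /tmp/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, authenticated user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields the detector needs, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_basic_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that produce `threshold` or more 401s inside `window`.

    A 2xx from a flagged client while its burst is still inside the window is
    recorded as success_after_burst: that is the event worth paging on."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    report = defaultdict(lambda: {"failures": 0, "burst": False,
                                  "success_after_burst": False, "user": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        entry = report[ev["ip"]]
        if ev["status"] == 401:
            q.append(ev["ts"])
            entry["failures"] += 1
            if len(q) >= threshold:
                entry["burst"] = True
        elif 200 <= ev["status"] < 300 and len(q) >= threshold:
            entry["success_after_burst"] = True
            entry["user"] = ev["user"]
    return {ip: e for ip, e in report.items() if e["burst"]}


if __name__ == "__main__":
    for ip, entry in detect_basic_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, entry)
```

The same counting logic works on a live log tail; the threshold and window should be tuned to the site, since a user who mistypes a password a couple of times (198.51.100.7 above) must not trip it. Rate limiting or lockout on the server side is what removes the weakness itself; the log check is how you learn that someone tried, and whether they got in.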
