Linux/Unix>> bruteforce-http-auth>> 返回
项目作者: erforschr

项目描述 :
Bruteforce HTTP Authentication
高级语言: Python
项目地址: git://github.com/erforschr/bruteforce-http-auth.git
创建时间: 2017-01-28T15:52:42Z
项目社区:https://github.com/erforschr/bruteforce-http-auth
开源协议:
下载


Bruteforce HTTP Authentication

Warning

/!\ Not adequately tested /!\

Description

Simple tool to bruteforce HTTP authentication forms.

Supports:

  • Basic HTTP authentication
  • Digest HTTP authentication
  • NTLM authentication

Usage

Usage example:

  1. python3 bruteforce-http-auth.py -T targets_file -U usernames_file -P passwords_file --verbose

Output example:

  1. [10-00-43] --------------------------
  2. [10-00-43] ~  Bruteforce HTTP Auth  ~
  3. [10-00-43] --------------------------
  4. [10-00-43] 
  5. [10-00-43] Included in bruteforce scope:
  6. [10-00-43] 
  7. [10-00-43] => URL: https://www.my-first-protected-resource.com
  8. [10-00-43]    Status code: 401
  9. [10-00-43]    Server: Apache/2.4.18 (Ubuntu)
  10. [10-00-43]    Date: Sat, 11 Nov 2017 10:00:40 GMT
  11. [10-00-43]    Authentication type: basic
  12. [10-00-43] 
  13. [10-00-43] => URL: https://www.my-second-protected-resource.com
  14. [10-00-43]    Status code: 401
  15. [10-00-43]    Server: Apache/2.4.18 (Ubuntu)
  16. [10-00-43]    Date: Sat, 11 Nov 2017 10:00:40 GMT
  17. [10-00-43]    Authentication type: basic
  18. [10-00-43] 
  19. [10-00-43] Excluded from bruteforce scope:
  20. [10-00-43] 
  21. [10-00-43] => URL: https://www.my-third-unprotected-resource.com
  22. [10-00-43]    Status code: 200
  23. [10-00-43]    Server: Apache/2.4.18 (Ubuntu)
  24. [10-00-43]    Date: Sat, 11 Nov 2017 10:00:40 GMT
  25. [10-00-43]    Authentication type: None
  26. [10-00-43]
  27. [10-00-43] Launch bruteforce on included targets [y/N] ? y
  28. [10-00-45] 
  29. [10-00-45] Authentication failed: Username: "user1" Password: "pass2" URL: https://www.my-first-protected-resource.com
  30. [10-00-45] Authentication failed: Username: "user2" Password: "pass1" URL: https://www.my-first-protected-resource.com
  31. [10-00-45] Authentication failed: Username: "user1" Password: "pass1" URL: https://www.my-first-protected-resource.com
  32. [10-00-45] Authentication successful: Username: "user2" Password: "pass2" URL: https://www.my-first-protected-resource.com
  33. [10-00-45] Authentication failed: Username: "user3" Password: "pass1" URL: https://www.my-first-protected-resource.com
  34. [10-00-45] Authentication failed: Username: "user3" Password: "pass2" URL: https://www.my-first-protected-resource.com
  35. [10-00-46] Authentication successful: Username: "user1" Password: "pass1" URL: https://www.my-second-protected-resource.com
  36. [10-00-46] Authentication failed: Username: "user1" Password: "pass2" URL: https://www.my-second-protected-resource.com
  37. [10-00-46] Authentication failed: Username: "user2" Password: "pass1" URL: https://www.my-second-protected-resource.com
  38. [10-00-46] Authentication failed: Username: "user2" Password: "pass2" URL: https://www.my-second-protected-resource.com
  39. [10-00-46] Progress : 10
  40. [10-00-46] Authentication failed: Username: "user3" Password: "pass1" URL: https://www.my-second-protected-resource.com
  41. [10-00-46] Authentication failed: Username: "user3" Password: "pass2" URL: https://www.my-second-protected-resource.com
  42. [10-00-46] Progress : 12 (end)
  43. [10-00-46] 
  44. [10-00-46] Finished

Arguments:

  1.   -t TARGET, --target TARGET
  2.                         URL
  4.   -T TARGETFILE, --targetfile TARGETFILE
  5.                         File of URL
  7.   -u USERNAME, --username USERNAME
  8.                         Username ("username" or "username:password")
  10.   -U USERNAMESFILE, --usernamesfile USERNAMESFILE
  11.                         File of usernames ("username" or "username:password")
  13.   -p PASSWORD, --password PASSWORD
  14.                         Password
  16.   -P PASSWORDSFILE, --passwordsfile PASSWORDSFILE
  17.                         File of passwords
  19.   -w WORKERS, --workers WORKERS
  20.                         Number of threads (interger between 1 and 100)
  22.   -o ORDER, --order ORDER
  23.                         Targets order ("serie" or "parallel")
  25.   -v, --verbose         Verbose
NTLM authentication

Usernames format for NTLM authentication: domain\username

/!\ Be aware that a NTLM authentication bruteforce could lock an account. /!\

Requirements

Python libs required:

Install:

  1. python3 -m pip install -r requirements.txt

Dictionaries

List Source Link
unix_users.txt Metasploit wordlists https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/unix_users.txt
unix_passwords.txt Metasploit wordlists https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/unix_passwords.txt
seclists_usernames_top_shortlist.txt SecLists https://github.com/danielmiessler/SecLists/blob/master/Usernames/top_shortlist.txt
seclists_passwords_top_shortlist.txt SecLists https://github.com/danielmiessler/SecLists/blob/master/Passwords/top_shortlist.txt
seclists_10_million_password_list_top_100.txt SecLists https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_100.txt
seclists_10_million_password_list_top_500.txt SecLists https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_500.txt
seclists_10_million_password_list_top_1000.txt SecLists https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000.txt
seclists_10_million_password_list_top_10000.txt SecLists https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10000.txt
custom_common_web_services_usernames_short.txt N/A
custom_common_web_services_usernames_medium.txt N/A
custom_common_web_services_passwords_short.txt N/A
custom_common_web_services_passwords_medium.txt N/A
custom_tomcat_userpass.list N/A
custom_jboss_userpass.list N/A