authforce 0.9.6 review
Authforce is an HTTP authentication brute forcer. Using various methods, it attempts to brute force username and password pairs for a site. It can try common usernames and passwords, username derivations, and common username/password pairs. It is used both to test the security of your site and to demonstrate the insecurity of HTTP authentication, which rests on the fact that users just don't pick good passwords.
For basic usage, make sure the data files contain the data you want, and then run authforce with the URL of the site you want to brute force as the argument. At the moment it is not possible to disable a method, but you can get the same effect by pointing it at an empty data file. For example, I don't usually use the concat method, because the data list I have for it sucks.
The major special item that may cause a little confusion is the session support. I think it works :P. Start up authforce with the -s option (for session support) and let it run. When you want to stop it, kill it with SIGINT (^C or kill -INT pid), which will cause the program to write its current position to session.save (by default) and quit. Then, if you want to resume the session, type authforce -r.
The data lists are very sparse at the moment. Make your own or find one. Programs like John the Ripper have good lists, although you usually don't want yours that long. If you make a good list of your own, please contribute it.
The password.lst file now has a new syntax. Along with regular passwords, it accepts the keywords {username} and {emanresu}, which insert the username and the username reversed, respectively. Entries like {username}123 and {username}{emanresu} are valid (and encouraged!). If you have any ideas for other keywords, please let me know.
What's New in This Release:
src/: getopt.c, getopt.h, getopt1.c: Forgot to add getopt files last time