{"id":13473891,"url":"https://github.com/erforschr/bruteforce-http-auth","last_synced_at":"2025-03-26T19:34:56.195Z","repository":{"id":46746438,"uuid":"80293225","full_name":"erforschr/bruteforce-http-auth","owner":"erforschr","description":"Bruteforce HTTP Authentication","archived":false,"fork":false,"pushed_at":"2019-03-21T22:17:45.000Z","size":84,"stargazers_count":139,"open_issues_count":2,"forks_count":40,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-10-30T06:33:38.810Z","etag":null,"topics":["authentication","basic","bruteforce","digest","http","https","ntlm","pentest","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/erforschr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-28T15:52:42.000Z","updated_at":"2024-10-14T09:09:23.000Z","dependencies_parsed_at":"2022-09-03T19:51:56.280Z","dependency_job_id":null,"html_url":"https://github.com/erforschr/bruteforce-http-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erforschr%2Fbruteforce-http-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erforschr%2Fbruteforce-http-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erforschr%2Fbruteforce-http-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erforschr%2Fbruteforce-http-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/erforschr","download_url":"https://codeload.github.com/erforschr/bruteforce-http-auth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245723000,"owners_count":20661864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","basic","bruteforce","digest","http","https","ntlm","pentest","python"],"created_at":"2024-07-31T16:01:07.801Z","updated_at":"2025-03-26T19:34:53.838Z","avatar_url":"https://github.com/erforschr.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Bruteforce HTTP Authentication\n\n\n### Warning\n\n/!\\ Not adequately tested /!\\ \n\n\n\n### Description\n\nSimple tool to bruteforce HTTP authentication forms.\n\nSupports:\n* Basic HTTP authentication\n* Digest HTTP authentication\n* NTLM authentication\n\n\n\n### Usage\n\nUsage example:\n```sh\npython3 bruteforce-http-auth.py -T targets_file -U usernames_file -P passwords_file --verbose\n```\n\nOutput example:\n\n```sh\n[10-00-43] --------------------------\n[10-00-43] ~  Bruteforce HTTP Auth  ~\n[10-00-43] --------------------------\n[10-00-43] \n[10-00-43] Included in bruteforce scope:\n[10-00-43] \n[10-00-43] =\u003e URL: https://www.my-first-protected-resource.com\n[10-00-43]    Status code: 401\n[10-00-43]    Server: Apache/2.4.18 (Ubuntu)\n[10-00-43]    Date: Sat, 11 Nov 2017 10:00:40 GMT\n[10-00-43]    Authentication type: basic\n[10-00-43] \n[10-00-43] =\u003e URL: https://www.my-second-protected-resource.com\n[10-00-43]    Status code: 401\n[10-00-43]    Server: Apache/2.4.18 (Ubuntu)\n[10-00-43]    Date: Sat, 11 Nov 2017 10:00:40 GMT\n[10-00-43]    Authentication type: basic\n[10-00-43] \n[10-00-43] Excluded from bruteforce scope:\n[10-00-43] \n[10-00-43] =\u003e URL: https://www.my-third-unprotected-resource.com\n[10-00-43]    Status code: 200\n[10-00-43]    Server: Apache/2.4.18 (Ubuntu)\n[10-00-43]    Date: Sat, 11 Nov 2017 10:00:40 GMT\n[10-00-43]    Authentication type: None\n[10-00-43]\n[10-00-43] Launch bruteforce on included targets [y/N] ? y\n[10-00-45] \n[10-00-45] Authentication failed: Username: \"user1\" Password: \"pass2\" URL: https://www.my-first-protected-resource.com\n[10-00-45] Authentication failed: Username: \"user2\" Password: \"pass1\" URL: https://www.my-first-protected-resource.com\n[10-00-45] Authentication failed: Username: \"user1\" Password: \"pass1\" URL: https://www.my-first-protected-resource.com\n[10-00-45] Authentication successful: Username: \"user2\" Password: \"pass2\" URL: https://www.my-first-protected-resource.com\n[10-00-45] Authentication failed: Username: \"user3\" Password: \"pass1\" URL: https://www.my-first-protected-resource.com\n[10-00-45] Authentication failed: Username: \"user3\" Password: \"pass2\" URL: https://www.my-first-protected-resource.com\n[10-00-46] Authentication successful: Username: \"user1\" Password: \"pass1\" URL: https://www.my-second-protected-resource.com\n[10-00-46] Authentication failed: Username: \"user1\" Password: \"pass2\" URL: https://www.my-second-protected-resource.com\n[10-00-46] Authentication failed: Username: \"user2\" Password: \"pass1\" URL: https://www.my-second-protected-resource.com\n[10-00-46] Authentication failed: Username: \"user2\" Password: \"pass2\" URL: https://www.my-second-protected-resource.com\n[10-00-46] Progress : 10\n[10-00-46] Authentication failed: Username: \"user3\" Password: \"pass1\" URL: https://www.my-second-protected-resource.com\n[10-00-46] Authentication failed: Username: \"user3\" Password: \"pass2\" URL: https://www.my-second-protected-resource.com\n[10-00-46] Progress : 12 (end)\n[10-00-46] \n[10-00-46] Finished\n```\n\nArguments:\n```sh\n  -t TARGET, --target TARGET\n                        URL\n                        \n  -T TARGETFILE, --targetfile TARGETFILE\n                        File of URL\n                        \n  -u USERNAME, --username USERNAME\n                        Username (\"username\" or \"username:password\")\n                        \n  -U USERNAMESFILE, --usernamesfile USERNAMESFILE\n                        File of usernames (\"username\" or \"username:password\")\n                        \n  -p PASSWORD, --password PASSWORD\n                        Password\n                        \n  -P PASSWORDSFILE, --passwordsfile PASSWORDSFILE\n                        File of passwords\n                        \n  -w WORKERS, --workers WORKERS\n                        Number of threads (interger between 1 and 100)\n                        \n  -o ORDER, --order ORDER\n                        Targets order (\"serie\" or \"parallel\")\n                        \n  -v, --verbose         Verbose\n```\n\n\n\n##### NTLM authentication\n\nUsernames format for NTLM authentication: `domain\\username`\n\n/!\\ Be aware that a NTLM authentication bruteforce could lock an account. /!\\\n\n\n\n### Requirements\nPython libs required:\n* [requests](https://github.com/kennethreitz/requests)\n* [requests_ntlm](https://github.com/requests/requests-ntlm)\n* [validators](https://github.com/kvesteri/validators)\n\nInstall:\n```sh\npython3 -m pip install -r requirements.txt\n```\n\n\n### Dictionaries\n\n| List                                            | Source               | Link                                                                                                    |\n|-------------------------------------------------|----------------------|---------------------------------------------------------------------------------------------------------|\n| unix_users.txt                                  | Metasploit wordlists | https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/unix_users.txt                |\n| unix_passwords.txt                              | Metasploit wordlists | https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/unix_passwords.txt            |\n| seclists_usernames_top_shortlist.txt            | SecLists             | https://github.com/danielmiessler/SecLists/blob/master/Usernames/top_shortlist.txt                      |\n| seclists_passwords_top_shortlist.txt            | SecLists             | https://github.com/danielmiessler/SecLists/blob/master/Passwords/top_shortlist.txt                      |\n| seclists_10_million_password_list_top_100.txt   | SecLists             | https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_100.txt   |\n| seclists_10_million_password_list_top_500.txt   | SecLists             | https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_500.txt   |\n| seclists_10_million_password_list_top_1000.txt  | SecLists             | https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_1000.txt  |\n| seclists_10_million_password_list_top_10000.txt | SecLists             | https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10000.txt |\n| custom_common_web_services_usernames_short.txt  | N/A            \t\t | \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t   |\n| custom_common_web_services_usernames_medium.txt | N/A           \t\t | \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t   |\n| custom_common_web_services_passwords_short.txt  | N/A           \t\t | \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t   |\n| custom_common_web_services_passwords_medium.txt | N/A            \t\t | \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t   |\n| custom_tomcat_userpass.list \t\t\t\t\t  | N/A          \t\t | \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t   |\n| custom_jboss_userpass.list\t\t\t\t      | N/A          \t\t | \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t   |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferforschr%2Fbruteforce-http-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ferforschr%2Fbruteforce-http-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferforschr%2Fbruteforce-http-auth/lists"}