Crack HTTP authentication by brute-force
Types of authentication currently supported:
- Basic Auth
- Digest Auth
Works on every OS.
Regarding third-party libraries, only requests is required. It can be installed by running the following command from the project's directory:
pip3 install -r requirements.txt
The basic usage, where one username is tested against a list of passwords, is very straightforward:
./httpbrute <target_url> -u <username> -P <path_to_passlist>
- Brute-forcing multiple users is possible by passing -U <path_to_userlist> instead of -u <username>
- It is possible to test a single password by passing -p <password> instead of -P <path_to_passlist> (useful for cases where only the username is known)
| param | description | default |
|---|---|---|
| -s, --sleep | sleep between requests (each worker individually) | 0[s] |
| -t, --timeout | request timeout in seconds | 10[s] |
| -w, --workers | number of workers (running threads) | 16 |
This tool is only for testing and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and am not responsible for any misuse or damage caused by this tool and software.
Distributed under the GNU License.