"Fossies" - the Fresh Open Source Software Archive 
Member "authforce-0.9.9/README" (13 May 2007, 3614 Bytes) of package /linux/www/old/authforce-0.9.9.tar.gz:
[ authforce v0.9.9 README ]
by Zachary P. Landau

[ description ]

Authforce is an HTTP authentication brute forcer. Using various methods,
it attempts to brute force username and password pairs for a site. It has
the ability to try common usernames and passwords, username derivations,
and common username/password pairs. It is used both to test the security
of your site and to prove the insecurity of HTTP authentication based on
the fact that users just don't pick good passwords.

[ installation ]

See INSTALL.

[ how to use ]

For basic usage, make sure the data files have the data you want, and then
run authforce with the argument being the URL of the site you want to brute
force. At the moment, it is not possible to disable a method, but you can
get the same effect by making it use an empty data file. For example, I
don't usually use the concat method, because the datalist I have for it
sucks.

The major special item that may cause a little confusion is the session
support. I think it works :P. Start up authforce with the -s option (for
session support) and let it run. When you want to stop it, kill it with
SIGINT (^C or kill -INT pid), which will cause the program to write its
current position to session.save (by default) and quit. Then when you want
to resume the session, type authforce -r.

The data lists are very sparse at the moment. Make your own or find one.
Programs like John the Ripper have good lists, although you usually don't
want yours that long. If you make a good list of your own, please
contribute it.

The password.lst file has a new syntax now. Along with regular passwords
are the keywords {username} and {emanresu}, which insert the username and
the username reversed, respectively. Things like {username}123 and
{username}{emanresu} are valid (and encouraged!). If you have any ideas
for other keywords, please let me know.

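A check for the password-setting side, as an added example (not part of authforce or its README): it expands the {username} and {emanresu} keywords described above and flags a proposed password that any template would produce for that account. The single-pass literal substitution, the case-insensitive comparison, the function names and the sample templates are assumptions.

```python
"""Password-change check: reject passwords that a template list in the
{username}/{emanresu} syntax would generate for this account."""
import re

# Assumption: keywords are substituted literally, in a single pass.
_KEYWORD = re.compile(r"\{(username|emanresu)\}")

# Constructed sample entries in the password.lst syntax described above.
SAMPLE_TEMPLATES = [
    "letmein",
    "{username}",
    "{emanresu}",
    "{username}123",
    "{username}{emanresu}",
]


def expand(template, username):
    """Replace {username} with the name and {emanresu} with it reversed."""
    values = {"username": username, "emanresu": username[::-1]}
    # A callable replacement is not rescanned, so braces inside the username
    # itself are never expanded a second time.
    return _KEYWORD.sub(lambda m: values[m.group(1)], template)


def matching_templates(password, username, templates=SAMPLE_TEMPLATES,
                       ignore_case=True):
    """Return every template whose expansion equals the proposed password."""
    def norm(text):
        # Assumption: the policy treats case variants as equally guessable.
        return text.casefold() if ignore_case else text

    hits = []
    for line in templates:
        template = line.strip()
        if template and norm(expand(template, username)) == norm(password):
            hits.append(template)
    return hits


def is_acceptable(password, username, templates=SAMPLE_TEMPLATES):
    """True when no template reproduces the password for this username."""
    return not matching_templates(password, username, templates)


if __name__ == "__main__":
    for candidate in ("alice123", "Ecila", "correct horse battery staple"):
        print(candidate, "->", matching_templates(candidate, "alice") or "ok")
```
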
[ notes ]

First, a note on contributing. Please do it :P It would be immensely
helpful to get any type of contribution. If you find a bug, don't assume
it has already been reported; report it to me (with information about your
system etc., please). If there are misspellings or tiny mistakes, notify me
or submit a patch. If you would like to add something, do it (you may want
to email me about it beforehand, just in case I want to discuss it with
you). Better documentation would be fine. Nice data files with common
passwords would help. (see TODO && BUGS)

Secondly, I wrote this because I couldn't find a program that did it. I
know I saw one a while ago, but I couldn't find it. If someone knows of
a program like this, please tell me. If I think it's better, perhaps I'll
abandon this and maybe help with that.

If you compile with the development CFLAGS, and you wish to leave in
-DMEMWATCH, you'll need to get memwatch from:
http://www.link-data.com/memwatch-2.64.tar.gz
Put memwatch.c and memwatch.h in the authforce directory and compile. It
is really a great program and I recommend you use it for your own projects.

Please contact me. Even if it is just to say that you are using the
program. Feedback helps me understand how well I'm doing :P Feel free to
send it GPG encrypted too. You know, so 'they' can't intercept it.

P.S. Memory leaks are spawned by the devil. Eliminate them for me and I
will be very happy. To find the ones I know about, grep for MEMWATCH.
End Transmission.

[ contact ]

URL: http://divineinvasion.net/authforce
Email: kapheine@divineinvasion.net
GPG Key: http://divineinvasion.net/kapheine.asc