"Fossies" - the Fresh Open Source Software Archive

Member "authforce-0.9.9/doc/authforce.texi" (13 May 2007, 5939 Bytes) of package /linux/www/old/authforce-0.9.9.tar.gz:

Caution: As a special service "Fossies" has tried to format the requested Texinfo source page into HTML format but that may be not always succeeeded perfectly. Alternatively you can here view or download the uninterpreted Texinfo source code. A member file download can also be achieved by clicking within a package contents listing on the according byte size field.

Authforce

Next: , Up: (dir)   [Contents][Index]

Top

authforce - HTTP authentication brute forcer

Overview:  Features of authforce.
Usage:  Using authforce
Invoking:  authforce command-line arguments.
Examples:  Examples of usage.
Contact:  Contacting the author
Concept Index:  Topics covered by this manual.

Next: , Previous: , Up: Top   [Contents][Index]

1 Overview

Authforce is an HTTP Authentication brute forcer. Using various methods, it attempts brute force username and password pairs for a site. It has the ability to try common username and passwords, username derivations, and common username/password pairs. It is used to both test the security of your site and to prove the insecurity of HTTP Authentication based on the fact that users just don’t pick good passwords.

Furthermore, authforce is free software. This means that everyone may use it, redistribute it and/or modify it under the terms of the GNU General Public License, as published by the Free Software Foundation.

Next: , Previous: , Up: Top   [Contents][Index]

2 Usage

For basic usage, make sure the data files have the data you want, and then run authforce with the argument being the url of the site you want to brute force. At the moment, it is not possible to disable a method, but you can get the same effect by making it use an empty data file. For example, I don’t usually use the concat method, because the datalist I have for it sucks.

The major special item that may cause a little confusion is the session support. I think it works :P. Start up authforce with the -s option (for session support) and let it run. When you want to stop it, kill it with USRINT (^C or kill -INT pid) which will cause the program to write its current position to session.save (by default) and quit. Then when you want to resume the session, type authforce -r.

The data lists are very sparse at the moment. Make your own or find one. Programs like John the Ripper have good lists, although you usually don’t want yours that long. If you make a good list of your own, please contribute it.

The password.lst file has a new syntax now. Along with regular passwords are the keywords {username} and {emanresu} which insert the username and the username reversed, respectively. Things like {username123} and {usernameemanresu} are valid (and encouraged!). If you have any ideas for other keywords, please let me know.

If you compile with the development CFLAGS, and you wish to leave in -DMEMWATCH, you’ll need to get memwatch from: http://www.link-data.com/memwatch-2.64.tar.gz

Put memwatch.c and memwatch.h in the authforce directory and compile. It is really a great program and I recommend you use it for your own projects.

P.S. Memory leaks are spawned by the devil. Elimate them for me and I will be very happy. To find the ones I know about, grep for MEMWATCH.

Next: , Previous: , Up: Top   [Contents][Index]

3 Invoking

By default, authforce is simple to invoke. The basic syntax is:

authforce [options] URL

The program returns 0 if no matches were found, and 1 if atleast one match is found.

The directory /usr[/local]/share/authforce contains the data files containing usernames and passwords.

-b

Beep when a match is found

-d
--debug=NUMBER

Set debugging level between 0 and 5

--dummy-file

File containing dummy matches. [username:password form]

-h
--help

Display help and exit

-l FILE
--logfile=FILE

Set logfile to FILE

-r
--resume[=FILE]

Resume old session (using FILE) [default session.save]

-s
--save[=FILE]

Save session on SIGUSR1 (to FILE) [default session.save]

-c
--max-connects=NUMBER

Don’t make more than NUMBER connections

-u
--max-users=NUMBER

Don’t try more than NUMBER users

-U
--user-agent=STRING

Set user agent to STRING

--pairs-file=FILE

File containing username:password pairs

--password-delay=NUMBER

Delay for NUMBER seconds between attempts

--password-file=FILE

File containing common passwords

-p
--path=STRING

Look for pathlist STRING

-P
--proxy=STRING

Set proxy to STRING

-q
--quiet

Don’t output to stdout

--user-delay=NUMBER

Delay for NUMBER seconds between usernames

--username-file=FILE

File containing list of usernames

-v
--verbose

be verbose (default), opposite of –quiet

-V
--version

Print version information and exits

Next: , Previous: , Up: Top   [Contents][Index]

4 Examples

In this chapter we’ll give you some examples to help you getting started. 

authforce http://www.mywebsite.com/members/index.html

Search for a login/password combination on the given URL.

Next: , Previous: , Up: Top   [Contents][Index]

5 Contact

Please contact me. Even if it is just to say that you are using the program. Feedback helps me understand how well I’m doing :P Feel free to send it gpg encrypted too. You know, so ’they’ can’t intercept it.

You can always download the latest version of authforce at http://kapheine.hypa.net/authforce

Email the author at kapheine@hypa.net

Get his GPG Key at http://kapheine.hypa.net/kapheine.asc so you can use secure mail.

Previous: , Up: Top   [Contents][Index]

Concept Index

Jump to:   S  
Index Entry  Section
S
Sample index entry: Overview
Jump to:   S  

Table of Contents