Many websites use HTTP basic authentication to restrict access to content. This is especially prevalent in embedded devices such as routers. The Python requests library has built-in support for basic authentication, making it easy to create an authentication brute force script.
Before creating this recipe, you're going to need a list of passwords to attempt to authenticate with. Create a local text file called passwords.txt, with each password on a new line. Check out Brute forcing passwords in Chapter 2, Enumeration, for password lists from online resources. Also, spend some time scoping out the target server, as you're going to need to know how it responds to a failed login request so that you can tell whether the brute force has worked or not.
The following code will attempt to brute force entry to a website through basic authentication:

    import requests
    from requests.auth import HTTPBasicAuth

    # Try each candidate password from the local word list
    with open('passwords.txt') as passwords:
        for password in passwords.readlines():
            password = password.strip()
            req = requests.get('http://packtpub.com/admin_login.html',
                               auth=HTTPBasicAuth('admin', password))
            if req.status_code == 401:
                # 401 Unauthorized: the credentials were rejected
                print(password, 'failed.')
            elif req.status_code == 200:
                print('Login successful, password:', password)
                break
            else:
                # Any other status code is unexpected, so stop
                print('Error occurred with', password)
                break
The first part of this script reads in the password list, line by line. Then, it sends an HTTP GET request to the login page:

    req = requests.get('http://packtpub.com/admin_login.html', auth=HTTPBasicAuth('admin', password))
This request has an additional auth parameter, which contains the username admin and the password read from the passwords.txt file. When sending an HTTP request with a basic Authorization header, the raw data looks like the following:
Notice that in the Authorization header the data is sent in an encoded format, such as YWRtaW46cGFzc3dvcmQx. This is the username and password in a base64 encoded form of username:password; the requests.auth.HTTPBasicAuth class just does this conversion for us. This can be verified by using the base64 library, as shown in the following screenshot:
Knowing this information means that you could still get the script to run without the external requests library; instead, it would craft the Authorization header manually using the base64 module from the standard library.
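The header encoding described above, seen from the server side, as an added example that is not code from the original recipe: it builds and decodes a Basic Authorization value and counts distinct rejected passwords per source and username, which is how a word-list run stands out in request logs. The function names, the threshold, and the sample traffic (documentation-range addresses) are assumptions constructed for illustration.

```python
import base64
import binascii


def build_basic_header(username, password):
    """Return the Authorization value for username:password (base64 is encoding, not encryption)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Decode a Basic Authorization value to (username, password), or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # only the first colon separates
    return (username, password) if sep else None


def flag_guessing(requests_seen, threshold=3):
    """Map (source, username) to its count of distinct rejected passwords, if >= threshold."""
    tried = {}
    for source, header, status in requests_seen:
        creds = parse_basic_header(header)
        if status == 401 and creds:
            tried.setdefault((source, creds[0]), set()).add(creds[1])
    return {key: len(pw) for key, pw in tried.items() if len(pw) >= threshold}


# Constructed sample traffic: (source address, Authorization value, response status)
SAMPLE = [
    ("192.0.2.10", build_basic_header("admin", "letmein"), 401),
    ("192.0.2.10", build_basic_header("admin", "123456"), 401),
    ("192.0.2.10", build_basic_header("admin", "qwerty"), 401),
    ("192.0.2.10", build_basic_header("admin", "password1"), 200),
    ("198.51.100.7", build_basic_header("alice", "hunter2"), 401),
    ("198.51.100.7", build_basic_header("alice", "hunter2"), 401),
    ("198.51.100.7", build_basic_header("alice", "hunter3"), 200),
    ("203.0.113.5", "Basic !!!", 401),  # malformed token, ignored by the parser
]

if __name__ == "__main__":
    print(flag_guessing(SAMPLE))
```

Counting distinct passwords rather than raw 401 responses keeps a user who retypes the same wrong password from being flagged alongside a word-list run.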
The following is a screenshot of the brute force script in action:
In this example, we've used a fixed username of admin in the authorization request, as this was known. If this is unknown, you could create a username.txt text file and loop through each of those lines too, just as we've done with the password text file. Note that this is a much slower process and creates a lot of HTTP requests to the target site, which is likely to get you blacklisted, unless you implement rate limiting.
Check out the Checking username validity and Brute forcing usernames recipes in Chapter 2, Enumeration, for further ideas on username and password combinations.