AUTHFORCE(1)AUTHFORCE(1)NAMEauthforce - HTTP authentication brute forcer
SYNOPSISauthforce [options] URL
DESCRIPTION
Authforce is an HTTP Authentication brute forcer. Using various meth‐
ods, it attempts brute force username and password pairs for a site. It
has the ability to try common username and passwords, username deriva‐
tions, and common username/password pairs. It is used to both test the
security of your site and to prove the insecurity of HTTP Authentica‐
tion based on the fact that users just don't pick good passwords.
OPTIONS
-b Beep when a match is found
-d, --debug
Set debugging level between 0 and 5
--dummy-file
File containing dummy matches. [username:password form]
-h, --help
Display help and exit
-l FILE, --logfile=FILE
Set logfile to FILE
-r, --resume[=FILE]
Resume old session (using FILE) [default session.save]
-s, --save[=FILE]
Save session on SIGUSR1 (to FILE) [default session.save]
-c, --max-connects=NUMBER
Don't make more than NUMBER connections
-u, --max-users=NUMBER
Don't try more than NUMBER users
-U, --user-agent=STRING
Set user agent to STRING
--pairs-file=FILE
File containing username:password pairs
--password-delay=NUMBER
Delay for NUMBER seconds between attempts
--password-file=FILE
File containing common passwords
-p, --path=STRING
Look for pathlist STRING
-P, --proxy=STRING
Set proxy to STRING
-q, --quiet
Don't output to stdout
--user-delay=NUMBER
Delay for NUMBER seconds between usernames
--username-file=FILE
File containing list of usernames
-v, --verbose
be verbose (default), opposite of --quiet
-V, --version
Print version information and exist
RETURN VALUE
The program returns 0 if no matches were found, and 1 if atleast one
match is found.
FILES
/usr[/local]/share/authforce
Data files containing usernames and passwords
BUGS
\r printed items leave garbage at end of line sometimes
Invalid chars are not filtered, curl will prompt for password:
If a password has a space, only chars up to the space will be submitted
Assumes authentication is needed, reporting false successes (sorta)
Downloads the page, shouldnt do this
No way of setting debug before parse_config
AUTHOR
Zachary P. Landau <kapheine@hypa.net>
BUG REPORTS
Report bugs to kapheine@hypa.net
Contact
Email: kapheine@hypa.net
URL: http://kapheine.hypa.net/authforce
GPG Key: http://kapheine.hypa.net/kapheine.asc
AUTHFORCE(1)