Http Basic Auth Bruteforcer

Description:

From a list of IPs, check the basic auth with the credentials given or using admin/admin by default. To create the list of IPs, you can use a Shodan query or a file with an IP per line Note that shodan API only give 100 results per query instead of the real number of results found.

Output: An html file with a list of IPs with access granted and the credentials working for these IPs

Dependencies: Shodan library: easy_install shodan

Usage example: httpauthcrack.py -u user -p pass -s "linksys port:80" -v

Author: Ignacio Sorribas (a.k.a. H4rds3c) sorribas[at]gmail.com / hardsec[at]gmail.com http://hardsec.net

Versions:

v0.1 (2013/08/08).

• First release.

v0.2 (2014/02/04).

• Added port 8080 from shodan results to list of IPs.
• Fix a bug in the arguments command line
• Added option -d / --port to look for into shodan results
• Optimised to avoid create all threads specified by -t switch if they aren't needed

v0.3 (2014/02/09).

• Filter of false positives on many IP phone devices.
• Optimized code from "check_basic_auth" function.

v0.4 (2014/02/27).

• Fix bugs in "test_host" function
• Separate log functions in other file
• Add colors to output
• Add report dir with templates for header.html and footer.html to make the reports.
• the output report is stored in the output folder
• Embeded Logo added to the html report