I'm doing some password cracking experiments with different tools. I've a local setup within VMware Workstation. I have a website protected by HTTP Basic Auth (a dialog pops up when I browse to it).
I'm struggling with the syntax of Patator though - I can't make it brute force the website (tools like Ncrack and Hydra worked OK). I have used it for SSH so I know the tool works, I just can't figure out the command for HTTP Basic Auth.
patator http_fuzz auth_type=basic url=http://10.1.1.15 user_pass=FILE0:FILE0 0=./passwd_lists/user_pass.txt -x ignore:code=401
Where user_pass.txt contains a 'username':'password' separated by a colon
The Basic Auth password is '123' and user_pass.txt contains all permutations from 000 - 999; the username is consistent throughout. I can see Patator making 1000 attempts, however they all fail with an HTTP 401.
11:26:27 patator INFO - 401 672:456 0.001 | molly:969 | 970 | HTTP/1.1 401 Unauthorized
11:26:27 patator INFO - 401 672:456 0.001 | molly:979 | 980 | HTTP/1.1 401 Unauthorized
11:26:27 patator INFO - 401 672:456 0.001 | molly:989 | 990 | HTTP/1.1 401 Unauthorized
11:26:27 patator INFO - 401 672:456 0.001 | molly:999 | 1000 | HTTP/1.1 401 Unauthorized
11:26:28 patator INFO - Hits/Done/Skip/Fail/Size: 1000/1000/0/0/1000, Avg: 732 r/s, Time: 0h 0m 1s
I think I have the command syntax incorrect, any help really appreciated.
Thanks
Turns out I had the syntax incorrect: my user name and password were colon separated in one file, so the syntax should be
patator http_fuzz auth_type=basic url=http://10.1.1.15 user_pass=FILE0 0=./passwd_lists/user_pass.txt -x ignore:code=401
The difference being the single reference to FILE0.
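
Added example, not part of the original post and not Patator's own code: it shows what a Basic Auth server decodes when a full 'user:password' line is placed into a FILE0:FILE0 template versus a single FILE0. It assumes each FILE0 placeholder is replaced by the whole wordlist line; the helper names are hypothetical and the credential pair is the one described in the post.

```python
import base64
import hmac

# Constructed sample data: the credential pair described in the post.
EXPECTED_USER, EXPECTED_PASSWORD = "molly", "123"
WORDLIST_LINE = "molly:123"  # one line of a colon-separated user:password file


def expand(template, line):
    """Assumed tool behaviour: every FILE0 placeholder becomes the whole line."""
    return template.replace("FILE0", line)


def basic_header(user_pass):
    """Client side: Authorization value for a 'user:password' string."""
    return "Basic " + base64.b64encode(user_pass.encode("utf-8")).decode("ascii")


def server_parse(header):
    """Server side: decode and split on the FIRST colon only (RFC 7617)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("no colon in decoded credentials")
    return user, password


def server_accepts(header):
    """Constant-time comparison against the expected pair."""
    user, password = server_parse(header)
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return user_ok and pass_ok


def explain(template):
    """Return (user, password, accepted) as the server sees them for a template."""
    header = basic_header(expand(template, WORDLIST_LINE))
    user, password = server_parse(header)
    return user, password, server_accepts(header)


if __name__ == "__main__":
    for template in ("FILE0:FILE0", "FILE0"):
        print(template, "->", explain(template))
```

With the doubled placeholder the server receives user 'molly' and password '123:molly:123', so even the line holding the correct pair is answered with 401.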