Latest News

Sun May 13 19:41:30 EDT 2007 - Daniel Black, a Gentoo developer, has been very helpful in bringing the autoconf setup up to date. He also provided a fix for a crash caused by providing an absolute path to —username-file. Other than that, this release isn’t too execiting. I promise the next one will include time travel and a paradox solver.

Mon Feb 12 19:39:59 EST 2007 - Well, I suppose it is about time for another release. Juan Ezquerro and Henjin Tai-sho submitted most of the changes. I cleaned up a few little things, including fixing a bug reported on the Gentoo bug database. It’s been so long since I’ve done a release that I may have messed something up. So if something is wrong, please let me know.

Previously I had mentioned that I started a new version of authforce. Recently Juan Ezquerro started a version based on the ideas from ‘authforce2’. If you are interested in helping him, you can contact him at <arrase at gulcas.org>. I’m sure he’d appreciate an extra hand.

Tue Nov 18 11:12:02 EST 2003 - It’s been a while since there has been a release, but Henjin Tai-Sho has done a lot of work cleaning up bugs, so I’d like to get a major bugfix release out there. If any of you have found bugs in authforce, please submit them to me. I’d like to fix as many bugs as possible. Some of the bugs that were found were pretty major, so a lot of you aren’t reporting the bugs you found :P

Sun Mar 9 14:19:31 EST 2003 - A while ago I started working on a new version of authforce. It had an interface where people could drop in new output modules without recompiling. This would allow people to create modules to bruteforce many different interfaces, such as a cgi based web login or even an ftp server if they wanted to. Unfortunately I got lazy pretty early on and didn’t get much of it done. If anyone is interested, I still have the code I’ve written so far.

Tue May 22 16:41:11 EDT 2001 - There has been a major bug for a long time where large password files would cause authforce to segfault. Okay, well, there were two. I fixed one bug, and then a lot of people reported yet another bug that messed up even larger files. Anyway, this should be fixed. If it isn’t, please let me know. Better yet, find the bug and submit a patch. Also, as always, if any of you have a good password list, submit them. But you won’t, because nobody ever does :). A good password list in my eyes is one that is short, and only has very common passwords, because you aren’t trying to DoS a site :) Well it depends on the situation. Anyway. Yes. Enjoy. It’s in the download section. P.S. I released RPMs last time because someone sent them to me, but I am not going to make it a habit to try to get RPMs built. If people would like to create rpms and then send them to me, I will happily put them up.

Thu Feb 15 20:03:46 EST 2001 - Okay, today is when I’m ACTUALLY releasing the new version. I was waiting to get some RPMs setup, and well, bleh I say. I have some RPMs in the download section, but they may not even work. I don’t have an RPM system and so I’m not giving it extensive testing. If they work for you, good. If not, just get the source. It takes half a second to compile it, and you won’t have tons of library errors etc. Hopefully I’m going to add some features that have been sitting on the TODO list for a while. I want to add multiple site support for one, and also I would like to assemble halfway decent datalists. If anyone would like to contribute, be my guest.

Mon Feb 12 21:33:46 EST 2001 - It’s an update! Oh my! This version mainly sports additions by Panagiotis Issaris. He added things like internationalisation support (with a Dutch translation) and a configure script. He also added a .spec file for an rpm release. I’m still looking for good data lists to include with authforce, but since nobody seems to have any I’ll hopefully try to make my own. As always, contributions are always welcome. There are a couple things in the BUGS file that aren’t too complicated, as well as a lot of tiny things in the TODO file that anyone could do. Enjoy.

Description

Authforce is an HTTP authentication brute forcer. Using various methods, it attempts brute force username and password pairs for a site. It has the ability to try common username and passwords, username derivations, and common username/password pairs. It is used to both test the security of your site and to prove the insecurity of HTTP authentication based on the fact that users just don’t pick good passwords.

History

I made this because I was curious how bad people were at choosing decent passwords. It can also be used to test the security of your site.

Usage

See the README. You run it, it searches and displays matches.

Help Wanted

As mentioned above, help is always wanted. Email me.

Download

Credits

Toby Deshane, for helping me with the tough areas of programming
Daniel Stenberg, for writing curl (curl.haxx.se)
The authors of BASH, for some code (see extract.c)
Bob Stout, for strrev (misc.c) obtained from www.brokersys.com/snippets
S.E. Margison and Robert B.Stout for most of remove_crud
Johan Lindh, for memwatch (www.link-data.com/memwatch-2.64.tar.gz)
Panagiotis Issaris, for the configure script, internationalisation support, translations, bugfixes, testing, and rpm building
Michael K. Hubbard, for rpm building
S.T. Apler, for the logo
www.mutt.org, for the site layout idea
henjin tai-sho <henjin at tai-sho.m4f.net>, for various patches
Juan Ezquerro <arrase at gulcas.org>, for various patches
Daniel Black <dragonheart@gentoo.org>, for patches and bug reports