Authforce is a software application that performs brute force attacks on HTTP authentication.
The program is easy to use for basic applications. Simply ensure that the data files contain the information you want, and run Authforce with the URL of the site you want to brute force as its argument. At this time, it is not possible to disable a method, but you can achieve the same effect by using an empty data file. For instance, if you don't usually use the concat method, you can give it an empty list.
One of the unique features of Authforce is its session support, which can cause some confusion for new users. Start Authforce with the -s option to enable session support. You can then stop the program with SIGINT (^C or kill -INT pid), which triggers the program to write its current position to session.save (by default) and quit.
However, the data lists offered by the program are currently limited, so you may need to create your own or find one. The software works well with lists from programs such as John the Ripper, but be wary of their length. If you make your own data list, you're encouraged to contribute it to the program.
With the new release, the password.lst file now has a new syntax. Along with regular passwords, there are now keywords such as {username} and {emanresu} that insert the username and the username reversed, respectively. Other keywords can also be added.
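The keyword syntax above also shows what a password-change check should refuse: any password that one list entry would produce for that user. The following is an added example, not Authforce code; the function names and the sample list are constructed, and mixing keywords with literal text in one entry (as in `{username}123`) is an assumption about the syntax.

```python
import re

# Keywords named on the page; the expansion functions are this example's own.
KEYWORDS = {
    "username": lambda u: u,        # {username} -> the username
    "emanresu": lambda u: u[::-1],  # {emanresu} -> the username reversed
}
TOKEN = re.compile(r"\{([^{}]*)\}")


def expand(entry, username):
    """Expand one list entry for a username; None if it uses an unknown keyword."""
    if any(k not in KEYWORDS for k in TOKEN.findall(entry)):
        return None  # a keyword this checker does not implement: skip the entry
    return TOKEN.sub(lambda m: KEYWORDS[m.group(1)](username), entry)


def is_guessable(username, password, entries, ignore_case=True):
    """Return the list entry that yields `password` for this user, or None."""
    norm = str.lower if ignore_case else (lambda s: s)
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no candidate
        candidate = expand(entry, username)
        if candidate is not None and norm(candidate) == norm(password):
            return entry
    return None


# Constructed sample list in the keyword syntax described above.
SAMPLE_LIST = ["letmein", "{username}", "{emanresu}",
               "{username}123", "{nickname}2024", ""]

if __name__ == "__main__":
    for user, pw in [("alice", "ecila"), ("alice", "Alice123"),
                     ("bob", "x9!Tq#4vLm")]:
        hit = is_guessable(user, pw, SAMPLE_LIST)
        print(user, "rejected by " + hit if hit else "accepted")
```

Run at password-set time, the check returns the matching entry so the rejection message can say why the password is weak.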
Overall, Authforce makes an excellent software choice for those looking for a powerful HTTP authentication brute forcer. The software's various methods and features make it easy to test the security of your site while demonstrating the potential insecurities of HTTP authentication. The program is easy to use for basic purposes, and users can create custom data lists for better results.
Version 0.9.9: N/A