The source code can be downloaded from here.
The POC works well in IE6, IE7, Firefox and Opera. I wasn’t able to suppress the Basic Authentication dialog when trying to create a real Basic Authentication Bruteforcer. However, I came up with this lazyForce implementation. A typical attack vector will work like this:
- The attacker discovers your internal IP.
- Based on your IP, a class C range is enumerated using the Port Scanning or Visited Link Scanning techniques.
- Once a target is discovered, a large enough dictionary is used to find valid credentials associated with each IP.
My advice to you is to never, never, never, ever use credentials in URLs. I know it is easier to type ftp://user:firstname.lastname@example.org, but this also puts your privacy at a huge risk.
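One way to act on the advice above, as an added example that is not part of the original post or its POC: a small Python scanner that finds URLs carrying embedded credentials in text such as a shell history, bookmark export or config file, and reports them with the userinfo redacted. The function names, the `SAMPLE` lines and the `example.test` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs: scheme://... up to whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

# Constructed sample input (hypothetical hosts), e.g. lines from a shell history.
SAMPLE = """\
open ftp://alice:s3cret@files.example.test/pub/report.txt
wget http://example.test/@alice/profile
curl https://bob@intranet.example.test:8443/status?x=1
see http://carol:p%40ss@[2001:db8::1]:8080/admin.
"""

def redact(parts, host, port):
    """Rebuild the URL without its userinfo so the report never echoes a secret."""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    if port is not None:
        host += ":" + str(port)
    return urlunsplit((parts.scheme, "REDACTED@" + host,
                       parts.path, parts.query, parts.fragment))

def find_credential_urls(text):
    """Return (line_no, redacted_url, has_password) for every URL with userinfo."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            raw = match.group(0).rstrip(".,;)")   # drop trailing punctuation
            try:
                parts = urlsplit(raw)
                host, port = parts.hostname, parts.port
            except ValueError:                    # bad IPv6 literal or port
                continue
            # username is None unless '@' sits in the authority component, so
            # an '@' in the path or query string is not a finding.
            if parts.username is None or not host:
                continue
            findings.append((line_no, redact(parts, host, port),
                             parts.password is not None))
    return findings

if __name__ == "__main__":
    for line_no, url, has_password in find_credential_urls(SAMPLE):
        kind = "user:password" if has_password else "username only"
        print(f"line {line_no}: {kind} in {url}")
```

Any hit with a password is a credential that has already been written to disk in clear text and should be rotated, not just removed from the file.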