JavaScript Authorization Forcer
This is an idea I am still developing. The malicious JavaScript presented here tries to guess URLs that contain credentials. It is a sort of Basic Authentication/FTP Authentication bruteforcer.
The source code can be downloaded from here.
The POC works well in IE6, IE7, Firefox and Opera. I wasn’t able to suppress the Basic Authentication dialog when trying to create a real Basic Authentication bruteforcer. However, I came up with this lazyForce implementation. A typical attack vector is as follows:
- The attacker discovers your internal IP
- Based on your IP, a class C range is enumerated using the Port Scanning or Visited Link Scanning technique
- Once a target is discovered, a large enough dictionary is used to find valid credentials associated with each IP
In order to make IE work, a style sheet that is embedded inside the current document needs to be reused. Read the provided source code for more information. This obstacle is quite easily solved in AttackAPI.
In order to make the POC work, a URL like this one needs to be visited first.
My advice to you is to never, never, never, ever use credentials in URLs. I know it is easier to type ftp://user:pass@192.168.3.2 but this also puts your privacy at a huge risk.
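To act on that advice, the following added example (not part of the original post or its POC) scans text such as bookmarks exports, configuration files or shell history for URLs that carry credentials in the userinfo part and rewrites them without the credentials. The function names and the sample input are assumptions made for illustration; only the `ftp://user:pass@192.168.3.2` form comes from the post.

```javascript
// Added example (not from the original post): detect and redact URLs that
// embed credentials in the userinfo part, e.g. scheme://user:pass@host/.
const URL_CANDIDATE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s"'<>]+/gi;

// Returns null for a clean or unparseable URL, otherwise a finding object.
function inspectUrl(candidate) {
  const raw = candidate.replace(/[.,;!?)\]]+$/, ""); // drop trailing prose punctuation
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  // An "@" in the path or query is not userinfo; the URL parser tells them apart.
  if (url.username === "" && url.password === "") return null;
  return {
    raw,
    scheme: url.protocol.slice(0, -1),
    host: url.host,
    hasPassword: url.password !== "",
    // Rebuild from parsed parts so no userinfo can survive.
    redacted: `${url.protocol}//${url.host}${url.pathname}${url.search}${url.hash}`,
  };
}

// Lists every credential-bearing URL in the text with its character offset.
function findCredentialUrls(text) {
  const findings = [];
  for (const m of text.matchAll(URL_CANDIDATE)) {
    const finding = inspectUrl(m[0]);
    if (finding) findings.push({ offset: m.index, ...finding });
  }
  return findings;
}

// Returns the text with credentials stripped from every URL that had them.
function redactCredentialUrls(text) {
  return text.replace(URL_CANDIDATE, (m) => {
    const finding = inspectUrl(m);
    return finding ? finding.redacted + m.slice(finding.raw.length) : m;
  });
}

// Constructed sample input (the first URL uses the form quoted in the post).
const SAMPLE = [
  "mirror = ftp://user:pass@192.168.3.2/pub/file.iso",
  "panel  = http://admin@192.168.3.1/status",
  "help   = https://example.com/help?contact=admin@example.com",
].join("\n");

console.log(findCredentialUrls(SAMPLE));
console.log(redactCredentialUrls(SAMPLE));
```

The third sample line is left untouched because its `@` sits in the query string, not in the userinfo part.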
