This script, `ffuf_basicauth.sh`, is a shell script designed to generate...

July 5, 2025 at 05:08 PM

#!/bin/sh
##############################################################################
# Script name: ffuf_basicauth.sh
# Description: Generate HTTP basic authentication username:password
#              credential combinations from provided wordlists.
# Author:      Joona Hoikkala
# Email:       joohoi@io.fi
##############################################################################
#
# Usage example:
# Test each HTTP basic authentication username:password combination
# in https://example.org/endpoint, and filter out 403 - Forbidden responses.
#
# ./ffuf_basicauth.sh usernames.txt passwords.txt |ffuf -w -:AUTH \
#     -u https://example.org/endpoint -H "Authorization: Basic AUTH" -fc 403
#
##############################################################################

if [ "$#" -ne 2 ]; then
    printf "Usage: %s usernames.txt passwords.txt\n" "$0" >&2
    exit 1
fi

if ! [ -f "$1" ]; then
    printf "%s file not found.\n\n" "$1" >&2
    printf "Usage: %s usernames.txt passwords.txt\n" "$0" >&2
    exit 1
fi

if ! [ -f "$2" ]; then
    printf "%s file not found.\n\n" "$2" >&2
    printf "Usage: %s usernames.txt passwords.txt\n" "$0" >&2
    exit 1
fi

USERNAME_WORDLIST="$1"
PASSWORD_WORDLIST="$2"
USERNAME_WORDLIST_SIZE=$(wc -l "$USERNAME_WORDLIST" |awk '{print $1;}')
PASSWORD_WORDLIST_SIZE=$(wc -l "$PASSWORD_WORDLIST" |awk '{print $1;}')
OUTPUT_WORDLIST_SIZE=$((USERNAME_WORDLIST_SIZE * PASSWORD_WORDLIST_SIZE))

printf "\nGenerating HTTP basic authentication strings. This can take a while depending on the length of user and password lists.\n\n" >&2
printf "Usernames: %s\n" "$USERNAME_WORDLIST_SIZE" >&2
printf "Passwords: %s\n" "$PASSWORD_WORDLIST_SIZE" >&2
printf "Total combinations: %s\n\n" "$OUTPUT_WORDLIST_SIZE" >&2

while IFS= read -r user
do
    while IFS= read -r password
    do
        printf "%s:%s" "$user" "$password" |base64
    done < "$PASSWORD_WORDLIST"
done < "$USERNAME_WORDLIST"

This script, ffuf_basicauth.sh, is a shell script designed to generate Base64-encoded combinations of HTTP Basic Authentication credentials from two input wordlists: one for usernames and another for passwords. Here's what it does:

High-Level Overview

  • Inputs: The script takes two input files — a list of usernames and a list of passwords.
  • Outputs: It produces Base64-encoded username:password combinations for HTTP Basic Authentication, which can be passed to other tools like ffuf.

Detailed Breakdown

  1. Shebang: The script starts with #!/bin/sh, indicating it should be executed in a POSIX-compliant shell.

  2. Argument Verification:

    • It ensures that exactly two arguments are provided (usernames.txt and passwords.txt).
    • If invalid usage is detected, it prints a usage message and exits.
  3. File Existence Check:

    • The script verifies that each of the provided username and password files exists and is a regular file ([ -f ]). If either is missing, it prints an error and the usage message to stderr and exits with status 1.
  4. Wordlist Sizes:

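    • It calculates the number of lines (entries) in the username file (USERNAME_WORDLIST_SIZE) and the password file (PASSWORD_WORDLIST_SIZE) using wc -l. Because wc -l counts newline characters, a final entry without a trailing newline is not included in the count.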
    • The script then calculates the total number of possible combinations of usernames and passwords (OUTPUT_WORDLIST_SIZE = usernames × passwords).
  5. User Feedback:

    • Before starting the generation process, the script prints the number of entries in both wordlists and the total number of combinations that will be generated.
  6. Credential Combination Generation:

    • For each username in the username file:
      • For each password in the password file:
        • It prints a Base64-encoded username:password string. The pair is written with printf (no trailing newline) and piped to the base64 utility, which emits the encoded value on its own line.
  7. Usage Example:

    • The script is intended to be paired with tools like ffuf. For instance, the example shows how these Base64 credentials can be used by ffuf to test HTTP endpoints:
      ./ffuf_basicauth.sh usernames.txt passwords.txt | ffuf -w -:AUTH \
      -u https://example.org/endpoint -H "Authorization: Basic AUTH" -fc 403
      
      • Here:
        • The script generates Base64 strings to be used in HTTP Basic Authentication.
        • These strings are passed as input to ffuf to test the endpoint https://example.org/endpoint.

Key Features

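  • Base64 Encoding: Required by HTTP Basic Authentication, which sends credentials in the format Authorization: Basic <Base64(username:password)>. Base64 is a reversible encoding, not encryption, so the header value is only protected in transit when the request goes over TLS.
  • Dynamic Calculation: Counts the entries in both input files and prints those counts and the total number of combinations to stderr before generation starts, so the messages do not mix with the credential strings written to stdout.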
  • Tool Integration: Designed for use in conjunction with tools like ffuf for automated testing workflows, such as brute-forcing protected endpoints.

Example Input and Output

Inputs:

  • usernames.txt:
    admin
    user
    guest
    
  • passwords.txt:
    password123
    admin123
    guest
    

Output:

The script will output Base64-encoded combinations of username:password, one per line:

YWRtaW46cGFzc3dvcmQxMjM=
YWRtaW46YWRtaW4xMjM=
YWRtaW46Z3Vlc3Q=
dXNlcjpwYXNzd29yZDEyMw==
dXNlcjphZG1pbjEyMw==
[....]

This output can then be fed into testing tools to validate HTTP Basic Authentication credentials.
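
Seen from the server side, the same Authorization: Basic <Base64(username:password)> values can be decoded to spot credential guessing. The following is an added example, not part of ffuf_basicauth.sh or ffuf: it flags clients whose failed (401) requests carry many distinct credentials. The log layout, the function names sample_log and flag_basic_auth_guessing, and the threshold are assumptions, and the sample records are constructed.

```shell
#!/bin/sh
# Constructed sample records: "<client_ip> <status> <Authorization value>".
# The field layout is an assumption, e.g. a proxy log that keeps the header.
sample_log() {
    cat <<'EOF'
203.0.113.7 401 Basic YWRtaW46cGFzc3dvcmQxMjM=
203.0.113.7 401 Basic YWRtaW46YWRtaW4xMjM=
203.0.113.7 401 Basic YWRtaW46Z3Vlc3Q=
203.0.113.7 401 Basic YWRtaW46Z3Vlc3Q=
203.0.113.7 401 Basic dXNlcjpwYXNzd29yZDEyMw==
192.0.2.10 401 Basic Ym9iOm9sZA==
192.0.2.10 401 Basic Ym9iOm9sZA==
192.0.2.10 401 Basic Ym9iOm9sZA==
198.51.100.20 401 Basic not-base64!
198.51.100.20 200 Basic YWxpY2U6czNjcmV0
EOF
}

# Reads records on stdin and prints
#   "<ip> <distinct_failed_credentials> <distinct_usernames>"
# for every client whose distinct failed credentials reach the threshold ($1).
flag_basic_auth_guessing() {
    threshold="$1"
    while read -r ip status scheme b64; do
        # Only failed Basic attempts are of interest.
        [ "$status" = "401" ] && [ "$scheme" = "Basic" ] || continue
        # Skip values that are not valid Base64 (GNU coreutils base64 -d).
        cred=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || continue
        # A Basic credential must contain the user:password separator.
        case "$cred" in *:*) ;; *) continue ;; esac
        user=${cred%%:*}
        # Replace the secret with a checksum so cleartext passwords never
        # reach the report. CRC is used for de-duplication only.
        id=$(printf '%s' "$cred" | cksum | awk '{print $1}')
        printf '%s\t%s\t%s\n' "$ip" "$user" "$id"
    done | sort -u | awk -F'\t' -v t="$threshold" '
        # After sort -u every line is one distinct credential for that client.
        { creds[$1]++; if (!seen[$1 FS $2]++) users[$1]++ }
        END { for (ip in creds) if (creds[ip] >= t) print ip, creds[ip], users[ip] }'
}

# With a threshold of 3, only the client that cycled through credentials is
# reported; the client retrying one stale password three times is not.
sample_log | flag_basic_auth_guessing 3
```

Counting distinct credentials rather than raw 401s keeps a misconfigured client that repeats one wrong password from being reported alongside a wordlist run.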
