The purpose of HTTPBrute is threefold:

  • To help developers when implementing algorithm for HTTP digest as per RFC 2617. The tool can act as an authentication response calculator.
  • To measure how secure your web server is, and/or how secure is your VoIP password used in SIP  signaling.
  • To retrieve forgotten password. 
The tool can be used by security experts as well as novice users. The main purpose and motivation is education. 
Its use should not be towards malicious activities such as intrusion into VoIP accounts or simple web pages that still rely on HTTP digest. An exception would be to retrieve a VoIP password for the device you got from the ITSP (Internet Telephone Service Provider). In some cases they want you to use their VoIP ATAs (which suck). Still, they discourage you from using other devices (which work better) just so they have less headaches supporting your account. In case you retrieve the password you have enough information to start considering using different VoIP enabled device. 
Most of today's secure web sites use SSL/TLS anyway. The same applies to VoIP. Having said that, I do not see causing a huge risk by making such tool available. Rather it can serve as a preventive measure to stop intrusion and insure your network is not compromised easily. Trust me, no one can protect you better than yourself.

The tool itself can be programmed to perform a brute-force password attack. It does not support a dictionary password attack.  It provides a smart programming which helps eliminate a whole slew of passwords one may guess are unlikely used. Examples of such passwords are: 'aaabbbccc', 'abaaaaaaaa', 'ABAAAAAA', '!^$!$*#)$',... You get the idea :-)

The program is multi-threaded and running it on multi-core computer would be ideal. To speed up guessing there is a number of tweaks available such as: password length, max consecutive repetitions of the same character, max appearance of the same character, upper case characters and what characters are used for password generation.

No matter what, this tool will fail when security is strong (passwords are lengthy) and unpredictable combinations of alpha-numeric values and special characters are used. One spend significant amount of time running the tool and trying different combination. If the password is strong enough his efforts will be in vain.
If you happen to be from a 'rogue country' or your intents are malicious please stay away. 

Zarko Coklin

tumblr tracker