basicbuster 0.1.0__tar.gz → 0.1.2__tar.gz

basicbuster-0.1.2/PKG-INFO

@@ -0,0 +1,108 @@
+Metadata-Version: 2.4
+Name: basicbuster
+Version: 0.1.2
+Summary: CLI tool for HTTP Basic Authentication testing with wordlists.
+Author: dhina016
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/dhina016/basicbuster
+Project-URL: Repository, https://github.com/dhina016/basicbuster
+Project-URL: Issues, https://github.com/dhina016/basicbuster/issues
+Keywords: security,http,basic-auth,pentest,cli
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.28.0
+Provides-Extra: dev
+Requires-Dist: build>=1.0.0; extra == "dev"
+Requires-Dist: twine>=5.0.0; extra == "dev"
+Dynamic: license-file
+
+# basicbuster
+
+**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It detects Basic Auth on a target URL, runs pitchfork or clusterbomb-style attempts, and reports credentials that return HTTP `200`.
+
+## Disclaimer
+
+Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.
+
+## Installation
+
+```bash
+pip install basicbuster
+```
+
+## Usage
+
+```text
+basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [OPTIONS]
+```
+
+### Options
+
+| Flag | Description |
+|------|-------------|
+| `--url` | Target URL protected by HTTP Basic Auth |
+| `--username FILE` | Path to username wordlist (one per line) |
+| `--password FILE` | Path to password wordlist (one per line) |
+| `--userpass FILE` | Combined `user:pass` file (one per line) |
+| `--mode` | `clusterbomb` (all combinations, default) or `pitchfork` (zip by index) |
+| `-t, --threads` | Number of concurrent threads (default: 10) |
+| `--timeout` | Per-request timeout in seconds (default: 10) |
+| `--proxy URL` | Route traffic through a proxy (e.g. `http://127.0.0.1:8080`) |
+| `-v, --show-attempts` | Print every attempt with HTTP status |
+| `--quiet` | Minimal output |
+
+### Examples
+
+Clusterbomb (default — all username x password combinations):
+
+```bash
+basicbuster --url https://example.com/secret --username users.txt --password passwords.txt -v
+```
+
+Pitchfork (pair line-by-line):
+
+```bash
+basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork -v
+```
+
+Combined `user:pass` file:
+
+```bash
+basicbuster --url https://example.com/secret --userpass combo.txt -v
+```
+
+With proxy and 20 threads:
+
+```bash
+basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080 -t 20 -v
+```
+
+### Output
+
+```text
+[*] Target appears to use HTTP Basic Auth: https://example.com/secret
+[*] Testing 400 credential pair(s) with 10 thread(s)…
+
+[1/400] [-] admin:password → HTTP 401
+[2/400] [-] admin:123456 → HTTP 401
+[3/400] [+] admin:secret → HTTP 200 ✓ SUCCESS
+...
+```
+
+Sample wordlists (20 common entries each) are included in [`samples/`](samples/).
+
+## License
+
+MIT — see [LICENSE](LICENSE).

basicbuster-0.1.2/README.md

@@ -0,0 +1,78 @@
+# basicbuster
+
+**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It detects Basic Auth on a target URL, runs pitchfork or clusterbomb-style attempts, and reports credentials that return HTTP `200`.
+
+## Disclaimer
+
+Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.
+
+## Installation
+
+```bash
+pip install basicbuster
+```
+
+## Usage
+
+```text
+basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [OPTIONS]
+```
+
+### Options
+
+| Flag | Description |
+|------|-------------|
+| `--url` | Target URL protected by HTTP Basic Auth |
+| `--username FILE` | Path to username wordlist (one per line) |
+| `--password FILE` | Path to password wordlist (one per line) |
+| `--userpass FILE` | Combined `user:pass` file (one per line) |
+| `--mode` | `clusterbomb` (all combinations, default) or `pitchfork` (zip by index) |
+| `-t, --threads` | Number of concurrent threads (default: 10) |
+| `--timeout` | Per-request timeout in seconds (default: 10) |
+| `--proxy URL` | Route traffic through a proxy (e.g. `http://127.0.0.1:8080`) |
+| `-v, --show-attempts` | Print every attempt with HTTP status |
+| `--quiet` | Minimal output |
+
+### Examples
+
+Clusterbomb (default — all username x password combinations):
+
+```bash
+basicbuster --url https://example.com/secret --username users.txt --password passwords.txt -v
+```
+
+Pitchfork (pair line-by-line):
+
+```bash
+basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork -v
+```
+
+Combined `user:pass` file:
+
+```bash
+basicbuster --url https://example.com/secret --userpass combo.txt -v
+```
+
+With proxy and 20 threads:
+
+```bash
+basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080 -t 20 -v
+```
+
+### Output
+
+```text
+[*] Target appears to use HTTP Basic Auth: https://example.com/secret
+[*] Testing 400 credential pair(s) with 10 thread(s)…
+
+[1/400] [-] admin:password → HTTP 401
+[2/400] [-] admin:123456 → HTTP 401
+[3/400] [+] admin:secret → HTTP 200 ✓ SUCCESS
+...
+```
+
+Sample wordlists (20 common entries each) are included in [`samples/`](samples/).
+
+## License
+
+MIT — see [LICENSE](LICENSE).

{basicbuster-0.1.0 → basicbuster-0.1.2}/basicbuster/__init__.py

@@ -1,3 +1,3 @@
 """HTTP Basic Authentication testing CLI."""
 
-__version__ = "0.1.0"
+__version__ = "0.1.2"

{basicbuster-0.1.0 → basicbuster-0.1.2}/basicbuster/cli.py

@@ -4,7 +4,7 @@ import argparse
 import sys
 
 from basicbuster import __version__
-from basicbuster.core import DEFAULT_TIMEOUT, run_attack
+from basicbuster.core import DEFAULT_THREADS, DEFAULT_TIMEOUT, run_attack
 
 
 def build_parser() -> argparse.ArgumentParser:
@@ -51,6 +51,20 @@ def build_parser() -> argparse.ArgumentParser:
         action="store_true",
         help="Less verbose output (no probe line, no summary).",
     )
+    p.add_argument(
+        "-v",
+        "--show-attempts",
+        dest="show_attempts",
+        action="store_true",
+        help="Print each user:pass attempt with HTTP status or error.",
+    )
+    p.add_argument(
+        "-t",
+        "--threads",
+        type=int,
+        default=DEFAULT_THREADS,
+        help=f"Number of concurrent threads (default: {DEFAULT_THREADS}).",
+    )
     return p
 
 

basicbuster-0.1.2/basicbuster/core.py

@@ -0,0 +1,195 @@
+from __future__ import annotations
+
+import itertools
+import sys
+import threading
+from argparse import Namespace
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from pathlib import Path
+from typing import Iterable
+
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+DEFAULT_TIMEOUT = 10.0
+DEFAULT_THREADS = 10
+
+_print_lock = threading.Lock()
+
+
+def _safe_print(msg: str) -> None:
+    with _print_lock:
+        print(msg, flush=True)
+
+
+def _proxy_dict(proxy: str | None) -> dict[str, str] | None:
+    if not proxy:
+        return None
+    return {"http": proxy, "https": proxy}
+
+
+def _read_lines(path: Path) -> list[str]:
+    text = path.read_text(encoding="utf-8", errors="replace")
+    return [line.strip() for line in text.splitlines() if line.strip()]
+
+
+def check_basic_auth(
+    url: str,
+    timeout: float = DEFAULT_TIMEOUT,
+    proxies: dict[str, str] | None = None,
+) -> bool:
+    try:
+        r = requests.get(url, timeout=timeout, allow_redirects=False, proxies=proxies)
+    except requests.RequestException:
+        return False
+    if r.status_code != 401:
+        return False
+    www_auth = r.headers.get("WWW-Authenticate") or ""
+    return "basic" in www_auth.lower()
+
+
+def try_login(
+    url: str,
+    username: str,
+    password: str,
+    timeout: float = DEFAULT_TIMEOUT,
+    proxies: dict[str, str] | None = None,
+) -> tuple[str, str, int | None, str | None]:
+    try:
+        r = requests.get(
+            url,
+            auth=HTTPBasicAuth(username, password),
+            timeout=timeout,
+            allow_redirects=False,
+            proxies=proxies,
+        )
+        return (username, password, r.status_code, None)
+    except requests.RequestException as e:
+        return (username, password, None, str(e))
+
+
+def _build_pairs(
+    usernames: Iterable[str],
+    passwords: Iterable[str],
+    mode: str,
+) -> list[tuple[str, str]]:
+    u = list(usernames)
+    p = list(passwords)
+    if not u or not p:
+        return []
+    if mode == "pitchfork":
+        return list(zip(u, p))
+    return list(itertools.product(u, p))
+
+
+def _run_pairs(
+    url: str,
+    pairs: list[tuple[str, str]],
+    *,
+    timeout: float,
+    proxies: dict[str, str] | None,
+    threads: int,
+    show_attempts: bool,
+    verbose: bool,
+) -> bool:
+    if not pairs:
+        _safe_print("[!] No credential pairs to test.")
+        return False
+
+    total = len(pairs)
+    _safe_print(f"[*] Testing {total} credential pair(s) with {threads} thread(s)…\n")
+
+    found = False
+    done = 0
+
+    def _on_result(user: str, pw: str, code: int | None, err: str | None) -> None:
+        nonlocal found, done
+        done += 1
+        tag = f"[{done}/{total}]"
+
+        if code is None:
+            if show_attempts or verbose:
+                _safe_print(f"{tag} [-] {user}:{pw} → error ({err})")
+            return
+
+        if code == 200:
+            found = True
+            _safe_print(f"{tag} [+] {user}:{pw} → HTTP {code} ✓ SUCCESS")
+        elif show_attempts:
+            _safe_print(f"{tag} [-] {user}:{pw} → HTTP {code}")
+
+    with ThreadPoolExecutor(max_workers=threads) as pool:
+        futures = {
+            pool.submit(try_login, url, user, pw, timeout, proxies): (user, pw)
+            for user, pw in pairs
+        }
+        for future in as_completed(futures):
+            user, pw, code, err = future.result()
+            _on_result(user, pw, code, err)
+
+    return found
+
+
+def run_attack(args: Namespace) -> int:
+    url: str = args.url
+    timeout = float(args.timeout)
+    verbose = not args.quiet
+    show_attempts = bool(getattr(args, "show_attempts", False))
+    threads = int(getattr(args, "threads", DEFAULT_THREADS))
+    proxies = _proxy_dict(args.proxy)
+
+    uses_basic = check_basic_auth(url, timeout=timeout, proxies=proxies)
+    if verbose:
+        if uses_basic:
+            _safe_print(f"[*] Target appears to use HTTP Basic Auth: {url}")
+        else:
+            _safe_print(f"[!] Target may not require HTTP Basic Auth (or unreachable): {url}")
+
+    pairs: list[tuple[str, str]]
+
+    if args.userpass:
+        path = Path(args.userpass)
+        if not path.is_file():
+            _safe_print(f"[!] File not found: {path}")
+            return 2
+        lines = _read_lines(path)
+        combos: list[tuple[str, str]] = []
+        for line in lines:
+            if ":" not in line:
+                _safe_print(f"[!] Invalid line (expected user:pass): {line!r}")
+                return 2
+            user, _, rest = line.partition(":")
+            combos.append((user, rest))
+        pairs = _build_pairs(
+            [u for u, _ in combos],
+            [p for _, p in combos],
+            args.mode,
+        )
+    else:
+        if not args.username or not args.password:
+            _safe_print("[!] Provide --userpass or both --username and --password files.")
+            return 2
+        up = Path(args.username)
+        pp = Path(args.password)
+        if not up.is_file() or not pp.is_file():
+            _safe_print("[!] Username or password file not found.")
+            return 2
+        users = _read_lines(up)
+        pws = _read_lines(pp)
+        pairs = _build_pairs(users, pws, args.mode)
+
+    found = _run_pairs(
+        url,
+        pairs,
+        timeout=timeout,
+        proxies=proxies,
+        threads=threads,
+        show_attempts=show_attempts,
+        verbose=verbose,
+    )
+
+    if not found and verbose:
+        _safe_print("\n[*] No credentials returned HTTP 200.")
+
+    return 0 if found else 1

basicbuster-0.1.2/basicbuster.egg-info/PKG-INFO

@@ -0,0 +1,108 @@
+Metadata-Version: 2.4
+Name: basicbuster
+Version: 0.1.2
+Summary: CLI tool for HTTP Basic Authentication testing with wordlists.
+Author: dhina016
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/dhina016/basicbuster
+Project-URL: Repository, https://github.com/dhina016/basicbuster
+Project-URL: Issues, https://github.com/dhina016/basicbuster/issues
+Keywords: security,http,basic-auth,pentest,cli
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.28.0
+Provides-Extra: dev
+Requires-Dist: build>=1.0.0; extra == "dev"
+Requires-Dist: twine>=5.0.0; extra == "dev"
+Dynamic: license-file
+
+# basicbuster
+
+**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It detects Basic Auth on a target URL, runs pitchfork or clusterbomb-style attempts, and reports credentials that return HTTP `200`.
+
+## Disclaimer
+
+Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.
+
+## Installation
+
+```bash
+pip install basicbuster
+```
+
+## Usage
+
+```text
+basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [OPTIONS]
+```
+
+### Options
+
+| Flag | Description |
+|------|-------------|
+| `--url` | Target URL protected by HTTP Basic Auth |
+| `--username FILE` | Path to username wordlist (one per line) |
+| `--password FILE` | Path to password wordlist (one per line) |
+| `--userpass FILE` | Combined `user:pass` file (one per line) |
+| `--mode` | `clusterbomb` (all combinations, default) or `pitchfork` (zip by index) |
+| `-t, --threads` | Number of concurrent threads (default: 10) |
+| `--timeout` | Per-request timeout in seconds (default: 10) |
+| `--proxy URL` | Route traffic through a proxy (e.g. `http://127.0.0.1:8080`) |
+| `-v, --show-attempts` | Print every attempt with HTTP status |
+| `--quiet` | Minimal output |
+
+### Examples
+
+Clusterbomb (default — all username x password combinations):
+
+```bash
+basicbuster --url https://example.com/secret --username users.txt --password passwords.txt -v
+```
+
+Pitchfork (pair line-by-line):
+
+```bash
+basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork -v
+```
+
+Combined `user:pass` file:
+
+```bash
+basicbuster --url https://example.com/secret --userpass combo.txt -v
+```
+
+With proxy and 20 threads:
+
+```bash
+basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080 -t 20 -v
+```
+
+### Output
+
+```text
+[*] Target appears to use HTTP Basic Auth: https://example.com/secret
+[*] Testing 400 credential pair(s) with 10 thread(s)…
+
+[1/400] [-] admin:password → HTTP 401
+[2/400] [-] admin:123456 → HTTP 401
+[3/400] [+] admin:secret → HTTP 200 ✓ SUCCESS
+...
+```
+
+Sample wordlists (20 common entries each) are included in [`samples/`](samples/).
+
+## License
+
+MIT — see [LICENSE](LICENSE).

{basicbuster-0.1.0 → basicbuster-0.1.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "basicbuster"
-version = "0.1.0"
+version = "0.1.2"
 description = "CLI tool for HTTP Basic Authentication testing with wordlists."
 readme = "README.md"
 license = "MIT"

basicbuster-0.1.0/PKG-INFO

@@ -1,133 +0,0 @@
-Metadata-Version: 2.4
-Name: basicbuster
-Version: 0.1.0
-Summary: CLI tool for HTTP Basic Authentication testing with wordlists.
-Author: dhina016
-License-Expression: MIT
-Project-URL: Homepage, https://github.com/dhina016/basicbuster
-Project-URL: Repository, https://github.com/dhina016/basicbuster
-Project-URL: Issues, https://github.com/dhina016/basicbuster/issues
-Keywords: security,http,basic-auth,pentest,cli
-Classifier: Development Status :: 4 - Beta
-Classifier: Environment :: Console
-Classifier: Intended Audience :: Developers
-Classifier: Intended Audience :: Information Technology
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Topic :: Internet :: WWW/HTTP
-Classifier: Topic :: Security
-Requires-Python: >=3.10
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: requests>=2.28.0
-Provides-Extra: dev
-Requires-Dist: build>=1.0.0; extra == "dev"
-Requires-Dist: twine>=5.0.0; extra == "dev"
-Dynamic: license-file
-
-# basicbuster
-
-**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It can detect Basic Auth on a target URL, run pitchfork or clusterbomb-style attempts, and report credentials that return HTTP `200`.
-
-## Disclaimer
-
-Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.
-
-## Requirements
-
-- Python 3.10+
-
-## Installation
-
-After the package is [published on PyPI](https://pypi.org/project/basicbuster/), install from any machine:
-
-```bash
-pip install basicbuster
-```
-
-From a git checkout (repository root):
-
-```bash
-pip install .
-```
-
-Editable install while developing:
-
-```bash
-pip install -e .
-```
-
-### Publishing to PyPI (maintainers)
-
-The name **basicbuster** is available on PyPI. Two common options:
-
-**A — GitHub Release (recommended)**  
-After you [enable trusted publishing](https://docs.pypi.org/trusted-publishers/) for this repo on PyPI:
-
-1. In PyPI: your account → **Publishing** → add a pending publisher for `dhina016/basicbuster`, workflow file `publish.yml`.
-2. On GitHub: create a **Release** (tag `v0.1.0` or similar) and publish it. The **Publish to PyPI** workflow uploads the built sdist and wheel automatically.
-
-**B — Manual upload**
-
-```bash
-pip install build twine
-python -m build
-twine upload dist/*
-```
-
-Use a [PyPI API token](https://pypi.org/help/#apitoken) when `twine` prompts for credentials (or set `TWINE_USERNAME=__token__` and `TWINE_PASSWORD=pypi-...`).
-
-## Usage
-
-```text
-basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [--mode MODE] [--timeout SECONDS] [--proxy URL]
-```
-
-- **`--url`**: Target URL (resource protected by HTTP Basic Auth).
-- **`--username` / `--password`**: Separate wordlists, one value per line.
-- **`--userpass`**: Combined file with `user:pass` per line (password may contain `:`; only the first `:` separates user and password).
-- **`--mode`**:
-  - `pitchfork` — pair `username[i]` with `password[i]`.
-  - `clusterbomb` — try every username with every password (default).
-- **`--timeout`**: Request timeout in seconds (default: `15`).
-- **`--quiet`**: Minimal output.
-- **`--proxy`**: Forward all traffic through an HTTP(S) proxy (e.g. Burp: `http://127.0.0.1:8080`).
-
-Successful guesses print as:
-
-```text
-[+] SUCCESS user:pass (HTTP 200)
-```
-
-### Examples
-
-Separate wordlists, clusterbomb (default):
-
-```bash
-basicbuster --url https://example.com/secret --username users.txt --password passwords.txt
-```
-
-Pitchfork (zip by line index):
-
-```bash
-basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork
-```
-
-Combined user:pass file:
-
-```bash
-basicbuster --url https://example.com/secret --userpass combo.txt
-```
-
-Through a local intercepting proxy:
-
-```bash
-basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080
-```
-
-## License
-
-MIT — see [LICENSE](LICENSE).

basicbuster-0.1.0/README.md

@@ -1,103 +0,0 @@
-# basicbuster
-
-**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It can detect Basic Auth on a target URL, run pitchfork or clusterbomb-style attempts, and report credentials that return HTTP `200`.
-
-## Disclaimer
-
-Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.
-
-## Requirements
-
-- Python 3.10+
-
-## Installation
-
-After the package is [published on PyPI](https://pypi.org/project/basicbuster/), install from any machine:
-
-```bash
-pip install basicbuster
-```
-
-From a git checkout (repository root):
-
-```bash
-pip install .
-```
-
-Editable install while developing:
-
-```bash
-pip install -e .
-```
-
-### Publishing to PyPI (maintainers)
-
-The name **basicbuster** is available on PyPI. Two common options:
-
-**A — GitHub Release (recommended)**  
-After you [enable trusted publishing](https://docs.pypi.org/trusted-publishers/) for this repo on PyPI:
-
-1. In PyPI: your account → **Publishing** → add a pending publisher for `dhina016/basicbuster`, workflow file `publish.yml`.
-2. On GitHub: create a **Release** (tag `v0.1.0` or similar) and publish it. The **Publish to PyPI** workflow uploads the built sdist and wheel automatically.
-
-**B — Manual upload**
-
-```bash
-pip install build twine
-python -m build
-twine upload dist/*
-```
-
-Use a [PyPI API token](https://pypi.org/help/#apitoken) when `twine` prompts for credentials (or set `TWINE_USERNAME=__token__` and `TWINE_PASSWORD=pypi-...`).
-
-## Usage
-
-```text
-basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [--mode MODE] [--timeout SECONDS] [--proxy URL]
-```
-
-- **`--url`**: Target URL (resource protected by HTTP Basic Auth).
-- **`--username` / `--password`**: Separate wordlists, one value per line.
-- **`--userpass`**: Combined file with `user:pass` per line (password may contain `:`; only the first `:` separates user and password).
-- **`--mode`**:
-  - `pitchfork` — pair `username[i]` with `password[i]`.
-  - `clusterbomb` — try every username with every password (default).
-- **`--timeout`**: Request timeout in seconds (default: `15`).
-- **`--quiet`**: Minimal output.
-- **`--proxy`**: Forward all traffic through an HTTP(S) proxy (e.g. Burp: `http://127.0.0.1:8080`).
-
-Successful guesses print as:
-
-```text
-[+] SUCCESS user:pass (HTTP 200)
-```
-
-### Examples
-
-Separate wordlists, clusterbomb (default):
-
-```bash
-basicbuster --url https://example.com/secret --username users.txt --password passwords.txt
-```
-
-Pitchfork (zip by line index):
-
-```bash
-basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork
-```
-
-Combined user:pass file:
-
-```bash
-basicbuster --url https://example.com/secret --userpass combo.txt
-```
-
-Through a local intercepting proxy:
-
-```bash
-basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080
-```
-
-## License
-
-MIT — see [LICENSE](LICENSE).

basicbuster-0.1.0/basicbuster/core.py

@@ -1,191 +0,0 @@
-from __future__ import annotations
-
-import itertools
-from argparse import Namespace
-from pathlib import Path
-from typing import Iterable
-
-import requests
-from requests import Response
-from requests.auth import HTTPBasicAuth
-
-
-DEFAULT_TIMEOUT = 15.0
-
-
-def _proxy_dict(proxy: str | None) -> dict[str, str] | None:
-    if not proxy:
-        return None
-    return {"http": proxy, "https": proxy}
-
-
-def _read_lines(path: Path) -> list[str]:
-    text = path.read_text(encoding="utf-8", errors="replace")
-    return [line.strip() for line in text.splitlines() if line.strip()]
-
-
-def check_basic_auth(
-    url: str,
-    timeout: float = DEFAULT_TIMEOUT,
-    proxies: dict[str, str] | None = None,
-) -> bool:
-    try:
-        r = requests.get(
-            url,
-            timeout=timeout,
-            allow_redirects=False,
-            proxies=proxies,
-        )
-    except requests.RequestException:
-        return False
-    if r.status_code != 401:
-        return False
-    www_auth = r.headers.get("WWW-Authenticate") or ""
-    return "basic" in www_auth.lower()
-
-
-def try_login(
-    url: str,
-    username: str,
-    password: str,
-    timeout: float = DEFAULT_TIMEOUT,
-    proxies: dict[str, str] | None = None,
-) -> requests.Response:
-    return requests.get(
-        url,
-        auth=HTTPBasicAuth(username, password),
-        timeout=timeout,
-        allow_redirects=False,
-        proxies=proxies,
-    )
-
-
-def pitchfork(
-    url: str,
-    usernames: Iterable[str],
-    passwords: Iterable[str],
-    timeout: float = DEFAULT_TIMEOUT,
-    proxies: dict[str, str] | None = None,
-) -> list[tuple[str, str, Response | None, str | None]]:
-    u = list(usernames)
-    p = list(passwords)
-    if not u or not p:
-        return []
-    n = min(len(u), len(p))
-    results: list[tuple[str, str, Response | None, str | None]] = []
-    for i in range(n):
-        try:
-            resp = try_login(url, u[i], p[i], timeout=timeout, proxies=proxies)
-            results.append((u[i], p[i], resp, None))
-        except requests.RequestException as e:
-            results.append((u[i], p[i], None, str(e)))
-    return results
-
-
-def clusterbomb(
-    url: str,
-    usernames: Iterable[str],
-    passwords: Iterable[str],
-    timeout: float = DEFAULT_TIMEOUT,
-    proxies: dict[str, str] | None = None,
-) -> list[tuple[str, str, Response | None, str | None]]:
-    results: list[tuple[str, str, Response | None, str | None]] = []
-    for user, pw in itertools.product(usernames, passwords):
-        try:
-            resp = try_login(url, user, pw, timeout=timeout, proxies=proxies)
-            results.append((user, pw, resp, None))
-        except requests.RequestException as e:
-            results.append((user, pw, None, str(e)))
-    return results
-
-
-def userpass_mode(
-    url: str,
-    combos: Iterable[tuple[str, str]],
-    mode: str,
-    timeout: float = DEFAULT_TIMEOUT,
-    proxies: dict[str, str] | None = None,
-) -> list[tuple[str, str, Response | None, str | None]]:
-    pairs = list(combos)
-    if not pairs:
-        return []
-    if mode == "pitchfork":
-        users = [u for u, _ in pairs]
-        pws = [p for _, p in pairs]
-        return pitchfork(url, users, pws, timeout=timeout, proxies=proxies)
-    users = [u for u, _ in pairs]
-    pws = [p for _, p in pairs]
-    return clusterbomb(url, users, pws, timeout=timeout, proxies=proxies)
-
-
-def _emit_success(user: str, pw: str, status: int) -> None:
-    print(f"[+] SUCCESS {user}:{pw} (HTTP {status})")
-
-
-def _emit_probe(ok: bool, url: str) -> None:
-    if ok:
-        print(f"[*] Target appears to use HTTP Basic Auth: {url}")
-    else:
-        print(f"[!] Target may not require HTTP Basic Auth (or unreachable): {url}")
-
-
-def run_attack(args: Namespace) -> int:
-    url = args.url
-    timeout = float(args.timeout)
-    verbose = not args.quiet
-    proxies = _proxy_dict(args.proxy)
-
-    uses_basic = check_basic_auth(url, timeout=timeout, proxies=proxies)
-    if verbose:
-        _emit_probe(uses_basic, url)
-
-    results: list[tuple[str, str, Response | None, str | None]]
-
-    if args.userpass:
-        path = Path(args.userpass)
-        if not path.is_file():
-            print(f"[!] File not found: {path}")
-            return 2
-        lines = _read_lines(path)
-        combos: list[tuple[str, str]] = []
-        for line in lines:
-            if ":" not in line:
-                print(f"[!] Invalid line (expected user:pass): {line!r}")
-                return 2
-            user, _, rest = line.partition(":")
-            combos.append((user, rest))
-        results = userpass_mode(
-            url, combos, args.mode, timeout=timeout, proxies=proxies
-        )
-    else:
-        if not args.username or not args.password:
-            print("[!] Provide --userpass or both --username and --password files.")
-            return 2
-        up = Path(args.username)
-        pp = Path(args.password)
-        if not up.is_file() or not pp.is_file():
-            print("[!] Username or password file not found.")
-            return 2
-        users = _read_lines(up)
-        pws = _read_lines(pp)
-        if args.mode == "pitchfork":
-            results = pitchfork(url, users, pws, timeout=timeout, proxies=proxies)
-        else:
-            results = clusterbomb(
-                url, users, pws, timeout=timeout, proxies=proxies
-            )
-
-    found = False
-    for user, pw, resp, err in results:
-        if resp is None:
-            if verbose and err:
-                print(f"[-] request failed for {user}:{pw} — {err}")
-            continue
-        if resp.status_code == 200:
-            _emit_success(user, pw, resp.status_code)
-            found = True
-
-    if not found and verbose:
-        print("[*] No credentials returned HTTP 200.")
-
-    return 0 if found else 1

basicbuster-0.1.0/basicbuster.egg-info/PKG-INFO

@@ -1,133 +0,0 @@
-Metadata-Version: 2.4
-Name: basicbuster
-Version: 0.1.0
-Summary: CLI tool for HTTP Basic Authentication testing with wordlists.
-Author: dhina016
-License-Expression: MIT
-Project-URL: Homepage, https://github.com/dhina016/basicbuster
-Project-URL: Repository, https://github.com/dhina016/basicbuster
-Project-URL: Issues, https://github.com/dhina016/basicbuster/issues
-Keywords: security,http,basic-auth,pentest,cli
-Classifier: Development Status :: 4 - Beta
-Classifier: Environment :: Console
-Classifier: Intended Audience :: Developers
-Classifier: Intended Audience :: Information Technology
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Topic :: Internet :: WWW/HTTP
-Classifier: Topic :: Security
-Requires-Python: >=3.10
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: requests>=2.28.0
-Provides-Extra: dev
-Requires-Dist: build>=1.0.0; extra == "dev"
-Requires-Dist: twine>=5.0.0; extra == "dev"
-Dynamic: license-file
-
-# basicbuster
-
-**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It can detect Basic Auth on a target URL, run pitchfork or clusterbomb-style attempts, and report credentials that return HTTP `200`.
-
-## Disclaimer
-
-Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.
-
-## Requirements
-
-- Python 3.10+
-
-## Installation
-
-After the package is [published on PyPI](https://pypi.org/project/basicbuster/), install from any machine:
-
-```bash
-pip install basicbuster
-```
-
-From a git checkout (repository root):
-
-```bash
-pip install .
-```
-
-Editable install while developing:
-
-```bash
-pip install -e .
-```
-
-### Publishing to PyPI (maintainers)
-
-The name **basicbuster** is available on PyPI. Two common options:
-
-**A — GitHub Release (recommended)**  
-After you [enable trusted publishing](https://docs.pypi.org/trusted-publishers/) for this repo on PyPI:
-
-1. In PyPI: your account → **Publishing** → add a pending publisher for `dhina016/basicbuster`, workflow file `publish.yml`.
-2. On GitHub: create a **Release** (tag `v0.1.0` or similar) and publish it. The **Publish to PyPI** workflow uploads the built sdist and wheel automatically.
-
-**B — Manual upload**
-
-```bash
-pip install build twine
-python -m build
-twine upload dist/*
-```
-
-Use a [PyPI API token](https://pypi.org/help/#apitoken) when `twine` prompts for credentials (or set `TWINE_USERNAME=__token__` and `TWINE_PASSWORD=pypi-...`).
-
-## Usage
-
-```text
-basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [--mode MODE] [--timeout SECONDS] [--proxy URL]
-```
-
-- **`--url`**: Target URL (resource protected by HTTP Basic Auth).
-- **`--username` / `--password`**: Separate wordlists, one value per line.
-- **`--userpass`**: Combined file with `user:pass` per line (password may contain `:`; only the first `:` separates user and password).
-- **`--mode`**:
-  - `pitchfork` — pair `username[i]` with `password[i]`.
-  - `clusterbomb` — try every username with every password (default).
-- **`--timeout`**: Request timeout in seconds (default: `15`).
-- **`--quiet`**: Minimal output.
-- **`--proxy`**: Forward all traffic through an HTTP(S) proxy (e.g. Burp: `http://127.0.0.1:8080`).
-
-Successful guesses print as:
-
-```text
-[+] SUCCESS user:pass (HTTP 200)
-```
-
-### Examples
-
-Separate wordlists, clusterbomb (default):
-
-```bash
-basicbuster --url https://example.com/secret --username users.txt --password passwords.txt
-```
-
-Pitchfork (zip by line index):
-
-```bash
-basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork
-```
-
-Combined user:pass file:
-
-```bash
-basicbuster --url https://example.com/secret --userpass combo.txt
-```
-
-Through a local intercepting proxy:
-
-```bash
-basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080
-```
-
-## License
-
-MIT — see [LICENSE](LICENSE).