[Pentesting] HTTP auth, part I: basic

Have you seen this?

This is HTTP auth.


Let's set up a login/password section on your website.

Run this:

% htpasswd -c .htpasswd_test_basic testuser

Enter a password like 'testpass'.

The htpasswd utility will create a file like:

testuser:$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.

Create .htaccess:

AuthUserFile /home/i/web/.htpasswd_test_basic
AuthName "Private Area"
AuthType Basic
# No <Limit GET POST> wrapper: it would leave every other HTTP method unauthenticated
require valid-user

Now try to access that page, and the web server will respond with:

HTTP/1.1 401 Unauthorized
Date: Fri, 13 Jun 2025 09:07:54 GMT
Server: Apache/2.4.52 (Ubuntu)
WWW-Authenticate: Basic realm="Private Area"
Content-Length: 457
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

After the (correct) testuser/testpass credentials are entered, a web browser sends this to the server:

GET /test2 HTTP/1.1
Host: conus.info
User-Agent: Links (2.29; Linux 6.11.0-26-generic x86_64; GNU C 13.2; text)
Accept: */*
...
Connection: keep-alive
Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3M=

This is very weak protection (if TLS is not used). That base64 obfuscation would stop only small kids, because it's no better than passing the password in plain text:

% echo dGVzdHVzZXI6dGVzdHBhc3M= | base64 -d | xxd -g1
00000000: 74 65 73 74 75 73 65 72 3a 74 65 73 74 70 61 73  testuser:testpas
00000010: 73                                               s

As for that string from htpasswd, it is protected better (see https://httpd.apache.org/docs/2.4/misc/password_encryptions.html): it contains a salt. But it can still be cracked with hashcat if the password is short/simple enough:

% hashcat -m 1600 for-hashcat

(Tune it with -a option...)

Where the for-hashcat file is:

$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.

Also, openssl supports this hashing method:

% openssl passwd -apr1 -salt .5ud0fec testpass
$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.
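
Both observations in one added example (not code from the original post): decoding the Authorization header needs no secret at all, and checking it against the .htpasswd line is just re-hashing with the stored salt. The function names are my own; apr1() follows Apache's MD5-crypt variant, whose only work factor is a fixed 1000 MD5 rounds.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ORDER = (0, 6, 12, 1, 7, 13, 2, 8, 14, 3, 9, 15, 4, 10, 5)  # output byte order

def apr1(password: str, salt: str) -> str:
    """Apache $apr1$: MD5-crypt with its own magic string and 1000 rounds."""
    pw, sb = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed, small work factor: cheap to brute-force
        parts = [pw if i & 1 else final]
        if i % 3:
            parts.append(sb)
        if i % 7:
            parts.append(pw)
        parts.append(final if i & 1 else pw)
        final = hashlib.md5(b"".join(parts)).digest()
    out = ""
    for k in range(0, 15, 3):
        v = final[ORDER[k]] << 16 | final[ORDER[k + 1]] << 8 | final[ORDER[k + 2]]
        out += "".join(ITOA64[v >> sh & 0x3F] for sh in (0, 6, 12, 18))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${sb.decode()}${out}"

def decode_basic(value: str) -> tuple[str, str]:
    """'Basic <base64>' -> (user, password); reversing it needs no secret."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob.strip()).decode().partition(":")
    return user, password

def check(value: str, htpasswd_line: str) -> bool:
    """Server side: decode the header, re-hash with the stored salt, compare."""
    user, password = decode_basic(value)
    name, _, stored = htpasswd_line.strip().partition(":")
    if not stored.startswith("$apr1$"):
        return False
    redo = apr1(password, stored.split("$")[2])
    return user == name and hmac.compare_digest(redo.encode(), stored.encode())
```

Calling check("Basic dGVzdHVzZXI6dGVzdHBhc3M=", "testuser:$apr1$.5ud0fec$13M3RblAqJpxQH2P7WjTH.") with the two values shown in this post returns True.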

(This post was first published on 20251121.)

