wwwhack - for HTTP basic authentication

wwwhack for Win95 / Win98 / WinNT

Sysadmins: Use this program to see how secure your "members-only" area really is! Chances are this program can get into your site in less than 120 seconds, and if that's the case you need to do something about it.

NOTICE: Using this program to "hack" into a password-protected web site without permission is ILLEGAL. If you are a system administrator you may use this program on your own site to check your site's security. If you use it on someone else's site you must have permission first. By downloading this program you agree that you will not use it for any illegal purpose.

What's been going on recently?
As most of you know, I had some problems with the site a few weeks ago. Since you're reading this now the site's obviously back up, but I haven't had time to enhance the program whatsoever during this time. Furthermore, a few dishonest individuals out there have decided to put up their own 'wwwhack' pages for advertising dollars or whatever reason. BEWARE of who you download this from.

Looking for the update.exe file? Download update.exe. Place it in wwwhack's directory and start wwwhack as usual. Do not run update.exe; it is only an .exe file due to a mime type problem I have not resolved yet.

Updates:

31-May-1998	Password browse feature lets you easily see a list of passwords you have found.
30-May-1998	Random user agent selection! When you start up wwwhack it will pick a random browser type to confuse log anayzers.
30-May-1998	WWWhack will now check for software updates and let you know if something cool has been added.
30-May-1998	Annoying 7-day reminder has been eliminated.
29-May-1998	Now easier than ever on sysem resources when starting up. Unfortunately it still hogs a lot of CPU time during password guessing. I'm working on it.
27-May-1998	Password list enhancement thanks to Voxmorra.
22-May-1998	Automatically grabs current URL from Netscape so you don't have to paste/type it.
22-May-1998	When password is found, wwwhack will automatically tell Netscape to load that page and supply password.
22-May-1998	Bug fix in password save function.
21-May-1998	Now stores the passwords it finds so you don't waste time on the same URL twice.
20-May-1998	Delay before first URL attempt fixed

The program is improved relatively frequently. I recommend returning to this page every few days to see what has been improved. Better yet, just bookmark the location of the zip file and just download the new version often. I'd welcome any comments or suggestions. See the email link below.

I am using this project to learn the winsock API and improve the security of web sites, NOT to provide a way for dishonest individuals to cheat online services. You must not use this program on other people's sites without their permission.

wwwhack can find a password for most sites in under 120 seconds!!!
See if YOUR site is one of them!

In order for this to work, you must ensure that you are working with the right kind of site. This only works with HTTP basic authentication (which is used just about everywhere). You know you have a site that uses basic authentication when your browser pops up a dialog box asking you for a username and a password. If the site asks you for your password right on the HTML page this will not work.

You also need to make sure that your site allows the username and password to be the same. The key here is some people simply use their first name as their username and password. The wwwhack zip below comes with a list of popular male first names. You can modify this file or use your own.

Download wwwhack.zip - 130k
Bookmark this page because there is no help file as of yet!

Contribute to the wwwhack project
I need suggestions for the next version of wwwhack! Please email me if you'd like a feature added or have better icons for me! All who contribute to the wwwhack project will have their name and a link listed.

How to use it (after installation)

Start the program. That's always a good first step.
Use your web browser to go to your password-protected URL. When your browser asks you for a password, click cancel and you should get an unauthorized message. While viewing the error message, copy the URL from your browser to the clipboard.
Go back to wwwhack and select Access a protected site from the File menu.
Paste the URL into the dialog box and click Ok.
Wait until wwwhack finds you a password. It's that simple.
If your site is popular and wwwhack hasn't found a password after about 10 minutes I'd give up and close the window. Your site is probably reasonably secure from so-called "hackers".

Notes:

To install, unzip the files into the same directory. When starting wwwhack you must make sure that the password.txt file is in the current working directory. If you start wwwhack from Windows Explorer you'll be fine.
Ports other than 80 are not supported in this version.
The copy you download today will expire in approximately 30 days since it is improved almost daily. Just return to this page at that time to download the updated version. Feel free to set your computer's clock backwards if you really don't want to come back here.
I apologize for the lack of a help file and the crappy-looking icons. Any good programmer puts those tasks off until the very end. If you want to draw some better icons feel free to email them to me.
If you close a child window before it's done guessing passwords it may take a few seconds to actually close down. You may have to press Alt-F4 twice to close the app if you have child windows open.
If the server doesn't answer (down or whatever) you'll probably have to tell Windows to ungracefully close down the app. I'm still learning non-blocking socket calls.