Metadata-Version: 2.4
Name: basicbuster
Version: 0.1.2
Summary: CLI tool for HTTP Basic Authentication testing with wordlists.
Author: dhina016
License-Expression: MIT
Project-URL: Homepage, https://github.com/dhina016/basicbuster
Project-URL: Repository, https://github.com/dhina016/basicbuster
Project-URL: Issues, https://github.com/dhina016/basicbuster/issues
Keywords: security,http,basic-auth,pentest,cli
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: requests>=2.28.0
Provides-Extra: dev
Requires-Dist: build>=1.0.0; extra == "dev"
Requires-Dist: twine>=5.0.0; extra == "dev"
Dynamic: license-file

# basicbuster

**basicbuster** is a command-line tool for testing HTTP Basic Authentication with username and password wordlists. It detects Basic Auth on a target URL, runs pitchfork or clusterbomb-style attempts, and reports credentials that return HTTP `200`.

## Disclaimer

Use **only** on systems and applications you are **explicitly authorized** to test. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse.

## Installation

```bash
pip install basicbuster
```

## Usage

```text
basicbuster --url URL (--username FILE --password FILE | --userpass FILE) [OPTIONS]
```

### Options

| Flag | Description |
|------|-------------|
| `--url` | Target URL protected by HTTP Basic Auth |
| `--username FILE` | Path to username wordlist (one per line) |
| `--password FILE` | Path to password wordlist (one per line) |
| `--userpass FILE` | Combined `user:pass` file (one per line) |
| `--mode` | `clusterbomb` (all combinations, default) or `pitchfork` (zip by index) |
| `-t, --threads` | Number of concurrent threads (default: 10) |
| `--timeout` | Per-request timeout in seconds (default: 10) |
| `--proxy URL` | Route traffic through a proxy (e.g. `http://127.0.0.1:8080`) |
| `-v, --show-attempts` | Print every attempt with HTTP status |
| `--quiet` | Minimal output |

### Examples

Clusterbomb (default — all username x password combinations):

```bash
basicbuster --url https://example.com/secret --username users.txt --password passwords.txt -v
```

Pitchfork (pair line-by-line):

```bash
basicbuster --url https://example.com/secret --username users.txt --password passwords.txt --mode pitchfork -v
```

Combined `user:pass` file:

```bash
basicbuster --url https://example.com/secret --userpass combo.txt -v
```

With proxy and 20 threads:

```bash
basicbuster --url https://example.com/secret --userpass combo.txt --proxy http://127.0.0.1:8080 -t 20 -v
```

### Output

```text
[*] Target appears to use HTTP Basic Auth: https://example.com/secret
[*] Testing 400 credential pair(s) with 10 thread(s)…

[1/400] [-] admin:password → HTTP 401
[2/400] [-] admin:123456 → HTTP 401
[3/400] [+] admin:secret → HTTP 200 ✓ SUCCESS
...
```

Sample wordlists (20 common entries each) are included in [`samples/`](samples/).

## License

MIT — see [LICENSE](LICENSE).
