http basic access authentication

[arkancity]

Hey guys (and girls lol)!

There is a webpage using only http basic access authentication for some files. I know the username, the name of the files and the exact path.   

Just a fictive example: http://fictive.site.com/u/JhonnyR/Mathtest/test1.JPG

User JhonnyR has the Mathtest folder. The Mathtest folder is protected by the BAA.
I'd like to reach the files by bypassing the authentication process or if there is a chance with a password (without the option of bruteforce).

I'd like to ask you for possible solutions or advice for learning reasons. How would you start to solve it?
Maybe it's easy for most of the users here but I'm a newbie. 


 
 

[Kulverstukas]

Only possible way is to break into the server, or try to bruteforce your way in (if you're feeling lucky...).

[madf0x]

one of the main uses of http basic auth is restricting access to files, so knowing the file path and username doesn't help. As Kulverstukas stated this leaves you with the two options of breaking in, or bruteforcing the password.

Since you don't want to bruteforce, your next steps would be to do a little bit of recon. Theres the chance that there may be a known weakness in the http server that can bypass the basic auth. May be able to use some sort of LFI or abuse bad configuration to obtain the .htpasswd, or perhaps find a way to overwrite that file or .htaccess.

And of course if you manage to root the server than getting the file in question is trivial

Baring brute-force your available options are very broad and situational to the target in question.

[2d8]

That is just my 2 cents.If there is no SSL and you can wiretap connection between server and client it is easy to retrieve user's credentials.
In each HTTP packet of authenticated user there will be HTTP-header like Authorization: Basic YWRtaW46YWRtaW4=
And simple base64 decoding will give you user:password pair.

[arkancity]

Thank you guys for the suggestions. I really appreciate your support. 

[BaconBACON]

You could use a key logger on the machine of someone whom you know accesses the server in question. You could quickly code one that activites when the user types in the address you want to compromise. A less easy klogger would implement a listener on outbound HTTP/S requests and activates when a GET request is made for the resource in question and deactivates after successful authentication.

Not sure if there are premade tools for this, though I have always hated the concept of key logging without some sort of activation/shutdown mechanism to reduce captured content.