
Feature/http basic auth #1085

Open
goosvorbook wants to merge 3 commits into Pennyw0rth:main from goosvorbook:feature/http-basic-auth


@goosvorbook

Description

This PR adds native HTTP and HTTPS Basic Authentication support to NetExec.

The new http protocol allows operators to quickly validate credentials against web services protected with Basic Auth, both over plain HTTP and TLS. The implementation follows existing NetExec protocol patterns and integrates with the credential engine, database, logging, and module system.

Disclaimer: I used AI-assisted coding to bootstrap this feature and refined it iteratively through testing.
Feedback and improvements are very welcome.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

All testing was performed against local Apache containers using Docker.
Both HTTP and HTTPS (self-signed TLS) Basic Auth endpoints were used.

docker network create \
  --subnet 172.30.0.0/24 \
  http-basic-net
htpasswd -bc htpasswd user pass

httpd-wrapper-tls.conf

ServerName localhost

LoadModule mpm_event_module modules/mod_mpm_event.so

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_basic_module modules/mod_auth_basic.so

LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule log_config_module modules/mod_log_config.so

Listen 443

DocumentRoot "/usr/local/apache2/htdocs"
DirectoryIndex index.html

# TLS
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/certs/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/certs/server.key"

# Enforce Basic Auth for ALL URLs
<Location "/">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/usr/local/apache2/conf/htpasswd"
    Require valid-user
</Location>

ErrorLog /proc/self/fd/2
CustomLog /proc/self/fd/1 common

self-signed certs

mkdir certs
openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout certs/server.key \
  -out certs/server.crt \
  -subj "/CN=localhost"

htdocs/index.html

mkdir -p htdocs
echo "ok" > htdocs/index.html

docker run -d \
  --name https1 \
  --network http-basic-net \
  --ip 172.30.0.21 \
  -v "$PWD/htpasswd:/usr/local/apache2/conf/htpasswd:ro" \
  -v "$PWD/httpd-wrapper-tls.conf:/usr/local/apache2/conf/extra/httpd-wrapper-tls.conf:ro" \
  -v "$PWD/certs:/usr/local/apache2/conf/certs:ro" \
  -v "$PWD/htdocs:/usr/local/apache2/htdocs:ro" \
  httpd:alpine httpd-foreground -f /usr/local/apache2/conf/extra/httpd-wrapper-tls.conf

Screenshots (if appropriate):

image

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

@NeffIsBack
Member

Hi and thanks for the PR.

So adding HTTP as a protocol was already discussed a few times. For now no one has implemented it because I don't really see a big use case for it. As far as I am aware there aren't a whole lot of services in AD that rely on HTTP (basic) auth. If you aim at targeting custom applications you would probably assess these manually or use other, more suited tools (e.g. burpsuite).

TLDR; Are there services that use basic auth?/Is there a use case or need for this protocol?

Feel free to discuss if anyone has a different opinion.

@goosvorbook
Author

Hi @NeffIsBack
I agree that for custom web applications, manual testing or tools like Burp are usually the right choice.
My main motivation for this PR is a different use case: infrastructure-level HTTP(S) Basic Auth, not app-level testing.

In real-world assessments I’ve seen HTTP Basic Auth used fairly often for:

  • Network appliances (printers, switches, firewalls, load balancers, IP cameras)
  • Internal admin panels and management endpoints
  • Backup systems, monitoring endpoints, dashboards
  • Dev/ops tooling (Jenkins, Git services, artifact repos, etc.)
  • Legacy services exposed internally over HTTP(S)
  • Temporary “quick auth” protections that never got removed

In those cases:

  • Credentials are often reused AD passwords
  • Logging/monitoring is minimal or nonexistent
  • Rate limiting is rare
  • Accounts are frequently shared or service accounts
  • These endpoints are often forgotten but still reachable internally

So the goal is not to replace Burp or web testing, but to extend NetExec’s lateral movement & credential validation capabilities to a class of services that currently often fall through the cracks.
Additionally, once valid Basic Auth credentials are found, it often grants access to the vast majority of the underlying web application (often 90–95%), which drastically expands the attack surface.
At that point, a tester can switch to manual testing or tools like Burp with authenticated access, which is far more valuable than unauthenticated probing.
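
Added example, not part of the PR or of NetExec: the test server in the setup guide logs with `CustomLog ... common`, whose `%u` field carries the user name sent in the Authorization header even when the response is 401, so the access log is enough to spot one client trying many Basic Auth user names. The threshold, function name and log lines below are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "common" log format: %h %l %u %t "%r" %>s %b
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (not captured from a real server).
SAMPLE_LOG = """\
172.30.0.1 - - [10/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 401 381
172.30.0.1 - admin [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 401 381
172.30.0.1 - backup [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 401 381
172.30.0.1 - svc_web [10/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 401 381
172.30.0.1 - user [10/Jan/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 3
172.30.0.7 - user [10/Jan/2025:10:05:00 +0000] "GET / HTTP/1.1" 401 381
172.30.0.7 - user [10/Jan/2025:10:05:09 +0000] "GET / HTTP/1.1" 200 3
"""

def summarize(log_text, min_failed_users=3):
    """Group Basic Auth outcomes per client and flag likely credential guessing."""
    stats = defaultdict(lambda: {"failed": set(), "failures": 0, "ok": set()})
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # not a common-format line
        s, user, status = stats[m["host"]], m["user"], m["status"]
        if status == "401":
            s["failures"] += 1
            if user != "-":  # "-" is the initial challenge, no credentials sent
                s["failed"].add(user)
        elif status[0] in "23" and user != "-":
            s["ok"].add(user)  # authenticated request
    findings = []
    for host, s in sorted(stats.items()):
        # One client failing as many distinct users is the pattern of interest;
        # a single user mistyping a password stays below the threshold.
        if len(s["failed"]) >= min_failed_users:
            findings.append({
                "client": host,
                "failures": s["failures"],
                "usernames_tried": sorted(s["failed"]),
                # a success from the same client means a guess may have worked
                "succeeded_as": sorted(s["ok"]),
            })
    return findings

if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Any account listed under `succeeded_as` for a flagged client is a candidate for password rotation, particularly where the Basic Auth password is shared with a directory account.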
