Dictionary and brute forcing web authentication?

["Mark G. Spencer" <mspencer () evidentdata com>]

I'm looking for advice on dictionary and brute forcing web authentication.
Most of the websites I have access to at work have various kinds of forms
based authentication.  I've been playing with a plugin for Sleuth
(httpbrute_plugin.zip) and am having difficulty.

At a minimum I need to give the plugin the user and password fields from the
source of the webpage so it knows where to perform the dictionary attack.  I
also need a failure string so the plugin knows when it has failed (and if it
hasn't failed, theoretically succeeded), but herein lies the problem.  I'm
looking at a page called "securedefault.asp" .. When I enter a bogus
username and password, the login screen just displays again .. No special
failure message.

Any ideas how to handle this?

Also .. I noticed on some websites that as soon as you go to them, a user
and password box pops up.  I am not able to view source on these, either in
IE or Sleuth.  In IE the user and password box opens immediately, and in
Sleuth I get a Windows username and password box.  I'm assuming these are
*not* basic http authentication?  Any advice on how to dictionary attack
these things?

Thanks!

Mark