patator
patator Description
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors.
Currently it supports the following modules:
- ftp_login : Brute-force FTP
- ssh_login : Brute-force SSH
- telnet_login : Brute-force Telnet
- smtp_login : Brute-force SMTP
- smtp_vrfy : Enumerate valid users using SMTP VRFY
- smtp_rcpt : Enumerate valid users using SMTP RCPT TO
- finger_lookup : Enumerate valid users using Finger
- http_fuzz : Brute-force HTTP
- ajp_fuzz : Brute-force AJP
- pop_login : Brute-force POP3
- pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
- imap_login : Brute-force IMAP4
- ldap_login : Brute-force LDAP
- smb_login : Brute-force SMB
- smb_lookupsid : Brute-force SMB SID-lookup
- rlogin_login : Brute-force rlogin
- vmauthd_login : Brute-force VMware Authentication Daemon
- mssql_login : Brute-force MSSQL
- oracle_login : Brute-force Oracle
- mysql_login : Brute-force MySQL
- mysql_query : Brute-force MySQL queries
- rdp_login : Brute-force RDP (NLA)
- pgsql_login : Brute-force PostgreSQL
- vnc_login : Brute-force VNC
- dns_forward : Forward DNS lookup
- dns_reverse : Reverse DNS lookup
- snmp_login : Brute-force SNMP v1/2/3
- ike_enum : Enumerate IKE transforms
- unzip_pass : Brute-force the password of encrypted ZIP files
- keystore_pass : Brute-force the password of Java keystore files
- sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
- umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
- tcp_fuzz : Fuzz TCP services
- dummy_test : Testing module
Future modules to be implemented:
- rdp_login w/no NLA
FEATURES
- No false negatives, as it is the user that decides what results to ignore based on:
- status code of response
- size of response
- matching string or regex in response data
- … see --help
- Modular design
- not limited to network modules (eg. the unzip_pass module)
- not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)
- Interactive runtime
- show progress during execution (press Enter)
- pause/unpause execution (press p)
- increase/decrease verbosity
- add new actions & conditions during runtime (eg. to exclude more types of response from showing)
- … press h to see all available interactive commands
- Use persistent connections (ie. will test several passwords until the server disconnects)
- Multi-threaded
- Flexible user input
- Any module parameter can be fuzzed:
- use the FILE keyword to iterate over a file
- use the COMBO keyword to iterate over a combo file
- use the NET keyword to iterate over every hosts of a network subnet
- use the RANGE keyword to iterate over hexadecimal, decimal or alphabetical ranges
- use the PROG keyword to iterate over the output of an external program
- Iteration over the joined wordlists can be done in any order
- Save every response (along with request) to seperate log files for later reviewing
Homepage: https://github.com/lanjelot/patator
Author: Sebastien MACKE
License: GPLv2
patator Help
USAGE
python patator.py <module> -h or <module> -h (if you created the shortcuts)
There are global options and module options:
- all global options start with - or --
- all module options are of the form option=value
All module options are fuzzable:
./module host=FILE0 port=FILE1 foobar=FILE2.google.FILE3 0=hosts.txt 1=ports.txt 2=foo.txt 3=bar.txt
The keywords (FILE, COMBO, NET, …) act as place-holders. They indicate the type of wordlist and where to replace themselves with the actual words to test.
Each keyword is numbered in order to:
- match the corresponding wordlist
- and indicate in what order to iterate over all the wordlists
For example, this would be the classic order:
$ ./module host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt 10.0.0.1 root password 10.0.0.1 root 123456 10.0.0.1 root qsdfghj ... (trying all passwords before testing next login) 10.0.0.1 admin password 10.0.0.1 admin 123456 10.0.0.1 admin qsdfghj ... (trying all logins before testing next host) 10.0.0.2 root password ...
While a smarter way might be:
$ ./module host=FILE2 user=FILE1 password=FILE0 2=hosts.txt 1=logins.txt 0=passwords.txt
10.0.0.1 root password 10.0.0.2 root password 10.0.0.1 admin password 10.0.0.2 admin password 10.0.0.1 root 123456 10.0.0.2 root 123456 10.0.0.1 admin 123456 ...
patator Module Options
Global options:
--version show program's version number and exit
-h, --help show this help message and exit
Execution:
-x arg actions and conditions, see Syntax below
--start=N start from offset N in the wordlist product
--stop=N stop at offset N
--resume=r1[,rN]* resume previous run
-e arg encode everything between two tags, see Syntax below
-C str delimiter string in combo files (default is ':')
-X str delimiter string in conditions (default is ',')
--allow-ignore-failures
failures cannot be ignored with -x (this is by design
to avoid false negatives) this option overrides this
behavior
Optimization:
--rate-limit=N wait N seconds between each test (default is 0)
--timeout=N wait N seconds for a response before retrying payload
(default is 0)
--max-retries=N skip payload after N retries (default is 4) (-1 for
unlimited)
-t N, --threads=N number of threads (default is 10)
Logging:
-l DIR save output and response data into DIR
-L SFX automatically save into DIR/yyyy-mm-dd/hh:mm:ss_SFX
(DIR defaults to '/tmp/patator')
Debugging:
-d, --debug enable debug messages
Syntax:
-x actions:conditions
actions := action[,action]*
action := "ignore" | "retry" | "free" | "quit" | "reset"
conditions := condition=value[,condition=value]*
condition := "code" | "size" | "time" | "mesg" | "fgrep" | "egrep"
ignore : do not report
retry : try payload again
free : dismiss future similar payloads
quit : terminate execution now
reset : close current connection in order to reconnect next time
code : match status code
size : match size (N or N-M or N- or -N)
time : match time (N or N-M or N- or -N)
mesg : match message
fgrep : search for string in mesg
egrep : search for regex in mesg
For example, to ignore all redirects to the home page:
... -x ignore:code=302,fgrep='Location: /home.html'
-e tag:encoding
tag := any unique string (eg. T@G or _@@_ or ...)
encoding := "unhex" | "sha1" | "b64" | "url" | "hex" | "md5"
unhex : decode from hexadecimal
sha1 : hash in sha1
b64 : encode in base64
url : url encode
hex : encode in hexadecimal
md5 : hash in md5
For example, to encode every password in base64:
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64
ftp_login
Usage: ftp_login <module-options ...> [global-options ...] Examples: ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 Module options: host : target host port : target port [21] user : usernames to test password : passwords to test tls : use TLS [0|1] timeout : seconds to wait for a response [10] persistent : use persistent connections [1|0]
ssh_login
Usage: ssh_login <module-options ...> [global-options ...] Examples: ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.' Module options: host : target host port : target port [22] user : usernames to test password : passwords to test auth_type : type of password authentication to use [password|keyboard-interactive|auto] keyfile : file with RSA, DSA or ECDSA private key to test persistent : use persistent connections [1|0]
telnet_login
Usage: telnet_login <module-options ...> [global-options ...] Examples: telnet_login host=10.0.0.1 inputs='FILE0\nFILE1' 0=logins.txt 1=passwords.txt persistent=0 prompt_re='Username:|Password:' -x ignore:egrep='Login incorrect.+Username:' Module options: host : target host port : target port [23] inputs : list of values to input prompt_re : regular expression to match prompts [\w+:] timeout : seconds to wait for a response and for prompt_re to match received data [20] persistent : use persistent connections [1|0]
smtp_login
Usage: smtp_login <module-options ...> [global-options ...] Examples: smtp_login host=10.0.0.1 user=f.bar@dom.com password=FILE0 0=passwords.txt [helo='ehlo its.me.com'] -x ignore:fgrep='Authentication failed' -x ignore,reset,retry:code=421 Module options: persistent : use persistent connections [1|0] timeout : seconds to wait for a response [10] host : target host port : target port [25] ssl : use SSL [0|1] helo : helo or ehlo command to send after connect [skip] starttls : send STARTTLS [0|1] user : usernames to test password : passwords to test
smtp_vrfy
Usage: smtp_vrfy <module-options ...> [global-options ...] Examples: smtp_vrfy host=10.0.0.1 user=FILE0 0=logins.txt [helo='ehlo its.me.com'] -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421 Module options: persistent : use persistent connections [1|0] timeout : seconds to wait for a response [10] host : target host port : target port [25] ssl : use SSL [0|1] helo : helo or ehlo command to send after connect [skip] starttls : send STARTTLS [0|1] user : usernames to test
smtp_rcpt
Usage: smtp_rcpt <module-options ...> [global-options ...] Examples: smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt [helo='ehlo its.me.com'] [mail_from=bar@example.com] -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421 Module options: persistent : use persistent connections [1|0] timeout : seconds to wait for a response [10] host : target host port : target port [25] ssl : use SSL [0|1] helo : helo or ehlo command to send after connect [skip] starttls : send STARTTLS [0|1] user : usernames to test mail_from : sender email [test@example.org]
finger_lookup
Usage: finger_lookup <module-options ...> [global-options ...] Examples: finger_lookup host=10.0.0.1 user=FILE0 0=words.txt -x ignore:fgrep='no such user' Module options: host : target host port : target port [79] user : usernames to test timeout : seconds to wait for a response [5]
http_fuzz
Usage: http_fuzz <module-options ...> [global-options ...] Examples: http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500 http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401 http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server' Module options: url : target url (scheme://host[:port]/path?query) body : body data header : use custom headers method : method to use [GET|POST|HEAD|...] raw_request : load request from file scheme : scheme [http|https] auto_urlencode: automatically perform URL-encoding [1|0] user_pass : username and password for HTTP authentication (user:pass) auth_type : type of HTTP authentication [basic | digest | ntlm] follow : follow any Location redirect [0|1] max_follow : redirection limit [5] accept_cookie : save received cookies to issue them in future requests [0|1] http_proxy : HTTP proxy to use (host:port) ssl_cert : client SSL certificate file (cert+key in PEM format) timeout_tcp : seconds to wait for a TCP handshake [10] timeout : seconds to wait for a HTTP response [20] before_urls : comma-separated URLs to query before the main request before_header : use a custom header in the before_urls request before_egrep : extract data from the before_urls response to place in the main request after_urls : comma-separated URLs to query after the main request max_mem : store no more than N bytes of request+response data in memory [-1 (unlimited)] persistent : use persistent connections [1|0]
ajp_fuzz
Usage: ajp_fuzz <module-options ...> [global-options ...] Examples: ajp_fuzz url=ajp://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500 ajp_fuzz url=ajp://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.tx -x ignore:code=401 Module options: url : target url (ajp://host[:port]/path?query) header : use custom headers user_pass : username and password for HTTP authentication (user:pass)
pop_login
Usage: pop_login <module-options ...> [global-options ...] Examples: pop_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:code=-ERR Module options: host : target host port : target port [110] user : usernames to test password : passwords to test ssl : use SSL [0|1] timeout : seconds to wait for a response [10] persistent : use persistent connections [1|0]
pop_passd
Usage: pop_passd <module-options ...> [global-options ...] Examples: pop_passd host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:code=500 Module options: host : target host port : target port [106] user : usernames to test password : passwords to test timeout : seconds to wait for a response [10]
imap_login
Usage: imap_login <module-options ...> [global-options ...] Examples: imap_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt Module options: host : target host port : target port [143] user : usernames to test password : passwords to test ssl : use SSL [0|1]
ldap_login
Usage: imap_login <module-options ...> [global-options ...] Examples: imap_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt Module options: host : target host port : target port [143] user : usernames to test password : passwords to test ssl : use SSL [0|1]
smb_login
Usage: smb_login <module-options ...> [global-options ...]
Examples:
smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep='unknown user name or bad password'
Module options:
host : target host
port : target port [139]
user : usernames to test
password : passwords to test
password_hash : LM/NT hashes to test, at least one hash must be provided ('lm:nt' or ':nt' or 'lm:')
domain : domain to test
persistent : use persistent connections [1|0]
smb_lookupsid
Usage: smb_lookupsid <module-options ...> [global-options ...] Examples: smb_lookupsid host=10.0.0.1 sid=S-1-5-21-1234567890-1234567890-1234567890 rid=RANGE0 0=int:500-2000 -x ignore:code=1 Module options: host : target host port : target port [139] sid : SID to test rid : RID to test user : username to use if auth required password : password to use if auth required persistent : use persistent connections [1|0]
rlogin_login
Usage: rlogin_login <module-options ...> [global-options ...] Examples: Please note that rlogin requires to bind a socket to an Internet domain privileged port. rlogin_login host=10.0.0.1 user=root luser=FILE0 0=logins.txt persistent=0 -x ignore:fgrep=Password: rlogin_login host=10.0.0.1 user=john password=FILE0 0=passwords.txt -x 'reset:egrep!=Login incorrect.+login:' Module options: host : target host port : target port [513] luser : client username [root] user : usernames to test password : passwords to test prompt_re : regular expression to match prompts [\w+:] timeout : seconds to wait for a response and for prompt_re to match received data [10] persistent : use persistent connections [1|0]
vmauthd_login
Usage: vmauthd_login <module-options ...> [global-options ...] Examples: vmauthd_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt Module options: host : target host port : target port [902] user : usernames to test password : passwords to test ssl : use SSL [1|0] timeout : seconds to wait for a response [10] persistent : use persistent connections [1|0]
mssql_login
Usage: mssql_login <module-options ...> [global-options ...]
Examples:
mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'
Module options:
host : target host
port : target port [1433]
user : usernames to test
password : passwords to test
windows_auth : use Windows auth [0|1]
domain : domain to test []
password_hash : LM/NT hashes to test ('lm:nt' or ':nt')
oracle_login
Usage: oracle_login <module-options ...> [global-options ...] Examples: oracle_login host=10.0.0.1 sid=FILE0 0=sids.txt -x ignore:code=ORA-12505 oracle_login host=10.0.0.1 user=SYS password=FILE0 0=passwords.txt -x ignore:code=ORA-01017 Module options: host : hostnames or subnets to target port : ports to target [1521] user : usernames to test password : passwords to test sid : sid to test service_name : service name to test
mysql_login
Usage: mysql_login <module-options ...> [global-options ...] Examples: mysql_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep='Access denied for user' Module options: host : target host port : target port [3306] user : usernames to test password : passwords to test timeout : seconds to wait for a response [10]
mysql_query
Usage: mysql_query <module-options ...> [global-options ...]
Examples:
mysql_query host=10.0.0.1 user=root password=s3cr3t query="select length(load_file('/home/adam/FILE0'))" 0=files.txt -x ignore:size=0
Module options:
host : target host
port : target port [3306]
user : username to use
password : password to use
query : SQL query to execute
rdp_login
Usage: rdp_login <module-options ...> [global-options ...] Examples: rdp_login host=10.0.0.1 user='administrator' password=FILE0 0=passwords.txt Module options: host : target host port : target port [3389] user : usernames to test password : passwords to test
pgsql_login
Usage: pgsql_login <module-options ...> [global-options ...] Examples: pgsql_login host=10.0.0.1 user=postgres password=FILE0 0=passwords.txt -x ignore:fgrep='password authentication failed for user' Module options: host : target host port : target port [5432] user : usernames to test password : passwords to test database : databases to test [postgres] timeout : seconds to wait for a response [10]
vnc_login
Usage: vnc_login <module-options ...> [global-options ...] Examples: vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0 Module options: host : target host port : target port [5900] password : passwords to test timeout : seconds to wait for a response [10]
dns_forward
Usage: dns_forward <module-options ...> [global-options ...] Examples: dns_forward name=FILE0.google.com 0=names.txt -x ignore:code=3 dns_forward name=google.MOD0 0=TLD -x ignore:code=3 dns_forward name=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3 Module options: name : domain names to lookup server : name server to query (directly asking the zone authoritative NS may return more results) [8.8.8.8] timeout : seconds to wait for a response [5] protocol : send queries over udp or tcp [udp] qtype : type to query [ANY] qclass : class to query [IN]
dns_reverse
Usage: dns_reverse <module-options ...> [global-options ...] Examples: dns_reverse host=NET0 0=192.168.0.0/24 -x ignore:code=3 dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239- Module options: host : IP addresses to reverse lookup server : name server to query (directly asking a zone authoritative NS may return more results) [8.8.8.8] timeout : seconds to wait for a response [5] protocol : send queries over udp or tcp [udp]
snmp_login
Usage: snmp_login <module-options ...> [global-options ...] Examples: snmp_login host=10.0.0.1 version=2 community=FILE0 0=names.txt -x ignore:mesg='No SNMP response received before timeout' snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName snmp_login host=10.0.0.1 version=3 user=myuser auth_key=FILE0 0=passwords.txt -x ignore:mesg=wrongDigest Module options: host : target host port : target port [161] version : SNMP version to use [2|3|1] community : SNMPv1/2c community names to test [public] user : SNMPv3 usernames to test [myuser] auth_key : SNMPv3 pass-phrases to test [my_password] timeout : seconds to wait for a response [1] retries : number of successive request retries [2]
ike_enum
Usage: ike_enum <module-options ...> [global-options ...] Examples: ike_enum host=10.0.0.1 transform=MOD0 0=TRANS -x ignore:fgrep=NO-PROPOSAL ike_enum host=10.0.0.1 transform=MOD0 0=TRANS -x ignore:fgrep=NO-PROPOSAL aggressive=RANGE1 1=int:0-1 Module options: host : target host host : target port [500] transform : transform to test [5,1,1,2] aggressive : use aggressive mode [0|1] groupname : identification value for aggressive mode [foo] vid : comma-separated vendor IDs to use
unzip_pass
Usage: unzip_pass <module-options ...> [global-options ...] Examples: unzip_pass zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0 Module options: zipfile : ZIP files to test password : passwords to test
keystore_pass
Usage: keystore_pass <module-options ...> [global-options ...] Examples: keystore_pass keystore=path/to/keystore.jks password=FILE0 0=passwords.txt -x ignore:fgrep='password was incorrect' Module options: keystore : keystore files to test password : passwords to test storetype : type of keystore to test
keystore_pass
Usage: keystore_pass <module-options ...> [global-options ...] Examples: keystore_pass keystore=path/to/keystore.jks password=FILE0 0=passwords.txt -x ignore:fgrep='password was incorrect' Module options: keystore : keystore files to test password : passwords to test
sqlcipher_pass
Usage: sqlcipher_pass <опции-модуля ...> [глобальные-опции ...] Examples: sqlcipher_pass database=path/to/db.sqlite password=FILE0 0=passwords.txt -x ignore:fgrep='file is encrypted' Module options: database : database files to test password : password to test
tcp_fuzz
Usage: tcp_fuzz <module-options ...> [global-options ...] Examples: tcp_fuzz host=10.0.0.1 data=RANGE0 0=hex:0x00-0xffffff Module options: host : target host port : target port timeout : seconds to wait for a response [10]
dummy_test
Usage: dummy_test <module-options ...> [global-options ...] Examples: dummy_test data=_@@_RANGE0_@@_ 0=hex:0x00-0xff -e _@@_:unhex dummy_test data=RANGE0 0=int:10-0 dummy_test data=PROG0 0='seq -w 10 -1 0' dummy_test data=PROG0 0='mp64.bin -i ?l?l?l',$(mp64.bin --combination -i ?l?l?l) Module options: data : data to test data2 : data2 to test delay : fake random delay
Keywords, Actions & Conditions, Failures
Keywords
Brute-force a list of hosts with a file containing combo entries (each line => login:password).
./module host=FILE0 user=COMBO10 password=COMBO11 0=hosts.txt 1=combos.txt
Scan subnets to just grab version banners.
./module host=NET0 0=10.0.1.0/24,10.0.2.0/24,10.0.3.128-10.0.3.255
Fuzzing a parameter by iterating over a range of values.
./module param=RANGE0 0=hex:0x00-0xffff ./module param=RANGE0 0=int:0-500 ./module param=RANGE0 0=lower:a-zzz
Fuzzing a parameter by iterating over the output of an external program.
./module param=PROG0 0='john -stdout -i' ./module param=PROG0 0='mp64.bin ?l?l?l',$(mp64.bin --combination ?l?l?l) # http://hashcat.net/wiki/doku.php?id=maskprocessor
Actions & Conditions
Use the -x option to do specific actions upon receiving expected results. For example:
To ignore responses with status code 200 *AND* a size within a specific range.
./module host=10.0.0.1 user=FILE0 -x ignore:code=200,size=57-74
To ignore responses with status code 500 *OR* containing "Internal error".
./module host=10.0.0.1 user=FILE0 -x ignore:code=500 -x ignore:fgrep='Internal error'
Remember that conditions are ANDed within the same -x option, use multiple -x options to specify ORed conditions.
Failures
During execution, failures may happen, such as a TCP connect timeout for example. By definition a failure is an exception that the module does not expect, and as a result the exception is caught upstream by the controller.
Such exceptions, or failures, are not immediately reported to the user, the controller will retry 4 more times (see --max-retries) before reporting the failed payload to the user with the logging level "FAIL".
Read carefully the following examples to get a good understanding of how patator works.
FTP
Brute-force authentication. Do not report wrong passwords.
ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:mesg='Login incorrect.'
NB0. If you get errors like "500 OOPS: priv_sock_get_cmd", use -x ignore,reset,retry:code=500 in order to retry the last login/password using a new TCP connection. Odd servers like vsftpd return this when they shut down the TCP connection (ie. max login attempts reached).
NB1. If you get errors like "too many connections from your IP address", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections.
Same as before, but stop testing a user after his password is found.
ftp_login ... -x free=user:code=0
Find anonymous FTP servers on a subnet.
ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24
SSH
Brute-force authentication with password same as login (aka single mode). Do not report wrong passwords.
ssh_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:mesg='Authentication failed.'
NB. If you get errors like "Error reading SSH protocol banner … Connection reset by peer", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections (eg. MaxStartups in OpenSSH).
Brute-force several hosts and stop testing a host after a valid password is found.
ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt -x free=host:code=0
Same as previous, but stop testing a user on a host after his password is found.
ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt -x free=host+user:code=0
Telnet
Brute-force authentication.
(a) Enter login after first prompt is detected, enter password after second prompt.
(b) The regex to detect the login and password prompts.
(c) Reconnect when we get no login prompt back (max number of tries reached or successful login).
(a)
telnet_login host=10.0.0.1 inputs='FILE0\nFILE1' 0=logins.txt 1=passwords.txt
prompt_re='tux login:|Password:' -x reset:egrep!='Login incorrect.+tux login:'
(b) (c)
NB. If you get errors like "telnet connection closed", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections.
SMTP
Enumerate valid users using the VRFY command.
(a) Do not report invalid recipients.
(b) Do not report when the server shuts us down with "421 too many errors", reconnect and resume testing.
(a)
smtp_vrfy host=10.0.0.1 user=FILE0 0=logins.txt -x ignore:fgrep='User unknown in local
recipient table' -x ignore,reset,retry:code=421
(b)
Use the RCPT TO command in case the VRFY command is not available.
smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt helo='ehlo mx.fb.com' mail_from=root
Brute-force authentication.
(a) Send a fake hostname (by default your host fqdn is sent)
(a)
smtp_login host=10.0.0.1 helo='ehlo its.me.com' user=FILE0@dom.com password=FILE1 0=logins.txt 1=passwords.txt
HTTP
Find hidden web resources.
(a) Use a specific header.
(b) Follow redirects.
(c) Do not report 404 errors.
(d) Retry on 500 errors.
(a)
http_fuzz url=http://localhost/FILE0 0=words.txt header='Cookie: SESSID=A2FD8B2DA4'
follow=1 -x ignore:code=404 -x ignore,retry:code=500
(b) (c) (d)
NB. You may be able to go 10 times faster using webef (http://www.hsc.fr/ressources/outils/webef/).
It is the fastest HTTP brute-forcer I know, yet at the moment it still lacks useful features that will prevent you from performing the following attacks.
Brute-force phpMyAdmin logon.
(a) Use POST requests.
(b) Follow redirects using cookies sent by server.
(c) Ignore failed authentications.
(a) (b) (b)
http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST follow=1 accept_cookie=1
body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt
-x ignore:fgrep='Cannot log in to the MySQL server'
(c)
Scan subnet for directory listings.
(a) Ignore not matching reponses.
(b) Save matching responses into directory.
http_fuzz url=http://NET0/FILE1 0=10.0.0.0/24 1=dirs.txt -x ignore:fgrep!='Index of'
-l /tmp/directory_listings (a)
(b)
Brute-force Basic authentication.
(a) Single mode (login == password).
(b) Do not report failed login attempts.
http_fuzz url=http://10.0.0.1/manager/html user_pass=FILE0:FILE0 0=logins.txt -x ignore:code=401
(a) (b)
Find hidden virtual hosts.
(a) Read template from file.
(b) Fuzz both the Host and User-Agent headers.
echo -e 'Host: FILE0\nUser-Agent: FILE1' > headers.txt
http_fuzz url=http://10.0.0.1/ header=@headers.txt 0=vhosts.txt 1=agents.txt
(a) (b)
Brute-force logon using GET requests.
(a) Encode everything surrounded by the two tags _@@_ in hexadecimal.
(b) Ignore HTTP 200 responses with a content size (header+body) within given range and that also contain the given string.
(c) Use a different delimiter string because the comma cannot be escaped.
(a) (a)
http_fuzz url='http://10.0.0.1/login?username=admin&password=_@@_FILE0_@@_' -e _@@_:hex
0=words.txt -x ignore:'code=200|size=1500-|fgrep=Welcome, unauthenticated user' -X '|'
(b) (c)
Brute-force logon that enforces two random nonces to be submitted along every POST.
(a) First, request the page that provides the nonces as hidden input fields.
(b) Use regular expressions to extract the nonces that are to be submitted along the main request.
http_fuzz url=http://10.0.0.1/login method=POST body='user=admin&pass=FILE0&nonce1=_N1_&nonce2=_N2_' 0=passwords.txt accept_cookie=1
before_urls=http://10.0.0.1/index before_egrep='_N1_:<input type="hidden" name="nonce1" value="(\w+)"|_N2_:name="nonce2" value="(\w+)"'
(a) (b)
Test the OPTIONS method against a list of URLs.
(a) Ignore URLs that only allow the HEAD and GET methods.
(b) Header end of line is '\r\n'.
(c) Use a different delimiter string because the comma cannot be escaped.
http_fuzz url=FILE0 0=urls.txt method=OPTIONS -x ignore:egrep='^Allow: HEAD, GET\r$' -X '|'
(a) (b) (c)
LDAP
Brute-force authentication.
(a) Do not report wrong passwords.
(b) Talk SSL/TLS to port 636.
ldap_login host=10.0.0.1 binddn='cn=FILE0,dc=example,dc=com' 0=logins.txt bindpw=FILE1 1=passwords.txt
-x ignore:mesg='ldap_bind: Invalid credentials (49)' ssl=1 port=636
(a) (b)
SMB
Brute-force authentication.
smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep=STATUS_LOGON_FAILURE
NB. If you suddenly get STATUS_ACCOUNT_LOCKED_OUT errors for an account although it is not the first password you test on this account, then you must have locked it.
Pass-the-hash.
(a) Test a list of hosts.
(b) Test every user (each line := login:rid:LM hash:NT hash).
smb_login host=FILE0 0=hosts.txt user=COMBO10 password_hash=COMBO12:COMBO13 1=pwdump.txt -x ...
(a) (b)
rlogin
Brute-force usernames that root might be allowed to login as with no password (eg. a ~/.rhosts file with the line "+ root").
rlogin_login host=10.0.0.1 luser=root user=FILE0 0=logins.txt persistent=0 -x ignore:fgrep=Password:
Brute-force usernames that might be allowed to login as root with no password (eg. a /root/.rhosts file with the line "+ john").
rlogin_login host=10.0.0.1 user=root luser=FILE0 0=logins.txt persistent=0 -x ignore:fgrep=Password:
MSSQL
Brute-force authentication.
mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'
Oracle
Beware, by default in Oracle, accounts are permanently locked out after 10 wrong passwords, except for the SYS account.
Brute-force authentication.
oracle_login host=10.0.0.1 user=SYS password=FILE0 0=passwords.txt sid=ORCL -x ignore:code=ORA-01017
NB0. With Oracle 10g XE (Express Edition), you do not need to pass a SID.
NB1. If you get ORA-12516 errors, it may be because you reached the limit of concurrent connections or db processes, try using "--rate-limit 0.5 -t 2" to be more polite. Also you can run "alter system set processes=150 scope=spfile;" and restart your database to get rid of this.
Brute-force SID.
oracle_login host=10.0.0.1 sid=FILE0 0=sids.txt -x ignore:code=ORA-12505
NB. Against Oracle9, it may crash (Segmentation fault) as soon as a valid SID is found (cx_Oracle bug). Sometimes, the SID gets printed out before the crash, so try running the same command again if it did not.
MySQL
Brute-force authentication.
mysql_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:fgrep='Access denied for user'
PostgresSQL
Brute-force authentication.
pgsql_login host=10.0.0.1 user=postgres password=FILE0 0=passwords.txt -x ignore:fgrep='password authentication failed'
VNC
Some VNC servers have built-in anti-bruteforce functionnality that temporarily blacklists the attacker IP address after too many wrong passwords.
- RealVNC-4.1.3 or TightVNC-1.3.10 for example, allow 5 failed attempts and then enforce a 10 second delay. For each subsequent failed attempt that delay is doubled.
- RealVNC-3.3.7 or UltraVNC allow 6 failed attempts and then enforce a 10 second delay between each following attempt.
Brute-force authentication.
(a) No need to use more than one thread.
(b) Keep retrying the same password when we are blacklisted by the server.
(c) Exit execution as soon as a valid password is found.
(a)
vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt --threads 1
-x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0
(b) (b) (c)
DNS
Brute-force subdomains.
(a) Ignore NXDOMAIN responses (rcode 3).
dns_forward name=FILE0.google.com 0=names.txt -x ignore:code=3
(a)
Brute-force domain with every possible TLDs.
dns_forward name=google.MOD0 0=TLD -x ignore:code=3
Brute-force SRV records.
dns_forward name=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3
Grab the version of several hosts.
dns_forward server=FILE0 0=hosts.txt name=version.bind qtype=txt qclass=ch
Reverse lookup several networks.
(a) Ignore names that do not contain 'google.com'.
(b) Ignore generic PTR records.
dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
(a) (b)
SNMP
SNMPv1/2 : Find valid community names.
snmp_login host=10.0.0.1 community=FILE0 0=names.txt -x ignore:mesg='No SNMP response received before timeout'
SNMPv3 : Find valid usernames.
snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName
SNMPv3 : Find valid passwords.
snmp_login host=10.0.0.1 version=3 user=myuser auth_key=FILE0 0=passwords.txt -x ignore:mesg=wrongDigest
NB0. If you get "notInTimeWindow" error messages, increase the retries option.
NB1. SNMPv3 requires passphrases to be at least 8 characters long.
Unzip
Brute-force the ZIP file password (cracking older pkzip encryption used to be not supported in JtR).
unzip_pass zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0
patator Usage Example
- FTP : Enumerating users denied login in vsftpd/userlist
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 19:36:06 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 19:36 AEDT 19:36:06 patator INFO - 19:36:06 patator INFO - code size time | candidate | num | mesg 19:36:06 patator INFO - ----------------------------------------------------------------------------- 19:36:07 patator INFO - 230 17 0.002 | anonymous | 7 | Login successful. 19:36:07 patator INFO - 230 17 0.001 | ftp | 10 | Login successful. 19:36:08 patator INFO - 530 18 1.000 | root | 1 | Permission denied. 19:36:17 patator INFO - 530 18 1.000 | michael | 50 | Permission denied. 19:36:36 patator INFO - 530 18 1.000 | robert | 93 | Permission denied. ...
Tested against vsftpd-3.0.2-9 on CentOS 7.0-1406
- SSH : Time-based user enumeration
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3 17:45:20 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 17:45 AEDT 17:45:20 patator INFO - 17:45:20 patator INFO - code size time | candidate | num | mesg 17:45:20 patator INFO - ----------------------------------------------------------------------------- 17:45:30 patator FAIL - xxx 41 10.001 | root | 1 | <class '__main__.TimeoutError'> timed out 17:45:34 patator FAIL - xxx 41 10.000 | john | 23 | <class '__main__.TimeoutError'> timed out 17:45:37 patator FAIL - xxx 41 10.000 | joe | 40 | <class '__main__.TimeoutError'> timed out ...
Tested against openssh-server 1:6.0p1-4+deb7u2 on Debian 7.8
- HTTP : Brute-force phpMyAdmin logon
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf 11:53:47 patator INFO - Starting Patator v0.7-beta (http://code.google.com/p/patator/) at 2014-08-31 11:53 EST 11:53:47 patator INFO - 11:53:47 patator INFO - code size:clen time | candidate | num | mesg 11:53:47 patator INFO - ----------------------------------------------------------------------------- 11:53:48 patator INFO - 200 49585:0 0.150 | root:p@ssw0rd | 26 | HTTP/1.1 200 OK 11:53:51 patator INFO - 200 13215:0 0.351 | root: | 72 | HTTP/1.1 200 OK ^C 11:53:54 patator INFO - Hits/Done/Skip/Fail/Size: 2/198/0/0/3000, Avg: 29 r/s, Time: 0h 0m 6s 11:53:54 patator INFO - To resume execution, pass --resume 15,15,15,16,15,36,15,16,15,40
Payload #72 was a false positive due to an unexpected error message:
$ grep AllowNoPassword /tmp/qsdf/72_200\:13215\:0\:0.351.txt ... class="icon ic_s_error" /> Login without a password is forbidden by configuration (see AllowNoPassword)</div><noscript>
Tested against phpMyAdmin 4.2.7.1.
- IKE : Enumerate transforms supported by VPN peer
# ike_enum host=10.0.0.1 transform=MOD0 0=TRANS aggressive=RANGE1 1=int:0-1 -x ignore:fgrep='NO-PROPOSAL'
16:52:58 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-04-05 16:52 AEST
16:52:58 patator INFO -
16:52:58 patator INFO - code size time | candidate | num | mesg
16:52:58 patator INFO - -----------------------------------------------------------------------------
16:53:03 patator INFO - 0 70 0.034 | 5,1,1,2:0 | 1539 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Main)
16:53:03 patator INFO - 0 72 0.031 | 5,1,65001,2:0 | 1579 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Main)
16:53:03 patator INFO - 0 76 0.033 | 5,1,1,2:1 | 1540 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Aggressive)
16:53:03 patator INFO - 0 78 0.034 | 5,1,65001,2:1 | 1580 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Aggressive)
16:53:06 patator INFO - 0 84 0.034 | 7/128,2,1,2:0 | 2371 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Main)
16:53:06 patator INFO - 0 90 0.033 | 7/128,2,1,2:1 | 2372 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Aggressive)
16:53:06 patator INFO - 0 86 0.034 | 7/128,2,65001,2:0 | 2411 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Main)
16:53:06 patator INFO - 0 92 0.035 | 7/128,2,65001,2:1 | 2412 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Aggressive)
+ 10.0.0.1:500 (Main Mode)
Encryption Hash Auth Group
---------- ---------- ---------- ----------
3DES MD5 PSK modp1024
3DES MD5 XAUTH modp1024
AES128 SHA1 PSK modp1024
AES128 SHA1 XAUTH modp1024
+ 10.0.0.1:500 (Aggressive Mode)
Encryption Hash Auth Group
---------- ---------- ---------- ----------
3DES MD5 PSK modp1024
3DES MD5 XAUTH modp1024
AES128 SHA1 PSK modp1024
AES128 SHA1 XAUTH modp1024
16:53:11 patator INFO - Hits/Done/Skip/Fail/Size: 8/3840/0/0/3840, Avg: 284 r/s, Time: 0h 0m 13s
- SNMPv3 : Find valid usernames
$ snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName 17:51:06 patator INFO - Starting Patator v0.5 17:51:06 patator INFO - 17:51:06 patator INFO - code size | candidate | num | mesg 17:51:06 patator INFO - ---------------------------------------------------------------------- 17:51:11 patator INFO - 0-0 11 | robert | 55 | wrongDigest 17:51:12 patator INFO - Progress: 20% (70/345) | Speed: 10 r/s | ETC: 17:51:38 (00:00:26 remaining) 17:51:33 patator INFO - 0-0 11 | myuser | 311 | wrongDigest 17:51:36 patator INFO - Hits/Done/Skip/Fail/Size: 2/345/0/0/345, Avg: 11 r/s, Time: 0h 0m 30s
- SNMPv3 : Find valid passwords
$ snmp_login host=10.0.0.1 version=3 user=robert auth_key=FILE0 0=passwords_8+.txt -x ignore:mesg=wrongDigest 17:52:15 patator INFO - Starting Patator v0.5 17:52:15 patator INFO - 17:52:15 patator INFO - code size | candidate | num | mesg 17:52:15 patator INFO - ---------------------------------------------------------------------- 17:52:16 patator INFO - 0-0 69 | password123 | 16 | Linux thug 2.6.36-gentoo #5 SMP Fri Aug 12 14:49:51 CEST 2011 i686 17:52:17 patator INFO - Hits/Done/Skip/Fail/Size: 1/50/0/0/50, Avg: 38 r/s, Time: 0h 0m 1s
- DNS : Forward lookup
$ dns_forward name=FILE0.hsc.fr 0=names.txt -x ignore:code=3
03:18:46 patator INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 03:18 PMT
03:18:46 patator INFO -
03:18:46 patator INFO - code size | candidate | num | mesg
03:18:46 patator INFO - ----------------------------------------------------------------------
03:18:46 patator INFO - 0 41 | www | 4 | NOERROR [www.hsc.fr. IN A 217.174.211.25]
03:18:46 patator INFO - 0 81 | mail | 32 | NOERROR [mail.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator INFO - 0 44 | webmail | 62 | NOERROR [webmail.hsc.fr. IN A 192.70.106.95]
03:18:46 patator INFO - 0 93 | test | 54 | NOERROR [hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600]
03:18:46 patator INFO - 0 40 | wap | 66 | NOERROR [wap.hsc.fr. IN A 192.70.106.33]
03:18:46 patator INFO - 0 85 | extranet | 131 | NOERROR [extranet.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator INFO - 0 81 | news | 114 | NOERROR [news.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator INFO - 0 93 | mailhost | 137 | NOERROR [mailhost.hsc.fr. IN A 192.70.106.33][mailhost.hsc.fr. IN AAAA 2001:7a8:1155:2::abcd]
03:18:46 patator INFO - 0 47 | lists | 338 | NOERROR [lists.hsc.fr. IN MX 10 itesec.hsc.fr.]
03:18:46 patator INFO - 0 93 | fr | 319 | NOERROR [hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600]
03:18:47 patator INFO - 0 40 | gl | 586 | NOERROR [gl.hsc.fr. IN A 192.70.106.103]
Records ------------------------------------------
extranet.hsc.fr. IN CNAME itesec.hsc.fr.
gl.hsc.fr. IN A 192.70.106.103
hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600
itesec.hsc.fr. IN A 192.70.106.33
lists.hsc.fr. IN MX 10 itesec.hsc.fr.
mail.hsc.fr. IN CNAME itesec.hsc.fr.
mailhost.hsc.fr. IN A 192.70.106.33
mailhost.hsc.fr. IN AAAA 2001:7a8:1155:2::abcd
news.hsc.fr. IN CNAME itesec.hsc.fr.
wap.hsc.fr. IN A 192.70.106.33
webmail.hsc.fr. IN A 192.70.106.95
www.hsc.fr. IN A 217.174.211.25
Hostmap ------------------------------------------
mailhost.hsc.fr 2001:7a8:1155:2::abcd
mailhost.hsc.fr 192.70.106.33
wap.hsc.fr 192.70.106.33
itesec.hsc.fr 192.70.106.33
extranet.hsc.fr
mail.hsc.fr
news.hsc.fr
webmail.hsc.fr 192.70.106.95
gl.hsc.fr 192.70.106.103
www.hsc.fr 217.174.211.25
Domains ------------------------------------------
hsc.fr 10
Networks -----------------------------------------
2001:7a8:1155:2::abcd
192.70.106.x
217.174.211.25
03:18:53 patator INFO - Hits/Done/Skip/Fail/Size: 11/1000/0/0/1000, Avg: 133 r/s, Time: 0h 0m 7s
Also notice that test.hsc.fr. is the start of a new zone because we got NOERROR and no IP address.
- DNS : Reverse lookup two netblocks owned by Google
$ dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
03:24:22 patator INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 03:24 PMT
03:24:22 patator INFO -
03:24:22 patator INFO - code size | candidate | num | mesg
03:24:22 patator INFO - ----------------------------------------------------------------------
03:24:22 patator INFO - 0 46 | 216.239.32.10 | 11 | NOERROR [216.239.32.10 IN PTR ns1.google.com.]
03:24:22 patator INFO - 0 45 | 216.239.32.11 | 12 | NOERROR [216.239.32.11 IN PTR ns.google.com.]
03:24:22 patator INFO - 0 48 | 216.239.32.15 | 16 | NOERROR [216.239.32.15 IN PTR time1.google.com.]
03:24:23 patator INFO - 0 47 | 216.239.33.5 | 262 | NOERROR [216.239.33.5 IN PTR proxy.google.com.]
03:24:23 patator INFO - 0 47 | 216.239.33.12 | 269 | NOERROR [216.239.33.12 IN PTR dns1.google.com.]
03:24:23 patator INFO - 0 51 | 216.239.33.22 | 279 | NOERROR [216.239.33.22 IN PTR transfer.google.com.]
03:24:23 patator INFO - 0 50 | 216.239.33.20 | 277 | NOERROR [216.239.33.20 IN PTR esc-out.google.com.]
03:24:23 patator INFO - 0 46 | 216.239.34.10 | 523 | NOERROR [216.239.34.10 IN PTR ns2.google.com.]
03:24:23 patator INFO - 0 48 | 216.239.34.15 | 528 | NOERROR [216.239.34.15 IN PTR time2.google.com.]
^C
Records ------------------------------------------
216.239.32.10 IN PTR ns1.google.com.
216.239.32.11 IN PTR ns.google.com.
216.239.32.15 IN PTR time1.google.com.
216.239.33.12 IN PTR dns1.google.com.
216.239.33.20 IN PTR esc-out.google.com.
216.239.33.22 IN PTR transfer.google.com.
216.239.33.5 IN PTR proxy.google.com.
216.239.34.10 IN PTR ns2.google.com.
216.239.34.15 IN PTR time2.google.com.
Hostmap ------------------------------------------
ns1.google.com 216.239.32.10
ns.google.com 216.239.32.11
time1.google.com 216.239.32.15
proxy.google.com 216.239.33.5
dns1.google.com 216.239.33.12
esc-out.google.com 216.239.33.20
transfer.google.com 216.239.33.22
ns2.google.com 216.239.34.10
time2.google.com 216.239.34.15
Domains ------------------------------------------
google.com 9
Networks -----------------------------------------
216.239.32.x
216.239.33.x
216.239.34.x
03:24:29 patator INFO - Hits/Done/Skip/Fail/Size: 9/872/0/0/4352, Avg: 115 r/s, Time: 0h 0m 7s
03:24:29 patator INFO - To resume execution, pass --resume 91,75,93,73,84,95,94,95,83,89
- ZIP : Crack a password-protected ZIP file (older pkzip encryption used not to be supported in JtR)
$ unzip_pass zipfile=challenge1.zip password=FILE0 0=rockyou.dic -x ignore:code!=0 10:54:29 patator INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 10:54:29 PMT 10:54:29 patator INFO - 10:54:29 patator INFO - code size | candidate | num | mesg 10:54:29 patator INFO - ---------------------------------------------------------------------- 10:54:30 patator INFO - 0 82 | love | 387 | 0 [82] No errors detected in compressed data of challenge1.zip. ^C 10:54:31 patator INFO - Hits/Done/Skip/Fail/Size: 1/1589/0/0/5000, Avg: 699 r/s, Time: 0h 0m 2s 10:54:31 patator INFO - To resume execution, pass --resume 166,164,165,166,155,158,148,158,155,154
How to install patator
The program is pre-installed on Kali Linux.
Installation on Linux (Debian, Mint, Ubuntu)
Dependencies (best tested versions)
| Required for | URL | Version |
--------------------------------------------------------------------------------------------------
paramiko | SSH | http://www.lag.net/paramiko/ | 1.7.7.1 |
--------------------------------------------------------------------------------------------------
pycurl | HTTP | http://pycurl.sourceforge.net/ | 7.19.3 |
--------------------------------------------------------------------------------------------------
libcurl | HTTP | https://curl.haxx.se/ | 7.21.0 |
--------------------------------------------------------------------------------------------------
ajpy | AJP | https://github.com/hypn0s/AJPy/ | 0.0.1 |
--------------------------------------------------------------------------------------------------
openldap | LDAP | http://www.openldap.org/ | 2.4.24 |
--------------------------------------------------------------------------------------------------
impacket | SMB | https://github.com/CoreSecurity/impacket | 0.9.12 |
--------------------------------------------------------------------------------------------------
cx_Oracle | Oracle | http://cx-oracle.sourceforge.net/ | 5.1.1 |
--------------------------------------------------------------------------------------------------
mysql-python | MySQL | http://sourceforge.net/projects/mysql-python/ | 1.2.3 |
--------------------------------------------------------------------------------------------------
xfreerdp | RDP (NLA) | https://github.com/FreeRDP/FreeRDP/ | 1.2.0 |
--------------------------------------------------------------------------------------------------
psycopg | PostgreSQL | http://initd.org/psycopg/ | 2.4.5 |
--------------------------------------------------------------------------------------------------
pycrypto | VNC | http://www.dlitz.net/software/pycrypto/ | 2.3 |
--------------------------------------------------------------------------------------------------
dnspython | DNS | http://www.dnspython.org/ | 1.10.0 |
--------------------------------------------------------------------------------------------------
IPy | NET keyword | https://github.com/haypo/python-ipy | 0.75 |
--------------------------------------------------------------------------------------------------
pysnmp | SNMP | http://pysnmp.sourceforge.net/ | 4.2.1 |
--------------------------------------------------------------------------------------------------
pyasn1 | SNMP | http://sourceforge.net/projects/pyasn1/ | 0.1.2 |
--------------------------------------------------------------------------------------------------
ike-scan | IKE | http://www.nta-monitor.com/tools-resources/ | 1.9 |
--------------------------------------------------------------------------------------------------
unzip | ZIP passwords | http://www.info-zip.org/ | 6.0 |
--------------------------------------------------------------------------------------------------
Java | keystore files | http://www.oracle.com/technetwork/java/javase/ | 6 |
--------------------------------------------------------------------------------------------------
pysqlcipher | SQLCipher | https://github.com/leapcode/pysqlcipher/ | 2.6.10 |
--------------------------------------------------------------------------------------------------
python | | http://www.python.org/ | 2.7 |
--------------------------------------------------------------------------------------------------
wget https://raw.githubusercontent.com/lanjelot/patator/master/patator.py chmod +x patator.py ./patator.py
patator Screenshots
patator Tutorials
- Brute force website login page using patator
- Brute-Force Router Web Forms
- How to install all Patator dependencies
Related tools
- Hydra (98.7%)
- oclHashcat (54%)
- hashcat (Hashcat & oclHashcat) (54%)
- Medusa (52.7%)
- John the Ripper (52.7%)
- wifiphisher (RANDOM - 0.8%)
Comments are Closed