patator

patator Description

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than its fellow predecessors.

Currently it supports the following modules:

  • ftp_login : Brute-force FTP
  • ssh_login : Brute-force SSH
  • telnet_login : Brute-force Telnet
  • smtp_login : Brute-force SMTP
  • smtp_vrfy : Enumerate valid users using SMTP VRFY
  • smtp_rcpt : Enumerate valid users using SMTP RCPT TO
  • finger_lookup : Enumerate valid users using Finger
  • http_fuzz : Brute-force HTTP
  • ajp_fuzz : Brute-force AJP
  • pop_login : Brute-force POP3
  • pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
  • imap_login : Brute-force IMAP4
  • ldap_login : Brute-force LDAP
  • smb_login : Brute-force SMB
  • smb_lookupsid : Brute-force SMB SID-lookup
  • rlogin_login : Brute-force rlogin
  • vmauthd_login : Brute-force VMware Authentication Daemon
  • mssql_login : Brute-force MSSQL
  • oracle_login : Brute-force Oracle
  • mysql_login : Brute-force MySQL
  • mysql_query : Brute-force MySQL queries
  • rdp_login : Brute-force RDP (NLA)
  • pgsql_login : Brute-force PostgreSQL
  • vnc_login : Brute-force VNC
  • dns_forward : Forward DNS lookup
  • dns_reverse : Reverse DNS lookup
  • snmp_login : Brute-force SNMP v1/2/3
  • ike_enum : Enumerate IKE transforms
  • unzip_pass : Brute-force the password of encrypted ZIP files
  • keystore_pass : Brute-force the password of Java keystore files
  • sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
  • umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
  • tcp_fuzz : Fuzz TCP services
  • dummy_test : Testing module

Future modules to be implemented:

  • rdp_login w/no NLA

FEATURES

  • No false negatives, as it is the user that decides what results to ignore based on:
      • status code of response
      • size of response
      • matching string or regex in response data
      • … see --help
  • Modular design
      • not limited to network modules (eg. the unzip_pass module)
      • not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)
  • Interactive runtime
      • show progress during execution (press Enter)
      • pause/unpause execution (press p)
      • increase/decrease verbosity
      • add new actions & conditions during runtime (eg. to exclude more types of response from showing)
      • … press h to see all available interactive commands
  • Use persistent connections (ie. will test several passwords until the server disconnects)
  • Multi-threaded
  • Flexible user input
      • Any module parameter can be fuzzed:
          • use the FILE keyword to iterate over a file
          • use the COMBO keyword to iterate over a combo file
          • use the NET keyword to iterate over every host of a network subnet
          • use the RANGE keyword to iterate over hexadecimal, decimal or alphabetical ranges
          • use the PROG keyword to iterate over the output of an external program
      • Iteration over the joined wordlists can be done in any order
  • Save every response (along with request) to separate log files for later reviewing

Homepage: https://github.com/lanjelot/patator

Author: Sebastien MACKE

License: GPLv2

patator Help

USAGE

python patator.py <module> -h
or
<module> -h (if you created the shortcuts)

There are global options and module options:

  • all global options start with - or --
  • all module options are of the form option=value

All module options are fuzzable:

./module host=FILE0 port=FILE1 foobar=FILE2.google.FILE3 0=hosts.txt 1=ports.txt 2=foo.txt 3=bar.txt

The keywords (FILE, COMBO, NET, …) act as place-holders. They indicate the type of wordlist and where to replace themselves with the actual words to test.

Each keyword is numbered in order to:

  • match the corresponding wordlist
  • and indicate in what order to iterate over all the wordlists

For example, this would be the classic order:

$ ./module host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt
10.0.0.1 root password
10.0.0.1 root 123456
10.0.0.1 root qsdfghj
... (trying all passwords before testing next login)
10.0.0.1 admin password
10.0.0.1 admin 123456
10.0.0.1 admin qsdfghj
... (trying all logins before testing next host)
10.0.0.2 root password
...

While a smarter way might be:

$ ./module host=FILE2 user=FILE1 password=FILE0 2=hosts.txt 1=logins.txt 0=passwords.txt

10.0.0.1 root password
10.0.0.2 root password
10.0.0.1 admin password
10.0.0.2 admin password
10.0.0.1 root 123456
10.0.0.2 root 123456
10.0.0.1 admin 123456
...
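
Seen from the server side, the two orders leave different traces in authentication logs: the first piles failures onto one account at a time, the second spreads each account's failures out over time. The added example below (not from patator or its author) replays both orders as constructed failure events and runs two sliding-window counters over them; the account names, source address, thresholds and the `failed_logins` and `detect` functions are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data, not real logs: the two hosts from the listings above,
# three accounts, six failed guesses per account, one attempt per second.
HOSTS = ["10.0.0.1", "10.0.0.2"]
USERS = ["root", "admin", "backup"]
GUESSES_PER_ACCOUNT = 6
SOURCE = "192.0.2.10"  # documentation address (RFC 5737)


def failed_logins(order):
    """Build the failure events a server would log for one of the two orders."""
    if order == "classic":
        # host=FILE0 user=FILE1 password=FILE2: the password varies fastest
        seq = [(h, u) for h in HOSTS for u in USERS
               for _ in range(GUESSES_PER_ACCOUNT)]
    elif order == "reordered":
        # host=FILE2 user=FILE1 password=FILE0: the host varies fastest
        seq = [(h, u) for _ in range(GUESSES_PER_ACCOUNT)
               for u in USERS for h in HOSTS]
    else:
        raise ValueError(f"unknown order: {order!r}")
    return [{"t": t, "src": SOURCE, "host": h, "user": u}
            for t, (h, u) in enumerate(seq)]


def detect(events, window=5, per_account_limit=5, distinct_account_limit=5):
    """Run two sliding-window rules over failed-login events.

    per_account: accounts with >= per_account_limit failures inside `window` seconds
    per_source : sources failing against >= distinct_account_limit different
                 accounts inside `window` seconds
    """
    hits = {"per_account": set(), "per_source": set()}
    by_account = defaultdict(deque)  # (host, user) -> timestamps still in window
    by_source = defaultdict(deque)   # src -> (timestamp, account) still in window
    for ev in sorted(events, key=lambda e: e["t"]):
        now, account = ev["t"], (ev["host"], ev["user"])

        times = by_account[account]
        times.append(now)
        while times[0] <= now - window:
            times.popleft()
        if len(times) >= per_account_limit:
            hits["per_account"].add(account)

        recent = by_source[ev["src"]]
        recent.append((now, account))
        while recent[0][0] <= now - window:
            recent.popleft()
        if len({acct for _, acct in recent}) >= distinct_account_limit:
            hits["per_source"].add(ev["src"])
    return hits


if __name__ == "__main__":
    for order in ("classic", "reordered"):
        result = detect(failed_logins(order))
        print(order,
              "| accounts over the per-account limit:", len(result["per_account"]),
              "| sources over the per-source limit:", sorted(result["per_source"]))
```

With the same 36 failures in both runs, only the per-account rule fires for the first order and only the per-source rule fires for the second, so a log review that relies on per-account counters alone misses the second pattern.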

patator Module Options

Global options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Execution:
    -x arg              actions and conditions, see Syntax below
    --start=N           start from offset N in the wordlist product
    --stop=N            stop at offset N
    --resume=r1[,rN]*   resume previous run
    -e arg              encode everything between two tags, see Syntax below
    -C str              delimiter string in combo files (default is ':')
    -X str              delimiter string in conditions (default is ',')
    --allow-ignore-failures
                        failures cannot be ignored with -x (this is by design
                        to avoid false negatives) this option overrides this
                        behavior

  Optimization:
    --rate-limit=N      wait N seconds between each test (default is 0)
    --timeout=N         wait N seconds for a response before retrying payload
                        (default is 0)
    --max-retries=N     skip payload after N retries (default is 4) (-1 for
                        unlimited)
    -t N, --threads=N   number of threads (default is 10)

  Logging:
    -l DIR              save output and response data into DIR
    -L SFX              automatically save into DIR/yyyy-mm-dd/hh:mm:ss_SFX
                        (DIR defaults to '/tmp/patator')

  Debugging:
    -d, --debug         enable debug messages

Syntax:
 -x actions:conditions

    actions    := action[,action]*
    action     := "ignore" | "retry" | "free" | "quit" | "reset"
    conditions := condition=value[,condition=value]*
    condition  := "code" | "size" | "time" | "mesg" | "fgrep" | "egrep"

    ignore      : do not report
    retry       : try payload again
    free        : dismiss future similar payloads
    quit        : terminate execution now
    reset       : close current connection in order to reconnect next time

    code        : match status code
    size        : match size (N or N-M or N- or -N)
    time        : match time (N or N-M or N- or -N)
    mesg        : match message
    fgrep       : search for string in mesg
    egrep       : search for regex in mesg

For example, to ignore all redirects to the home page:
... -x ignore:code=302,fgrep='Location: /home.html'

 -e tag:encoding

    tag        := any unique string (eg. T@G or _@@_ or ...)
    encoding   := "unhex" | "sha1" | "b64" | "url" | "hex" | "md5"

    unhex       : decode from hexadecimal
    sha1        : hash in sha1
    b64         : encode in base64
    url         : url encode
    hex         : encode in hexadecimal
    md5         : hash in md5

For example, to encode every password in base64:
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64

ftp_login

Usage: ftp_login <module-options ...> [global-options ...]

Examples:
  ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500

Module options:
  host          : target host
  port          : target port [21]
  user          : usernames to test
  password      : passwords to test
  tls           : use TLS [0|1]
  timeout       : seconds to wait for a response [10]
  persistent    : use persistent connections [1|0] 

ssh_login

Usage: ssh_login <module-options ...> [global-options ...]

Examples:
  ssh_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt -x ignore:mesg='Authentication failed.'

Module options:
  host          : target host
  port          : target port [22]
  user          : usernames to test
  password      : passwords to test
  auth_type     : type of password authentication to use [password|keyboard-interactive|auto]
  keyfile       : file with RSA, DSA or ECDSA private key to test
  persistent    : use persistent connections [1|0] 

telnet_login

Usage: telnet_login <module-options ...> [global-options ...]

Examples:
  telnet_login host=10.0.0.1 inputs='FILE0\nFILE1' 0=logins.txt 1=passwords.txt persistent=0 prompt_re='Username:|Password:' -x ignore:egrep='Login incorrect.+Username:'

Module options:
  host          : target host
  port          : target port [23]
  inputs        : list of values to input
  prompt_re     : regular expression to match prompts [\w+:]
  timeout       : seconds to wait for a response and for prompt_re to match received data [20]
  persistent    : use persistent connections [1|0] 

smtp_login

Usage: smtp_login <module-options ...> [global-options ...]

Examples:
  smtp_login host=10.0.0.1 user=f.bar@dom.com password=FILE0 0=passwords.txt [helo='ehlo its.me.com'] -x ignore:fgrep='Authentication failed' -x ignore,reset,retry:code=421

Module options:
  persistent    : use persistent connections [1|0]
  timeout       : seconds to wait for a response [10]
  host          : target host
  port          : target port [25]
  ssl           : use SSL [0|1]
  helo          : helo or ehlo command to send after connect [skip]
  starttls      : send STARTTLS [0|1]
  user          : usernames to test
  password      : passwords to test 

smtp_vrfy

Usage: smtp_vrfy <module-options ...> [global-options ...]

Examples:
  smtp_vrfy host=10.0.0.1 user=FILE0 0=logins.txt [helo='ehlo its.me.com'] -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421

Module options:
  persistent    : use persistent connections [1|0]
  timeout       : seconds to wait for a response [10]
  host          : target host
  port          : target port [25]
  ssl           : use SSL [0|1]
  helo          : helo or ehlo command to send after connect [skip]
  starttls      : send STARTTLS [0|1]
  user          : usernames to test 

smtp_rcpt

Usage: smtp_rcpt <module-options ...> [global-options ...]

Examples:
  smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt [helo='ehlo its.me.com'] [mail_from=bar@example.com] -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421

Module options:
  persistent    : use persistent connections [1|0]
  timeout       : seconds to wait for a response [10]
  host          : target host
  port          : target port [25]
  ssl           : use SSL [0|1]
  helo          : helo or ehlo command to send after connect [skip]
  starttls      : send STARTTLS [0|1]
  user          : usernames to test
  mail_from     : sender email [test@example.org] 

finger_lookup

Usage: finger_lookup <module-options ...> [global-options ...]

Examples:
  finger_lookup host=10.0.0.1 user=FILE0 0=words.txt -x ignore:fgrep='no such user'

Module options:
  host          : target host
  port          : target port [79]
  user          : usernames to test
  timeout       : seconds to wait for a response [5] 

http_fuzz

Usage: http_fuzz <module-options ...> [global-options ...]

Examples:
  http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
  http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
  http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server'

Module options:
  url           : target url (scheme://host[:port]/path?query)
  body          : body data
  header        : use custom headers
  method        : method to use [GET|POST|HEAD|...]
  raw_request   : load request from file
  scheme        : scheme [http|https]
  auto_urlencode: automatically perform URL-encoding [1|0]
  user_pass     : username and password for HTTP authentication (user:pass)
  auth_type     : type of HTTP authentication [basic | digest | ntlm]
  follow        : follow any Location redirect [0|1]
  max_follow    : redirection limit [5]
  accept_cookie : save received cookies to issue them in future requests [0|1]
  http_proxy    : HTTP proxy to use (host:port)
  ssl_cert      : client SSL certificate file (cert+key in PEM format)
  timeout_tcp   : seconds to wait for a TCP handshake [10]
  timeout       : seconds to wait for a HTTP response [20]
  before_urls   : comma-separated URLs to query before the main request
  before_header : use a custom header in the before_urls request
  before_egrep  : extract data from the before_urls response to place in the main request
  after_urls    : comma-separated URLs to query after the main request
  max_mem       : store no more than N bytes of request+response data in memory [-1 (unlimited)]
  persistent    : use persistent connections [1|0] 

ajp_fuzz

Usage: ajp_fuzz <module-options ...> [global-options ...]

Examples:
  ajp_fuzz url=ajp://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
  ajp_fuzz url=ajp://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401

Module options:
  url           : target url (ajp://host[:port]/path?query)
  header        : use custom headers
  user_pass     : username and password for HTTP authentication (user:pass)

pop_login

Usage: pop_login <module-options ...> [global-options ...]

Examples:
  pop_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:code=-ERR

Module options:
  host          : target host
  port          : target port [110]
  user          : usernames to test
  password      : passwords to test
  ssl           : use SSL [0|1]
  timeout       : seconds to wait for a response [10]
  persistent    : use persistent connections [1|0] 

pop_passd

Usage: pop_passd <module-options ...> [global-options ...]

Examples:
  pop_passd host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:code=500

Module options:
  host          : target host
  port          : target port [106]
  user          : usernames to test
  password      : passwords to test
  timeout       : seconds to wait for a response [10] 

imap_login

Usage: imap_login <module-options ...> [global-options ...]

Examples:
  imap_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt

Module options:
  host          : target host
  port          : target port [143]
  user          : usernames to test
  password      : passwords to test
  ssl           : use SSL [0|1] 

ldap_login

Usage: imap_login <module-options ...> [global-options ...]

Examples:
  imap_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt

Module options:
  host          : target host
  port          : target port [143]
  user          : usernames to test
  password      : passwords to test
  ssl           : use SSL [0|1] 

smb_login

Usage: smb_login <module-options ...> [global-options ...]

Examples:
  smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep='unknown user name or bad password'

Module options:
  host          : target host
  port          : target port [139]
  user          : usernames to test
  password      : passwords to test
  password_hash : LM/NT hashes to test, at least one hash must be provided ('lm:nt' or ':nt' or 'lm:')
  domain        : domain to test
  persistent    : use persistent connections [1|0] 

smb_lookupsid

Usage: smb_lookupsid <module-options ...> [global-options ...]

Examples:
  smb_lookupsid host=10.0.0.1 sid=S-1-5-21-1234567890-1234567890-1234567890 rid=RANGE0 0=int:500-2000 -x ignore:code=1

Module options:
  host          : target host
  port          : target port [139]
  sid           : SID to test
  rid           : RID to test
  user          : username to use if auth required
  password      : password to use if auth required
  persistent    : use persistent connections [1|0] 

rlogin_login

Usage: rlogin_login <module-options ...> [global-options ...]

Examples:
  Please note that rlogin requires to bind a socket to an Internet domain privileged port.
  rlogin_login host=10.0.0.1 user=root luser=FILE0 0=logins.txt persistent=0 -x ignore:fgrep=Password:
  rlogin_login host=10.0.0.1 user=john password=FILE0 0=passwords.txt -x 'reset:egrep!=Login incorrect.+login:'

Module options:
  host          : target host
  port          : target port [513]
  luser         : client username [root]
  user          : usernames to test
  password      : passwords to test
  prompt_re     : regular expression to match prompts [\w+:]
  timeout       : seconds to wait for a response and for prompt_re to match received data [10]
  persistent    : use persistent connections [1|0] 

vmauthd_login

Usage: vmauthd_login <module-options ...> [global-options ...]

Examples:
  vmauthd_login host=10.0.0.1 user=root password=FILE0 0=passwords.txt

Module options:
  host          : target host
  port          : target port [902]
  user          : usernames to test
  password      : passwords to test
  ssl           : use SSL [1|0]
  timeout       : seconds to wait for a response [10]
  persistent    : use persistent connections [1|0] 

mssql_login

Usage: mssql_login <module-options ...> [global-options ...]

Examples:
  mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'

Module options:
  host          : target host
  port          : target port [1433]
  user          : usernames to test
  password      : passwords to test
  windows_auth  : use Windows auth [0|1]
  domain        : domain to test []
  password_hash : LM/NT hashes to test ('lm:nt' or ':nt') 

oracle_login

Usage: oracle_login <module-options ...> [global-options ...]

Examples:
  oracle_login host=10.0.0.1 sid=FILE0 0=sids.txt -x ignore:code=ORA-12505
  oracle_login host=10.0.0.1 user=SYS password=FILE0 0=passwords.txt -x ignore:code=ORA-01017

Module options:
  host          : hostnames or subnets to target
  port          : ports to target [1521]
  user          : usernames to test
  password      : passwords to test
  sid           : sid to test
  service_name  : service name to test

mysql_login

Usage: mysql_login <module-options ...> [global-options ...]

Examples:
  mysql_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep='Access denied for user'

Module options:
  host          : target host
  port          : target port [3306]
  user          : usernames to test
  password      : passwords to test
  timeout       : seconds to wait for a response [10] 

mysql_query

Usage: mysql_query <module-options ...> [global-options ...]

Examples:
  mysql_query host=10.0.0.1 user=root password=s3cr3t query="select length(load_file('/home/adam/FILE0'))" 0=files.txt -x ignore:size=0

Module options:
  host          : target host
  port          : target port [3306]
  user          : username to use
  password      : password to use
  query         : SQL query to execute 

rdp_login

Usage: rdp_login <module-options ...> [global-options ...]

Examples:
  rdp_login host=10.0.0.1 user='administrator' password=FILE0 0=passwords.txt

Module options:
  host          : target host
  port          : target port [3389]
  user          : usernames to test
  password      : passwords to test 

pgsql_login

Usage: pgsql_login <module-options ...> [global-options ...]

Examples:
  pgsql_login host=10.0.0.1 user=postgres password=FILE0 0=passwords.txt -x ignore:fgrep='password authentication failed for user'

Module options:
  host          : target host
  port          : target port [5432]
  user          : usernames to test
  password      : passwords to test
  database      : databases to test [postgres]
  timeout       : seconds to wait for a response [10] 

vnc_login

Usage: vnc_login <module-options ...> [global-options ...]

Examples:
  vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0

Module options:
  host          : target host
  port          : target port [5900]
  password      : passwords to test
  timeout       : seconds to wait for a response [10] 

dns_forward

Usage: dns_forward <module-options ...> [global-options ...]

Examples:
  dns_forward name=FILE0.google.com 0=names.txt -x ignore:code=3
  dns_forward name=google.MOD0 0=TLD -x ignore:code=3
  dns_forward name=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3

Module options:
  name          : domain names to lookup
  server        : name server to query (directly asking the zone authoritative NS may return more results) [8.8.8.8]
  timeout       : seconds to wait for a response [5]
  protocol      : send queries over udp or tcp [udp]
  qtype         : type to query [ANY]
  qclass        : class to query [IN] 

dns_reverse

Usage: dns_reverse <module-options ...> [global-options ...]

Examples:
  dns_reverse host=NET0 0=192.168.0.0/24 -x ignore:code=3
  dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-

Module options:
  host          : IP addresses to reverse lookup
  server        : name server to query (directly asking a zone authoritative NS may return more results) [8.8.8.8]
  timeout       : seconds to wait for a response [5]
  protocol      : send queries over udp or tcp [udp] 

snmp_login

Usage: snmp_login <module-options ...> [global-options ...]

Examples:
  snmp_login host=10.0.0.1 version=2 community=FILE0 0=names.txt -x ignore:mesg='No SNMP response received before timeout'
  snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName
  snmp_login host=10.0.0.1 version=3 user=myuser auth_key=FILE0 0=passwords.txt -x ignore:mesg=wrongDigest

Module options:
  host          : target host
  port          : target port [161]
  version       : SNMP version to use [2|3|1]
  community     : SNMPv1/2c community names to test [public]
  user          : SNMPv3 usernames to test [myuser]
  auth_key      : SNMPv3 pass-phrases to test [my_password]
  timeout       : seconds to wait for a response [1]
  retries       : number of successive request retries [2] 

ike_enum

Usage: ike_enum <module-options ...> [global-options ...]

Examples:
  ike_enum host=10.0.0.1 transform=MOD0 0=TRANS -x ignore:fgrep=NO-PROPOSAL
  ike_enum host=10.0.0.1 transform=MOD0 0=TRANS -x ignore:fgrep=NO-PROPOSAL aggressive=RANGE1 1=int:0-1

Module options:
  host          : target host
  port          : target port [500]
  transform     : transform to test [5,1,1,2]
  aggressive    : use aggressive mode [0|1]
  groupname     : identification value for aggressive mode [foo]
  vid           : comma-separated vendor IDs to use 

unzip_pass

Usage: unzip_pass <module-options ...> [global-options ...]

Examples:
  unzip_pass zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0

Module options:
  zipfile       : ZIP files to test
  password      : passwords to test 

keystore_pass

Usage: keystore_pass <module-options ...> [global-options ...]

Examples:
  keystore_pass keystore=path/to/keystore.jks password=FILE0 0=passwords.txt -x ignore:fgrep='password was incorrect'

Module options:
  keystore      : keystore files to test
  password      : passwords to test
  storetype     : type of keystore to test 

sqlcipher_pass

Usage: sqlcipher_pass <module-options ...> [global-options ...]

Examples:
  sqlcipher_pass database=path/to/db.sqlite password=FILE0 0=passwords.txt -x ignore:fgrep='file is encrypted'

Module options:
  database      : database files to test
  password      : password to test 

tcp_fuzz

Usage: tcp_fuzz <module-options ...> [global-options ...]

Examples:
  tcp_fuzz host=10.0.0.1 data=RANGE0 0=hex:0x00-0xffffff

Module options:
  host          : target host
  port          : target port
  timeout       : seconds to wait for a response [10] 

dummy_test

Usage: dummy_test <module-options ...> [global-options ...]

Examples:
  dummy_test data=_@@_RANGE0_@@_ 0=hex:0x00-0xff -e _@@_:unhex
  dummy_test data=RANGE0 0=int:10-0
  dummy_test data=PROG0 0='seq -w 10 -1 0'
  dummy_test data=PROG0 0='mp64.bin -i ?l?l?l',$(mp64.bin --combination -i ?l?l?l)

Module options:
  data          : data to test
  data2         : data2 to test
  delay         : fake random delay 

Keywords, Actions & Conditions, Failures

Keywords

Brute-force a list of hosts with a file containing combo entries (each line => login:password).

./module host=FILE0 user=COMBO10 password=COMBO11 0=hosts.txt 1=combos.txt

Scan subnets to just grab version banners.

./module host=NET0 0=10.0.1.0/24,10.0.2.0/24,10.0.3.128-10.0.3.255

Fuzzing a parameter by iterating over a range of values.

./module param=RANGE0 0=hex:0x00-0xffff
./module param=RANGE0 0=int:0-500
./module param=RANGE0 0=lower:a-zzz

Fuzzing a parameter by iterating over the output of an external program.

./module param=PROG0 0='john -stdout -i'
./module param=PROG0 0='mp64.bin ?l?l?l',$(mp64.bin --combination ?l?l?l) # http://hashcat.net/wiki/doku.php?id=maskprocessor

Actions & Conditions

Use the -x option to do specific actions upon receiving expected results. For example:

To ignore responses with status code 200 *AND* a size within a specific range.

./module host=10.0.0.1 user=FILE0 -x ignore:code=200,size=57-74

To ignore responses with status code 500 *OR* containing "Internal error".

./module host=10.0.0.1 user=FILE0 -x ignore:code=500 -x ignore:fgrep='Internal error'

Remember that conditions are ANDed within the same -x option, use multiple -x options to specify ORed conditions.
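
How the AND/OR rule plays out is easiest to see by evaluating a few -x arguments against sample responses. The following is an added example, not patator's own code: `parse_rule`, `actions_for` and the response dictionaries are constructed here, the inclusive range bounds are an assumption, and the `!=` negation is taken from the examples on this page rather than from the Syntax grammar.

```python
import re


def in_range(spec, value):
    """Match 'N', 'N-M', 'N-' or '-N'; bounds are treated as inclusive (assumption)."""
    if "-" not in spec:
        return value == float(spec)
    low, high = spec.split("-", 1)
    return (low == "" or value >= float(low)) and (high == "" or value <= float(high))


# One matcher per condition name from the Syntax section. A response is a dict
# with the keys code (str), size (int), time (float) and mesg (str).
CONDITIONS = {
    "code": lambda r, v: str(r["code"]) == v,   # string compare: codes such as -ERR exist
    "size": lambda r, v: in_range(v, r["size"]),
    "time": lambda r, v: in_range(v, r["time"]),
    "mesg": lambda r, v: r["mesg"] == v,
    "fgrep": lambda r, v: v in r["mesg"],
    "egrep": lambda r, v: re.search(v, r["mesg"]) is not None,
}


def parse_rule(arg, delimiter=","):
    """Split one -x argument into (actions, [(condition, negated, value), ...]).

    `arg` is the string after shell quoting has been removed; `delimiter`
    plays the role of -X and only separates conditions.
    """
    actions, sep, conditions = arg.partition(":")
    if not sep or not conditions:
        raise ValueError(f"expected actions:conditions, got {arg!r}")
    parsed = []
    for cond in conditions.split(delimiter):
        name, eq, value = cond.partition("=")
        if not eq:
            raise ValueError(f"condition without '=': {cond!r}")
        negated = name.endswith("!")          # fgrep!=..., code!=...
        name = name.rstrip("!")
        if name not in CONDITIONS:
            raise ValueError(f"unknown condition: {name!r}")
        parsed.append((name, negated, value))
    return actions.split(","), parsed


def actions_for(response, rules, delimiter=","):
    """Actions triggered by a response: AND inside one rule, OR across rules."""
    fired = []
    for arg in rules:
        actions, conditions = parse_rule(arg, delimiter)
        if all(CONDITIONS[name](response, value) != negated
               for name, negated, value in conditions):
            fired.extend(a for a in actions if a not in fired)
    return fired


if __name__ == "__main__":
    # Constructed responses, not captured from a real service.
    small_ok = {"code": "200", "size": 60, "time": 0.2, "mesg": "ok"}
    big_ok = {"code": "200", "size": 100, "time": 0.2, "mesg": "Internal error: db"}

    and_rule = ["ignore:code=200,size=57-74"]
    or_rules = ["ignore:code=500", "ignore:fgrep=Internal error"]
    print(actions_for(small_ok, and_rule))   # both conditions hold
    print(actions_for(big_ok, and_rule))     # size is outside 57-74
    print(actions_for(big_ok, or_rules))     # second rule matches on its own

    # A value containing a comma needs another delimiter, as with -X '|'.
    rule = "ignore:code=200|size=1500-|fgrep=Welcome, unauthenticated user"
    page = {"code": "200", "size": 1600, "time": 0.1,
            "mesg": "Welcome, unauthenticated user"}
    print(actions_for(page, [rule], delimiter="|"))
    try:
        parse_rule(rule)                     # default ',' splits inside the string
    except ValueError as exc:
        print("rejected:", exc)
```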

Failures

During execution, failures may happen, such as a TCP connect timeout for example. By definition a failure is an exception that the module does not expect, and as a result the exception is caught upstream by the controller.

Such exceptions, or failures, are not immediately reported to the user: the controller will retry 4 more times (see --max-retries) before reporting the failed payload to the user with the logging level "FAIL".

Read the following examples carefully to get a good understanding of how patator works.

FTP

Brute-force authentication. Do not report wrong passwords.

ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:mesg='Login incorrect.'

NB0. If you get errors like "500 OOPS: priv_sock_get_cmd", use -x ignore,reset,retry:code=500 in order to retry the last login/password using a new TCP connection. Odd servers like vsftpd return this when they shut down the TCP connection (ie. max login attempts reached).

NB1. If you get errors like "too many connections from your IP address", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections.

Same as before, but stop testing a user after his password is found.

ftp_login ... -x free=user:code=0

Find anonymous FTP servers on a subnet.

ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24

SSH

Brute-force authentication with password same as login (aka single mode). Do not report wrong passwords.

ssh_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:mesg='Authentication failed.'

NB. If you get errors like "Error reading SSH protocol banner … Connection reset by peer", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections (eg. MaxStartups in OpenSSH).

Brute-force several hosts and stop testing a host after a valid password is found.

ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt -x free=host:code=0

Same as previous, but stop testing a user on a host after his password is found.

ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt -x free=host+user:code=0

Telnet

Brute-force authentication.

(a) Enter login after first prompt is detected, enter password after second prompt.

(b) The regex to detect the login and password prompts.

(c) Reconnect when we get no login prompt back (max number of tries reached or successful login).

                                (a)
telnet_login host=10.0.0.1 inputs='FILE0\nFILE1' 0=logins.txt 1=passwords.txt
 prompt_re='tux login:|Password:' -x reset:egrep!='Login incorrect.+tux login:'
 (b)                             (c)

NB. If you get errors like "telnet connection closed", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections.

SMTP

Enumerate valid users using the VRFY command.

(a) Do not report invalid recipients.

(b) Do not report when the server shuts us down with "421 too many errors", reconnect and resume testing.

                                                        (a)
smtp_vrfy host=10.0.0.1 user=FILE0 0=logins.txt -x ignore:fgrep='User unknown in local recipient table'
 -x ignore,reset,retry:code=421
    (b)

Use the RCPT TO command in case the VRFY command is not available.

smtp_rcpt host=10.0.0.1 user=FILE0@localhost 0=logins.txt helo='ehlo mx.fb.com' mail_from=root

Brute-force authentication.

(a) Send a fake hostname (by default your host fqdn is sent)

                         (a)
smtp_login host=10.0.0.1 helo='ehlo its.me.com' user=FILE0@dom.com password=FILE1 0=logins.txt 1=passwords.txt

HTTP

Find hidden web resources.

(a) Use a specific header.

(b) Follow redirects.

(c) Do not report 404 errors.

(d) Retry on 500 errors.

                                                      (a)
http_fuzz url=http://localhost/FILE0 0=words.txt header='Cookie: SESSID=A2FD8B2DA4'
 follow=1 -x ignore:code=404 -x ignore,retry:code=500
 (b)            (c)                  (d)

NB. You may be able to go 10 times faster using webef (http://www.hsc.fr/ressources/outils/webef/).

It is the fastest HTTP brute-forcer I know, yet at the moment it still lacks useful features that will prevent you from performing the following attacks.

Brute-force phpMyAdmin logon.

(a) Use POST requests.

(b) Follow redirects using cookies sent by server.

(c) Ignore failed authentications.

                                                      (a)         (b)        (b)
http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST follow=1 accept_cookie=1
 body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt
 -x ignore:fgrep='Cannot log in to the MySQL server'
             (c)

Scan subnet for directory listings.

(a) Ignore non-matching responses.

(b) Save matching responses into directory.

http_fuzz url=http://NET0/FILE1 0=10.0.0.0/24 1=dirs.txt -x ignore:fgrep!='Index of'
 -l /tmp/directory_listings                                             (a)
      (b)

Brute-force Basic authentication.

(a) Single mode (login == password).

(b) Do not report failed login attempts.

http_fuzz url=http://10.0.0.1/manager/html user_pass=FILE0:FILE0 0=logins.txt -x ignore:code=401
                                                   (a)                                (b)

Find hidden virtual hosts.

(a) Read template from file.

(b) Fuzz both the Host and User-Agent headers.

echo -e 'Host: FILE0\nUser-Agent: FILE1' > headers.txt
http_fuzz url=http://10.0.0.1/ header=@headers.txt 0=vhosts.txt 1=agents.txt
                                    (a)                       (b)

Brute-force logon using GET requests.

(a) Encode everything surrounded by the two tags _@@_ in hexadecimal.

(b) Ignore HTTP 200 responses with a content size (header+body) within given range and that also contain the given string.

(c) Use a different delimiter string because the comma cannot be escaped.

                                                                  (a)             (a)
http_fuzz url='http://10.0.0.1/login?username=admin&password=_@@_FILE0_@@_' -e _@@_:hex
 0=words.txt -x ignore:'code=200|size=1500-|fgrep=Welcome, unauthenticated user' -X '|'
                (b)                                                              (c)

Brute-force logon that enforces two random nonces to be submitted along every POST.

(a) First, request the page that provides the nonces as hidden input fields.

(b) Use regular expressions to extract the nonces that are to be submitted along the main request.

http_fuzz url=http://10.0.0.1/login method=POST body='user=admin&pass=FILE0&nonce1=_N1_&nonce2=_N2_' 0=passwords.txt accept_cookie=1
 before_urls=http://10.0.0.1/index before_egrep='_N1_:<input type="hidden" name="nonce1" value="(\w+)"|_N2_:name="nonce2" value="(\w+)"'
           (a)                                (b)

Test the OPTIONS method against a list of URLs.

(a) Ignore URLs that only allow the HEAD and GET methods.

(b) Header end of line is '\r\n'.

(c) Use a different delimiter string because the comma cannot be escaped.

http_fuzz url=FILE0 0=urls.txt method=OPTIONS -x ignore:egrep='^Allow: HEAD, GET\r$' -X '|'
                                                            (a)                 (b)  (c)

LDAP

Brute-force authentication.

(a) Do not report wrong passwords.

(b) Talk SSL/TLS to port 636.

ldap_login host=10.0.0.1 binddn='cn=FILE0,dc=example,dc=com' 0=logins.txt bindpw=FILE1 1=passwords.txt
 -x ignore:mesg='ldap_bind: Invalid credentials (49)' ssl=1 port=636
         (a)                                              (b)

SMB

Brute-force authentication.

smb_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:fgrep=STATUS_LOGON_FAILURE

NB. If you suddenly get STATUS_ACCOUNT_LOCKED_OUT errors for an account although it is not the first password you test on this account, then you must have locked it.

Pass-the-hash.

(a) Test a list of hosts.

(b) Test every user (each line := login:rid:LM hash:NT hash).

smb_login host=FILE0 0=hosts.txt user=COMBO10 password_hash=COMBO12:COMBO13 1=pwdump.txt -x ...
             (a)                                         (b)

rlogin

Brute-force usernames that root might be allowed to log in as with no password (e.g. a ~/.rhosts file with the line "+ root").

rlogin_login host=10.0.0.1 luser=root user=FILE0 0=logins.txt persistent=0 -x ignore:fgrep=Password:

Brute-force usernames that might be allowed to log in as root with no password (e.g. a /root/.rhosts file with the line "+ john").

rlogin_login host=10.0.0.1 user=root luser=FILE0 0=logins.txt persistent=0 -x ignore:fgrep=Password:

MSSQL

Brute-force authentication.

mssql_login host=10.0.0.1 user=sa password=FILE0 0=passwords.txt -x ignore:fgrep='Login failed for user'

Oracle

Beware, by default in Oracle, accounts are permanently locked out after 10 wrong passwords, except for the SYS account.

Brute-force authentication.

oracle_login host=10.0.0.1 user=SYS password=FILE0 0=passwords.txt sid=ORCL -x ignore:code=ORA-01017

NB0. With Oracle 10g XE (Express Edition), you do not need to pass a SID.

NB1. If you get ORA-12516 errors, it may be because you reached the limit of concurrent connections or db processes. Try using "--rate-limit 0.5 -t 2" to be more polite. You can also run "alter system set processes=150 scope=spfile;" and restart your database to get rid of this.

Brute-force SID.

oracle_login host=10.0.0.1 sid=FILE0 0=sids.txt -x ignore:code=ORA-12505

NB. Against Oracle9, it may crash (Segmentation fault) as soon as a valid SID is found (cx_Oracle bug). Sometimes, the SID gets printed out before the crash, so try running the same command again if it did not.

MySQL

Brute-force authentication.

mysql_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:fgrep='Access denied for user'

PostgreSQL

Brute-force authentication.

pgsql_login host=10.0.0.1 user=postgres password=FILE0 0=passwords.txt -x ignore:fgrep='password authentication failed'

VNC

Some VNC servers have built-in anti-bruteforce functionality that temporarily blacklists the attacker's IP address after too many wrong passwords.

  • RealVNC-4.1.3 or TightVNC-1.3.10 for example, allow 5 failed attempts and then enforce a 10 second delay. For each subsequent failed attempt that delay is doubled.
  • RealVNC-3.3.7 or UltraVNC allow 6 failed attempts and then enforce a 10 second delay between each following attempt.

Brute-force authentication.

(a) No need to use more than one thread.

(b) Keep retrying the same password when we are blacklisted by the server.

(c) Exit execution as soon as a valid password is found.

                                                        (a)
vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt --threads 1
 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0
        (b)                                 (b)                 (c)
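
The two throttling behaviours listed above, modelled as a server-side limiter to show what each one costs a single client that waits out every block. This is an added example, not code from patator or from any VNC server; the class and function names and the client address are illustrative, and it assumes the delay has no cap and is only cleared by a successful login.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThrottlePolicy:
    free_failures: int   # failed logins tolerated before any delay
    base_delay: float    # seconds enforced once the allowance is used up
    doubling: bool       # True: the delay doubles on every further failure


# Numbers taken from the two bullets above.
DOUBLING = ThrottlePolicy(free_failures=5, base_delay=10.0, doubling=True)
FIXED = ThrottlePolicy(free_failures=6, base_delay=10.0, doubling=False)


@dataclass
class ClientState:
    failures: int = 0
    blocked_until: float = 0.0


class FailureThrottle:
    """Per-source-address throttle. Time is passed in so it can be simulated."""

    def __init__(self, policy):
        self.policy = policy
        self.clients = {}

    def seconds_blocked(self, addr, now):
        """How long `addr` must still wait before the server accepts an attempt."""
        state = self.clients.get(addr)
        return max(0.0, state.blocked_until - now) if state else 0.0

    def record_failure(self, addr, now):
        state = self.clients.setdefault(addr, ClientState())
        state.failures += 1
        over = state.failures - self.policy.free_failures
        if over >= 0:  # allowance used up: start (or extend) the block
            delay = self.policy.base_delay
            if self.policy.doubling:
                delay *= 2 ** over
            state.blocked_until = now + delay

    def record_success(self, addr):
        # Assumption of this sketch: only a successful login clears the counter.
        self.clients.pop(addr, None)


def time_to_exhaust(policy, wrong_guesses, attempt_cost=0.0):
    """Seconds until one client has had `wrong_guesses` passwords rejected.

    The client uses a single connection at a time and sleeps through every
    block, so the result is the delay the policy itself imposes plus
    `attempt_cost` seconds per attempt.
    """
    throttle = FailureThrottle(policy)
    addr = "192.0.2.10"  # constructed address from the documentation range
    now = 0.0
    for _ in range(wrong_guesses):
        now += throttle.seconds_blocked(addr, now)
        now += attempt_cost
        throttle.record_failure(addr, now)
    return now


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    print(f"{'guesses':>8}  {'doubling delay':>22}  {'fixed delay':>14}")
    for n in (6, 10, 20, 50):
        print(f"{n:>8}  {human(time_to_exhaust(DOUBLING, n)):>22}"
              f"  {human(time_to_exhaust(FIXED, n)):>14}")
```

Under the fixed delay the cost grows linearly with the wordlist, while the doubling delay makes even a 50-entry list impractical from one address.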

DNS

Brute-force subdomains.

(a) Ignore NXDOMAIN responses (rcode 3).

dns_forward name=FILE0.google.com 0=names.txt -x ignore:code=3
                                              (a)

Brute-force a domain with every possible TLD.

dns_forward name=google.MOD0 0=TLD -x ignore:code=3

Brute-force SRV records.

dns_forward name=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3

Grab the version of several hosts.

dns_forward server=FILE0 0=hosts.txt name=version.bind qtype=txt qclass=ch

Reverse lookup several networks.

(a) Ignore names that do not contain 'google.com'.

(b) Ignore generic PTR records.

dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
                                                                                (a)                         (b)

SNMP

SNMPv1/2 : Find valid community names.

snmp_login host=10.0.0.1 community=FILE0 0=names.txt -x ignore:mesg='No SNMP response received before timeout'

SNMPv3 : Find valid usernames.

snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName

SNMPv3 : Find valid passwords.

snmp_login host=10.0.0.1 version=3 user=myuser auth_key=FILE0 0=passwords.txt -x ignore:mesg=wrongDigest

NB0. If you get "notInTimeWindow" error messages, increase the retries option.

NB1. SNMPv3 requires passphrases to be at least 8 characters long.

Unzip

Brute-force the ZIP file password (cracking older pkzip encryption used not to be supported in JtR).

unzip_pass zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0

patator Usage Example

  • FTP : Enumerating users denied login in vsftpd/userlist
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
19:36:06 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 19:36 AEDT
19:36:06 patator    INFO -
19:36:06 patator    INFO - code  size    time | candidate                          |   num | mesg
19:36:06 patator    INFO - -----------------------------------------------------------------------------
19:36:07 patator    INFO - 230   17     0.002 | anonymous                          |     7 | Login successful.
19:36:07 patator    INFO - 230   17     0.001 | ftp                                |    10 | Login successful.
19:36:08 patator    INFO - 530   18     1.000 | root                               |     1 | Permission denied.
19:36:17 patator    INFO - 530   18     1.000 | michael                            |    50 | Permission denied.
19:36:36 patator    INFO - 530   18     1.000 | robert                             |    93 | Permission denied.
...

Tested against vsftpd-3.0.2-9 on CentOS 7.0-1406

  • SSH : Time-based user enumeration
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
17:45:20 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 17:45 AEDT
17:45:20 patator    INFO -
17:45:20 patator    INFO - code  size    time | candidate                          |   num | mesg
17:45:20 patator    INFO - -----------------------------------------------------------------------------
17:45:30 patator    FAIL - xxx   41    10.001 | root                               |     1 | <class '__main__.TimeoutError'> timed out
17:45:34 patator    FAIL - xxx   41    10.000 | john                               |    23 | <class '__main__.TimeoutError'> timed out
17:45:37 patator    FAIL - xxx   41    10.000 | joe                                |    40 | <class '__main__.TimeoutError'> timed out
...

Tested against openssh-server 1:6.0p1-4+deb7u2 on Debian 7.8

  • HTTP : Brute-force phpMyAdmin logon
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
11:53:47 patator    INFO - Starting Patator v0.7-beta (http://code.google.com/p/patator/) at 2014-08-31 11:53 EST
11:53:47 patator    INFO -
11:53:47 patator    INFO - code size:clen       time | candidate                          |   num | mesg
11:53:47 patator    INFO - -----------------------------------------------------------------------------
11:53:48 patator    INFO - 200  49585:0        0.150 | root:p@ssw0rd                      |    26 | HTTP/1.1 200 OK
11:53:51 patator    INFO - 200  13215:0        0.351 | root:                              |    72 | HTTP/1.1 200 OK
^C
11:53:54 patator    INFO - Hits/Done/Skip/Fail/Size: 2/198/0/0/3000, Avg: 29 r/s, Time: 0h 0m 6s
11:53:54 patator    INFO - To resume execution, pass --resume 15,15,15,16,15,36,15,16,15,40

Payload #72 was a false positive due to an unexpected error message:

$ grep AllowNoPassword /tmp/qsdf/72_200\:13215\:0\:0.351.txt
... class="icon ic_s_error" /> Login without a password is forbidden by configuration (see AllowNoPassword)</div><noscript>

Tested against phpMyAdmin 4.2.7.1.

  • IKE : Enumerate transforms supported by VPN peer
# ike_enum host=10.0.0.1 transform=MOD0 0=TRANS aggressive=RANGE1 1=int:0-1 -x ignore:fgrep='NO-PROPOSAL'
16:52:58 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-04-05 16:52 AEST
16:52:58 patator    INFO -
16:52:58 patator    INFO - code  size    time | candidate                          |   num | mesg
16:52:58 patator    INFO - -----------------------------------------------------------------------------
16:53:03 patator    INFO - 0     70     0.034 | 5,1,1,2:0                          |  1539 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Main)
16:53:03 patator    INFO - 0     72     0.031 | 5,1,65001,2:0                      |  1579 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Main)
16:53:03 patator    INFO - 0     76     0.033 | 5,1,1,2:1                          |  1540 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Aggressive)
16:53:03 patator    INFO - 0     78     0.034 | 5,1,65001,2:1                      |  1580 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Aggressive)
16:53:06 patator    INFO - 0     84     0.034 | 7/128,2,1,2:0                      |  2371 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Main)
16:53:06 patator    INFO - 0     90     0.033 | 7/128,2,1,2:1                      |  2372 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Aggressive)
16:53:06 patator    INFO - 0     86     0.034 | 7/128,2,65001,2:0                  |  2411 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Main)
16:53:06 patator    INFO - 0     92     0.035 | 7/128,2,65001,2:1                  |  2412 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Aggressive)

+ 10.0.0.1:500 (Main Mode)
    Encryption       Hash         Auth      Group
    ---------- ----------   ---------- ----------
          3DES        MD5          PSK   modp1024
          3DES        MD5        XAUTH   modp1024
        AES128       SHA1          PSK   modp1024
        AES128       SHA1        XAUTH   modp1024

+ 10.0.0.1:500 (Aggressive Mode)
    Encryption       Hash         Auth      Group
    ---------- ----------   ---------- ----------
          3DES        MD5          PSK   modp1024
          3DES        MD5        XAUTH   modp1024
        AES128       SHA1          PSK   modp1024
        AES128       SHA1        XAUTH   modp1024
16:53:11 patator    INFO - Hits/Done/Skip/Fail/Size: 8/3840/0/0/3840, Avg: 284 r/s, Time: 0h 0m 13s

  • SNMPv3 : Find valid usernames
$ snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName
17:51:06 patator    INFO - Starting Patator v0.5
17:51:06 patator    INFO - 
17:51:06 patator    INFO - code  size | candidate                          |   num | mesg
17:51:06 patator    INFO - ----------------------------------------------------------------------
17:51:11 patator    INFO - 0-0   11   | robert                             |    55 | wrongDigest
17:51:12 patator    INFO - Progress:  20% (70/345) | Speed: 10 r/s | ETC: 17:51:38 (00:00:26 remaining)
17:51:33 patator    INFO - 0-0   11   | myuser                             |   311 | wrongDigest
17:51:36 patator    INFO - Hits/Done/Skip/Fail/Size: 2/345/0/0/345, Avg: 11 r/s, Time: 0h 0m 30s

  • SNMPv3 : Find valid passwords
$ snmp_login host=10.0.0.1 version=3 user=robert auth_key=FILE0 0=passwords_8+.txt -x ignore:mesg=wrongDigest
17:52:15 patator    INFO - Starting Patator v0.5
17:52:15 patator    INFO - 
17:52:15 patator    INFO - code  size | candidate                          |   num | mesg
17:52:15 patator    INFO - ----------------------------------------------------------------------
17:52:16 patator    INFO - 0-0   69   | password123                        |    16 | Linux thug 2.6.36-gentoo #5 SMP Fri Aug 12 14:49:51 CEST 2011 i686
17:52:17 patator    INFO - Hits/Done/Skip/Fail/Size: 1/50/0/0/50, Avg: 38 r/s, Time: 0h 0m 1s

  • DNS : Forward lookup
$ dns_forward name=FILE0.hsc.fr 0=names.txt -x ignore:code=3
03:18:46 patator    INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 03:18 PMT
03:18:46 patator    INFO - 
03:18:46 patator    INFO - code  size | candidate                          |   num | mesg
03:18:46 patator    INFO - ----------------------------------------------------------------------
03:18:46 patator    INFO - 0     41   | www                                |     4 | NOERROR [www.hsc.fr. IN A 217.174.211.25]
03:18:46 patator    INFO - 0     81   | mail                               |    32 | NOERROR [mail.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     44   | webmail                            |    62 | NOERROR [webmail.hsc.fr. IN A 192.70.106.95]
03:18:46 patator    INFO - 0     93   | test                               |    54 | NOERROR [hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600]
03:18:46 patator    INFO - 0     40   | wap                                |    66 | NOERROR [wap.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     85   | extranet                           |   131 | NOERROR [extranet.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     81   | news                               |   114 | NOERROR [news.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     93   | mailhost                           |   137 | NOERROR [mailhost.hsc.fr. IN A 192.70.106.33][mailhost.hsc.fr. IN AAAA 2001:7a8:1155:2::abcd]
03:18:46 patator    INFO - 0     47   | lists                              |   338 | NOERROR [lists.hsc.fr. IN MX 10 itesec.hsc.fr.]
03:18:46 patator    INFO - 0     93   | fr                                 |   319 | NOERROR [hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600]
03:18:47 patator    INFO - 0     40   | gl                                 |   586 | NOERROR [gl.hsc.fr. IN A 192.70.106.103]
Records ------------------------------------------
                  extranet.hsc.fr.   IN CNAME   itesec.hsc.fr.
                        gl.hsc.fr.   IN A       192.70.106.103
                           hsc.fr.   IN SOA     itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600
                    itesec.hsc.fr.   IN A       192.70.106.33
                     lists.hsc.fr.   IN MX      10 itesec.hsc.fr.
                      mail.hsc.fr.   IN CNAME   itesec.hsc.fr.
                  mailhost.hsc.fr.   IN A       192.70.106.33
                  mailhost.hsc.fr.   IN AAAA    2001:7a8:1155:2::abcd
                      news.hsc.fr.   IN CNAME   itesec.hsc.fr.
                       wap.hsc.fr.   IN A       192.70.106.33
                   webmail.hsc.fr.   IN A       192.70.106.95
                       www.hsc.fr.   IN A       217.174.211.25
Hostmap ------------------------------------------
                   mailhost.hsc.fr 2001:7a8:1155:2::abcd
                   mailhost.hsc.fr 192.70.106.33
                        wap.hsc.fr 192.70.106.33
                     itesec.hsc.fr 192.70.106.33
                   extranet.hsc.fr
                       mail.hsc.fr
                       news.hsc.fr
                    webmail.hsc.fr 192.70.106.95
                         gl.hsc.fr 192.70.106.103
                        www.hsc.fr 217.174.211.25
Domains ------------------------------------------
                            hsc.fr 10
Networks -----------------------------------------
                                   2001:7a8:1155:2::abcd
                                   192.70.106.x
                                   217.174.211.25
03:18:53 patator    INFO - Hits/Done/Skip/Fail/Size: 11/1000/0/0/1000, Avg: 133 r/s, Time: 0h 0m 7s

Also notice that test.hsc.fr. is the start of a new zone because we got NOERROR and no IP address.

  • DNS : Reverse lookup two netblocks owned by Google
$ dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
03:24:22 patator    INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 03:24 PMT
03:24:22 patator    INFO - 
03:24:22 patator    INFO - code  size | candidate                          |   num | mesg
03:24:22 patator    INFO - ----------------------------------------------------------------------
03:24:22 patator    INFO - 0     46   | 216.239.32.10                      |    11 | NOERROR [216.239.32.10 IN PTR ns1.google.com.]
03:24:22 patator    INFO - 0     45   | 216.239.32.11                      |    12 | NOERROR [216.239.32.11 IN PTR ns.google.com.]
03:24:22 patator    INFO - 0     48   | 216.239.32.15                      |    16 | NOERROR [216.239.32.15 IN PTR time1.google.com.]
03:24:23 patator    INFO - 0     47   | 216.239.33.5                       |   262 | NOERROR [216.239.33.5 IN PTR proxy.google.com.]
03:24:23 patator    INFO - 0     47   | 216.239.33.12                      |   269 | NOERROR [216.239.33.12 IN PTR dns1.google.com.]
03:24:23 patator    INFO - 0     51   | 216.239.33.22                      |   279 | NOERROR [216.239.33.22 IN PTR transfer.google.com.]
03:24:23 patator    INFO - 0     50   | 216.239.33.20                      |   277 | NOERROR [216.239.33.20 IN PTR esc-out.google.com.]
03:24:23 patator    INFO - 0     46   | 216.239.34.10                      |   523 | NOERROR [216.239.34.10 IN PTR ns2.google.com.]
03:24:23 patator    INFO - 0     48   | 216.239.34.15                      |   528 | NOERROR [216.239.34.15 IN PTR time2.google.com.]
^C
Records ------------------------------------------
                     216.239.32.10       IN PTR      ns1.google.com.
                     216.239.32.11       IN PTR      ns.google.com.
                     216.239.32.15       IN PTR      time1.google.com.
                     216.239.33.12       IN PTR      dns1.google.com.
                     216.239.33.20       IN PTR      esc-out.google.com.
                     216.239.33.22       IN PTR      transfer.google.com.
                      216.239.33.5       IN PTR      proxy.google.com.
                     216.239.34.10       IN PTR      ns2.google.com.
                     216.239.34.15       IN PTR      time2.google.com.
Hostmap ------------------------------------------
                    ns1.google.com 216.239.32.10
                     ns.google.com 216.239.32.11
                  time1.google.com 216.239.32.15
                  proxy.google.com 216.239.33.5
                   dns1.google.com 216.239.33.12
                esc-out.google.com 216.239.33.20
               transfer.google.com 216.239.33.22
                    ns2.google.com 216.239.34.10
                  time2.google.com 216.239.34.15
Domains ------------------------------------------
                        google.com 9
Networks -----------------------------------------
                                   216.239.32.x
                                   216.239.33.x
                                   216.239.34.x
03:24:29 patator    INFO - Hits/Done/Skip/Fail/Size: 9/872/0/0/4352, Avg: 115 r/s, Time: 0h 0m 7s
03:24:29 patator    INFO - To resume execution, pass --resume 91,75,93,73,84,95,94,95,83,89

  • ZIP : Crack a password-protected ZIP file (older pkzip encryption used not to be supported in JtR)
$ unzip_pass zipfile=challenge1.zip password=FILE0 0=rockyou.dic -x ignore:code!=0 
10:54:29 patator    INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 10:54:29 PMT
10:54:29 patator    INFO - 
10:54:29 patator    INFO - code  size | candidate                          |   num | mesg
10:54:29 patator    INFO - ----------------------------------------------------------------------
10:54:30 patator    INFO - 0     82   | love                               |   387 | 0 [82] No errors detected in compressed data of challenge1.zip.
^C
10:54:31 patator    INFO - Hits/Done/Skip/Fail/Size: 1/1589/0/0/5000, Avg: 699 r/s, Time: 0h 0m 2s
10:54:31 patator    INFO - To resume execution, pass --resume 166,164,165,166,155,158,148,158,155,154

How to install patator

The program is pre-installed on Kali Linux.

Installation on Linux (Debian, Mint, Ubuntu)

Dependencies (best tested versions)

                 |  Required for  |                        URL                         | Version |
--------------------------------------------------------------------------------------------------
paramiko         | SSH            | http://www.lag.net/paramiko/                       | 1.7.7.1 |
--------------------------------------------------------------------------------------------------
pycurl           | HTTP           | http://pycurl.sourceforge.net/                     |  7.19.3 |
--------------------------------------------------------------------------------------------------
libcurl          | HTTP           | https://curl.haxx.se/                              |  7.21.0 |
--------------------------------------------------------------------------------------------------
ajpy             | AJP            | https://github.com/hypn0s/AJPy/                    |   0.0.1 |
--------------------------------------------------------------------------------------------------
openldap         | LDAP           | http://www.openldap.org/                           |  2.4.24 |
--------------------------------------------------------------------------------------------------
impacket         | SMB            | https://github.com/CoreSecurity/impacket           |  0.9.12 |
--------------------------------------------------------------------------------------------------
cx_Oracle        | Oracle         | http://cx-oracle.sourceforge.net/                  |   5.1.1 |
--------------------------------------------------------------------------------------------------
mysql-python     | MySQL          | http://sourceforge.net/projects/mysql-python/      |   1.2.3 |
--------------------------------------------------------------------------------------------------
xfreerdp         | RDP (NLA)      | https://github.com/FreeRDP/FreeRDP/                |   1.2.0 |
--------------------------------------------------------------------------------------------------
psycopg          | PostgreSQL     | http://initd.org/psycopg/                          |   2.4.5 |
--------------------------------------------------------------------------------------------------
pycrypto         | VNC            | http://www.dlitz.net/software/pycrypto/            |     2.3 |
--------------------------------------------------------------------------------------------------
dnspython        | DNS            | http://www.dnspython.org/                          |  1.10.0 |
--------------------------------------------------------------------------------------------------
IPy              | NET keyword    | https://github.com/haypo/python-ipy                |    0.75 |
--------------------------------------------------------------------------------------------------
pysnmp           | SNMP           | http://pysnmp.sourceforge.net/                     |   4.2.1 |
--------------------------------------------------------------------------------------------------
pyasn1           | SNMP           | http://sourceforge.net/projects/pyasn1/            |   0.1.2 |
--------------------------------------------------------------------------------------------------
ike-scan         | IKE            | http://www.nta-monitor.com/tools-resources/        |     1.9 |
--------------------------------------------------------------------------------------------------
unzip            | ZIP passwords  | http://www.info-zip.org/                           |     6.0 |
--------------------------------------------------------------------------------------------------
Java             | keystore files | http://www.oracle.com/technetwork/java/javase/     |       6 |
--------------------------------------------------------------------------------------------------
pysqlcipher      | SQLCipher      | https://github.com/leapcode/pysqlcipher/           |  2.6.10 |
--------------------------------------------------------------------------------------------------
python           |                | http://www.python.org/                             |     2.7 |
--------------------------------------------------------------------------------------------------

wget https://raw.githubusercontent.com/lanjelot/patator/master/patator.py
chmod +x patator.py
./patator.py

Related tools