Patator was developed out of frustration with existing tools for password guessing attacks such as Hydra, Medusa, and Metasploit modules. It aims to offer a more reliable and flexible approach without merely repeating the shortcomings of its predecessors. Patator is a multi-threaded tool written in Python, designed to facilitate various types of password brute-forcing attacks.
Supported Modules
Patator supports a diverse range of modules for conducting password attacks, including:
- ftp_login: Brute-force FTP
- ssh_login: Brute-force SSH
- telnet_login: Brute-force Telnet
- smtp_login: Brute-force SMTP
- smtp_vrfy: Enumerate valid users using the SMTP VRFY command
- smtp_rcpt: Enumerate valid users using the SMTP RCPT TO command
- finger_lookup: Enumerate valid users using Finger
- http_fuzz: Brute-force HTTP/HTTPS
- rdp_gateway: Brute-force RDP Gateway
- pop_login: Brute-force POP
- imap_login: Brute-force IMAP
- ldap_login: Brute-force LDAP
- mysql_login: Brute-force MySQL
- pgsql_login: Brute-force PostgreSQL
- unzip_pass: Brute-force passwords of encrypted ZIP files
- sqlcipher_pass: Brute-force passwords of SQLCipher-encrypted databases
The tool encompasses many other modules aimed at brute-forcing and enumeration tasks across various services and protocols.
Installation
To install Patator, use the following commands:
git clone https://github.com/lanjelot/patator.git
git clone https://github.com/danielmiessler/SecLists.git
docker build -t patator patator/
docker run -it --rm -v $PWD/SecLists/Passwords:/mnt patator
dummy_test data=FILE0 0=/mnt/richelieu-french-top5000.txt
Usage Examples
Here are some example commands demonstrating how to use Patator:
- FTP Login: Enumerating users denied login in
vsftpd/userlist
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf
-x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
- SSH Login: Time-based user enumeration
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl
-e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
- HTTP Fuzz: Brute-force phpMyAdmin logon
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST
body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=
index.php&lang=en&token=' 0=combos.txt accept_cookie=1 follow=1
Conclusion and Prevention Tips
While Patator is a powerful tool for penetration testing and security assessment, it is important to remember that such tools should be used responsibly and ethically. Always seek permission before attempting any kind of password attack on a system. Organizations can enhance their security posture by implementing measures such as using strong, unique passwords and enabling two-factor authentication (2FA).
Stay protected and consider registering with BitNinja for enhanced security measures.
Sign Up Today and Start Your Free Trial.