Patator was developed out of frustration with existing tools like Hydra, Medusa, and Ncrack, which often fall short in reliability and flexibility. Aiming to provide a fresh approach, Patator is a multi-threaded tool written in Python designed for conducting password guessing attacks effectively.
Supported Modules
Patator supports a wide range of modules for different protocols, including:
- ftp_login: Brute-force FTP
- ssh_login: Brute-force SSH
- telnet_login: Brute-force Telnet
- smtp_login: Brute-force SMTP
- smtp_vrfy: Enumerate valid users using SMTP VRFY
- smtp_rcpt: Enumerate valid users using SMTP RCPT TO
- finger_lookup: Enumerate valid users using Finger
- http_fuzz: Brute-force HTTP/HTTPS
- rdp_gateway: Brute-force RDP Gateway
- ajp_fuzz: Brute-force AJP
- pop_login: Brute-force POP
- imap_login: Brute-force IMAP
- ldap_login: Brute-force LDAP
- ...and many more.
The name "Patator" is inspired by a humorous video reference, making it a memorable choice for this tool.
Installation
To install Patator, follow these steps:
git clone https://github.com/lanjelot/patator.git
git clone https://github.com/danielmiessler/SecLists.git
docker build -t patator patator/
docker run -it --rm -v $PWD/SecLists/Passwords:/mnt patator dummy_test data=FILE0 0=/mnt/richelieu-french-top5000.txt
Usage Examples
Patator can be used across various platforms with numerous scenarios. Here are some examples:
- FTP: Identifying users denied login in
vsftpd/userlist
.
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
Tested against vsftpd-3.0.2-9
on CentOS 7.0-1406
.
- SSH: Time-based user enumeration.
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
Tested against openssh-server 1:6.0p1-4+deb7u2
on Debian 7.8
.
- HTTP: Brute-force phpMyAdmin logon.
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server'.
Tested against phpMyAdmin 4.2.7.1
.
PyInstaller Bundling
Bundling Patator on Windows using PyInstaller involves several straightforward steps, beginning with installing Python and dependencies:
pip install pycrypto pyopenssl
pip install paramiko
pip install pysnmp
After preparing the environment, clone Patator and run PyInstaller:
cd c:\
git clone https://github.com/lanjelot/patator
git clone https://github.com/pyinstaller/pyinstaller
cd pyinstaller
python pyinstaller.py --clean --onefile c:\patator\patator.py
Conclusion
Patator is a versatile and efficient tool for password guessing attacks, boasting a variety of supported modules and ease of use. It is essential that users familiarize themselves with its capabilities and best practices to maximize its potential. By understanding how to use Patator effectively, users can conduct necessary security assessments and improve the security posture of their systems.
To enhance your security measures, consider registering for BitNinja.
Sign Up Today and Start Your Free Trial.