LinuxCommandLibrary

patator

Brute-force attack web applications and services

TLDR

Brute-force SSH login with rate-limit and timeout options (a successful login will show the login banner or something similar)
$ patator ssh_login host=[ip_or_host] user=FILE0 password=FILE1 0=[path/to/users.txt] 1=[path/to/passwords.txt] --rate-limit=[seconds] --timeout=[seconds] -x ignore:mesg='Authentication failed.'

Brute-force an encrypted ZIP file
$ patator unzip_pass zipfile=[path/to/file.zip] password=FILE0 0=[path/to/passwords.txt] -x ignore:code!=0

Brute-force HTTP basic auth (the payload file userpass.txt should be in the format username:password)
$ patator http_fuzz url=[http://host:port] auth_type=basic user_pass=COMBO00:COMBO01 0=[path/to/userpass.txt] -x ignore:code=401

Brute-force FTP/FTPS login
$ patator ftp_login host=[ip_or_host] user=FILE0 password=FILE1 0=[path/to/users.txt] 1=[path/to/passwords.txt] tls=[0|1] -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500

List all available modules
$ patator --help

Display help for a particular module
$ patator [module_name] --help

SYNOPSIS

patator <module> [keyword=value ...] [--options]

PARAMETERS

module
    Required module name, e.g., ssh_login, ftp_login, http_fuzz, smb_login

host=FILE0|STR
    Target host(s) from file or string; supports 0=host.txt for indexing

user=FILE1|STR
    Username(s) from file or string

password=FILE2|STR
    Password(s) from file or string; pairs with user via indexing

port=INT
    Target port, e.g., 22 for SSH

threads=INT
    Number of concurrent threads (default: 10)

timeout=INT
    Socket timeout in seconds (default: 10)

-x rule
    Exclusion rules, e.g., -x ignore:fgrep='403 Forbidden', ignore:mesg='Login failed'

--delay=FLT
    Delay between requests in seconds for stealth

--rate-limit=INT
    Max requests per second

-o FILE
    Output results to file (JSON/CSV)

--persistent
    Keep connections open for reuse

--encoding=STR
    Encode payloads (base64, urlencode, etc.)

-r INT
    Max retries per payload (default: 0)

--help
    Show module-specific help

DESCRIPTION

Patator is a flexible, Python-based tool designed for brute-force attacks and fuzzing against network services on Linux/Unix systems. It supports numerous modules for protocols like SSH, FTP, HTTP, SMB, SQL, and more, allowing automated dictionary attacks, credential stuffing, and parameter fuzzing.

Key features include multi-threading for speed, payload encoding/decoding, conditional skipping, and advanced post-processing with plugins. Users define inputs via files (e.g., wordlists for usernames/passwords) and specify targets dynamically. Its syntax uses placeholders like FILE0, NUM0 for sequential or file-based payloads, enabling complex scenarios like combining user/pass lists.

Patator emphasizes stealth with delays, retries, and response filtering (e.g., ignoring 403 responses via -x ignore:code=403). It's ideal for pentesters but requires ethical use, as misuse violates laws. Hits are logged to files, with options for resuming sessions. Compared to Hydra, it's more scriptable and extensible via Python plugins.

CAVEATS

Intended for authorized penetration testing only; illegal use risks legal consequences.
High thread counts may trigger IDS/IPS. Not for production systems. Requires Python 2.6+ (legacy; modern forks exist). No built-in proxy support.

COMMON MODULES

ssh_login, ftp_login, smtp_login, http_fuzz, smb_login, mysql_login. List all with patator --list-modules.

EXAMPLE USAGE

patator ssh_login host=192.168.1.1 user=FILE0 password=FILE1 0=users.txt 1=pass.txt threads=50 -x ignore:mesg='Authentication failed'

INSTALLATION

Available in Kali: apt install patator. Or git clone https://github.com/lanjelot/patator.git.

HISTORY

Developed by Philippe 'fofao' Arteau starting ~2011. Open-sourced on GitHub as a faster Hydra alternative. Actively maintained until ~2017; community forks continue support for Python 3. Widely used in Kali Linux pentesting distros.

SEE ALSO

hydra(1), medusa(1), nmap(1), nc(1)
