LinuxCommandLibrary

patator

Brute-force attack web applications and services

TLDR

Brute-force SSH login with rate-limit and timeout options (a successful login shows the login banner or something similar)

$ patator ssh_login host=[ip_or_host] user=FILE0 password=FILE1 0=[path/to/users.txt] 1=[path/to/passwords.txt] --rate-limit=[seconds] --timeout=[seconds] -x ignore:mesg='Authentication failed.'

Brute-force an encrypted ZIP file
$ patator unzip_pass zipfile=[path/to/file.zip] password=FILE0 0=[path/to/passwords.txt] -x ignore:code!=0

Brute-force HTTP basic auth (the payload file userpass.txt should be in the format username:password)
$ patator http_fuzz url=[http://host:port] auth_type=basic user_pass=COMBO00:COMBO01 0=[path/to/userpass.txt] -x ignore:code=401

Brute-force FTP/FTPS login
$ patator ftp_login host=[ip_or_host] user=FILE0 password=FILE1 0=[path/to/users.txt] 1=[path/to/passwords.txt] tls=[0|1] -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500

List all available modules
$ patator --help

Show help for a particular module
$ patator [module_name] --help

SYNOPSIS

patator <module> <options>

PARAMETERS

http_fuzz
    Module for HTTP brute-forcing and fuzzing.

smtp_login
    Module for SMTP login brute-forcing.

ftp_login
    Module for FTP login brute-forcing.

ssh_login
    Module for SSH login brute-forcing.

mssql_login
    Module for MS SQL Server login brute-forcing.

-x <connections>
    Number of concurrent connections. Important for performance.

-q
    Quiet mode. Suppresses output.

-d <delay>
    Delay in seconds between requests.

-t <template>
    Template string defining the request or command structure.

-u <userfile>
    File containing usernames to use.

-p <passfile>
    File containing passwords to use.

--version
    Show program's version number and exit.

-v
    Verbose output.

DESCRIPTION

Patator is a multi-purpose brute-forcer, designed to be highly modular and flexible.
It allows you to automate brute-forcing tasks with a wide range of modules, from basic HTTP authentication cracking to more complex tasks like SQL injection testing or even exploiting specific application vulnerabilities. Its flexibility lies in its template-based approach, allowing users to define custom attack patterns and payloads.

Patator is not just a single tool, but a framework to develop and extend functionality through modules.

CAVEATS

Patator can be resource-intensive, especially with a high number of connections. Use with caution.
Always be mindful of legal and ethical implications before using brute-forcing tools.
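
On the defending side, the rate-limit option in the SSH example above spaces attempts out, so a failures-per-minute threshold can miss a run that a cumulative per-source count still catches. The following Python is an added example, not part of this page or of patator; the log line layout (ISO-8601 syslog timestamps, OpenSSH "Failed password" messages), the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One failed password attempt as logged by sshd (ISO-8601 syslog timestamps assumed).
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse(lines):
    """Return (timestamp, user, source_ip) for each failed-password line."""
    hits = (FAILED.match(line) for line in lines)
    return [(datetime.fromisoformat(m[1]), m[2], m[3]) for m in hits if m]

def burst_sources(events, limit=5, window=timedelta(seconds=60)):
    """Sources with more than `limit` failures inside any sliding `window`."""
    recent, flagged = defaultdict(list), set()
    for ts, _user, ip in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) > limit:
            flagged.add(ip)
    return flagged

def slow_sources(events, min_failures=10, min_users=3):
    """Sources with many failures across several usernames, at any pace."""
    count, users = defaultdict(int), defaultdict(set)
    for _ts, user, ip in events:
        count[ip] += 1
        users[ip].add(user)
    return {ip for ip in count
            if count[ip] >= min_failures and len(users[ip]) >= min_users}

def sample_log():
    """Constructed log lines: a paced users x passwords run from one source,
    plus a single mistyped password from another."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    fmt = "{} host1 sshd[{}]: Failed password for {}{} from {} port 40000 ssh2"
    lines = []
    for i in range(12):  # 3 usernames x 4 passwords, one attempt every 30 s
        user = ("root", "admin", "deploy")[i // 4]
        prefix = "" if user == "root" else "invalid user "
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(fmt.format(ts, 900 + i, prefix, user, "203.0.113.7"))
    lines.append(fmt.format(t0.isoformat(), 950, "", "alice", "198.51.100.20"))
    return lines

if __name__ == "__main__":
    events = parse(sample_log())
    print("burst rule flags:", burst_sources(events))
    print("slow rule flags: ", slow_sources(events))
```

The burst rule stays silent on the paced run while the cumulative rule flags its source, and the single mistyped password is flagged by neither.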

TEMPLATE ENGINE

The template engine is the core of Patator's flexibility. It allows users to define the exact structure of requests or commands, including placeholders for usernames, passwords, and other variables. Refer to the documentation for detailed information on using the template syntax.

HISTORY

Patator was developed as a flexible brute-forcing tool to overcome the limitations of existing tools. It's actively maintained and updated with new modules and features.

SEE ALSO

hydra(1), ncrack(1)
