- unzip_pass : Brute-force the password of encrypted ZIP files - keystore_pass : Brute-force the password of Java keystore files
Future modules to be implemented: - rdp_login
The name "Patator" comes from http://www.youtube.com/watch?v=xoBkBvnTTjo "Whatever the payload to fire, always use the same cannon"
* Why ?
Basically, I got tired of using Medusa, Hydra, Ncrack, Metasploit auxiliary modules, Nmap NSE scripts and the like because: - they either do not work or are not reliable (got me false negatives several times in the past) - they are not flexible enough (how to iterate over all wordlists, fuzz any module parameter) - they lack useful features (display progress or pause during execution)
FEATURES -------- * No false negatives, as it is the user that decides what results to ignore based on: + status code of response + size of response + matching string or regex in response data + ... see --help
* Modular design + not limited to network modules (eg. the unzip_pass module) + not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)
* Interactive runtime + show progress during execution (press Enter) + pause/unpause execution (press p) + increase/decrease verbosity + add new actions & conditions during runtime (eg. to exclude more types of response from showing) + ... press h to see all available interactive commands
* Use persistent connections (ie. will test several passwords until the server disconnects)
* Multi-threaded
* Flexible user input - Any module parameter can be fuzzed: + use the FILE keyword to iterate over a file + use the COMBO keyword to iterate over a combo file + use the NET keyword to iterate over every hosts of a network subnet + use the RANGE keyword to iterate over hexadecimal, decimal or alphabetical ranges + use the PROG keyword to iterage over the output of an external program
- Iteration over the joined wordlists can be done in any order
* Save every response (along with request) to seperate log files for later reviewing
* Shortcuts (optionnal) ln -s path/to/patator.py /usr/bin/ftp_login ln -s path/to/patator.py /usr/bin/http_fuzz so on ...
USAGE -----
$ python patator.py -h or $ -h (if you created the shortcuts)
There are global options and module options: - all global options start with - or -- - all module options are of the form option=value
All module options are fuzzable: --------- ./module host=FILE0 port=FILE1 foobar=FILE2.google.FILE3 0=hosts.txt 1=ports.txt 2=foo.txt 3=bar.txt
The keywords (FILE, COMBO, NET, ...) act as place-holders. They indicate the type of wordlist and where to replace themselves with the actual words to test.
Each keyword is numbered in order to: - match the corresponding wordlist - and indicate in what order to iterate over all the wordlists
For instance, this would be the classic order: --------- $ ./module host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt 10.0.0.1 root password 10.0.0.1 root 123456 10.0.0.1 root qsdfghj ... (trying all passwords before testing next login) 10.0.0.1 admin password 10.0.0.1 admin 123456 10.0.0.1 admin qsdfghj ... (trying all logins before testing next host) 10.0.0.2 root password ...
Brute-force a list of hosts with a file containing combo entries (each line := login:password). --------- ./module host=FILE0 user=COMBO10 password=COMBO11 0=hosts.txt 1=combos.txt
Scan subnets to just grab version banners. --------- ./module host=NET0 0=10.0.1.0/24,10.0.2.0/24,10.0.3.128-10.0.3.255
Fuzzing a parameter by iterating over a range of values. --------- ./module param=RANGE0 0=hex:0x00-0xffff ./module param=RANGE0 0=int:0-500 ./module param=RANGE0 0=lower:a-zzz
* Actions & Conditions
Use the -x option to do specific actions upon receiving expected results. For instance:
To ignore responses with status code 200 *AND* a size within a range. --------- ./module host=10.0.0.1 user=FILE0 -x ignore:code=200,size=57-74
To ignore responses with status code 500 *OR* containing "Internal error". --------- ./module host=10.0.0.1 user=FILE0 -x ignore:code=500 -x ignore:fgrep='Internal error'
Remember that conditions are ANDed within the same -x option, use multiple -x options to specify ORed conditions.
* Failures
During execution, failures may happen, such as a TCP connect timeout for instance. A failure is actually an exception that the module does not expect, and as a result the exception is caught upstream by the controller.
Such exceptions, or failures, are not immediately reported to the user, the controller will retry 4 more times (see --max-retries) before reporting the failed payload with logging level "FAIL".
* Read carefully the following examples to get a good understanding of how patator works. {{{ FTP
* Brute-force authentication. Do not report wrong passwords. --------- ftp_login host=10.0.0.1 user=FILE0 password=FILE1 0=logins.txt 1=passwords.txt -x ignore:mesg='Login incorrect.'
NB0. If you get errors like "500 OOPS: priv_sock_get_cmd", use -x ignore,reset,retry:code=500 in order to retry the last login/password using a new TCP connection. Odd servers like vsftpd return this when they shut down the TCP connection (ie. max login attempts reached).
NB1. If you get errors like "too many connections from your IP address", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections.
* Same as before, but stop testing a user after his password is found. --------- ftp_login ... -x free=user:code=0
* Find anonymous FTP servers on a subnet. --------- ftp_login host=NET0 user=anonymous password=test@example.com 0=10.0.0.0/24
}}} {{{ SSH * Brute-force authentication with password same as login (aka single mode). Do not report wrong passwords. --------- ssh_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:mesg='Authentication failed.'
NB. If you get errors like "Error reading SSH protocol banner ... Connection reset by peer", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections (eg. MaxStartups in OpenSSH).
* Brute-force several hosts and stop testing a host after a valid password is found. --------- ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt -x free=host:code=0
* Same as previous, but stop testing a user on a host after his password is found. --------- ssh_login host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt -x free=host+user:code=0
}}} {{{ Telnet
* Brute-force authentication. (a) Enter login after first prompt is detected, enter password after second prompt. (b) The regex to detect the login and password prompts. (c) Reconnect when we get no login prompt back (max number of tries reached or successful login). (a) telnet_login host=10.0.0.1 inputs='FILE0\nFILE1' 0=logins.txt 1=passwords.txt prompt_re='tux login:|Password:' -x reset:egrep!='Login incorrect.+tux login:' (b) (c)
NB. If you get errors like "telnet connection closed", try decreasing the number of threads, the server may be enforcing a maximum number of concurrent connections.
}}} {{{ SMTP
* Enumerate valid users using the VRFY command. (a) Do not report invalid recipients. (b) Do not report when the server shuts us down with "421 too many errors", reconnect and resume testing. (a) smtp_vrfy host=10.0.0.1 user=FILE0 0=logins.txt -x ignore:fgrep='User unknown in local recipient table' -x ignore,reset,retry:code=421 (b)
* Use the RCPT TO command in case the VRFY command is not available.
* Brute-force authentication. (a) Send a fake hostname (by default your host fqdn is sent) (a) smtp_login host=10.0.0.1 helo='ehlo its.me.com' user=FILE0@dom.com password=FILE1 0=logins.txt 1=passwords.txt
}}} {{{ HTTP
* Find hidden web resources. (a) Use a specific header. (b) Follow redirects. (c) Do not report 404 errors. (d) Retry on 500 errors. --------- (a) http_fuzz url=http://localhost/FILE0 0=words.txt header='Cookie: SESSID=A2FD8B2DA4' follow=1 -x ignore:code=404 -x ignore,retry:code=500 (b) (c) (d)
NB. You may be able to go 10 times faster using webef (http://www.hsc.fr/ressources/outils/webef/). It is the fastest HTTP brute-forcer I know, yet at the moment it still lacks useful features that will prevent you from performing the following attacks.
* Brute-force phpMyAdmin logon. (a) Use POST requests. (b) Follow redirects using cookies sent by server. (c) Ignore failed authentications. (a) (b) (b) http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST follow=1 accept_cookie=1 body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt -x ignore:fgrep='Cannot log in to the MySQL server' (c)
* Scan subnet for directory listings. (a) Ignore not matching reponses. (b) Save matching responses into directory.
* Brute-force logon using GET requests. (a) Encode everything surrounded by the two tags _@@_ in hexadecimal. (b) Ignore HTTP 200 responses with a content size (header+body) within given range and that also contain the given string. (c) Use a different delimiter string because the comma cannot be escaped. (a) (a) http_fuzz url='http://10.0.0.1/login?username=admin&password=_@@_FILE0_@@_' -e _@@_:hex 0=words.txt -x ignore:'code=200|size=1500-|fgrep=Welcome, unauthenticated user' -X '|' (b) (c)
* Brute-force logon that enforces two random nonces to be submitted along every POST. (a) First, request the page that provides the nonces as hidden input fields. (b) Use regular expressions to extract the nonces that are to be submitted along the main request.
* Test the OPTIONS method against a list of URLs. (a) Ignore URLs that only allow the HEAD and GET methods. (b) Header end of line is '\r\n'. (c) Use a different delimiter string because the comma cannot be escaped.
NB. If you suddenly get STATUS_ACCOUNT_LOCKED_OUT errors for an account although it is not the first password you test on this account, then you must have locked it.
* Pass-the-hash. (a) Test a list of hosts. (b) Test every user (each line := login:rid:LM hash:NT hash).
NB0. With Oracle 10g XE (Express Edition), you do not need to pass a SID.
NB1. If you get ORA-12516 errors, it may be because you reached the limit of concurrent connections or db processes, try using "--rate-limit 0.5 -t 2" to be more polite. Also you can run "alter system set processes=150 scope=spfile;" and restart your database to get rid of this.
NB. Against Oracle9, it may crash (Segmentation fault) as soon as a valid SID is found (cx_Oracle bug). Sometimes, the SID gets printed out before the crash, so try running the same command again if it did not.
}}} {{{ MySQL
* Brute-force authentication.
mysql_login host=10.0.0.1 user=FILE0 password=FILE0 0=logins.txt -x ignore:fgrep='Access denied for user'
}}} {{{ VNC Some VNC servers have built-in anti-bruteforce functionnality that temporarily blacklists the attacker IP address after too many wrong passwords. - RealVNC-4.1.3 or TightVNC-1.3.10 for example, allow 5 failed attempts and then enforce a 10 second delay. For each subsequent failed attempt that delay is doubled. - RealVNC-3.3.7 or UltraVNC allow 6 failed attempts and then enforce a 10 second delay between each following attempt.
* Brute-force authentication. (a) No need to use more than one thread. (b) Keep retrying the same password when we are blacklisted by the server. (c) Exit execution as soon as a valid password is found. --------- (a) vnc_login host=10.0.0.1 password=FILE0 0=passwords.txt --threads 1 -x retry:fgrep!='Authentication failure' --max-retries -1 -x quit:code=0 (b) (b) (c) }}} {{{ DNS
NB0. If you get "notInTimeWindow" error messages, increase the retries option. NB1. SNMPv3 requires passphrases to be at least 8 characters long.
}}} {{{ Unzip
* Brute-force the ZIP file password (cracking older pkzip encryption used to be not supported in JtR). ---------- unzip_pass zipfile=path/to/file.zip password=FILE0 0=passwords.txt -x ignore:code!=0
}}}
CHANGELOG
* v0.5 2013/07/05 - new modules: mysql_query, tcp_fuzz - new RANGE and PROG keywords (supersedes the reading from stdin feature) - switched to impacket for mssql_login - output more intuitive - fixed connection cache - minor bug fixes
