Brute Force with Patator


Today I wanted to show you this great alternative to Medusa or Hydra, which in some ways seems better to me than those two. Recently, in a hacking-lab test, one of the exercises was to brute-force a service, and naturally I reached for Hydra, but to my surprise it stopped at the first attempt, or sometimes kept waiting longer than it should.

The next logical step was to use Medusa, but the result was similar. A Metasploit module shed some light, but the test still had to be carried out, so I looked for a viable alternative, and that is where Patator came in.

Patator is a Python script for brute-force attacks and, as its author tells us, it is for those who are frustrated by the better-known Hydra or Medusa (or, in my case, when they simply do not deliver). Given its flexibility, it incorporates a large number of modules for different kinds of brute-force attacks.

At the moment it has 30 modules (twenty-nine for various services and one test module), which are:

+ ftp_login: Brute force against FTP
+ ssh_login: Brute force against SSH
+ telnet_login: Brute force against Telnet
+ smtp_login: Brute force against SMTP
+ smtp_vrfy: Enumerate users using SMTP VRFY
+ smtp_rcpt: Enumerate users using SMTP RCPT TO
+ finger_lookup: Enumerate users using Finger
+ http_fuzz: Brute force against HTTP
+ pop_login: Brute force against POP3
+ pop_passd: Brute force against poppassd (http://netwinsite.com/poppassd/)
+ imap_login: Brute force against IMAP4
+ ldap_login: Brute force against LDAP
+ smb_login: Brute force against SMB
+ smb_lookupsid: Brute force SMB SID lookup
+ rlogin_login: Brute force against Rlogin
+ vmauthd_login: Brute force against the VMware Authentication Daemon
+ mssql_login: Brute force against MSSQL
+ oracle_login: Brute force against Oracle
+ mysql_login: Brute force against MySQL
+ mysql_query: Brute force MySQL through queries
+ pgsql_login: Brute force against PostgreSQL
+ vnc_login: Brute force against VNC
+ dns_forward: Forward lookup of names
+ dns_reverse: Reverse lookup of subnets
+ snmp_login: Brute force against SNMP v1/2/3
+ unzip_pass: Crack password-protected zip files
+ keystore_pass: Brute force the password of Java keystore files
+ umbraco_crack: Crack Umbraco HMAC-SHA1 hashes
+ tcp_fuzz: Fuzz TCP services
+ dummy_test: Test module

As you can see, it covers a large number of protocols and, it must be said, with very good results.

Installation

Currently it is available on GitHub, in lanjelot's repository, from which we clone the repo:

Figure 1 – Downloaded from GitHub

If everything went well, it will show us the attack modules for the different protocols. To see the configuration options of each module, as the welcome screen indicates, run patator.py <module> --help

Figure 2 – Running Patator

Even at a first glance we can see the multitude of options the script has and the power it offers us, with filters and conditions for carrying out the brute-force attack.

Time to Play

As a demonstration of the tool we will use a couple of modules to see how it works: the SSH module and the FTP module, to test them and see their syntax. As the screenshot of the module help shows, Patator's usage syntax is slightly different from that of other brute-force programs, but by looking at the examples we will realize that it is very intuitive. If we use the --help parameter on a module we will see its options and an example:

Figure 3 – Help

Brute Force to SSH

For our case we have a test server on which we know the root user exists, but we know nothing about its password. As we see in the output, we have the following input parameters:

The message the service returns when a password is incorrect. If we do not specify this last parameter, every attempt will be shown on screen together with its result. It is worth setting it so that we do not pile up an enormous amount of data in the terminal.

Figure 4 – Attack in action

If we do not know the user and want to use a wordlist, we would add another variable like this:

Figure 5 – Configure the attack with a user and wordlist

If all goes well, the candidates column will show us the passwords that gave a positive result.

Figure 6 – User and Password achieved by brute force

As an extra, if we remove the filter -x ignore:mesg='Authentication failed.', it will show us each username and password tested, with the result in the last column:

Brute Force to FTP

We continue with our test server, and for FTP we will use Patator's ftp_login module. As parameters we will define the following:

The message the service returns when a password is incorrect. If we do not specify this last parameter, every attempt will be shown on screen together with its result. It is worth setting it so that we do not pile up an enormous amount of data in the terminal.

This is another condition: in Patator several filters can be chained, or with this condition a retry can be made if the returned code is 500.

Figure 7 – Case study with FTP

If we want to use a wordlist for the users parameter, we will add the following:

Figure 9 – Other examples of attack
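The other side of the two scenarios above (the SSH attempts that the service answers with "Authentication failed." and the FTP attempts answered with error codes) is what they look like in the server's logs. The following is an added example, not part of the original post and not Patator's code: a small Python detector that parses constructed sshd "Failed password"/"Accepted password" lines and vsftpd "FAIL LOGIN"/"OK LOGIN" lines, counts failures per source and service inside a sliding time window, and raises an alert for a burst of failures and, more importantly, for a success that follows such a burst (the "candidates" outcome seen from the defender's side). The log formats, the hostname, the IP addresses, the thresholds and the window length are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in syslog framing (not captured from a real host).
# The vsftpd lines assume vsftpd's own "[user] FAIL LOGIN: Client "ip"" message
# forwarded through syslog; adjust the regexes for your logger's format.
SAMPLE_LOG = """\
Mar  3 10:00:01 lab sshd[2101]: Failed password for root from 192.0.2.10 port 50001 ssh2
Mar  3 10:00:02 lab sshd[2102]: Failed password for root from 192.0.2.10 port 50002 ssh2
Mar  3 10:00:03 lab sshd[2103]: Failed password for root from 192.0.2.10 port 50003 ssh2
Mar  3 10:00:03 lab sshd[2104]: Failed password for root from 192.0.2.10 port 50004 ssh2
Mar  3 10:00:04 lab sshd[2105]: Accepted password for root from 192.0.2.10 port 50005 ssh2
Mar  3 10:00:05 lab sshd[2106]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:06 lab sshd[2107]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:00 lab sshd[2108]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Mar  3 10:03:09 lab vsftpd[3001]: [ftp] FAIL LOGIN: Client "192.0.2.10"
Mar  3 10:03:10 lab vsftpd[3002]: [ftp] FAIL LOGIN: Client "192.0.2.10"
Mar  3 10:03:10 lab vsftpd[3003]: [ftp] FAIL LOGIN: Client "192.0.2.10"
Mar  3 10:03:11 lab vsftpd[3004]: [ftp] OK LOGIN: Client "192.0.2.10"
Mar  3 10:03:12 lab sshd[2109]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""

# Syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>sshd|vsftpd)\[\d+\]: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FTP_RE = re.compile(r'^\[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<src>[^"]+)"')


def parse_line(line):
    """Return (timestamp, service, user, source_ip, success) or None for lines not handled."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults it, which is fine for windows.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    if m["svc"] == "sshd":
        e = SSH_RE.match(m["msg"])
        if not e:
            return None
        return ts, "ssh", e["user"], e["src"], e["result"] == "Accepted"
    e = FTP_RE.match(m["msg"])
    if not e:
        return None
    return ts, "ftp", e["user"], e["src"], e["result"] == "OK"


def detect(log_text, window_seconds=60, fail_threshold=3):
    """Return alerts as (kind, source_ip, service, users, failure_count) tuples.

    kind is "failed_login_burst" (>= fail_threshold failures from one source to one
    service inside the window) or "success_after_failures" (a successful login from a
    source that still has failures inside the window, i.e. a guessed password).
    """
    alerts = []
    failures = defaultdict(deque)  # (src, svc) -> deque of (ts, user) within the window
    flagged = set()                # keys already reported for the current burst
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, svc, user, src, ok = ev
        key = (src, svc)
        q = failures[key]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures that fell out of the window
        if ok:
            if q:
                alerts.append(("success_after_failures", src, svc, user, len(q)))
                q.clear()
                flagged.discard(key)
            continue
        q.append((ts, user))
        if len(q) >= fail_threshold and key not in flagged:
            flagged.add(key)
            users = ",".join(sorted({u for _, u in q}))
            alerts.append(("failed_login_burst", src, svc, users, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the default 60-second window the script reports the burst from 192.0.2.10 against SSH, the root login that succeeds right after it, and the same pattern against FTP, while the three spaced-out attempts from 198.51.100.7 stay under the threshold; running detect(SAMPLE_LOG, window_seconds=600) flags that slower source as well. That is the trade-off to keep in mind when tuning: a window sized for fast, many-threaded tools misses attempts that are throttled down, so pair a short window with a longer one, and treat a success after recent failures as the alert worth paging on.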

Final Considerations

It is worth knowing that Patator offers the option to continue an attack if we have to interrupt it: the parameter is shown at the bottom of the attack output, and the --resume option takes the values we have to pass in order to continue:

Figure 10 – Summary of implementation

The parameters to pass in order to continue would be the following:

Figure 11 – Summary Mode

Another important consideration is the number of threads. By default it uses 10 threads, but depending on the circumstances of the service under attack or the bandwidth, we may be forced to reduce this number to avoid errors or getting banned. For this we have the following parameters (in green):

Figure 12 – Threads

As a recommendation, it is advisable to limit them to 4 if errors or retries appear in the output.

The other option that stands out (in orange) is there to avoid causing a DoS and knocking the service over, to avoid certain IDS or firewalls, or to respect restrictions on the wait between requests, since this option adds a delay of the number of seconds we specify between attempts. The parameter would be:

Finally, it is advisable to use the wordlists from the repo https://github.com/berzerk0/Probable-Wordlists, which are built by reordering wordlists according to the frequency with which passwords appear in database leaks found on the internet and other sources, so it is worth having them at hand.

I hope you enjoy using this program, and if you have any doubts, do not hesitate to contact me.

Contribution and Author: Miguel Cobas Barcala
