Patator v0.3 Brute-Forcer Released

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Patator is licensed GPLv2.

Currently it supports the following modules:

ftp_login    : Brute-force FTP
ssh_login    : Brute-force SSH
telnet_login : Brute-force Telnet
smtp_login   : Brute-force SMTP
smtp_vrfy    : Enumerate valid users using the SMTP VRFY command
smtp_rcpt    : Enumerate valid users using the SMTP RCPT TO command
http_fuzz    : Brute-force HTTP/HTTPS
pop_passd    : Brute-force poppassd (not POP3)
ldap_login   : Brute-force LDAP
smb_login    : Brute-force SMB
mssql_login  : Brute-force MSSQL
oracle_login : Brute-force Oracle
mysql_login  : Brute-force MySQL
pgsql_login  : Brute-force PostgreSQL
vnc_login    : Brute-force VNC
dns_forward  : Forward lookup subdomains
dns_reverse  : Reverse lookup subnets
snmp_login   : Brute-force SNMPv1/2 and SNMPv3
unzip_pass   : Brute-force the password of encrypted ZIP files
keystore_pass: Brute-force the password of Java keystore files


No false negatives, as it is the user that decides what results to ignore based on:

  • –  status code of response
  • –  size of response
  • –  matching string or regex in response data
  • –  … see –help

Modular design

  • –  not limited to network modules (eg. the unzip_pass module)
  • –  not limited to brute-forcing (eg. remote exploit testing, or vulnerable version probing)

Interactive runtime

  • –  show verbose progress
  • –  pause/unpause execution
  • –  increase/decrease verbosity
  • –  add new actions & conditions during runtime in order to exclude more types of response from showing
  • –  … press h to see all available interactive commands

Use persistent connections (ie. will test several passwords until the server disconnects)


Flexible user input

  • – Any part of a payload is fuzzable:
  • –  use FILE[0-9] keywords to iterate on a file
  • –  use COMBO[0-9] keywords to iterate on the combo entries of a file
  • –  use NET[0-9] keywords to iterate on every host of a network subnet

Iteration over the joined wordlists may be done in any order

Save every response (along with request) to seperate log files for later reviewing

Changelog v0.3

  • minor bugs fixed in http_fuzz
  • option -e better implemented
  • better warnings about missing dependencies

Download Patator v0.3

MaxiSoler @maxisoler