Archives
/
patator
mirror of https://github.com/lanjelot/patator
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

added OPTIONS example and multiline egrep matching in http_fuzz

Browse Source
pull/4/merge
Lanjelot 13 years ago
parent 69b04cf54b
commit 113fad14b3
1 changed files with 29 additions and 26 deletions
Show Stats Download Patch File Download Diff File

55
patator.py
Unescape Escape View File

@ -341,9 +341,9 @@ http_fuzz url=http://localhost/FILE0 0=words.txt header='Cookie: SESSID=A2FD8B2D
follow=1 -x ignore:code=404 -x ignore,retry:code=500 follow=1 -x ignore:code=404 -x ignore,retry:code=500
(b) (c) (d) (b) (c) (d)
NB. To go 10 times faster, you should use webef (http://www.hsc.fr/ressources/outils/webef/). NB. You may be able to go 10 times faster using webef (http://www.hsc.fr/ressources/outils/webef/).
It is the fastest HTTP brute-forcer I know, yet at the moment it still lacks useful It is the fastest HTTP brute-forcer I know, yet at the moment it still lacks useful features
features, that will prevent you from performing the following attacks. that will prevent you from performing the following attacks.
* Brute-force phpMyAdmin logon. * Brute-force phpMyAdmin logon.
(a) Use POST requests. (a) Use POST requests.
@ -360,35 +360,41 @@ http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST follow=1 accept_c
(b) Save matching responses into directory. (b) Save matching responses into directory.
--------- ---------
http_fuzz url=http://NET0/FILE1 0=10.0.0.0/24 1=dirs.txt -x ignore:fgrep!='Index of' http_fuzz url=http://NET0/FILE1 0=10.0.0.0/24 1=dirs.txt -x ignore:fgrep!='Index of'
-l /tmp/dirlist (a) -l /tmp/directory_listings (a)
(b) (b)
* Brute-force Basic authentication. * Brute-force Basic authentication.
(a) Single mode (login == password). (a) Single mode (login == password).
(b) Do not use persistent connections (otherwise the Tomcat will crash). (b) Do not report failed login attempts.
--------- ---------
http_fuzz url=http://10.0.0.1/manager/html user_pass=FILE0:FILE0 0=logins.txt http_fuzz url=http://10.0.0.1/manager/html user_pass=FILE0:FILE0 0=logins.txt -x ignore:code=401
-x ignore:code=401 persistent=0 (a) (a) (b)
(b)
* Find hidden virtual hosts. * Find hidden virtual hosts.
(a) Read template from file. (a) Read template from file.
(b) Fuzz both the Host and User-Agent headers. (b) Fuzz both the Host and User-Agent headers.
--------- ---------
echo -e 'Host: FILE0\nUser-Agent: FILE1' > headers.txt echo -e 'Host: FILE0\nUser-Agent: FILE1' > headers.txt
(a) (b)
http_fuzz url=http://10.0.0.1/ header=@headers.txt 0=vhosts.txt 1=agents.txt http_fuzz url=http://10.0.0.1/ header=@headers.txt 0=vhosts.txt 1=agents.txt
(a) (b)
* Brute-force logon using GET requests. * Brute-force logon using GET requests.
(a) Encode everything surrounded by the two tags _@@_ in hexadecimal. (a) Encode everything surrounded by the two tags _@@_ in hexadecimal.
(b) Ignore HTTP 200 responses with a content size (header+body) within given range (b) Ignore HTTP 200 responses with a content size (header+body) within given range
and that also contain the given string. and that also contain the given string.
(c) Use a different delimiter string (the comma cannot be escaped, yet). (c) Use a different delimiter string because the comma cannot be escaped.
--------- (a) (a) --------- (a) (a)
http_fuzz url='http://localhost/login?username=admin&password=_@@_FILE0_@@_' -e _@@_:hex http_fuzz url='http://localhost/login?username=admin&password=_@@_FILE0_@@_' -e _@@_:hex
0=words.txt follow=1 -x ignore:'code=200|size=100-500|fgrep=Welcome, unauthenticated user' -X'|' 0=words.txt -x ignore:'code=200|size=1500-|fgrep=Welcome, unauthenticated user' -X'|'
(b) (c) (b) (c)
* Test the OPTIONS method against a list of URLs.
(a) Ignore URLs that only allow the HEAD and GET methods.
(b) Header end of line is '\r\n'.
(c) Use a different delimiter string because the comma cannot be escaped.
---------
http_fuzz url=FILE0 0=urls.txt method=OPTIONS -x ignore:egrep='^Allow: HEAD, GET\r$' -X '|'
(a) (b) (c)
}}} }}}
{{{ LDAP {{{ LDAP
@ -802,9 +808,6 @@ For example, to encode every password in base64:
self.module = module self.module = module
opts, args = self.parse_usage(argv) opts, args = self.parse_usage(argv)
logger.info('Starting Patator v%s (%s) at %s'
% (__version__, __git__, strftime('%Y-%m-%d %H:%M %Z', localtime())))
self.combo_delim = opts.combo_delim self.combo_delim = opts.combo_delim
self.condition_delim = opts.condition_delim self.condition_delim = opts.condition_delim
self.rate_reset = opts.rate_reset self.rate_reset = opts.rate_reset
@ -830,10 +833,8 @@ For example, to encode every password in base64:
kargs.append((k, v)) kargs.append((k, v))
iter_vals = [v for k, v in sorted(wlists.iteritems())] iter_vals = [v for k, v in sorted(wlists.iteritems())]
logger.debug('iter_vals: %s' % iter_vals) logger.debug('iter_vals: %s' % iter_vals) # ['10.0.0.0/24', 'combos.txt', 'TLD']
logger.debug('kargs: %s' % kargs) logger.debug('kargs: %s' % kargs) # [('host', 'NET0'), ('user', 'COMBO10'), ('password', 'COMBO11'), ('domain', 'MOD2')]
# iter_vals == ['10.0.0.0/24', 'combos.txt', 'TLD']
# kargs == [('host', 'NET0'), ('user', 'COMBO10'), ('password', 'COMBO11'), ('domain', 'MOD2')]
for k, v in kargs: for k, v in kargs:
@ -873,10 +874,9 @@ For example, to encode every password in base64:
else: else:
self.payload[k] = v self.payload[k] = v
# { 0: ('NET', '10.0.0.0/24', ['host']), 1: ('COMBO', 'combos.txt', [(0, 'user'), (1, 'password')]), 2: ('MOD', 'TLD', ['domain'])
logger.debug('iter_keys: %s' % self.iter_keys) logger.debug('iter_keys: %s' % self.iter_keys)
# { 0: ('NET', '10.0.0.0/24', ['host']), 1: ('COMBO', 'combos.txt', [(0, 'user'), (1, 'password')]), 2: ('MOD', 'TLD', ['domain']) logger.debug('enc_keys: %s' % self.enc_keys) # [('password', 'ENC', hexlify), ('header', 'B64', b64encode), ...
logger.debug('enc_keys: %s' % self.enc_keys)
# [('password', 'ENC', hexlify), ('header', 'B64', b64encode), ...
logger.debug('payload: %s' % self.payload) logger.debug('payload: %s' % self.payload)
for k, _ in self.builtin_actions: for k, _ in self.builtin_actions:
@ -934,6 +934,9 @@ For example, to encode every password in base64:
return actions return actions
def fire(self): def fire(self):
logger.info('Starting Patator v%s (%s) at %s'
% (__version__, __git__, strftime('%Y-%m-%d %H:%M %Z', localtime())))
try: try:
self.start_threads() self.start_threads()
self.monitor_progress() self.monitor_progress()
@ -1274,7 +1277,7 @@ class Response_Base:
available_conditions = ( available_conditions = (
('code', 'match status code'), ('code', 'match status code'),
('size', 'match size (N or N-M)'), ('size', 'match size (N or N-M or N- or -N)'),
('mesg', 'match message'), ('mesg', 'match message'),
('fgrep', 'search for string'), ('fgrep', 'search for string'),
('egrep', 'search for regex'), ('egrep', 'search for regex'),
@ -2122,11 +2125,11 @@ class Response_HTTP(Response_Base):
return val in self.response return val in self.response
def match_egrep(self, val): def match_egrep(self, val):
return re.search(val, self.response) return re.search(val, self.response, re.M)
available_conditions = Response_Base.available_conditions available_conditions = Response_Base.available_conditions
available_conditions += ( available_conditions += (
('clen', 'match Content-Length header (N or N-M)'), ('clen', 'match Content-Length header (N or N-M or N- or -N)'),
) )
class HTTP_fuzz(TCP_Cache): class HTTP_fuzz(TCP_Cache):

Write Preview
Loading…
Cancel
Save