Fix #205: pin FreeRDP version 2.9.0

Write XML ending to correct file when using --xml

Dockerfile

@@ -0,0 +1,69 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive 
+
+# dependencies
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+  build-essential python3-setuptools \
+  libcurl4-openssl-dev python3-dev libssl-dev \
+  ldap-utils \
+  libmysqlclient-dev \
+  libpq-dev \
+  ike-scan unzip default-jdk \
+  libsqlite3-dev \
+  libsqlcipher-dev \
+  python3-pip \
+ && rm -rf /var/lib/apt/lists/*
+
+## cx_oracle
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends libaio1 wget unzip git \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt/oracle
+RUN wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-basiclite-linuxx64.zip \
+ && wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-sdk-linuxx64.zip \
+ && unzip instantclient-basiclite-linuxx64.zip \
+ && rm -f instantclient-basiclite-linuxx64.zip \
+ && unzip instantclient-sdk-linuxx64.zip \
+ && rm -f instantclient-sdk-linuxx64.zip \
+ && cd /opt/oracle/instantclient_* \
+ && rm -f *jdbc* *occi* *mysql* *README *jar uidrvci genezi adrci \
+ && echo /opt/oracle/instantclient_* > /etc/ld.so.conf.d/oracle-instantclient.conf \
+ && ldconfig
+
+## xfreerdp (see https://github.com/FreeRDP/FreeRDP/wiki/Compilation)
+WORKDIR /opt/FreeRDP
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ninja-build build-essential git-core debhelper cdbs dpkg-dev autotools-dev cmake pkg-config xmlto libssl-dev docbook-xsl xsltproc libxkbfile-dev libx11-dev libwayland-dev libxrandr-dev libxi-dev libxrender-dev libxext-dev libxinerama-dev libxfixes-dev libxcursor-dev libxv-dev libxdamage-dev libxtst-dev libcups2-dev libpcsclite-dev libasound2-dev libpulse-dev libjpeg-dev libgsm1-dev libusb-1.0-0-dev libudev-dev libdbus-glib-1-dev uuid-dev libxml2-dev libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libfaad-dev libfaac-dev libsdl2-dev libcjson-dev libpkcs11-helper1-dev \
+ && apt-get install -y --no-install-recommends libavutil-dev libavcodec-dev libswresample-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && git clone --depth 1 --branch 2.9.0 https://github.com/freerdp/freerdp.git \
+ && cmake -B freerdp-build -S freerdp -DCMAKE_BUILD_TYPE=Debug -DWITH_CLIENT_SDL=OFF -DWITH_KRB5=OFF -DWITH_SWSCALE=OFF -DWITTH_SSE2=ON -DWITH_FUSE=OFF \
+ && cmake --build freerdp-build \
+ && cmake --install freerdp-build \
+ && rm -rf /opt/FreeRDP
+
+# patator
+WORKDIR /opt/patator
+COPY ./requirements.txt ./
+RUN python3 -m pip install --upgrade pip \
+  && python3 -m pip install -r requirements.txt
+
+# uncomment for python2
+# RUN apt-get update \
+#  && apt-get install -y --no-install-recommends python-pip ipython \
+#  && rm -rf /var/lib/apt/lists/* \
+#  && sed -e '/cx_Oracle/d' -e 's,pysqlcipher3,pysqlcipher,' requirements.txt | python2 -m pip install -r /dev/stdin \
+#  && git clone --branch 5.3 https://github.com/oracle/python-cx_Oracle \
+#  && cd python-cx_Oracle && export ORACLE_HOME=$(echo /opt/oracle/instantclient_*) && python2 setup.py build && python2 setup.py install
+
+# utils
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ipython3 iputils-ping iproute2 netcat curl rsh-client telnet vim mlocate nmap \
+ && rm -rf /var/lib/apt/lists/* \
+ && echo 'set bg=dark' > /root/.vimrc
+
+COPY ./patator.py ./
+ENTRYPOINT ["python3", "./patator.py"]

README.md

@@ -1,3 +1,5 @@
+# Patator
+
 Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors.
 
 Currently it supports the following modules:
@@ -11,11 +13,13 @@ Currently it supports the following modules:
 * smtp_rcpt      : Enumerate valid users using the SMTP RCPT TO command
 * finger_lookup  : Enumerate valid users using Finger
 * http_fuzz      : Brute-force HTTP/HTTPS
+* rdp_gateway    : Brute-force RDP Gateway
 * ajp_fuzz       : Brute-force AJP
 * pop_login      : Brute-force POP
 * pop_passd      : Brute-force poppassd (not POP3)
 * imap_login     : Brute-force IMAP
 * ldap_login     : Brute-force LDAP
+* dcom_login     : Brute-force DCOM
 * smb_login      : Brute-force SMB
 * smb_lookupsid  : Brute-force SMB SID-lookup
 * rlogin_login   : Brute-force rlogin
@@ -37,15 +41,28 @@ Currently it supports the following modules:
 * umbraco_crack  : Crack Umbraco HMAC-SHA1 password hashes
 ```
 
-The name "Patator" comes from https://www.youtube.com/watch?v=kU2yPJJdpag
+The name "Patator" comes from [this](https://www.youtube.com/watch?v=9sF9fTALhVA).
+
+Patator is NOT script-kiddie friendly, please read the full README inside [patator.py](patator.py) before reporting.
+
+Please donate if you like this project! :)
+
+[![paypal](https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=SB36VJH4EM5WG&lc=AU&item_name=lanjelot&item_number=patator&currency_code=AUD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted)
 
-Patator is NOT script-kiddie friendly, please read the README inside `patator.py` before reporting.
+Many thanks! [@lanjelot](https://twitter.com/lanjelot)
 
-@lanjelot
+## Install
+
+```
+git clone https://github.com/lanjelot/patator.git
+git clone https://github.com/danielmiessler/SecLists.git
+docker build -t patator patator/
+docker run -it --rm -v $PWD/SecLists/Passwords:/mnt patator dummy_test data=FILE0 0=/mnt/richelieu-french-top5000.txt
+```
 
 ## Usage Examples
 
-* FTP : Enumerating users denied login in vsftpd/userlist
+* FTP : Enumerating users denied login in `vsftpd/userlist`
 
 ```
 $ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500
@@ -61,7 +78,7 @@ $ ftp_login host=10.0.0.1 user=FILE0 0=logins.txt password=asdf -x ignore:mesg='
 ...
 ```
 
-Tested against `vsftpd-3.0.2-9` on `CentOS 7.0-1406`
+Tested against `vsftpd-3.0.2-9` on `CentOS 7.0-1406`.
 
 * SSH : Time-based user enumeration
 
@@ -77,7 +94,7 @@ $ ssh_login host=10.0.0.1 user=FILE0 0=logins.txt password=$(perl -e "print 'A'x
 ...
 ```
 
-Tested against openssh-server 1:6.0p1-4+deb7u2 on Debian 7.8
+Tested against `openssh-server 1:6.0p1-4+deb7u2` on `Debian 7.8`.
 
 * HTTP : Brute-force phpMyAdmin logon
 
@@ -101,9 +118,9 @@ $ grep AllowNoPassword /tmp/qsdf/72_200\:13215\:0\:0.351.txt
 ... class="icon ic_s_error" /> Login without a password is forbidden by configuration (see AllowNoPassword)</div><noscript>
 ```
 
-Tested against phpMyAdmin 4.2.7.1.
+Tested against `phpMyAdmin 4.2.7.1`.
 
-* IKE : Enumerate transforms supported by VPN peer
+* IKEv1 : Enumerate transforms supported by VPN peer
 
 ```
 # ike_enum host=10.0.0.1 transform=MOD0 0=TRANS aggressive=RANGE1 1=int:0-1 -x ignore:fgrep='NO-PROPOSAL'
@@ -112,29 +129,29 @@ Tested against phpMyAdmin 4.2.7.1.
 16:52:58 patator    INFO - code  size    time | candidate                          |   num | mesg
 16:52:58 patator    INFO - -----------------------------------------------------------------------------
 16:53:03 patator    INFO - 0     70     0.034 | 5,1,1,2:0                          |  1539 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Main)
-16:53:03 patator    INFO - 0     72     0.031 | 5,1,65001,2:0                      |  1579 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Main)
+16:53:03 patator    INFO - 0     72     0.031 | 5,1,65001,2:0                      |  1579 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH&PSK (Main)
 16:53:03 patator    INFO - 0     76     0.033 | 5,1,1,2:1                          |  1540 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK (Aggressive)
-16:53:03 patator    INFO - 0     78     0.034 | 5,1,65001,2:1                      |  1580 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH (Aggressive)
+16:53:03 patator    INFO - 0     78     0.034 | 5,1,65001,2:1                      |  1580 | Handshake returned: Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH&PSK (Aggressive)
 16:53:06 patator    INFO - 0     84     0.034 | 7/128,2,1,2:0                      |  2371 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Main)
 16:53:06 patator    INFO - 0     90     0.033 | 7/128,2,1,2:1                      |  2372 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK (Aggressive)
-16:53:06 patator    INFO - 0     86     0.034 | 7/128,2,65001,2:0                  |  2411 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Main)
-16:53:06 patator    INFO - 0     92     0.035 | 7/128,2,65001,2:1                  |  2412 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH (Aggressive)
+16:53:06 patator    INFO - 0     86     0.034 | 7/128,2,65001,2:0                  |  2411 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH&PSK (Main)
+16:53:06 patator    INFO - 0     92     0.035 | 7/128,2,65001,2:1                  |  2412 | Handshake returned: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=XAUTH&PSK (Aggressive)
 
 + 10.0.0.1:500 (Main Mode)
-    Encryption       Hash         Auth      Group
-    ---------- ----------   ---------- ----------
-          3DES        MD5          PSK   modp1024
-          3DES        MD5        XAUTH   modp1024
-        AES128       SHA1          PSK   modp1024
-        AES128       SHA1        XAUTH   modp1024
+    Encryption       Hash             Auth       Group
+    ---------- ----------       ----------  ----------
+          3DES        MD5              PSK    modp1024
+          3DES        MD5        XAUTH&PSK    modp1024
+        AES128       SHA1              PSK    modp1024
+        AES128       SHA1        XAUTH&PSK    modp1024
 
 + 10.0.0.1:500 (Aggressive Mode)
-    Encryption       Hash         Auth      Group
-    ---------- ----------   ---------- ----------
-          3DES        MD5          PSK   modp1024
-          3DES        MD5        XAUTH   modp1024
-        AES128       SHA1          PSK   modp1024
-        AES128       SHA1        XAUTH   modp1024
+    Encryption       Hash             Auth       Group
+    ---------- ----------       ----------  ----------
+          3DES        MD5              PSK    modp1024
+          3DES        MD5        XAUTH&PSK    modp1024
+        AES128       SHA1              PSK    modp1024
+        AES128       SHA1        XAUTH&PSK    modp1024
 16:53:11 patator    INFO - Hits/Done/Skip/Fail/Size: 8/3840/0/0/3840, Avg: 284 r/s, Time: 0h 0m 13s
 ```
 
@@ -216,7 +233,7 @@ Networks -----------------------------------------
 03:18:53 patator    INFO - Hits/Done/Skip/Fail/Size: 11/1000/0/0/1000, Avg: 133 r/s, Time: 0h 0m 7s
 ```
 
-Also notice that test.hsc.fr. is the start of a new zone because we got NOERROR and no IP address.
+Also notice that `test.hsc.fr.` is the start of a new zone because we got NOERROR and no IP address.
 
 * DNS : Reverse lookup two netblocks owned by Google
 

Vagrantfile

@@ -13,13 +13,28 @@ apt-get install -y tmux git wget build-essential vim
 # requirements.txt deps
 apt-get install -y libcurl4-openssl-dev python3-dev libssl-dev # pycurl
 apt-get install -y ldap-utils # ldapsearch
-apt-get install -y libmysqlclient-dev # mysqlclient-python
+apt-get install -y libmariadbclient-dev # mysqlclient-python
+apt-get install -y libpq-dev # psycopg2
 apt-get install -y ike-scan unzip default-jdk
 apt-get install -y libsqlite3-dev libsqlcipher-dev # pysqlcipher
 
-# xfreerdp
-apt-get install -y git-core cmake xsltproc libssl-dev libx11-dev libxext-dev libxinerama-dev libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev libxrandr-dev libxi-dev libgstreamer-plugins-base1.0-dev
-git clone https://github.com/FreeRDP/FreeRDP/ /tmp/FreeRDP && (cd /tmp/FreeRDP && cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSE2=ON . && make && sudo make install)
+# cx_oracle
+apt-get install -y libaio1 wget unzip
+rm -fr /opt/oracle
+mkdir /opt/oracle && cd /opt/oracle
+wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-basiclite-linuxx64.zip
+unzip instantclient-basiclite-linuxx64.zip
+rm -f instantclient-basiclite-linuxx64.zip
+cd /opt/oracle/instantclient*
+rm -f *jdbc* *occi* *mysql* *README *jar uidrvci genezi adrci
+echo /opt/oracle/instantclient* > /etc/ld.so.conf.d/oracle-instantclient.conf
+ldconfig
+
+# xfreerdp (see https://github.com/FreeRDP/FreeRDP/wiki/Compilation)
+apt-get install -y ninja-build build-essential git-core debhelper cdbs dpkg-dev autotools-dev cmake pkg-config xmlto libssl-dev docbook-xsl xsltproc libxkbfile-dev libx11-dev libwayland-dev libxrandr-dev libxi-dev libxrender-dev libxext-dev libxinerama-dev libxfixes-dev libxcursor-dev libxv-dev libxdamage-dev libxtst-dev libcups2-dev libpcsclite-dev libasound2-dev libpulse-dev libjpeg-dev libgsm1-dev libusb-1.0-0-dev libudev-dev libdbus-glib-1-dev uuid-dev libxml2-dev libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev libfaad-dev libfaac-dev
+apt-get install -y libavutil-dev libavcodec-dev libavresample-dev
+rm -fr /tmp/FreeRDP
+git clone https://github.com/FreeRDP/FreeRDP/ /tmp/FreeRDP && (cd /tmp/FreeRDP && cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSE2=ON . && cmake --build . && sudo cmake --build . --target install)
 
 SCRIPT
 
@@ -27,12 +42,12 @@ $patator = <<SCRIPT
 python3 -m venv patatorenv --without-pip
 source patatorenv/bin/activate
 wget --quiet -O - https://bootstrap.pypa.io/get-pip.py | python3
-pip install patator
+python3 -m pip install patator
 
 SCRIPT
 
 Vagrant.configure(2) do |config|
-  config.vm.box = "ubuntu/xenial64"
+  config.vm.box = "ubuntu/bionic64"
   config.vm.box_check_update = false
  
   # prevent TTY error messages

docker-compose.yml

@@ -0,0 +1,59 @@
+version: "3"
+services:
+  unix:
+    build: testing/unix
+    image: patator-unix-testing
+#   ports:
+#      - "21:21"
+#      - "22:22"
+#      - "23:23"
+#      - "25:25"
+#      - "79:79"
+#      - "80:80"
+#      - "106:106"
+#      - "110:110"
+#      - "139:139"
+#      - "143:143"
+#      - "389:389"
+#      - "445:445"
+#      - "513:513"
+#      - "636:636"
+#      - "993:993"
+#      - "995:995"
+#      - "3306:3306"
+#      - "4444:4444"
+#      - "5432:5432"
+#      - "5900:5900"
+#      - "8009:8009"
+#      - "8080:8080"
+#      - "161:161/udp"
+    volumes:
+      - .:/opt/patator
+
+  oracle:
+    image: oracleinanutshell/oracle-xe-11g
+    environment:
+       - ORACLE_ENABLE_XDB=true
+    ports:
+      - "1521:1521"
+
+  mssql:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    environment:
+      - ACCEPT_EULA=Y
+      - SA_PASSWORD=Password1
+    ports:
+      - "1433:1433"
+
+  patator:
+    build: .
+    image: patator
+    depends_on:
+      - unix
+      - oracle
+      - mssql
+    environment:
+      - DISPLAY
+    volumes:
+      - .:/opt/patator
+      - /tmp/.X11-unix:/tmp/.X11-unix

release.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+DOCKER_IMAGE='lanjelot/patator'
+GIT_REPO='https://github.com/lanjelot/patator'
+TMP_COPY=$(mktemp -d)
+
+git clone -b master $GIT_REPO $TMP_COPY
+cd $TMP_COPY
+VERSION=$(echo `git tag|sort -V|tail -1`-`git rev-parse --verify HEAD|cut -b -7`)
+sed -i -e "s,^__version__.*$,__version__ = '$VERSION'," patator.py
+docker build . -t $DOCKER_IMAGE:$VERSION -t $DOCKER_IMAGE:latest
+
+docker login
+docker push $DOCKER_IMAGE

requirements.txt

@@ -1,14 +1,14 @@
 paramiko
 pycurl
 ajpy
-#impacket # no python3 compatibility
+impacket
 pyopenssl
 cx_Oracle
 mysqlclient
-psycopg2
-pycrypto
+psycopg2-binary
+pycryptodomex
 dnspython
 IPy
-pysnmp
-pyasn1
-#pysqlcipher # no python3 compatibility
+pysnmp==4.4.12
+pyasn1==0.4.8
+pysqlcipher3

run-tests.sh

@@ -0,0 +1,131 @@
+#!/bin/bash
+
+if ! docker compose version &>/dev/null; then
+  echo 'docker compose is required'
+  exit 1
+fi
+
+docker compose up -d --build
+
+case "$1" in
+  python2|python3)
+    PYTHON=$1
+    ;;
+  *)
+    PYTHON='python3'
+  ;;
+esac
+
+UNIX='unix'
+ORACLE='oracle'
+MSSQL='mssql'
+WIN10='' # 192.168.1.5 # vagrant add senglin/win-7-enterprise
+VPN=''   #
+
+LOGS='-l ./asdf -y --hits ./hits.txt'
+
+run()
+{
+  echo
+  echo "$ $@"
+  docker compose run --no-deps --rm --entrypoint "$PYTHON patator.py" patator "$@"
+}
+
+echo
+echo ">>> $PYTHON"
+
+run ftp_login host=$UNIX
+run ftp_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+run ssh_login host=$UNIX
+run ssh_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+run telnet_login host=$UNIX
+run telnet_login host=$UNIX inputs='userRANGE0\nPasswordRANGE0' 0=int:0-9 prompt_re='login:|Password:' timeout=5
+
+run smtp_vrfy host=$UNIX
+run smtp_vrfy host=$UNIX user=userRANGE0 0=int:1-500 -x ignore:fgrep='User unknown' -x ignore,reset,retry:code=421 --auto-progress 10
+
+run smtp_rcpt host=$UNIX
+run smtp_rcpt host=$UNIX mail_from=root@localhost user=userRANGE0@localhost 0=int:1-200 -x ignore:fgrep='User unknown'
+
+run smtp_login host=$UNIX
+run smtp_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-30 starttls=1 #-x ignore,reset,retry:code=421
+
+run finger_lookup host=$UNIX
+run finger_lookup host=$UNIX user=userRANGE0 0=int:0-20 -x ignore:fgrep='no such user'
+
+run ldap_login host=$UNIX
+run ldap_login host=$UNIX binddn='cn=admin,dc=example,dc=com' bindpw=PasswordRANGE0 0=int:0-9 basedn='dc=example,dc=com'
+
+run smb_login host=$UNIX
+run smb_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+if [[ ! -z $WIN10 ]]; then
+  run smb_login host=$WIN10 user=vagranRANGE0 password=vagranRANGE0 0=lower:r-v
+  run smb_lookupsid host=$WIN10 user=vagrant password=vagrant rid=RANGE0 0=int:500-2000 -x ignore:code=1
+  run dcom_login host=$WIN10 user=vagranRANGE0 password=vagranRANGE0 0=lower:r-v
+
+  xhost +si:localuser:root
+  run rdp_login host=$WIN10 user=vagranRANGE0 password=vagranRANGE0 0=lower:r-v
+  xhost -si:localuser:root
+fi
+
+run pop_login host=$UNIX
+run pop_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+run pop_passd host=$UNIX
+run pop_passd host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+run imap_login host=$UNIX
+run imap_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+run rlogin_login host=$UNIX user=userRANGE0 password=PasswordRANGE0 0=int:0-9
+
+run mysql_login host=$UNIX
+run mysql_login host=$UNIX user=root password=PasswordRANGE0 0=int:0-9
+
+run mysql_query host=$UNIX user=root password=Password1 query='select host, user from mysql.user'
+run mysql_query host=$UNIX user=root password=Password1 query='select load_file("/etc/hosts")'
+
+run mssql_login host=$MSSQL user=sa password=PasswordRANGE0 0=int:0-9
+
+run oracle_login host=$ORACLE sid=xRANGE0 0=lower:a-f -t 1
+run oracle_login host=$ORACLE sid=xe user=sys password=oraclRANGE0 0=lower:a-f
+
+run pgsql_login host=$UNIX
+run pgsql_login host=$UNIX user=postgres password=PasswordRANGE0 0=int:0-9
+
+run http_fuzz url="http://$UNIX/RANGE0" 0=lower:a-zzz -x ignore:code=404
+run http_fuzz url=http://$UNIX:8080/manager/html user_pass=tomcat:PasswordRANGE0 0=int:0-9
+
+run ajp_fuzz url=ajp://$UNIX/manager/html user_pass=tomcat:PasswordRANGE0 0=int:0-9
+
+run vnc_login host=$UNIX port=5900 password=PassworRANGE0 0=lower:a-f
+
+run dns_reverse host=NET0 0=216.239.32.0-216.239.32.255,8.8.8.0/24 -x ignore:code=3 -x ignore:fgrep!=google.com -x ignore:fgrep=216-239-
+run dns_forward name=MOD0.microsoft.com 0=SRV qtype=SRV -x ignore:code=3 --auto-progress 15
+
+run snmp_login host=$UNIX community=publiRANGE0 0=lower:a-f
+run snmp_login host=$UNIX community=public version=3 user=userRANGE0 0=int:0-5 auth_key=whatever
+run snmp_login host=$UNIX community=public version=3 user=user3 auth_proto=sha auth_key=authPasRANGE0 0=lower:q-v
+run snmp_login host=$UNIX community=public version=3 user=user3 auth_proto=sha auth_key=authPass priv_proto=aes priv_key=privPasRANGE0 0=lower:q-v
+
+if [[ ! -z $VPN ]]; then
+  run ike_enum host=$VPN transform=MOD0 0=TRANS aggressive=RANGE1 1=int:0-1 -x ignore:fgrep=NO-PROPOSAL
+fi
+
+run unzip_pass zipfile=enc.zip password=PasswordRANGE0 0=int:0-9
+run keystore_pass keystore=keystore.jks password=PasswordRANGE0 0=int:0-9
+run sqlcipher_pass database=enc.db password=PasswordRANGE0 0=int:0-9
+run umbraco_crack hashlist=@umbraco_users.pw password=PasswordRANGE0 0=int:0-9
+
+run tcp_fuzz host=$UNIX port=4444 data=RANGE0 0=hex:0xf0-0xf9 # $LOGS
+
+echo -e '\xde\xad\xbe\xef\nprintable ascii' > dummy.txt
+run dummy_test delay=0 data=FILE0 0=dummy.txt data2=RANGE1 1=lower:a-b
+
+echo -e 'wrong pass\np\x1fssw\x09rd' > user9.pass
+run ssh_login host=unix user=user9 password=FILE0 0=user9.pass
+
+rm -f dummy.txt user9.pass

setup.py

@@ -13,12 +13,12 @@ long_description = "Patator was written out of frustration from using Hydra, Med
 
 setup(
     name="patator",
-    version="0.7",
+    version="1.0",
     description="multi-purpose brute-forcer",
     long_description=long_description,
     url="https://github.com/lanjelot/patator",
     author="Sebastien Macke",
-    author_email="pastor@hsc.fr",
+    author_email="patator@hsc.fr",
     license="GPLv2",
 
     classifiers=[

testing/unix/Dockerfile

@@ -0,0 +1,149 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN { for i in {3..5}; do useradd -m -s /bin/bash user$i; echo -e "Password$i\nPassword$i" | passwd user$i; done; } \
+ && useradd -m user9 && echo -e 'p\x1fssw\x09rd\np\x1fssw\x09rd' | passwd user9
+
+# utils
+RUN sed -i 's:^path-exclude=/usr/share/man:#path-exclude=/usr/share/man:' /etc/dpkg/dpkg.cfg.d/excludes \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends man manpages-posix iproute2 mlocate lsof sudo vim less telnet finger rsh-client smbclient \
+  && rm -rf /var/lib/apt/lists/* \
+  && echo 'set bg=dark' > /root/.vimrc \
+  && usermod -aG sudo user3
+
+# services
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends vsftpd openssh-server telnetd rsh-redone-server fingerd apache2 socat \
+  && rm -rf /var/lib/apt/lists/* \
+  && echo 'background=YES' >> /etc/vsftpd.conf \
+  && sed -i -e 's,start-stop-daemon --start --background,start-stop-daemon --start,' /etc/init.d/vsftpd
+
+RUN { echo "postfix postfix/mailname string ubuntu-blah"; \
+      echo "postfix postfix/main_mailer_type string 'Internet Site'"; \
+    } | debconf-set-selections \
+  && apt-get update && apt-get install -y --no-install-recommends postfix dovecot-pop3d dovecot-imapd \
+  && rm -rf /var/lib/apt/lists/* \
+  && postconf 'smtpd_sasl_exceptions_networks=' 'smtpd_sasl_auth_enable=yes' 'smtpd_sasl_type=dovecot' 'smtpd_sasl_path=private/dovecot-auth' \
+  && echo -e 'auth_mechanisms = plain login\n\
+service auth {\n\
+  unix_listener /var/spool/postfix/private/dovecot-auth {\n\
+    mode = 0660\n\
+    user = postfix\n\
+    group = postfix\n\
+  }\n\
+}\n' > /etc/dovecot/conf.d/99-blah.conf
+
+RUN echo 'ServerName localhost' >> /etc/apache2/apache2.conf \
+  && mkdir /var/www/html/{wp,pma,bak} && echo secret > /var/www/html/key
+
+RUN LDAPPW=Password1; \
+  { \
+    echo slapd slapd/internal/generated_adminpw password $LDAPPW; \
+    echo slapd slapd/password2 password $LDAPPW; \
+    echo slapd slapd/internal/adminpw password $LDAPPW; \
+    echo slapd slapd/password1 password $LDAPPW; \
+    echo slapd slapd/domain string example.com; \
+    echo slapd shared/organization string example.com;  \
+  } | debconf-set-selections \
+  && apt-get update && apt-get install -y --no-install-recommends slapd ldap-utils \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN MYSRP=Password1; \
+  { echo "mysql-server mysql-server/root_password password $MYSRP"; \
+    echo "mysql-server mysql-server/root_password_again password $MYSRP"; \
+  } | debconf-set-selections \
+  && apt-get update && apt-get install -y --no-install-recommends mysql-server \
+  && rm -rf /var/lib/apt/lists/* \
+  && sed -i "s/bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mysql.conf.d/mysqld.cnf \
+  && echo secure_file_priv= >> /etc/mysql/mysql.conf.d/mysqld.cnf \
+  && rm -f /etc/apparmor.d/usr.sbin.mysqld \
+  && service mysql start \
+  && Q1="CREATE USER 'root'@'%' identified by 'Password1';" \
+  && Q2="GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';" \
+  && Q3="FLUSH PRIVILEGES;" \
+  && SQL="${Q1}${Q2}${Q3}" \
+  && mysql -uroot -p"$MYSRP" -e "$SQL"
+
+RUN PGPW=Password1 \
+  && apt-get update && apt-get install -y --no-install-recommends postgresql \
+  && rm -rf /var/lib/apt/lists/* \
+  && sed -ie 's,127.0.0.1/32,0.0.0.0/0,' /etc/postgresql/14/main/pg_hba.conf \
+  && sed -ie "s,^#listen_addresses = 'localhost',listen_addresses = '*'," /etc/postgresql/14/main/postgresql.conf \
+  && service postgresql start \
+  && su - postgres -c "psql -c \"ALTER USER postgres WITH PASSWORD '$PGPW';\" -c '\\q'" \
+  && su - postgres -c "PGPASSWORD='$PGPW' psql -d postgres -w --no-password -h localhost -p 5432 -t -c 'SELECT version()'"
+
+RUN apt-get update && apt-get install -y --no-install-recommends tomcat9 tomcat9-admin \
+  && rm -rf /var/lib/apt/lists/* \
+  && echo '<?xml version="1.0" encoding="UTF-8"?><tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0"><user username="tomcat" password="Password1" roles="manager-gui"/></tomcat-users>' > /etc/tomcat9/tomcat-users.xml \
+  && sed -ie 's,^.*Define an AJP .* Connector on port.*$,<Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" redirectPort="8443" secretRequired="false"/>,' /etc/tomcat9/server.xml \
+  && sed -ie 's,catalina.realm.LockOutRealm",catalina.realm.LockOutRealm" lockOutTime="0",' /etc/tomcat9/server.xml \
+  && echo -e "#!/bin/sh\n\
+export CATALINA_HOME=/usr/share/tomcat9\n\
+export CATALINA_BASE=/var/lib/tomcat9\n\
+export CATALINA_TMPDIR=/tmp\n\
+export SECURITY_MANAGER=true\n\
+export JAVA_OPTS=-Djava.awt.headless=true\n\
+/usr/libexec/tomcat9/tomcat-update-policy.sh\n\
+/usr/libexec/tomcat9/tomcat-start.sh &\n" > /usr/local/sbin/start-tomcat.sh
+
+RUN apt-get update && apt-get install -y --no-install-recommends dovecot-imapd dovecot-pop3d poppassd \
+  && rm -rf /var/lib/apt/lists/* \
+  && sed -ie 's,^#login_trusted_networks = *$,login_trusted_networks = 0.0.0.0/0,' /etc/dovecot/dovecot.conf
+
+RUN apt-get update && apt-get install -y --no-install-recommends p7zip-full \
+  && rm -rf /var/lib/apt/lists/* \
+ && 7za a -pPassword1 /root/enc.zip /etc/passwd
+
+RUN apt-get update && apt-get install -y --no-install-recommends openjdk-18-jre-headless \
+  && rm -rf /var/lib/apt/lists/* \
+  && keytool -genkey -alias test -storepass Password1 -keypass Password1 -keystore /root/keystore.jks -dname "CN=a,OU=b,O=c,L=d,ST=e,C=f" -keyalg RSA
+
+RUN apt-get update && apt-get install -y --no-install-recommends sqlcipher \
+  && rm -rf /var/lib/apt/lists/* \
+  && sqlcipher /root/enc.db "PRAGMA key = 'Password1';create table a(id int);"
+
+RUN echo -e 'user1:kW+7AlKMnSZQIRluNxwJOMiohAw=\nuser2:oBk37hmkFgZdZ247+g6c0Ay6Vw8=\nuser3:kW+7AlKMnSZQIRluNxwJOMiohAw=' > /root/umbraco_users.pw
+
+RUN apt-get update && apt-get install -y --no-install-recommends tightvncserver xfonts-base \
+  && rm -rf /var/lib/apt/lists/* \
+  && useradd -m vncuser && mkdir ~vncuser/.vnc && echo Password | vncpasswd -f > ~vncuser/.vnc/passwd \
+  && chmod 400 ~vncuser/.vnc/passwd && chown -R vncuser:vncuser ~vncuser/.vnc
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends samba \
+  && rm -rf /var/lib/apt/lists/* \
+  && { for i in {3..5}; do echo -e "Password$i\nPassword$i" | smbpasswd -a "user$i"; done; } \
+  && sed -ie 's,map to guest =,#map to guest =,' /etc/samba/smb.conf
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends snmpd snmp \
+  && rm -rf /var/lib/apt/lists/* \
+  && sed -ie 's,^agentaddress .*$,agentaddress udp:161,' /etc/snmp/snmpd.conf \
+  && echo 'createUser user3 SHA authPass AES privPass' >> /var/lib/snmp/snmpd.conf \
+  && echo 'rouser user3 priv .1' >> /etc/snmp/snmpd.conf
+
+RUN echo -e "echo Starting services\n\
+service vsftpd start\n\
+service ssh start\n\
+/usr/sbin/inetd\n\
+service postfix start\n\
+service dovecot start\n\
+service apache2 start\n\
+ulimit -n 1024; service slapd start\n\
+service mysql start\n\
+service postgresql start\n\
+sh /usr/local/sbin/start-tomcat.sh\n\
+socat tcp-l:106,fork,reuseaddr exec:/usr/sbin/poppassd &\n\
+socat tcp-l:4444,fork,reuseaddr exec:\"echo -e 'W\xe1\xc0me'\" &\n\
+cp -v /root/enc.zip /root/keystore.jks /root/enc.db /root/umbraco_users.pw /opt/patator/\n\
+su - vncuser -c 'vncserver -rfbport 5900'\n\
+service smbd start\n\
+service snmpd start\n\
+tail -f /dev/null\n" > /usr/local/sbin/start-all-services.sh
+
+CMD ["sh", "/usr/local/sbin/start-all-services.sh"]