[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool
- To: Andres Riancho <andres.riancho@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool
- From: Mario Vilas <mvilas@xxxxxxxxx>
- Date: Thu, 23 Feb 2012 15:39:16 +0100
Indeed. It could also be very fast and not use threads at all. But IMO
it's much harder to write an efficient multithreaded program in python
than in C, at the very least you need a good understanding of the
inner workings of the python interpreter.
I find it a bit suspicious in general that a python program can
outperform a pure C program just like that. It's not impossible, but I
think I'll reserve my judgement on this until some benchmarks are
published.
On Thu, Feb 23, 2012 at 1:36 PM, Andres Riancho
<andres.riancho@xxxxxxxxx> wrote:
> Grandma,
>
> On Thu, Feb 23, 2012 at 2:52 AM, Grandma Eubanks <tborland1@xxxxxxxxx> wrote:
>> Multiprocessing is quiet a bit faster than utilizing threads (this should be
>> obvious as threads are GIL locked, while multi-processing can be spread
>> amongst cores with the kernel's scheduler).
>
> That's not always true. If the process is network bound (which seems
> to be the case with a bruteforce tool), then having multiprocessing
> will not necessarily increase speed. If the software was well written,
> it can be very fast and use python threads.
>
>> On Wed, Feb 22, 2012 at 6:51 PM, Nate Theis <nttheis@xxxxxxxxx> wrote:
>>>
>>> You might look into PyPy for a speed boost: http://pypy.org
>>>
>>> On Feb 22, 2012 6:43 AM, "lanjelot" <lanjelot@xxxxxxxxx> wrote:
>>>>
>>>> Hello FD,
>>>>
>>>> Released two months ago, and downloaded a few thousand times since, I
>>>> wanted to share with you a new multi-purpose brute-forcing tool named
>>>> Patator (http://code.google.com/p/patator/).
>>>>
>>>> I am posting here because I would like to get more feedback from
>>>> people using it, so feel free to fire me an email if you have any
>>>> queries, or rather use the issues tracker on patator project page.
>>>>
>>>> To put it bluntly, I just got tired of using Medusa, Hydra, ncrack,
>>>> metasploit auxiliary modules, nmap NSE scripts and the like because:
>>>> - they either do not work or are not reliable (got me false
>>>> negatives several times in the past)
>>>> - they are slow (not multi-threaded or not testing multiple
>>>> passwords within the same TCP connection)
>>>> - they lack very useful features that are easy to code in python
>>>> (eg. interactive runtime)
>>>>
>>>> Basically you should give Patator a try once you get disappointed by
>>>> Medusa, Hydra or other brute-forcing tools and are about to code your
>>>> own small script because Patator will allow you to:
>>>> - Not write the same code over and over, due to its a modular design
>>>> and flexible usage
>>>> - Run multi-threaded
>>>> - Benefit from useful features such as the interactive runtime
>>>> commands, automatic response logging, etc.
>>>>
>>>> Currently Patator supports the following modules :
>>>> - ftp_login : Brute-force FTP
>>>> - ssh_login : Brute-force SSH
>>>> - telnet_login : Brute-force Telnet
>>>> - smtp_login : Brute-force SMTP
>>>> - smtp_vrfy : Enumerate valid users using the SMTP 'VRFY' command
>>>> - smtp_rcpt : Enumerate valid users using the SMTP 'RCPT TO' command
>>>> - http_fuzz : Brute-force HTTP/HTTPS
>>>> - pop_passd : Brute-force poppassd (not POP3)
>>>> - ldap_login : Brute-force LDAP
>>>> - smb_login : Brute-force SMB
>>>> - mssql_login : Brute-force MSSQL
>>>> - oracle_login : Brute-force Oracle
>>>> - mysql_login : Brute-force MySQL
>>>> - pgsql_login : Brute-force PostgreSQL
>>>> - vnc_login : Brute-force VNC
>>>>
>>>> - dns_forward : Forward lookup subdomains
>>>> - dns_reverse : Reverse lookup subnets
>>>> - snmp_login : Brute-force SNMPv1/2 and SNMPv3
>>>>
>>>> - unzip_pass : Brute-force the password of encrypted ZIP files
>>>> - keystore_pass : Brute-force the password of Java keystore files
>>>>
>>>> The name "Patator" comes from the famous weapon :
>>>> http://www.youtube.com/watch?v=xoBkBvnTTjo
>>>>
>>>> Cheers!
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/