Medusa
Description
Medusa is a speedy, massively parallel, modular, login brute-forcer that supports many services which allow remote authentication.
Here is the list of available services:
Module | Description | Available in version
---|---|---
AFP | The AFP module tests accounts against the Apple Filing Protocol service. This AFP module leverages the afpfs-ng FUSE-based client (http://alexthepuffin.googlepages.com/home). | 2.0+ |
CVS | The CVS module tests accounts against the CVS version control system via the pserver protocol. | 1.5+ |
FTP | The FTP module tests accounts against the FTP and FTPS services. This includes both Explicit FTPS (AUTH TLS Mode as defined in RFC 4217) and Implicit (FTP over SSL (990/tcp)). | 1.5+ |
HTTP | The HTTP module tests accounts against HTTP/HTTPS services using BASIC-AUTH, integrated windows authentication (NTLM) and digest (MD5 and MD5-sess). | 1.5+ |
IMAP | The IMAP module tests accounts against the IMAP service. This module supports both imap (143) and imaps (993). The IMAP module asks for the server's capabilities and then does either a LOGIN or an AUTHENTICATE PLAIN, depending on its response. | 1.5+ |
MS-SQL | The MSSQL module tests accounts against Microsoft MS-SQL service. | 1.5+ |
MySQL | The MySQL module tests accounts against the MySQL service. | 1.5+ |
NetWare NCP | The NCP module tests accounts against the NetWare NCP service. This module was developed using a NetWare 5.1 host as the target. | 1.5+ |
NNTP | The NNTP module tests accounts against the Network News Transfer Protocol via AUTHINFO. | 1.5+ |
PcAnywhere | The PcAnywhere module tests accounts against the Symantec PcAnywhere service. | 1.5+ |
POP3 | The POP3 module tests accounts against the POP3 service. | 1.5+ |
PostgreSQL | The PostgreSQL module tests accounts against the PostgreSQL service. | 1.5+ |
REXEC | The REXEC module tests accounts against the REXEC service. | 1.5+ |
RLOGIN | The RLOGIN module tests accounts against the RLOGIN service. | 1.5+ |
RSH | The RSH module tests accounts against the RSH service. | 1.5+ |
SMBNT | The SMBNT module tests accounts against the Microsoft netbios-ssn (TCP/139) and microsoft-ds (TCP/445) services. Besides testing normal passwords, this module allows Medusa to directly test NTLM hashes against a Windows host. This may be useful for an auditor who has acquired a sam._ or pwdump file and would like to quickly determine which are valid entries. | 1.5+ |
SMTP-AUTH | Brute force module for SMTP Authentication with TLS (STARTTLS extension). Called smtp.mod under version 1.5. | 1.5+ |
SMTP-VRFY | The SMTP-VRFY module can be used to enumerate which accounts are valid on a mail server. | 1.5+ |
SNMP | The SNMP module tests community strings against the Simple Network Management Protocol (SNMP) service. | 1.5+ |
SSH | The SSH module tests accounts against SSH service using SSH version 2. The module currently supports brute-forcing SSH Keyboard-interactive and Password authentication modes. | 1.5+ |
Subversion (SVN) | The SVN module tests accounts against the Subversion (SVN) service. | 1.5+ |
TELNET | The TELNET module tests accounts against the TELNET service. This module supports both telnet (23) and telnets (992). | 1.5+ |
VMware Authentication Daemon (vmauthd) | The VMWAUTHD module tests accounts against the VMware Authentication Daemon. It supports both non-SSL and SSL encrypted installations of the service. | 1.5+ |
VNC | The VNC module tests accounts against the VNC service. | 1.5+ |
WEB-FORM | Basic web form brute force module which handles GET/POST requests. Supports customizable submit parameters and server response text. | 1.5+ |
Generic-Wrapper | The purpose of the wrapper module is to allow the user to execute arbitrary scripts while taking advantage of Medusa managing hosts/users/passwords. Two sample scripts have been included in the wrapper directory. | 1.5+ |
Installation
Installation from packages
Installing from your distribution's packages gives you Medusa 1.5. For a more recent version, see installation from sources.
Installation from sources
Pre-requisites
OpenSSL
See installation of OpenSSL from sources
Libssh2
$ cd /data/src/
$ wget http://libssh2.org/download/libssh2-1.2.7.tar.gz
$ tar xzvf libssh2-1.2.7.tar.gz
$ cd libssh2-1.2.7/
$ ./configure
$ make
$ sudo make install
NCPFS
$ sudo apt-get install ncpfs
LibPQ
The libpq-dev package installs the PostgreSQL client libraries that the PostgreSQL module needs.
$ sudo apt-get install libpq-dev
Subversion
Subversion is a version control system. To install this prerequisite, just type:
$ sudo apt-get install subversion
afpfs-ng
afpfs-ng is an open source client for the Apple Filing Protocol. Before you install it, check that you have the following dependencies:
$ sudo apt-get install libgcrypt11-dev libreadline6-dev libfuse-dev
To install afpfs-ng, type:
$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/afpfs-ng/afpfs-ng/0.8.1/afpfs-ng-0.8.1.tar.bz2
$ bzip2 -cd afpfs-ng-0.8.1.tar.bz2 | tar xf -
$ cd afpfs-ng-0.8.1/
$ ./configure
$ make
$ sudo make install
Installation of Medusa
$ cd /data/src/
$ wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
$ tar xzvf medusa-2.0.tar.gz
$ cd medusa-2.0/
$ ./configure
$ make
$ sudo make install
Usage
Syntax
Basic syntax is:
medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
To list all available modules, issue the following command:
$ medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :
  + cvs.mod : Brute force module for CVS sessions : version 1.0.0
  + ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
  + http.mod : Brute force module for HTTP : version 1.3.0
  + imap.mod : Brute force module for IMAP sessions : version 1.2.0
  + mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
  + mysql.mod : Brute force module for MySQL sessions : version 1.2
  + ncp.mod : Brute force module for NCP sessions : version 1.0.0
  + nntp.mod : Brute force module for NNTP sessions : version 1.0.0
  + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
  + pop3.mod : Brute force module for POP3 sessions : version 1.2
  + postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
  + rexec.mod : Brute force module for REXEC sessions : version 1.1.1
  + rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
  + rsh.mod : Brute force module for RSH sessions : version 1.0.1
  + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
  + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
  + smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
  + snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
  + ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
  + svn.mod : Brute force module for Subversion sessions : version 1.0.0
  + telnet.mod : Brute force module for telnet sessions : version 1.2.2
  + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
  + vnc.mod : Brute force module for VNC sessions : version 1.0.1
  + web-form.mod : Brute force module for web forms : version 1.0.0
  + wrapper.mod : Generic Wrapper Module : version 1.0.1
To get help on a specific module (without .mod extension), issue:
$ medusa -M <module> -q
Example for web-form:
$ medusa -M web-form -q
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

web-form.mod (1.0.0) Luciano Bello <[email protected]> :: Brute force module for web forms

Available module options:
  USER-AGENT:?    User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
  FORM:?          Target form to request. Default: "/"
  DENY-SIGNAL:?   Authentication failure message. Attempt flagged as successful if text is not present in server response. Default: "Login incorrect"
  FORM-DATA:<METHOD>?<FIELDS>
                  Methods and fields to send to web service. Valid methods are GET and POST. The actual form data to be submitted should also be defined here. Specifically, the fields: username and password. The username field must be the first, followed by the password field. Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!" -m FORM-DATA:"post?user=&pass=&submit=True"
Specific syntax
See examples section.
Example
web-form
Consider the following PHP form:
<html>
<body>
<?php
if(isset($_POST['u']) && isset($_POST['p'])) {
    if($_POST['u']=='admin' && $_POST['p']=='password') {
        echo('ACCESS GRANTED');
    } else {
        echo('ACCESS DENIED');
    }
}
?>
<form name="f1" method="post" action="test.php">
    <p>Login: <input type="text" name="u" /></p>
    <p>Password: <input type="password" name="p" /></p>
    <p><input type="submit" name="Login" value="Login" /></p>
</form>
</body>
</html>
Since we know that a valid "admin" account exists, we can use Medusa to brute-force the form. The FORM option points at the script's path on the server, DENY-SIGNAL is the text the script returns on a failed login, and FORM-DATA lists the username field first, then the password field, then the submit button, so that the POST body matches what the form itself sends. We use the following command:
$ medusa \
    -h 127.0.0.1 \
    -u admin \
    -P /data/dict/dict.txt \
    -M web-form \
    -m FORM:"admin/test.php" \
    -m DENY-SIGNAL:"ACCESS DENIED" \
    -m FORM-DATA:"post?u=&p=&Login=Login"
It produces the following output:
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: oops (1 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: 123 (2 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: 1234 (3 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: all (4 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: nimda (5 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: administrator (6 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: admin (7 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: pass (8 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: passwd (9 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: password (10 of 15 complete)
ACCOUNT FOUND: [web-form] Host: 127.0.0.1 User: admin Password: password [SUCCESS]
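The run above is also visible from the server's side: every ACCOUNT CHECK is one POST to the login script, all from one source within a few seconds, and the web-form module sends its documented default User-Agent unless the USER-AGENT option is set. As an added example (not code from Medusa or from this page), the following Python script parses access-log lines in the Apache/Nginx "combined" format and flags any source that POSTs to a login URL more than a threshold number of times inside a sliding window; it separately notes the module's default User-Agent. The log lines, the 203.0.113.7 address, the /admin/test.php path, the threshold and the window are constructed for the illustration.

```python
"""Flag a web-form brute-force burst in web server access logs.

Added example, not part of Medusa. Reads "combined" log format lines and
reports a source that POSTs to the login URL `threshold` times or more
within `window_seconds`. The default User-Agent of Medusa's web-form module
(from the module's help text) is reported as a weak, separate signal.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Default from the web-form module help; overridable with -m USER-AGENT, so weak on its own.
MEDUSA_DEFAULT_UA = "I'm not Mozilla, I'm Ming Mong"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, login_path, threshold=5, window_seconds=60):
    """Return a list of (ip, reason) findings, one finding per ip and reason.

    Only POST requests to `login_path` count; each ip keeps a deque of the
    timestamps of its recent POSTs, trimmed to the sliding window.
    """
    findings = []
    recent = defaultdict(deque)   # ip -> timestamps of POSTs to login_path in the window
    flagged_rate, flagged_ua = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        ip = rec["ip"]
        if rec["ua"] == MEDUSA_DEFAULT_UA and ip not in flagged_ua:
            flagged_ua.add(ip)
            findings.append((ip, "default-medusa-user-agent"))
        q = recent[ip]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged_rate:
            flagged_rate.add(ip)
            findings.append((ip, f"{len(q)} POSTs to {login_path} within {window_seconds}s"))
    return findings


def _sample_log():
    """Constructed sample: a burst mirroring the page's run, plus benign traffic from another host."""
    guesses = ["oops", "123", "1234", "all", "nimda",
               "administrator", "admin", "pass", "passwd", "password"]
    lines = [
        f'127.0.0.1 - - [10/Oct/2023:13:55:{10 + i:02d} +0000] '
        f'"POST /admin/test.php HTTP/1.0" 200 231 "-" "{MEDUSA_DEFAULT_UA}"'
        for i, _ in enumerate(guesses)
    ]
    # One normal visitor: loads the form, submits it once.
    lines.append('203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] '
                 '"GET /admin/test.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] '
                 '"POST /admin/test.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, reason in detect_bruteforce(SAMPLE_LOG, "/admin/test.php"):
        print(ip, reason)
```

The rate check is the durable signal: it does not depend on the tool, the wordlist or the User-Agent, and it also catches a run that uses the default DENY-SIGNAL against a form that never returns "Login incorrect". Tune the threshold and window to the application's normal login traffic, and remember that the status code is 200 for both failed and successful attempts in the page's form, so the count of POSTs, not the status, is what distinguishes a burst.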