Comprehensive Guide on Medusa – A Brute Forcing Tool
Hello friends!! Today we are going to discuss – How much impactful Medusa is in cracking login credential of various protocols to make unauthorized access to a system remotely. In this article, we have discussed each option available in Medusa to make a brute force attack in the various scenario.
Table Of Content
- Introduction to Medusa and its features
- Password Cracking For Specific Username
- Username Cracking for Specific Password
- Cracking Login Credential
- Making Brute Force Attack on Multiple Host
- Attacking on Specific Port Instead of Default
- NULL/Same as Login Attempt
- Save logs to Disk
- Stop on Success
- Suppress Startup Banner
- Verbose Mode
- Error Debugging Mode
- Using Combo Entries
- Resuming the Brute Force Attack
Introduction to Medusa and its features
Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items as some of the key features of this application:
- Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
- Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
- Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
- Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, POP3, MS-SQL, SSHv2, among others)
Reference Source: http://www.foofus.net]
Type “Medusa” in the terminal without any options, it will dump all the available options it accepts along with their respective description.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module’s usage information
-v [NUM] : Verbose level [0 – 6 (more)]
-w [NUM] : Error debug level [0 – 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan
As said above medusa is a brute forcing tool and you can use -d option to identify all available modules it contains.
Password Cracking For Specific Username
Medusa is a very impactful tool and also quite easy to use for making a brute force attack on any protocol.
Assume you want to crack the password for FTP (or any other) whose username is with you, you only wish to make a password brute force attack by using a dictionary to guess the valid password.
At that moment you should go with the following command where -u option enables username parameter and -P options enable dictionary for the password list.
medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp
As you can observe it has found 1 valid password: 123 for username: raj for FTP login.
Username Cracking for Specific Password
Assume you want to crack username for FTP (or any other) whose password is with you, you only wish to make a username brute force attack by using a dictionary to guess the valid username. Hence it is a vice-versa situation compare to the above situation.
At that moment you should go with the following command where -U option enables dictionary for username list and -p options enable password parameter.
medusa -h 192.168.1.108 -U user.txt -p 123 -M ftp
As you can observe it has found 1 valid username: raj for password: 123 FTP login.
Cracking Login Credential
Suppose you want to crack username and password for FTP (or any other), wish to make username and password brute force attack by using a dictionary to guess the valid combination
At that moment you should go with following command where -U option enables dictionary for username list and – P options enables dictionary for the password list.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp
As you can observe it has found 1 valid username: raj for the password: 123 FTP login.
Making Brute Force Attack on Multiple Host
If you want to use a user-pass dictionary on multiple hosts in a network then you can use -M option that enables the host list parameter and make brute force attack using the same dictionary and will try the same number of login attempt on each HOST IP mention in the host list.
Here you can observe I had saved two host IP in a text file and then use the following command to make brute force attack on multiple hosts by using the same dictionary.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp
As you can observe it has found 2 valid FTP logins on each Host.
If you have multiple host IP in your host list and you want to make brute force attack only a few numbers of the host then use -T option for the total number of hosts to be tested concurrently.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1 medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 2
As you can observe from given below the 1st command make brute force attack on single Host IP whereas in 2nd command it is making brute force attack on two hosts IP simultaneously.
Attacking on Specific Port Instead of Default
Due to security concern, the network admin changes the port number of a service on another port. Medusa makes brute force attack on the default port of service as you can observe in above all attacks it has automatically made an attack on port 21 for FTP login.
But you can use -n option that enables specific port number parameter and launch the attack on mention port instead of default port number.
Suppose on scanning the target network I found SSH is running port 2222 instead of 22, therefore, I will execute the following command for ssh login attack.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh -n 2222
As you can observe, in 1st command of medusa it fails to connect on ssh as port 22 was close and it has found 1 valid password: 123 for username: raj for SSH login @ port 2222.
NULL/Same as Login Attempt
Using option -e along with ns enables three parameters null/same as login while making brute force attack on the password field.
medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp -e ns
As you can observe with every username, it is trying to match the following combination along with the password list.
User “raj” and password “” as null password
User “raj” and password “raj” as same as the login
Save logs to Disk
For the purpose of the record maintenance, better readability, and future references, we save the output of the Medusa brute force attack onto a file. To this we will use the parameter -O of the Medusa to save the output in a text file.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -O log.txt
Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file on not. In this case, our location for output is /root /log.txt.
Stop on Success
Suppose while using host list you want to Stop brute force attack on the host after first valid username/password found then you can use -f option alone with command.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -f
Even you can use -F option to Stop audit after first valid username/password found on any host in your command.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -F
Suppress Startup Banner
If you want to hide banner of Medusa while making brute force attack then use -b option to Suppress startup banner.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -b
There are six levels for the verbose mode to examine the attack details and also contain an error debug option that contains ten levels for debug mode. You can use -v option for verbose parameter and -w option for error debugging parameter.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 1 medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 2 medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 6
Error Debugging Mode
As said above there is level from 0-10 for examining brute force attack at each level, here you will observe the result of 0-6 is approx. same with little difference and result from of level 7-10 is approx. same but varied from 0-6 level.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 01 medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 06 medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 07
Debug mode is showing wait time, socket, send data size and received data size, module detail, and path.
Using Combo Entries
Using -C option enables combo file parameter, the combo file should have one record per line and have the values colon separated in the format host_IP:username: password. If any of the three fields are left blank, the respective information should be delivered either as a global value or as a list in a file.
The following combinations are possible in the combo file:
As you can observe in the given below image, we have the userpass.txt file as our combo file format and we can use it along -C option to launch brute force attack.
medusa -M ftp -C userpass.txt
Resuming the Brute Force Attack
Sometimes while making brute force, the attack gets paused/halt or cancel accidently at this moment to save your time you can use -z option that enables resume parameter and continue the brute-forcing from the last dropped attempt of the dictionary instead of starting it from 1st attempt.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp
Now you can observe the output result from the given below image where after pressing ctrl C it stops the attack and then adds the highlighted text in your command to resume the attack and continue it.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u2u3.
Repeat same as above, now compare the result after executing all three command you will notice it has continued the brute-forcing from the last dropped attempt
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u3u4.
Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here