Eminem

Medusa 2.1.1 (Speedy, massively parallel, modular login brute-forcer for networks)


Medusa Parallel Network Login Auditor

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:

Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.

Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.

Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.

Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.

Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.

Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others.

For a quick comparison of Medusa, Ncrack, and THC-Hydra see: medusa-compare.html

How do I use this thing? Simply running "medusa" without any options will dump all the parameters it accepts along with their respective description. Here are several example uses:

Display all modules currently installed:

% medusa -d

Medusa v1.0-rc1 [http://www.foofus.net] © JoMo-Kun / Foofus Networks

  Available modules in "." :
  Available modules in "/usr/local/lib/medusa/modules" :
    + mssql.mod :
      Brute force module for M$-SQL sessions : version 0.1.0
    + http.mod :
      Brute force module for HTTP : version 0.1.1
    + ssh.mod :
      Brute force module for SSH v2 sessions : version 0.1.1
    + smbnt.mod :
      Brute force module for SMB/NTLMv1 sessions : version 0.1.1
    + telnet.mod :
      Brute force module for telnet sessions : version 0.1.4

Display specific options for a given module:

% medusa -M smbnt -q

Medusa v1.0-rc1 [http://www.foofus.net] © JoMo-Kun / Foofus Networks

smbnt.mod (0.1.1) JoMo-Kun :: Brute force module for SMB/NTLMv1 sessions

Available module options:
  GROUP:? (DOMAIN, LOCAL*, BOTH)
    Option sets NetBIOS workgroup field.
    DOMAIN: Check credentials against this hosts primary domain controller via this host.
    LOCAL:  Check local account.
    BOTH:   Check both. This leaves the workgroup field set blank and then attempts to check
            the credentials against the host. If the account does not exist locally on the
            host being tested, that host then queries its domain controller.
  GROUP_OTHER:?
    Option allows manual setting of domain to check against. Use instead of GROUP.
  PASS:?  (PASSWORD*, HASH, MACHINE)
    PASSWORD: Use normal password.
    HASH:     Use a NTLM hash rather than a password.
    MACHINE:  Use the machine's NetBIOS name as the password.
  NETBIOS
    Force NetBIOS Mode (Disable Native Win2000 Mode). Win2000 mode is the default.
    Default mode is to test TCP/445 using Native Win2000. If this fails, module will
    fall back to TCP/139 using NetBIOS mode. To test only TCP/139, use the following:
    medusa -M smbnt -m NETBIOS -n 139

(*) Default value

Usage example: "-M smbnt -m GROUP:DOMAIN -m PASS:HASH"

The following command instructs Medusa to test all passwords listed in passwords.txt against a single user (administrator) on the host 192.168.0.20 via the SMB service. The "-e ns" instructs Medusa to additionally check if the administrator account has either a blank password or has its password set to match its username (administrator).

% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt

Source: http://foofus.net/goons/jmk/medusa/medusa.html

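The post above describes a tool that tests many hosts, users and passwords concurrently, and the "-e ns" option, which tries blank and username-as-password guesses. From the defender's side, the footprint of that behaviour in authentication logs is the detection opportunity: one source address producing failures against many accounts, against many hosts, or repeatedly against one account within a short window, and, worst of all, a success from that same source afterwards. The script below is an added example, not code from the original post or from the Medusa project; its log format, field names, sample lines and thresholds are constructed assumptions chosen to illustrate the logic, and a real deployment would map them onto the actual SMB or SSH audit records in use.

```python
"""Flag parallel login-guessing patterns in authentication logs.

Added example for illustration only; not part of Medusa or the original post.
The log format below is a constructed, syslog-like key=value layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one noisy source (10.0.0.9) cycling through
# several accounts on two hosts, followed by a success, plus one benign
# single failure from another source and one non-auth line to be ignored.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host=fs01 svc=smb result=FAIL src=10.0.0.9 user=administrator
2024-05-01T10:00:01 host=fs01 svc=smb result=FAIL src=10.0.0.9 user=backup
2024-05-01T10:00:02 host=fs01 svc=smb result=FAIL src=10.0.0.9 user=jsmith
2024-05-01T10:00:02 host=fs01 svc=smb result=FAIL src=10.0.0.9 user=administrator
2024-05-01T10:00:03 host=fs02 svc=ssh result=FAIL src=10.0.0.9 user=root
2024-05-01T10:00:03 host=fs01 svc=smb result=FAIL src=10.0.0.9 user=administrator
2024-05-01T10:00:04 host=fs01 svc=smb result=OK src=10.0.0.9 user=svc_print
2024-05-01T10:01:30 host=fs01 svc=smb result=FAIL src=10.0.0.23 user=mlee
this line is not an auth record and is ignored
"""

# Assumed record layout (constructed): timestamp host svc result src user.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) svc=(?P<svc>\S+) "
    r"result=(?P<result>OK|FAIL) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, window=timedelta(seconds=60), user_threshold=4,
           host_threshold=2, per_user_threshold=3):
    """Return one alert per source address whose failures look like guessing.

    Three patterns are checked inside a sliding window of `window` seconds:
      many-users             -> one source, >= user_threshold distinct accounts
      many-hosts             -> one source, >= host_threshold distinct hosts
      many-attempts-one-user -> one source, >= per_user_threshold tries on one account
    A success from the same source after its first failure raises severity to
    "high" and lists the account(s) that may now be compromised.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "FAIL"]
        reasons = set()
        for i, start in enumerate(failures):
            # Window anchored at each failure: it and everything within `window` after it.
            win = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            if len({e["user"] for e in win}) >= user_threshold:
                reasons.add("many-users")
            if len({e["host"] for e in win}) >= host_threshold:
                reasons.add("many-hosts")
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            if max(per_user.values()) >= per_user_threshold:
                reasons.add("many-attempts-one-user")
        if not reasons:
            continue
        first_fail = failures[0]["ts"]
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "OK" and e["ts"] >= first_fail})
        alerts.append({
            "src": src,
            "failures": len(failures),
            "reasons": sorted(reasons),
            "severity": "high" if compromised else "medium",
            "possible_compromise": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the block prints a single high-severity alert for 10.0.0.9 (six failures, all three patterns, and a later success for `svc_print`), while the lone failure from 10.0.0.23 produces nothing. The thresholds are deliberately low to keep the sample short; in practice they are tuned against the site's normal failure rate, and the "success after a burst of failures" case is the one worth paging on, since it is the point at which a guessed credential may be in use.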