Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. The goal is to support as many services that allow remote authentication as possible. The author considers the following items to be some of the key features of this application:
Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:
How do I use this thing? Simply running "medusa" without any options will dump all the parameters it accepts along with their respective descriptions. Here are several example uses:
% medusa -d
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
Available modules in "." :
Available modules in "/usr/local/lib/medusa/modules" :
  + mssql.mod :
      Brute force module for M$-SQL sessions : version 0.1.0
  + http.mod :
      Brute force module for HTTP : version 0.1.1
  + ssh.mod :
      Brute force module for SSH v2 sessions : version 0.1.1
  + smbnt.mod :
      Brute force module for SMB/NTLMv1 sessions : version 0.1.1
  + telnet.mod :
      Brute force module for telnet sessions : version 0.1.4
% medusa -M smbnt -q
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
smbnt.mod (0.1.1) JoMo-Kun :: Brute force module for SMB/NTLMv1 sessions
Available module options:
  GROUP:? (DOMAIN, LOCAL*, BOTH)
    Option sets NetBIOS workgroup field.
    DOMAIN: Check credentials against this hosts primary domain controller via this host.
    LOCAL:  Check local account.
    BOTH:   Check both. This leaves the workgroup field set blank and then attempts to check
            the credentials against the host. If the account does not exist locally on the
            host being tested, that host then queries its domain controller.
  GROUP_OTHER:?
    Option allows manual setting of domain to check against. Use instead of GROUP.
  PASS:? (PASSWORD*, HASH, MACHINE)
    PASSWORD: Use normal password.
    HASH:     Use a NTLM hash rather than a password.
    MACHINE:  Use the machine's NetBIOS name as the password.
  NETBIOS
    Force NetBIOS Mode (Disable Native Win2000 Mode). Win2000 mode is the default.
    Default mode is to test TCP/445 using Native Win2000. If this fails, module will
    fall back to TCP/139 using NetBIOS mode. To test only TCP/139, use the following:
      medusa -M smbnt -m NETBIOS -n 139
  (*) Default value

Usage example: "-M smbnt -m GROUP:DOMAIN -m PASS:HASH"
% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: (1/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)
% medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
The following combinations are possible in the combo file:
The following example will check each entry in the file combo.txt:
% medusa -M smbnt -C combo.txt
The combo.txt file:
192.168.0.20:administrator:password
192.168.0.20:testuser:pass
192.168.0.30:administrator:blah
192.168.0.40:user1:foopass
The following example will check each entry in the file combo.txt against the targets listed in hosts.txt:
% medusa -M smbnt -C combo.txt -H hosts.txt
The combo.txt file:
:administrator:password
:testuser:pass
:administrator:blah
:user1:foopass
Medusa also supports using PwDump files as a combo file. The format of these files should be user:id:lm:ntlm:::. We look for ':::' at the end of the first line to determine if the file contains PwDump output.
Test interrupted with SIGINT
% ../medusa -M ssh -H host.txt -U users.txt -p password
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: bar (4 of 4, 3 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
ALERT: Medusa received SIGINT - Sending notification to login threads that we are are aborting.
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
ALERT: To resume scan, add the following to your original command: "-Z h2u3u4h3."
Interrupted scan being resumed
% ../medusa -M ssh -H host.txt -U users.txt -p password -Z h2u3u4h3.
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: jmk (3 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: bar (4 of 4, 1 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.15 (3 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
The following is a brief description of the resume map:

h2u3u4h3.
+--------- First host which was not 100% completed
  +------- First user for host which was not 100% completed
    +----- First user for host which was not started
      +--- First host which was not started
        +- Map ending mark
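To make the map layout concrete, here is an added example (not part of Medusa or its README) that parses a -Z value and expands it against the -H and -U lists into the (host, user) pairs a resumed run still tests. The host list, the user list and the assumption that only one host was partially completed are constructed here, not taken from the README.

```python
import re

# Resume map layout as documented above, e.g. "h2u3u4h3.":
#   h<N>  first host which was not 100% completed
#   u<N>  first user (on that host) which was not 100% completed
#   u<N>  first user (on that host) which was not started
#   h<N>  first host which was not started
#   .     map ending mark
# All positions are 1-based indexes into the -H and -U files.
MAP_RE = re.compile(r"^h(\d+)u(\d+)u(\d+)h(\d+)\.$")


def parse_resume_map(resume_map: str) -> dict:
    """Split a -Z resume map into its four positions.

    A map without the trailing ending mark, or with a field missing or
    out of order, is rejected rather than silently resumed from the
    wrong place.
    """
    m = MAP_RE.match(resume_map.strip())
    if not m:
        raise ValueError(f"malformed resume map: {resume_map!r}")
    partial_host, partial_user, unstarted_user, unstarted_host = map(int, m.groups())
    if not (1 <= partial_host < unstarted_host and 1 <= partial_user <= unstarted_user):
        raise ValueError(f"inconsistent resume map: {resume_map!r}")
    return {"partial_host": partial_host, "partial_user": partial_user,
            "unstarted_user": unstarted_user, "unstarted_host": unstarted_host}


def remaining_work(resume_map: str, hosts: list, users: list) -> list:
    """Expand a resume map into the (host, user) pairs a resumed run still
    tests, in Medusa's order: the partially completed host from its first
    unfinished user onward, then every unstarted host against every user.

    Assumption (not stated in the README): the map names only one partial
    host, so a run where -T left several hosts in flight is refused here.
    """
    pos = parse_resume_map(resume_map)
    if pos["unstarted_host"] != pos["partial_host"] + 1:
        raise ValueError("more than one host was in flight; map cannot be expanded")
    if pos["unstarted_host"] > len(hosts) + 1 or pos["unstarted_user"] > len(users) + 1:
        raise ValueError("resume map does not fit the supplied host/user lists")
    partial = hosts[pos["partial_host"] - 1]
    pairs = [(partial, u) for u in users[pos["partial_user"] - 1:]]
    for host in hosts[pos["unstarted_host"] - 1:]:
        pairs.extend((host, u) for u in users)
    return pairs
```

Run against a constructed list of 11 hosts and the four users from the README's run, "h2u3u4h3." yields the two unfinished users on host 2 followed by all 36 pairs for hosts 3 through 11, matching the resumed output above.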
The majority of Medusa was written and tested on Linux/Gentoo-based systems. While it has been known to work on a variety of operating systems, it is quite possible there may be issues that crop up only on non-Gentoo devices. Of course, there are issues that will probably also show up on Gentoo that have so far been missed...
Medusa should be fairly straightforward to build: "./configure; make; make install". However, this may result in a somewhat limited installation. To take full advantage of all the brute-forcing goodness that Medusa has to offer, several dependencies must be satisfied. The following table lists the modules which have additional dependencies. In order for the modules to function, the appropriate header files must be installed on the system when the modules themselves are compiled. Additional module-specific information is included within the documentation for each module.
| Dependency | Homepage | Module | Notes |
| --- | --- | --- | --- |
| OpenSSL | http://www.openssl.org | HTTP, MSSQL, SMBNT, SSL-based connections | |
| LibSSH2 | http://www.libssh2.org | SSH | LibSSH2 patch provided to address timing issue. Issue appears to be addressed in 0.18. |
| NCPFS | ftp://platan.vc.cvut.cz/pub/linux/ncpfs | NCP | Use "make install-dev" to install header files. |
| LibPQ | http://www.postgresql.org | PostgreSQL | |
| Subversion | http://subversion.tigris.org | SVN | |
| afpfs-ng | http://alexthepuffin.googlepages.com/home | AFP | Header files may need to be manually installed. Autoconf currently assumes an install base of /usr (e.g. /usr/include/afpfs-ng). |
It should also be noted that, by default, not all of the modules are built. Incomplete modules or modules which have not been sufficiently tested may be disabled. The "configure" output should identify which modules it will attempt to build. To enable non-default modules, use the "--enable-module-MODULE_NAME" configure option.
At this time Medusa is not available within Portage. An ebuild for Medusa has been submitted to bugs.gentoo.org, but has not yet made its way into Portage. In the meantime, all of the ebuilds can be used via Portage Overlay. For example, Medusa can be installed via the Gentoo "pentoo" overlay located at trac.pentoo.ch. Additionally, the ebuilds have been included and can also be manually installed.
The following ebuilds have been included within this distribution:
Some basic Portage Overlay instructions:
PORTDIR_OVERLAY="/some/directory/"
net-analyzer/medusa
ebuild name_of_ebuild.ebuild digest
net-analyzer/medusa ~x86
Medusa has been built and basic tests performed on a variety of default system installations. The following table includes some notes from these tests.
| Operating System | Distro/Version | Notes |
| --- | --- | --- |
| Linux | CentOS 7.1 (64-bit) | Installed: "Development Tools", openssl-devel, libssh2-devel, postgresql-devel, subversion-devel, freerdp-devel |
| Linux | Debian Stretch (64-bit) | Installed: build-essential, libgnutls28-dev, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libsvn-dev, freerdp, libfreerdp-dev |
| Linux | Fedora 21 | Installed: "Development Tools", afpfs-ng-devel, openssl-devel, libssh2-devel, postgresql-devel, subversion-devel, freerdp-devel |
| Linux | Kali 1.1.0 (32-bit) | Installed: libafpclient0, libafpclient-dev, libncp, libncp-dev, libpq-dev, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev, freerdp-x11, libfreerdp-dev |
| Linux | Kali 2.0 (64-bit) | Installed: automake, libssl-dev, libpq-dev, libssh2-1-dev, libgcrypt11-dev, libgnutls28-dev, libsvn-dev, freerdp-x11, libfreerdp-dev |
| Linux | Mint 17 | Installed: build-essential, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev, freerdp, libfreerdp-dev |
| Linux | openSUSE 11.2 | Installed: patterns-openSUSE-devel_C_C++, ncpfs-devel, libssh2-devel, postgresql-devel, subversion-devel |
| Linux | Ubuntu 14.04 | Installed: build-essential, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev, freerdp, libfreerdp-dev |
| SunOS | Solaris 11 x86 | Installed: developer-gnu |
| BSD | FreeBSD 7.2 | Installed: afpfs-ng, ncpfs, libssh2, postgresql, libpq, libsvn |
| Mac OS X | OS X 10.10 (Yosemite) | Installed: Homebrew, XCode, "brew install freerdp --HEAD" |
| Microsoft Windows | Cygwin | I have been unable to build the modules under Cygwin. If anyone can figure this out, I'll buy you a beer at the next DefCon. |
This fine piece of buggy software was brought to you by the geeks at Foofus.net. JoMo-Kun was the chief goon and wrote the core of Medusa along with several of the modules. Foofus created the initial design for the loadable modules. Fizzgig provided the networking code, several modules, and the loadable module implementation, along with also fixing a bunch of JoMo-Kun's crappy stuff. pMonkey was a crazy module coding fiend. Last, but certainly not least, Heidi provided the tool's name.
If you have questions regarding this application, feel free to contact us. Either send me email directly or join our mailing list foofus-tools. If it breaks, please send a detailed bug report. Even better, send in a patch. I make no claims that this program will do what you want it to. I've been using it during our assessments for years now successfully. Hopefully, others will have similar luck. If you find Medusa useful and want to give something back, please submit new modules, code improvements or just buy any of the Foofus.net goons a beer at the next DefCon.
Joe
© Copyright 2016, Foofus Advanced Security Services
any time. any fucknut.