You are here: Home » Password Attacks » Medusa

Medusa

Medusa Description

Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
  • Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, POP3, MS-SQL, SSHv2, among others).

Homepage: https://github.com/jmk-foofus/medusa

Author: Joe Mondloch

License: GPLv2

Medusa Help

Syntax:

Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
  -h [TEXT]    : Target hostname or IP address
  -H [FILE]    : File containing target hostnames or IP addresses
  -u [TEXT]    : Username to test
  -U [FILE]    : File containing usernames to test
  -p [TEXT]    : Password to test
  -P [FILE]    : File containing passwords to test
  -C [FILE]    : File containing combo entries. See README for more information.
  -O [FILE]    : File to append log information to
  -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]    : Name of the module to execute (without the .mod extension)
  -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                 different parameter each time and they will all be sent to the module (i.e.
                 -m Param1 -m Param2, etc.)
  -d           : Dump all known modules
  -n [NUM]     : Use for non-default TCP port number
  -s           : Enable SSL
  -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -c [NUM]     : Time to wait in usec to verify socket is available (default 500 usec).
  -t [NUM]     : Total number of logins to be tested concurrently
  -T [NUM]     : Total number of hosts to be tested concurrently
  -L           : Parallelize logins using one username per thread. The default is to process 
                 the entire username before proceeding.
  -f           : Stop scanning host after first valid username/password found.
  -F           : Stop audit after first valid username/password found on any host.
  -b           : Suppress startup banner
  -q           : Display module's usage information
  -v [NUM]     : Verbose level [0 - 6 (more)]
  -w [NUM]     : Error debug level [0 - 10 (more)]
  -V           : Display version
  -Z [TEXT]    : Resume scan based on map of previous scan

Medusa Manual

-h [TARGET]

Target hostname or IP address.

-H [FILE]

Reads target specifications from the file specified rather than from the command line. The file should contain a list separated by newlines.

-u [TARGET]

Target username.

-U [FILE]

Reads target usernames from the file specified rather than from the command line. The file should contain a list separated by newlines.

-p [TARGET]

Target password.

-P [FILE]

Reads target passwords from the file specified rather than from the command line. The file should contain a list separated by newlines.

-C [FILE]

File containing combo entries. Combo files are colon separated and in the following format: host:user:password. If any of the three fields are left empty, the respective information should be provided either as a single global value or as a list in a file.

The following combinations are possible in the combo file: 1.) foo:bar:fud 2.) foo:bar: 3.) foo:: 4.) :bar:fud 5.) :bar: 6.) ::fud 7.) foo::fud

Medusa also supports using PwDump files as a combo file. The format of these files should be user:id:lm:ntlm:::. We look for ':::' at the end of the first line to determine if the file contains PwDump output.

-O [FILE]

File to append log information to. Medusa will log all accounts credentials found to be valid or cause an unknown error. It will also log the start and stop times of an audit, along with the calling parameters.

-e [n/s/ns]

Additional password checks ([n] No Password, [s] Password = Username). If both options are being used, they should be specified together ("-e ns"). If only a single option is being called use either "-e n" or "-e s".

-M [TEXT]

Name of the module to execute (without the .mod extension).

-m [TEXT]

Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)

-d

Dump all known modules.

-n [NUM]

Use for non-default TCP port number.

-s

Enable SSL.

-g [NUM]

Give up after trying to connect for NUM seconds (default 3).

-r [NUM]

Sleep NUM seconds between retry attempts (default 3).

-R [NUM]

Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

-c [NUM]

Set the number of usec that are waited during a test of the established network socket. Some services (e.g. FTP, IMAP, POP3, and SMTP) may be configured to drop connections after an arbitrary number of failed logon attempts. We try to reuse the established connection to send authentication attempts until this disconnect occurs, at which point the connection is reestablished. To accomplish this, we check the socket to see if it's still alive before authenticating within select modules. The default is perform a 1 usec check. It may be necessary to specify much larger values. For example, a 1000 usec was needed against our test vsftp server to avoid issues with its built-in anti-bruteforce mechanisms.

-t [NUM]

Total number of logins to be tested concurrently. It should be noted that rougly t x T threads could be running at any one time. 381 appears to be the limit on my fairly boring Gentoo Linux host.

-T [NUM]

Total number of hosts to be tested concurrently.

-L

Parallelize logins using one username per thread. The default is to process the entire username before proceeding.

-f

Stop scanning host after first valid username/password found.

-F

Stop audit after first valid username/password found on any host.

-b

Suppress startup banner

-q

Display module's usage information. This should be used in conjunction with the "-M" option. For example, "medusa -M smbnt -q".

-v [NUM]

Verbose level [0 - 6 (more)]. All messages at or below the specified level will be displayed. The default level is 5.

The following is the breakdown of the verbose levels: 0) EXIT APPLICATION 1) MESSAGE WITHOUT TAG 2) LOG MESSAGE WITHOUT TAG 3) IMPORTANT MESSAGE 4) ACCOUNT FOUND 5) ACCOUNT CHECK 6) GENERAL MESSAGE

-w [NUM]

Error debug level [0 - 10 (more)]. All messages at or below the specified level will be displayed. The default level is 5.

The following is the breakdown of the error levels: 0) FATAL 1) ALERT 2) CRITICAL 3) ERROR 4) WARNING 5) NOTICE 6) INFO 7) DEBUG 8) DEBUG - AUDIT 9) DEBUG - SERVER 10) DEBUG - MODULE

-V

Display version

-Z [TEXT]

Allows basic resuming of a previous scan. The supplied parameter describes which hosts were completed, which were partially tested and which had not been started. When Medusa receives a SIG‐INT, it will calculate and display a "resume map". This map can then be supplied to the next run. For example, "medusa [OPTIONS PREVIOUSLY USED] -Z h6u1u2h8.". In this particular example, hosts 1-5 were completed, host 6 was partially done (user 1 was partially completed and user 2 and beyond had not been started), host 7 was completed and host 8 and beyond had not been started. Medusa will parse this map and skip hosts and users accordingly. It should be noted that only host and user-level, not password-level, resuming is supported. If a user had been previously started, but was not completed, it will be tested from the start of its respective password list.

Options Medusa Modules

Available Medusa Modules:

  • afp.mod : Brute force module for AFP sessions
  • cvs.mod : Brute force module for CVS sessions
  • ftp.mod : Brute force module for FTP/FTPS sessions
  • http.mod : Brute force module for HTTP
  • imap.mod : Brute force module for IMAP sessions
  • mssql.mod : Brute force module for MSSQL sessions
  • mysql.mod : Brute force module for MySQL sessions
  • nntp.mod : Brute force module for NNTP sessions
  • pcanywhere.mod : Brute force module for PcAnywhere sessions
  • pop3.mod : Brute force module for POP3 sessions
  • postgres.mod : Brute force module for PostgreSQL sessions
  • rdp.mod : Brute force module for RDP (Microsoft Terminal Server) sessions
  • rexec.mod : Brute force module for REXEC sessions
  • rlogin.mod : Brute force module for RLOGIN sessions
  • rsh.mod : Brute force module for RSH sessions
  • smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions
  • smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO)
  • smtp.mod : Brute force module for SMTP Authentication with TLS
  • snmp.mod : Brute force module for SNMP Community Strings
  • ssh.mod : Brute force module for SSH v2 sessions
  • svn.mod : Brute force module for Subversion sessions
  • telnet.mod : Brute force module for telnet sessions
  • vmauthd.mod : Brute force module for the VMware Authentication Daemon
  • vnc.mod : Brute force module for VNC sessions
  • web-form.mod : Brute force module for web form
  • wrapper.mod : Generic Wrapper Module

cvs

Available module options:

  • DIR:?

Sets target directory name. If left unset, the default is "/root"

Usage example: "-M cvs -m DIR:/some_project"

ftp

Available module options:

  • MODE:? (NORMAL*, EXPLICIT, IMPLICIT)

EXPLICIT: AUTH TLS Mode as defined in RFC 4217

Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to sending any credentials, however, an "AUTH TLS" command is issued and a SSL session is negotiated.

IMPLICIT: FTP over SSL (990/tcp)

Implicit FTPS requires a SSL handshake to be performed before any FTP commands are sent. This service typically resides on tcp/990. If the user specifies this option or uses the "-n" (SSL) option, the module will default to this mode and tcp/990.

NORMAL

The default behaviour if no MODE is specified. Authentication is attempted in the clear. If the server requests encryption for the given user Explicit FTPS is utilized.

Example Usage:

medusa -M ftp -h host -u username -p password
medusa -M ftp -s -h host -u username -p password
medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password

(*) Default value

http

Available module options:

  • USER-AGENT:? (User-Agent. Default: Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1))
  • DIR:? (Target directory. Default "/")
  • AUTH:? (Authentication Type (BASIC/DIGEST/NTLM). Default: automatic)
  • DOMAIN:? [optional]
  • CUSTOM-HEADER:? Additional HTTP header.

More headers can be defined by using this option several times.

Usage example: "-M http -m USER-AGENT:"g3rg3 gerg" -m DIR:exchange/"

Usage example: "-M http -m CUSTOM-HEADER:"Cookie: SMCHALLENGE=YES"

Note: The default behavior of NTLM authentication is to use the server supplied domain name. In order to target local accounts, and not domain, use the DOMAIN option to reference the local system: "-m DOMAIN:127.0.0.1".

imap

Available module options:

  • TAG:? (Default: gerg)
  • AUTH:? (Authentication Type (LOGIN/PLAIN/NTLM). Default: automatic)
  • DOMAIN:? [optional]

Usage example: "-M imap -m TAG:A0001 -m AUTH:PLAIN

The DOMAIN option should supply the specified domain appropriately, regardless of authentication type. The domain can also be supplied via the username field, but the format appears to differ by auth type.

Example 1: NTLM authentication with DOMAIN option

"medusa -M imap -m AUTH:NTLM -m DOMAIN:FOODOM -h host -u foo -p bar"

Example 2: NTLM authentication with domain via username

"medusa -M imap -m AUTH:NTLM -h host -u foo@domain -p bar"

* If no domain is specified when using NTLM authentication, the server supplied value will be used.

Example 3: LOGIN authentication with domain via username

"medusa -M imap -m AUTH:LOGIN -h host -u 'domain\\foo' -p bar"

mssql

NOTE: MS-SQL Developer Edition or MSDE's concurrent workload governor limits you to no more than five concurrent connections to the server at any one time.

mysql

Available module options:

  • PASS:? (PASSWORD*, HASH)
  • PASSWORD: Use normal password.
  • HASH: Use a hash rather than a password. (non-SHA1 hashes only)

(*) Default value

Usage examples:

1: Normal boring check…

medusa -M mysql -h somehost -u someuser -p somepassword

2: Using an old-style MySQL hash…

medusa -M mysql -h somehost -U users.txt -p 39b52a209cf03d62 -m PASS:HASH

nntp

Usage example: "-M nntp -U accounts.txt -p password"

pcanywhere

NOTE: PcAnywhere allows only one connection at a time. Running multiple threads per target may not work well.

Available module options:

  • DOMAIN:?

Option allows manual setting of domain to check against when host uses NT authentication.

Usage example: "-M pcanywhere -m DOMAIN:FOODOM"

pop3

Available module options:

  • MODE:? (NORMAL, AS400) [optional]

Sets the mode for error detection.

  • AUTH:? (Authentication Type (USER/PLAIN/LOGIN/NTLM). Default: automatic). 

Module will query service for accepted methods via an "AUTH" request.

USER (clear-text), SASL PLAIN, SASL LOGIN, and SASL NTLM authentication methods are supported.

DOMAIN:? [optional]

AUTH USER - Appends domain to username (e.g. user@domain.com).

AUTH NTLM - Supplies specified domain during NTLM authentication. The default behaviour is to use the server supplied domain value.

Usage example:

medusa -M pop3 -m MODE:AS400 -U accounts.txt -p password
medusa -M pop3 -m DOMAIN:foo.com -U accounts.txt -p password

postgres

Available module options:

  • DB:?

Sets target database name.

Usage example: "-M postgres -m DB:some_db"

rdp

Available module options:

  • DOMAIN:? [optional]

Usage example: "-M rdp"

*** There appears to be thread-safety issues within the FreeRDP library and/or this module. ***

*** It is recommended that you avoid using concurrent hosts/users (i.e., -T/-t).

rsh

Rsh is a service where you either have .rhosts/hosts.equiv access from the source host or you don't. Passwords really don't matter. So the best way to use this module is with a single dummy password and a list of users you suspect may have .rhosts/hosts.equiv allows for your source.

smbnt

Available module options:

  • GROUP:? (DOMAIN, LOCAL*, BOTH)

Option sets NetBIOS workgroup field.

DOMAIN: Check credentials against this hosts primary domain controller via this host.

LOCAL: Check local account.

BOTH: Check both. This leaves the workgroup field set blank and then attempts to check the credentials against the host. If the account does not exist locally on the host being tested, that host then queries its domain controller.

  • GROUP_OTHER:?

Option allows manual setting of domain to check against. Use instead of GROUP.

  • PASS:? (PASSWORD*, HASH, MACHINE)

PASSWORD: Use normal password.

HASH: Use a NTLM hash rather than a password.

MACHINE: Use the machine's NetBIOS name as the password.

  • AUTH:? (LM, NTLM, LMv2*, NTLMv2)/ Option sets LAN Manager Authentication level.

LM:

NTLM:

LMv2:

NTLMv2:

NETBIOS

Force NetBIOS Mode (Disable Native Win2000 Mode). Win2000 mode is the default. Default mode is to test TCP/445 using Native Win2000. If this fails, module will fall back to TCP/139 using NetBIOS mode. To test only TCP/139, use the following:

medusa -M smbnt -m NETBIOS -n 139

(*) Default value

Usage examples:

1: Normal boring check…

medusa -M smbnt -h somehost -u someuser -p somepassword

2: Testing domain credentials against a client system…

medusa -M smbnt -h somehost -U users.txt -p password -m GROUP:DOMAIN

3: Testing each credential from a PwDump file against the target's domain via the target…

medusa -M smbnt -h somehost -C pwdump.txt -m PASS:HASH -m GROUP:DOMAIN

4: Testing each hash from a PwDump file against a specific user local to the target…

medusa -M smbnt -H hosts.txt -C pwdump.txt -u someuser -m PASS:HASH

5: Testing an individual NTLM hash…

medusa -M smbnt -H hosts.txt -u administrator -p 92D887C8010492C2944E2DF489A880E4:7A2EDE4F51BC5A03984C6BA2C239CF63::: -m PASS:HASH

Access level:

This module performs both an SMB authentication request (Session Setup AndX) and a share connection request (Tree Connect AndX). The share connection request is for the default hidden administrative share ADMIN$. The goal is to identify if the credentials being tested have administrative rights to the target system. The following examples highlight how to interrupt the responses.

Valid administrative-level credentials: [SUCCESS (ADMIN$ - Access Allowed)]

Valid user-level credentials: [SUCCESS (ADMIN$ - Access Denied)]

Valid credentials, access level unknown: [SUCCESS (ADMIN$ - Share Unavailable)]

smtp-vrfy

Available module options:

  • HELO [optional]

Use HELO command. Default: EHLO

  • HELODOMAIN:? [optional]

Specify the HELO/EHLO domain. Default: server.domain

  • MAILFROM:? [optional]

Specify the MAIL FROM address. Default: doesnotexist@foofus.net

  • VERB:? (Verb/Command: VRFY/EXPN/RCPT TO. Default: RCPT TO

*** NOTE: Target address domain should be specified within password field. ***

Usage example:

medusa -M smtp-vrfy -m VERB:VRFY -U accounts.txt -p domain.com

smtp

Available module options:

  • EHLO:? [optional] 

Specify the EHLO greeting.

  • AUTH:? (Authentication Type (PLAIN/LOGIN/NTLM). Default: automatic)

Module will query service for accepted methods via an "AUTH" request. PLAIN, LOGIN, and NTLM authentication methods are supported.

  • DOMAIN:? [optional]

The DOMAIN option should supply the specified domain appropriately, regardless of authentication type. The domain can also be supplied via the username field, but the format appears to differ by auth type.

Usage example:

medusa -M smtp -m AUTH:NTLM -U accounts.txt -p password
medusa -M smtp -m EHLO:world -U accounts.txt -p password

snmp

Available module options:

  • TIMEOUT:?

Sets the number of seconds to wait for the UDP responses (default: 5 sec).

  • SEND_DELAY:?

Sets the number of microseconds to wait between sending queries (default: 200 usec).

  • VERSION:? (1*, 2C)

Set the SNMP client version.

  • ACCESS:? (READ*, WRITE)

Set level of access to test for with the community string.

(*) Default value

It should be noted that when testing for WRITE capability, the module will read the current value of sysLocation and then write that same value back to the system.

Since SNMP is a UDP-based protocol, there is no handshaking between sending and receiving transport-layer entities. Due to this connectionless communication, about the only time we know a SNMP service exists, is if we send the correct community string and the server sends a response. All other queries result in no response whatsoever. The approach we use here is to initially just send all of our SNMP GET requests. After that completes, we wait TIMEOUT seconds for any responses. If we get any responses back, we examine them to see which community strings were successful. If ACCESS:WRITE was specified, we check for write access on each of the previously successful values. This techique should allow for quick brute forcing. However, one should take care with the TIMEOUT and SEND_DELAY values as to avoid causing issues with the target service or missing response data.

Usage example: "-M snmp -m TIMEOUT:2 -m ACCESS:WRITE"

ssh

Available module options:

  • BANNER:? (Libssh client banner. Default SSH-2.0-MEDUSA.)

Usage example: "-M ssh -m BANNER:SSH-2.0-FOOBAR"

svn

Available module options:

  • BRANCH:?

Sets URL branch to authenticate against. For example, svn://host/branch.

Usage example: "-M svn -m BRANCH:test_project"

telnet

Available module options:

  • MODE:? (NORMAL, AS400) [optional]

Sets the mode for error detection.

Usage example: "-M telnet -m MODE:AS400 -U accounts.txt -p password"

vmauthd

The VMware Authentication Daemon listens on TCP port 902 and may or may not require a SSL-encrypted connection. This module connects to the service using non-SSL and will automatically switch to SSL if required.

vnc

Available module options:

  • MAXSLEEP:?

Sets the maximum allowed sleep time when the VNC RealVNC anti-brute force delay is encountered. This value is in seconds and, if left unset, defaults to 60.

  • DOMAIN:?

Sets the domain value when authenticating against UltraVNC's MS-Logon feature.

Some versions of VNC have built-in anti-brute force functionality. RealVNC, for example, allows 5 failed attempts and then enforces a 10 second delay. For each subsequent attempt that delay is doubled. UltraVNC appears to allow 6 invalid attempts and then forces a 10 second delay between each following attempt. This module attempts to identify these situations and react appropriately by invoking sleep(). The user can set a sleep limit when brute forcing RealVNC using the MAXSLEEP parameter. Once this value has been reached, the module will exit.

It should be noted that this module currently supports password-less and password-only VNC servers. In addition, it supports UltraVNC's MS-Logon feature that can be used to provide pass-through authentication against local and domain Windows accounts. In the case of basic password-only VNC, provide any arbitrary username value.

Usage example: "-M vnc -m MAXSLEEP:120 -m DOMAIN:FOOFUSDOM"

web-form

Available module options:

  • USER-AGENT:? User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
  • FORM:? Target form to request. Default: "/"
  • DENY-SIGNAL:? Authentication failure message. Attempt flagged as successful if text is not present in server response. Default: "Login incorrect"
  • CUSTOM-HEADER:? Custom HTTP header.

More headers can be defined by using this option several times.

  • FORM-DATA:<METHOD>?<FIELDS>

Methods and fields to send to web service. Valid methods are GET and POST. The actual form data to be submitted should also be defined here. Specifically, the fields: username and password. The username field must be the first, followed by the password field.

Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"

-m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"

wrapper

The purpose of the wrapper module is to allow the user to execute arbitrary scripts while taking advantage of Medusa managing hosts/users/passwords. Sample scripts have been included in the wrapper directory: https://github.com/jmk-foofus/medusa/tree/master/src/modsrc/wrapper

The initial goal for this module was to test RDP servers using rdesktop. A patch to rdesktop 1.4.1 has been included in the /misc/rdesktop directory. This extends the dictionary patch from cqure.net to work with the Medusa wrapper STDIN method. It should be noted that rdesktop doesn't appear to be able to use command-line passwords when connecting to Windows 2000 hosts. Windows 2003 and XP worked fine during testing.

The following example shows one way to use rdesktop with the wrapper module:

medusa -M wrapper -m TYPE:STDIN -m PROG:rdesktop -m ARGS:"-u %U -p - %H" -H hosts.txt -U users.txt -P passwords.txt

One possible method for hiding the graphical output from rdesktop:

% Xvfb :97 -ac -nolisten tcp &

% export DISPLAY=:97

Available module options:

  • TYPE:? (SINGLE, STDIN)

Option sets type of script being called by module. See included sample scripts for ideas how to use this module.

  • SINGLE: Script expects all user input comes from original command line.
  • STDIN: Host and user information passed to script via command line.

Passwords to test are passed via STDIN to script.

  • PROG:?

Option for setting path to executable file.

  • ARGS:?

Option for setting executable parameters. The following substitutions can be used:

  • %H: Replaced with target IP address.
  • %U: Replaced with username to test.
  • %P: Replaced with password to test.

Usage example: '-M wrapper -m TYPE:SINGLE -m PROG:./foo.pl -m ARGS:"-h %H -u %U -p %P"'

Usage example: '-M wrapper -m TYPE:STDIN -m PROG:./bar.pl -m ARGS:"--host %H --user %U"'

Medusa Usage Example

The following command instructs Medusa to test all passwords listed in passwords.txt against a single user (administrator) on the host 192.168.0.20 via the SMB service. The "-e ns" instructs Medusa to additionally check if the administrator account has either a blank password or has its password set to match its username (administrator).

medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt

Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password:  (1/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)

The below command-line demonstrates how to execute some of the parallel features of Medusa. Here at least 20 hosts and 10 users are tested concurrently. The "-L" options instructs Medusa to parallelize by user. This means each of the 10 threads targeting a host checks a unique user.

medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt

Medusa allows host/username/password data to also be set using a "combo" file. The combo file can be specified using the "-C" option. The file should contain one entry per line and have the values colon separated in the format host:user:password. If any of the three fields are left empty, the respective information should be provided either as a global value or as a list in a file. Medusa will perform a basic parameter check based on the contents of the first line in the file.

The following combinations are possible in the combo file:

  • host:username:password
  • host:username:
  • host::
  • :username:password
  • :username:
  • ::password
  • host::password

The following example will check each entry in the file combo.txt

medusa -M smbnt -C combo.txt

The combo.txt file:
192.168.0.20:administrator:password
192.168.0.20:testuser:pass
192.168.0.30:administrator:blah
192.168.0.40:user1:foopass

The following example will check each entry in the file combo.txt against the targets listed in hosts.txt

medusa -M smbnt -C combo.txt -H hosts.txt

The combo.txt file:
:administrator:password
:testuser:pass
:administrator:blah
:user1:foopass

Medusa also supports using PwDump files as a combo file. The format of these files should be user:id:lm:ntlm:::. We look for ':::' at the end of the first line to determine if the file contains PwDump output.

Resume a Medusa scan. Medusa has the ability to resume a scan which was interrupted with a SIGINT signal (e.g. CTRL-C). For example:

../medusa -M ssh -H host.txt -U users.txt -p password
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: bar (4 of 4, 3 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
ALERT: Medusa received SIGINT - Sending notification to login threads that we are are aborting.
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
ALERT: To resume scan, add the following to your original command: "-Z h2u3u4h3."

Interrupted scan being resumed

../medusa -M ssh -H host.txt -U users.txt -p password -Z h2u3u4h3.
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: jmk (3 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: bar (4 of 4, 1 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.15 (3 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)

The following is a brief discription of the resume map:

h2u3u4h3.
+--------- First host which was not 100% completed
  +------- First user for host which was not 100% completed
    +----- First user for host which was not started
      +--- First host which was not started
        +- Map ending mark

How to install Medusa

The program is pre-installed on Kali Linux.

How to install Medusa on Debain, Ubuntu, Linux Mint

sudo apt-get remove medusa
sudo apt-get install automake autoconf m4 perl
git clone https://github.com/jmk-foofus/medusa
cd medusa/
autoreconf -f -i
./configure
make
sudo make install
/usr/local/bin/medusa --help

Medusa Screenshots

The program is a command-line utility.

Medusa Tutorials

Coming soon…

Related tools