Medusa Parallel Network Login Auditor
Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few. Other online crackers are THC Hydra and Ncrack. For downloads and more information, visit the Medusa homepage.What?
Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:- Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
- Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
- Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
Why?
Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:- Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
- Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
- Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
- Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others.
For a quick comparison of Medusa, Ncrack, and THC-Hydra see: medusa-compare.html
How?
How do I use this thing? Simply running "medusa" without any options will dump all the parameters it accepts along with their respective description. Here are several example uses:- Display all modules currently installed:
% medusa -d Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks Available modules in "." : Available modules in "/usr/local/lib/medusa/modules" : + mssql.mod : Brute force module for M$-SQL sessions : version 0.1.0 + http.mod : Brute force module for HTTP : version 0.1.1 + ssh.mod : Brute force module for SSH v2 sessions : version 0.1.1 + smbnt.mod : Brute force module for SMB/NTLMv1 sessions : version 0.1.1 + telnet.mod : Brute force module for telnet sessions : version 0.1.4
- Display specific options for a given module:
% medusa -M smbnt -q Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks smbnt.mod (0.1.1) JoMo-Kun :: Brute force module for SMB/NTLMv1 sessions Available module options: GROUP:? (DOMAIN, LOCAL*, BOTH) Option sets NetBIOS workgroup field. DOMAIN: Check credentials against this hosts primary domain controller via this host. LOCAL: Check local account. BOTH: Check both. This leaves the workgroup field set blank and then attempts to check the credentials against the host. If the account does not exist locally on the host being tested, that host then queries its domain controller. GROUP_OTHER:? Option allows manual setting of domain to check against. Use instead of GROUP. PASS:? (PASSWORD*, HASH, MACHINE) PASSWORD: Use normal password. HASH: Use a NTLM hash rather than a password. MACHINE: Use the machine's NetBIOS name as the password. NETBIOS Force NetBIOS Mode (Disable Native Win2000 Mode). Win2000 mode is the default. Default mode is to test TCP/445 using Native Win2000. If this fails, module will fall back to TCP/139 using NetBIOS mode. To test only TCP/139, use the following: medusa -M smbnt -m NETBIOS -n 139 (*) Default value Usage example: "-M smbnt -m GROUP:DOMAIN -m PASS:HASH"
- The following command instructs Medusa to test all passwords listed in passwords.txt
against a single user (administrator) on the host 192.168.0.20 via the SMB service.
The "-e ns" instructs Medusa to additionally check if the administrator account has
either a blank password or has its password set to match its username
(administrator).
% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: (1/7) ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7) ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7) ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7) ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7) ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7) ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)
- The below command-line demonstrates how to execute some of the parallel features
of Medusa. Here at least 20 hosts and 10 users are tested concurrently. The "-L"
options instructs Medusa to parallelize by user. This means each of the 10 threads
targeting a host checks a unique user.
% medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
- Medusa allows host/username/password data to also be set using a "combo" file. The
combo file can be specified using the "-C" option. The file should contain one entry per
line and have the values colon separated in the format host:user:password. If any of the
three fields are left empty, the respective information should be provided either as a
global value or as a list in a file. Medusa will perform a basic parameter check based on
the contents of the first line in the file.
The following combinations are possible in the combo file:
- host:username:password
- host:username:
- host::
- :username:password
- :username:
- ::password
- host::password
% medusa -M smbnt -C combo.txt
The combo.txt file:
192.168.0.20:administrator:password
192.168.0.20:testuser:pass
192.168.0.30:administrator:blah
192.168.0.40:user1:foopass
The following example will check each entry in the file combo.txt against the targets listed in hosts.txt
% medusa -M smbnt -C combo.txt -H hosts.txt
The combo.txt file:
:administrator:password
:testuser:pass
:administrator:blah
:user1:foopass
Medusa also supports using PwDump files as a combo file. The format of these files should be user:id:lm:ntlm:::. We look for ':::' at the end of the first line to determine if the file contains PwDump output. - Resume a Medusa scan. Medusa has the ability to resume a scan which was interrupted with a
SIGINT signal (e.g. CTRL-C). For example:
Test interrupted with SIGINT
% ../medusa -M ssh -H host.txt -U users.txt -p password
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: bar (4 of 4, 3 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
ALERT: Medusa received SIGINT - Sending notification to login threads that we are are aborting.
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
ALERT: To resume scan, add the following to your original command: "-Z h2u3u4h3."
Interrupted scan being resumed
% ../medusa -M ssh -H host.txt -U users.txt -p password -Z h2u3u4h3.
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: jmk (3 of 4, 0 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: bar (4 of 4, 1 complete) Password: password (1 of 1 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.15 (3 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
The following is a brief discription of the resume map:
h2u3u4h3. +--------- First host which was not 100% completed +------- First user for host which was not 100% completed +----- First user for host which was not started +--- First host which was not started +- Map ending mark
Module specific details:
- AFP
- CVS
- FTP
- HTTP
- IMAP
- MS-SQL
- MySQL
- NetWare NCP
- NNTP
- PcAnywhere
- POP3
- PostgreSQL
- REXEC
- RLOGIN
- RSH
- SMBNT
- SMTP-AUTH
- SMTP-VRFY
- SNMP
- SSHv2
- Subversion (SVN)
- Telnet
- VMware Authentication Daemon (vmauthd)
- VNC
- Generic Wrapper
- Web Form
Where?
Download: medusa-2.1.1.tar.gzMedusa-gui (Java-based GUI developed by tak and bigmoneyhat)
Install Instructions:
General
The majority of Medusa was written and tested on Linux/Gentoo-based systems. While it has been known to work on variety of operating systems, it is quite possible there may be issues that crop up only on non-Gentoo devices. Of course, there are issues that will probably also show up on Gentoo that have so far been missed...Medusa should be fairly straight-forward to build: "./configure; make; make install". However, this may result in a somewhat limited installation. To take full advantage of all the brute-forcing goodness that Medusa has to offer, several dependencies must be satisfied. The following table lists out the modules which have additional dependencies. In order for the modules to function, the appropriate header files must be installed on the system when the modules themselves are compiled. Additional module specific information is included within the documentation for each module.
Dependency | Homepage | Module | Notes |
OpenSSL | http://www.openssl.org | HTTP, MSSQL, SMBNT, SSL-based connections | |
LibSSH2 | http://www.libssh2.org | SSH | LibSSH2 patch provided to address timing issue. Issue appears to be addressed in 0.18. |
NCPFS | ftp://platan.vc.cvut.cz/pub/linux/ncpfs | NCP | Use "make install-dev" to install header files. |
LibPQ | http://www.postgresql.org | PostgreSQL | |
Subversion | http://subversion.tigris.org | SVN | |
afpfs-ng | http://alexthepuffin.googlepages.com/home | AFP | Header files may need to be manually installed. Autoconf currently assumes install base of /usr (e.g. /usr/include/afpfs-ng) |
Linux/Gentoo
At this time Medusa is not available within Portage. An ebuild for Medusa has been submitted to bugs.gentoo.org, but has not yet made its way into Portage. In the meantime, all of the ebuilds can be used via Portage Overlay. For example, Medusa can be installed via the Gentoo "pentoo" overlay located at trac.pentoo.ch. Additionally, the ebuilds have been included and can also be manually installed.The following ebuilds have been included within this distribution:
- /misc/net-analyzer/medusa-2.1.ebuild
- Modify /etc/make.conf
PORTDIR_OVERLAY="/some/directory/"
- Create the following within the PORTDIR_OVERLAY directory:
net-analyzer/medusa
- Place each ebuild and any accompanying files in its respective PORTDIR_OVERLAY directory.
cd into each directory and execute:
ebuild name_of_ebuild.ebuild digest
- Modify /etc/portage/package.keywords
net-analyzer/medusa ~x86
Other Systems
Medusa has been built and basic tests performed on a variety of default system installations. The following tables includes some notes from these tests.Operating System | Distro/Version | Notes |
Linux | BackTrack 5 (32-bit) | Installed: libssl-dev, libncp-dev, libpq-dev, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev, libapr1-dev |
BackTrack 5R1 (32-bit) | Installed: libssl-dev, libncp-dev, libpq-dev, libssh2-1-dev, libsvn-dev | |
CentOS 6.2 (64-bit) | Installed: "Development Tools", openssl-devel, libssh2-devel, postgresql-devel, subversion-devel | |
Debian 5.0.3 | Installed: build-essential, libpcre3-dev, libssl-dev, libncp, libncp-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libsvn-dev | |
Fedora 12 | Installed: pcre-devel, afpfs-ng-devel, ncpfs-devel, postgresql-devel, libssh2-devel, subversion-devel | |
openSUSE 11.2 | Installed: patterns-openSUSE-devel_C_C++, pcre-devel, ncpfs-devel, libssh2-devel, postgresql-devel, subversion-devel | |
Slackware 13.0 | ||
Ubuntu 8.0.4 | ||
Ubuntu 9.10 | ||
Ubuntu 11.10 | Installed: build-essential, libssl-dev, libncp, libncp-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev | |
SunOS | Solaris 11 x86 | Installed: developer-gnu |
BSD | FreeBSD 7.2 | Installed: afpfs-ng, ncpfs, libssh, postgresql, libpq, libsvn |
FreeBSD 9.0-CURRENT (32-bit) | ||
OpenBSD 5.0 (64-bit) | ||
Mac OS X | OS X 10.6 | Installed: MacPorts |
OS X 10.7 | Installed: HomeBrew | |
Microsoft Windows | Cygwin | I have been unable to build the modules under Cygwin. If anyone can figure this out, I'll buy you a beer at the next DefCon. |
Who?
This fine piece of buggy software was brought to you by the geeks at Foofus.net. JoMo-Kun was the chief goon and wrote the core of Medusa along with several of the modules. Foofus created the initial design for the loadable modules. Fizzgig provided the networking code, several modules, the loadable module implementation along with also fixing a bunch JoMo-Kun's crappy stuff. pMonkey was a crazy module coding fiend. Last, but certainly not least, Heidi provided the tool's name.Huh?
If you have questions regarding this application, feel free to contact us. Either send me email directly or join our mailing list foofus-tools. If it breaks, please send a detailed bug report. Even better, send in a patch. I make no claims that this program will do what you want it to. I've been using it during our assessments for years now successfully. Hopefully, others will have similar luck. If you find Medusa useful and want to give something back, please submit new modules, code improvements or just buy any of the Foofus.net goons a beer at the next DefCon.Click: Download
0 comments:
Post a Comment