Medusa

From aldeid

Description

Medusa is a speedy, massively parallel, modular, login brute-forcer that supports many services which allow remote authentication.

Here is the list of available services:

Module | Description | Avail. in ver
AFP | The AFP module tests accounts against the Apple Filing Protocol service. This AFP module leverages the afpfs-ng FUSE-based client (http://alexthepuffin.googlepages.com/home). | 2.0+
CVS | The CVS module tests accounts against the CVS version control system via the pserver protocol. | 1.5+
FTP | The FTP module tests accounts against the FTP and FTPS services. This includes both Explicit FTPS (AUTH TLS mode as defined in RFC 4217) and Implicit FTPS (FTP over SSL, 990/tcp). | 1.5+
HTTP | The HTTP module tests accounts against HTTP/HTTPS services using BASIC-AUTH, integrated Windows authentication (NTLM) and Digest (MD5 and MD5-sess). | 1.5+
IMAP | The IMAP module tests accounts against the IMAP service. This module supports both imap (143) and imaps (993). The IMAP module asks for the server's capabilities and then does either a LOGIN or an AUTHENTICATE PLAIN, depending on its response. | 1.5+
MS-SQL | The MSSQL module tests accounts against the Microsoft MS-SQL service. | 1.5+
MySQL | The MySQL module tests accounts against the MySQL service. | 1.5+
NetWare NCP | The NCP module tests accounts against the NetWare NCP service. This module was developed using a NetWare 5.1 host as the target. | 1.5+
NNTP | The NNTP module tests accounts against the Network News Transfer Protocol via AUTHINFO. | 1.5+
PcAnywhere | The PcAnywhere module tests accounts against the Symantec PcAnywhere service. | 1.5+
POP3 | The POP3 module tests accounts against the POP3 service. | 1.5+
PostgreSQL | The PostgreSQL module tests accounts against the PostgreSQL service. | 1.5+
REXEC | The REXEC module tests accounts against the REXEC service. | 1.5+
RLOGIN | The RLOGIN module tests accounts against the RLOGIN service. | 1.5+
RSH | The RSH module tests accounts against the RSH service. | 1.5+
SMBNT | The SMBNT module tests accounts against the Microsoft netbios-ssn (TCP/139) and microsoft-ds (TCP/445) services. Besides testing normal passwords, this module allows Medusa to directly test NTLM hashes against a Windows host. This may be useful for an auditor who has acquired a sam._ or pwdump file and would like to quickly determine which are valid entries. | 1.5+
SMTP-AUTH | Brute force module for SMTP Authentication with TLS (STARTTLS extension). Called smtp.mod under version 1.5. | 1.5+
SMTP-VRFY | The SMTP-VRFY module can be used to enumerate which accounts are valid on a mail server. | 1.5+
SNMP | The SNMP module tests community strings against the Simple Network Management Protocol (SNMP) service. | 1.5+
SSH | The SSH module tests accounts against the SSH service using SSH version 2. The module currently supports brute-forcing the SSH keyboard-interactive and password authentication modes. | 1.5+
Subversion (SVN) | The SVN module tests accounts against the Subversion (SVN) service. | 1.5+
TELNET | The TELNET module tests accounts against the TELNET service. This module supports both telnet (23) and telnets (992). | 1.5+
VMware Authentication Daemon (vmauthd) | The VMWAUTHD module tests accounts against the VMware Authentication Daemon. It supports both non-SSL and SSL-encrypted installations of the service. | 1.5+
VNC | The VNC module tests accounts against the VNC service. | 1.5+
WEB-FORM | Basic web form brute force module which handles GET/POST requests. Supports customizable submit parameters and server response text. | 1.5+
Generic-Wrapper | The purpose of the wrapper module is to allow the user to execute arbitrary scripts while taking advantage of Medusa managing hosts/users/passwords. Two sample scripts have been included in the wrapper directory. | 1.5+

Installation

Installation from packages

Installing from your distribution's packages will give you Medusa 1.5. For a more recent version, see installation from sources.

Installation from sources

Prerequisites

OpenSSL

See installation of OpenSSL from sources

Libssh2

$ cd /data/src/
$ wget http://libssh2.org/download/libssh2-1.2.7.tar.gz
$ tar xzvf libssh2-1.2.7.tar.gz
$ cd libssh2-1.2.7/
$ ./configure
$ make
$ sudo make install

NCPFS

$ sudo apt-get install ncpfs

LibPQ

The libpq-dev package installs the PostgreSQL client libraries needed by the postgres module.

$ sudo apt-get install libpq-dev

Subversion

Subversion is a version control system. To install this prerequisite, just type:

$ sudo apt-get install subversion

afpfs-ng

afpfs-ng is an open source client for the Apple Filing Protocol. Before you install it, check that you have the following dependencies:

$ sudo apt-get install libgcrypt11-dev libreadline6-dev libfuse-dev

To install afpfs-ng, type:

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/afpfs-ng/afpfs-ng/0.8.1/afpfs-ng-0.8.1.tar.bz2
$ bzip2 -cd afpfs-ng-0.8.1.tar.bz2 | tar xf -
$ cd afpfs-ng-0.8.1/
$ ./configure
$ make
$ sudo make install

Installation of Medusa

$ cd /data/src/
$ wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
$ tar xzvf medusa-2.0.tar.gz
$ cd medusa-2.0/
$ ./configure
$ make
$ sudo make install

Usage

Syntax

Basic syntax is:

medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

To list all available modules, issue the following command:

$ medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

 Available modules in "." :

 Available modules in "/usr/lib/medusa/modules" :
   + cvs.mod : Brute force module for CVS sessions : version 1.0.0
   + ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
   + http.mod : Brute force module for HTTP : version 1.3.0
   + imap.mod : Brute force module for IMAP sessions : version 1.2.0
   + mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
   + mysql.mod : Brute force module for MySQL sessions : version 1.2
   + ncp.mod : Brute force module for NCP sessions : version 1.0.0
   + nntp.mod : Brute force module for NNTP sessions : version 1.0.0
   + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
   + pop3.mod : Brute force module for POP3 sessions : version 1.2
   + postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
   + rexec.mod : Brute force module for REXEC sessions : version 1.1.1
   + rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
   + rsh.mod : Brute force module for RSH sessions : version 1.0.1
   + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
   + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
   + smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
   + snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
   + ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
   + svn.mod : Brute force module for Subversion sessions : version 1.0.0
   + telnet.mod : Brute force module for telnet sessions : version 1.2.2
   + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
   + vnc.mod : Brute force module for VNC sessions : version 1.0.1
   + web-form.mod : Brute force module for web forms : version 1.0.0
   + wrapper.mod : Generic Wrapper Module : version 1.0.1

To get help on a specific module (without .mod extension), issue:

$ medusa -M <module> -q

Example for web-form:

$ medusa -M web-form -q
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

web-form.mod (1.0.0) Luciano Bello <[email protected]> :: Brute force module for web forms

Available module options:
  USER-AGENT:?       User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
  FORM:?             Target form to request. Default: "/"
  DENY-SIGNAL:?      Authentication failure message. Attempt flagged as successful if text is not present in
                     server response. Default: "Login incorrect"
  FORM-DATA:<METHOD>?<FIELDS>
                     Methods and fields to send to web service. Valid methods are GET and POST. The actual form
                     data to be submitted should also be defined here. Specifically, the fields: username and
                     password. The username field must be the first, followed by the password field.
                     Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
                 -m FORM-DATA:"post?user=&pass=&submit=True"

Specific syntax

See the Examples section below.

Examples

web-form

Consider the following PHP form:

<html>
<body>
<?php
if(isset($_POST['u']) && isset($_POST['p'])) {
  if($_POST['u']=='admin' && $_POST['p']=='password') {
    echo('ACCESS GRANTED');
  } else {
    echo('ACCESS DENIED');
  }
}
?>
<form name="f1" method="post" action="test.php">
<p>Login: <input type="text" name="u" /></p>
<p>Password: <input type="password" name="p" /></p>
<p><input type="submit" name="Login" value="Login" /></p>
</form>
</body>
</html>

Given that we already know there is a valid "admin" account, we can use Medusa to brute-force the form with the following command (note that FORM is the path relative to the web root, and that the field names in FORM-DATA must match the form's input names, username first, then password):

$ medusa \
  -h 127.0.0.1 \
  -u admin \
  -P /data/dict/dict.txt \
  -M web-form \
  -m FORM:"admin/test.php" \
  -m DENY-SIGNAL:"ACCESS DENIED" \
  -m FORM-DATA:"post?u=&p=&Login=Login"

It produces the following results:

ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: oops (1 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: 123 (2 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: 1234 (3 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: all (4 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: nimda (5 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: administrator (6 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: admin (7 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: pass (8 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: passwd (9 of 15 complete)
ACCOUNT CHECK: [web-form] Host: 127.0.0.1 (1 of 1, 1 complete) User: admin (1 of 1, 1 complete) Password: password (10 of 15 complete)
ACCOUNT FOUND: [web-form] Host: 127.0.0.1 User: admin Password: password [SUCCESS]
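From the defender's side, the run above leaves a very recognisable trace in the web server's access log: a burst of POST requests to the login form from a single source, and (unless the auditor overrides USER-AGENT) the web-form module's default User-Agent string quoted in the -q output earlier. Because the sample PHP form answers both outcomes with HTTP 200, status codes alone will not separate failures from successes, so the script below counts POSTs to the login path per source address inside a sliding window and also matches the default User-Agent. This is an added example, not code from the Medusa project or from this page; the log lines are constructed, the Apache/nginx combined log format and the /admin/test.php path are assumed, and the threshold and window are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent of Medusa's web-form module, as shown by "medusa -M web-form -q".
MEDUSA_DEFAULT_UA = "I'm not Mozilla, I'm Ming Mong"


def parse_line(line):
    """Parse one combined-format log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    stamps = sorted(stamps)
    best, j = 0, 0
    for i, t in enumerate(stamps):
        while stamps[j] < t - window:   # drop timestamps that fell out of the window
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_bruteforce(lines, login_path, threshold=10, window=timedelta(seconds=60)):
    """Summarise POSTs to `login_path` per source IP and flag likely brute-force sources.

    An IP is flagged when it sends `threshold` or more POSTs to the login path
    within `window`, or when it presents Medusa's default User-Agent at all.
    """
    posts = defaultdict(list)
    medusa_ua = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
        if rec["ua"] == MEDUSA_DEFAULT_UA:
            medusa_ua.add(rec["ip"])
    findings = {}
    for ip in set(posts) | medusa_ua:
        burst = max_in_window(posts[ip], window) if posts[ip] else 0
        findings[ip] = {
            "attempts": len(posts[ip]),
            "max_per_window": burst,
            "medusa_ua": ip in medusa_ua,
            "suspicious": burst >= threshold or ip in medusa_ua,
        }
    return findings


# Constructed sample log (not real traffic): a burst of 12 POSTs to the login form
# from one address, a normal browser session from a second, and a single POST
# carrying the Medusa default User-Agent from a third.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{36 + i:02d} +0000] '
    f'"POST /admin/test.php HTTP/1.1" 200 15 "-" "{MEDUSA_DEFAULT_UA}"'
    for i in range(12)
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/test.php HTTP/1.1" 200 412 "-" "{BROWSER_UA}"',
    f'198.51.100.7 - - [10/Oct/2023:13:55:52 +0000] "POST /admin/test.php HTTP/1.1" 200 15 "-" "{BROWSER_UA}"',
    f'192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "POST /admin/test.php HTTP/1.1" 200 15 "-" "{MEDUSA_DEFAULT_UA}"',
]

if __name__ == "__main__":
    for ip, f in sorted(detect_bruteforce(SAMPLE_LOG, "/admin/test.php").items()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{ip:15} attempts={f['attempts']:3} burst={f['max_per_window']:3} "
              f"medusa_ua={str(f['medusa_ua']):5} {flag}")
```

Run it directly to print a per-IP summary; for a real log, replace SAMPLE_LOG with the file's lines and set login_path to the path given in FORM. The User-Agent match is cheap but brittle (a single -m USER-AGENT option defeats it), so the rate-based rule is the one worth keeping; the threshold should be set from the normal failed-login rate of the application rather than the value used here.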
