Password guessing with Medusa 2.0

1843
Medusa is my password forcer of choice! Mainly because of its speed. If you’re hoping to try it on a Windows box, sorry you’re out of luck. As far as I know, there is no Windows port. In which case you’re next best alternative is Hydra. See last week’s post found here.

Medusa was created by the fine folks at foofus.net, in fact the much awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit http://www.foofus.net/jmk/medusa/changelog

Medusa is a command line tool, as far as I know there is no GUI front end. But don’t let that scare you, it’s super simple to operate. The foo magic of compiling from source is the hardest part. Although if you’re running Ubuntu, Medusa is in their repository. Starting with Ubuntu 10.10 Medusa packages were updated to latest 2.0 release. If you’re a Fedora fan boy, good news; Medusa RPM is available. With Fedora 16 Medusa was updated to release 2.0. Anything prior will use Medusa 1.5. Other distros may have to compile from source.

Compiling Medusa from source:

1. Download Medusa 2.0 source from foofus.net
2. Decompress tarball tar -xvf medusa-2.0.tar.gz

3. Perform usual compile foo magic./configure
make
make install

One word of caution. During the ./configure process a module check is performed. If dependencies have not been met, Medusa will not support those modules. You’ll have to ensure all dependencies are satisfied before running make and make install. Have a look here if you run into trouble http://foofus.net/~jmk/medusa/medusa.htmlInstalling Medusa from Ubuntu Repository:

1. apt-get update
2. apt-get install medusaBasic password guessing with Medusa:

If you’d like to see all Medusa options, execute medusa with no switches.
If you’d like to see all supported modules execute medusa -d

In its most basic form Medusa requires the following information:

1. Target host
2. User name or text file with user names
3. Password or text file with passwords
4. Module name

For example; If I want to try a single password guess of abc123 against the Administrator account on a Windows box with an IP address of 192.168.100.1

medusa -h 192.168.100.1 -u Administrator -p abc123 -M smbnt

In a Windows environment the Administrator account is special in that it is the only account which cannot be locked out. Although watch out, some environments remove this feature. Before you brute force accounts ensure you know the lockout policy. But let’s pretend in this example the Administrator account does not lock out. This means I can attempt as many password guesses as I’d like. In this case I’d download a pre-compiled password list. Then, let Medusa loose and wait.

medusa -h 192.168.100.1 -u Administrator -P passwordlist.txt -M smbnt

Depending on the latency between you and the target host, limiting concurrent attempts may be a good idea. This can be accomplished with -t or if you’d like Medusa to stop after first succesful username, password combination use -f

Medusa is simple, fast and effective. I especially love the number of modules it supports, including web forms. How many times have you wanted to password guess a web site login? With Medusa it is possible, simply provide the proper URL. Medusa even supports SSL and if your target is using security through obscurity by using a non standard port, Medusa supports that too. Specify non standard ports with -n

Administrators should be auditing passwords regularly. Weak passwords are your number one concern. If you allow users to generate a weak password they will. You’re best bet is to implement a good password policy and enforce it.

For more information please visit our blog at: www.digitalboundary.net/wp