Medusa: How to use password cracker

Passwords are often the weakest link in a system and that is why we continue to browse the tools in the password crackers. This time we will study the Medusa password cracker, a well known one . tool.

It is a tool that can work very fast as a brute-force connector on a system. As we have explained in earlier articles Brute Force (or otherwise brutal attack) we call the exhaustive testing of possible keys that produce a cryptogram to reveal the original message. The purpose of Medusa is to support as many protocols and services as possible to support remote authentication (eg ssh). Some of the benefits of this application are summarized below:

• Parallel use: Brute forcing can take place against multiple hosts, users or passwords at the same time.
• Eflexibility: The target information (host / user / password) can be specified in different ways.
• Multi-protocol support: Medusa can support different services and protocols (eg SMP, HTTP, POP3, MS-SQL, SSHv2 etc.)

How to install it

Medusa is offered for operating systems Linux, Windows and MacOS. In the well known version of operating system for penetration tester, Kali Linux you will find Medusa pre-installed.

Linux

You should first refresh your repositories and install the dependencies that are needed:

Then you need to install the 3 version Python (required by Medusa v0.3.0 version onwards) using the appropriate commands depending on the version of your operating system.

Then create a group and a user named medusa. This is needed to ensure that the tool will not affect the security of our computer and run isolated:

Then clone the Git repo for Medusa:

For systems SysVinit, you need to copy service init.d:

For Ubuntu:

For Debian:

Make sure the new service has the appropriate permissions:

Refresh and start the new service:

For systems Upstart, you need to copy service init.d:

Make sure the new service has the appropriate permissions:

Refresh and start the new service:

For systems Systemd, you need to copy service init.d:

Make sure the new service has the appropriate permissions:

Get started and check the status of the new service:

Make Medusa run at startup (optional):

To make sure everything went well, check if Medusa is accessible at: http: //localhost: 8081

Windows

Because installing the tool in a Windows environment can be extremely complicated for many users, the creators of Medusa have created a Windows installer that can download all the necessary files and proceed with their installation. It can also create a service so that the Medusa starts automatically when they start Windows.

You should first visit her official Github page of the tool and download the latest available version.

In the folder you just downloaded, locate the installer and run it. What you'll see on your screen looks like the picture below.

To proceed with the installation, press Next and then select the installation folder. Select the option again Next to move on. The next window will ask if you would like to create a shortcut for the tool in the home menu.

The next window will ask you for the door on which you want Medusa to run. It is advisable to leave the default value as it is and proceed with the installation by pressing the button Next.

In the next window you will be asked if you would like to create a shortcut to your desktop.

The penultimate installation window will show you a summary of the settings you have selected and the dependencies to be installed with Medusa. If you select the button install the necessary files will start to download and then the installation will be completed after you press the button Finish.

If all goes well you can open anyone browser and visit Medusa's web interface at: http://localhost:8081.

How to use it

To view all available tool options and their corresponding description, open a terminal and type Medusa.

root @ kali-: ~ # medusa Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net> Syntax: Medusa [-h host | -H file] [ -u username | -U file] [-p password | -p file] [-C file] -M module [OPT] -h [TEXT]: Target hostname or IP address -H [FILE]: File containing target hostnames or IP addresses -u [TEXT]: Username to test -U [FILE]: File containing usernames to test -p [TEXT]: Password to test -P [FILE]: File containing passwords to test -C [FILE]: File containing combo entries. See README for more information. -O [FILE]: File to append log information to -e [n / s / ns]: Additional password checks ([n] No Password, [s] Password = Username) -M [TEXT]: Name of the module to execute (without the .mod extension) -m [TEXT]: Parameter to pass to the module. This can be passed multiple times with different parameters each time and they will all be sent to the module (ie -m Param1 -m Param2, etc.) -d: Dump all known modules -n [NUM]: Use for non- default TCP port number -s: Enable SSL -g [NUM]: Sleep NUM seconds between retry attempts (default 3) -r [NUM]: Give up after trying to connect for NUM seconds (default 3) -r [NUM]: Attempt NUM retries before giving up. The total number of attempts will be NUM + 1. -c [NUM]: Time to wait in usec to verify socket is available (default 500 usec). -t [NUM]: Total number of logins to be tested concurrently -T [NUM]: Total number of hosts to be tested concurrently -L: Parallelize logins using one username per thread. The default is to process the entire username before proceeding. -f: Stop scanning host after first valid username / password found. -F: Stop audit after first valid username / password found on any host. -b: Suppress startup banner -q: Display module usage information -v [NUM]: Verbose level [0 - 6 (more)] -w [NUM]: Error debug level [0 - 10 (more)] -V: Display version -Z [TEXT]: Resume scan based on previous map map

Examples of different commands you can run, depending on the attack protocol, can be found below:

Find a specific password username

As we have already mentioned Medusa is a very fast tool, capable of working together with different protocols.

For example, if you want to crack the ssh password for a specific username, you can use the dictionary attack technique (dictionary attack). The parameter -u is used to declare a specific username and password -P to declare the dictionary file:

Finding username for a specific one password

In the reverse case, where you own the password and want to check which username (for ssh service or other) it corresponds to, you can use the same dictionary attack technique:

Finding username and a corresponding password

Combined, if you want to find a username and password (for ssh service or another) you can run the following again with the dictionary attack technique. The parameter -U Enables dictionary mode for possible usernames and -P for possible passwords.

Save result to disk

For maintenance and reading purposes, you can record the results of the Medusa commands in a file. For this reason, use the parameter -THE and then the desired file title:

Continuing the attack

Many times an attack can be stopped or a block canceled, so using the parameter - G. you can continue the attack by running the last failed command instead of starting at the beginning:

Attack on a specific door

Network admins often change the number of one service door to another. In previous cases where we tested the ssh service, Medusa ran the attack on the 22 door, the default ssh door.

However, using the parameter -n you can run the attack by choosing the number of the door you want to control, not the default door number service.

So, by scanning a particular network, we found that the ssh door is 2222 and not 22. For this reason we should run the following command

How did Medusa look to you? Would you prefer it?