Medusa Parallel Network Login Auditor

JoMo-Kun / jmk "AT" foofus "DOT" net

What?
Why?
How?
Where?
Who?
Huh?

What?

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Why?

Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:

Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others.

For a quick comparison of Medusa, Ncrack, and THC-Hydra see: medusa-compare.html

How?

How do I use this thing? Simply running "medusa" without any options will dump all the parameters it accepts along with their respective description. Here are several example uses:

Display all modules currently installed:

% medusa -d
 
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

  Available modules in "." :
  Available modules in "/usr/local/lib/medusa/modules" :
    + mssql.mod :
      Brute force module for M$-SQL sessions : version 0.1.0
    + http.mod :
      Brute force module for HTTP : version 0.1.1
    + ssh.mod :
      Brute force module for SSH v2 sessions : version 0.1.1
    + smbnt.mod :
      Brute force module for SMB/NTLMv1 sessions : version 0.1.1
    + telnet.mod :
      Brute force module for telnet sessions : version 0.1.4

Display specific options for a given module:

% medusa -M smbnt -q 
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

smbnt.mod (0.1.1) JoMo-Kun :: Brute force module for SMB/NTLMv1 sessions

Available module options:
  GROUP:? (DOMAIN, LOCAL*, BOTH)
    Option sets NetBIOS workgroup field.
    DOMAIN: Check credentials against this hosts primary domain controller via this host.
    LOCAL:  Check local account.
    BOTH:   Check both. This leaves the workgroup field set blank and then attempts to check
            the credentials against the host. If the account does not exist locally on the
            host being tested, that host then queries its domain controller.
  GROUP_OTHER:?
    Option allows manual setting of domain to check against. Use instead of GROUP.
  PASS:?  (PASSWORD*, HASH, MACHINE)
    PASSWORD: Use normal password.
    HASH:     Use a NTLM hash rather than a password.
    MACHINE:  Use the machine's NetBIOS name as the password.
  NETBIOS
    Force NetBIOS Mode (Disable Native Win2000 Mode). Win2000 mode is the default.
    Default mode is to test TCP/445 using Native Win2000. If this fails, module will
    fall back to TCP/139 using NetBIOS mode. To test only TCP/139, use the following:
    medusa -M smbnt -m NETBIOS -n 139

(*) Default value
Usage example: "-M smbnt -m GROUP:DOMAIN -m PASS:HASH"

The following command instructs Medusa to test all passwords listed in passwords.txt against a single user (administrator) on the host 192.168.0.20 via the SMB service. The "-e ns" instructs Medusa to additionally check if the administrator account has either a blank password or has its password set to match its username (administrator).


% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt

Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password:  (1/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)

The below command-line demonstrates how to execute some of the parallel features of Medusa. Here at least 20 hosts and 10 users are tested concurrently. The "-L" options instructs Medusa to parallelize by user. This means each of the 10 threads targeting a host checks a unique user.
```
% medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
```
Medusa allows host/username/password data to also be set using a "combo" file. The combo file can be specified using the "-C" option. The file should contain one entry per line and have the values colon separated in the format host:user:password. If any of the three fields are left empty, the respective information should be provided either as a global value or as a list in a file. Medusa will perform a basic parameter check based on the contents of the first line in the file.
The following combinations are possible in the combo file:
- host:username:password
- host:username:
- host::
- :username:password
- :username:
- ::password
- host::password
The following example will check each entry in the file combo.txt
% medusa -M smbnt -C combo.txt
The combo.txt file:
192.168.0.20:administrator:password 192.168.0.20:testuser:pass 192.168.0.30:administrator:blah 192.168.0.40:user1:foopass
The following example will check each entry in the file combo.txt against the targets listed in hosts.txt
% medusa -M smbnt -C combo.txt -H hosts.txt
The combo.txt file:
:administrator:password :testuser:pass :administrator:blah :user1:foopass
Medusa also supports using PwDump files as a combo file. The format of these files should be user:id:lm:ntlm:::. We look for ':::' at the end of the first line to determine if the file contains PwDump output.
Resume a Medusa scan. Medusa has the ability to resume a scan which was interrupted with a SIGINT signal (e.g. CTRL-C). For example:
Test interrupted with SIGINT
% ../medusa -M ssh -H host.txt -U users.txt -p password Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: bar (4 of 4, 3 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete) ALERT: Medusa received SIGINT - Sending notification to login threads that we are are aborting. ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete) ALERT: To resume scan, add the following to your original command: "-Z h2u3u4h3."
Interrupted scan being resumed
% ../medusa -M ssh -H host.txt -U users.txt -p password -Z h2u3u4h3. Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: jmk (3 of 4, 0 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: bar (4 of 4, 1 complete) Password: password (1 of 1 complete) ACCOUNT CHECK: [ssh] Host: 192.168.0.15 (3 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
The following is a brief discription of the resume map:
```
h2u3u4h3.
+--------- First host which was not 100% completed
  +------- First user for host which was not 100% completed
    +----- First user for host which was not started
      +--- First host which was not started
        +- Map ending mark
```

Module specific details:

Where?

GitHub
Medusa-gui (Java-based GUI developed by tak and bigmoneyhat)

Install Instructions:

General

The majority of Medusa was written and tested on Linux/Gentoo-based systems. While it has been known to work on variety of operating systems, it is quite possible there may be issues that crop up only on non-Gentoo devices. Of course, there are issues that will probably also show up on Gentoo that have so far been missed...

Medusa should be fairly straight-forward to build: "./configure; make; make install". However, this may result in a somewhat limited installation. To take full advantage of all the brute-forcing goodness that Medusa has to offer, several dependencies must be satisfied. The following table lists out the modules which have additional dependencies. In order for the modules to function, the appropriate header files must be installed on the system when the modules themselves are compiled. Additional module specific information is included within the documentation for each module.

Dependency Homepage Module Notes

OpenSSL http://www.openssl.org HTTP, MSSQL, SMBNT, SSL-based connections

LibSMB2 https://github.com/sahlberg/libsmb2 SMBNT (SMBv2 Support) SMBNT module natively supports SMBv1. If libsmb2 is present, it also supports SMBv2/3 and SMB signing.
LibSSH2 http://www.libssh2.org SSH LibSSH2 patch provided to address timing issue. Issue appears to be addressed in 0.18.

NCPFS ftp://platan.vc.cvut.cz/pub/linux/ncpfs NCP Use "make install-dev" to install header files.

LibPQ http://www.postgresql.org PostgreSQL

Subversion http://subversion.tigris.org SVN

afpfs-ng http://alexthepuffin.googlepages.com/home AFP Header files may need to be manually installed. Autoconf currently assumes install base of /usr (e.g. /usr/include/afpfs-ng)

It should also be noted that, by default, not all of the modules are built. Incomplete modules or modules which have not been sufficiently tested may be disabled. The "configure" output should identify which modules it will attempt to build. To enable non-default modules, use the "--enable-module-MODULE_NAME" configure option.

Linux/Gentoo

At this time Medusa is not available within Portage. An ebuild for Medusa has been submitted to bugs.gentoo.org, but has not yet made its way into Portage. In the meantime, all of the ebuilds can be used via Portage Overlay. For example, Medusa can be installed via the Gentoo "pentoo" overlay located at trac.pentoo.ch. Additionally, the ebuilds have been included and can also be manually installed.

The following ebuilds have been included within this distribution:

/misc/net-analyzer/medusa-2.1.ebuild

Some basic Portage Overlay instructions:

Modify /etc/make.conf
PORTDIR_OVERLAY="/some/directory/"
Create the following within the PORTDIR_OVERLAY directory:
net-analyzer/medusa
Place each ebuild and any accompanying files in its respective PORTDIR_OVERLAY directory.
cd into each directory and execute:
ebuild name_of_ebuild.ebuild digest
Modify /etc/portage/package.keywords
net-analyzer/medusa ~x86

MacOS

First download the source code and change to the Medusa directory:

git clone https://github.com/jmk-foofus/medusa
cd medusa

Also install the needed dependencies using Homebrew:

brew cask install xquartz
brew install freerdp

Then add the Freerdp path for executing the configuration without issues:

$ export FREERDP2_CFLAGS='-I/usr/local/include'
$ export FREERDP2_LIBS='-I/usr/local/lib/freerdp'

Then build things:

./configure
make && make install

Then copy the binary to your binaries folder

sudo cp src/medusa  /usr/local/bin

Now you can start using Medusa:

medusa

Other Systems

Medusa has been built and basic tests performed on a variety of default system installations. The following tables includes some notes from these tests.

Medusa v2.3

Operating System	Distro/Version	Notes
Linux	BackBox 8.1	Installed: automake, libssl-dev, libpq5, libpq-dev, libsmb2, libssh2-1, libssh2-1-dev, libsvn-dev, freerdp2-dev
	Debian Sid (64-bit)	Installed: build-essential, automake, libssl-dev, libpq5, libpq-dev, libsmb2, libssh2-1, libssh2-1-dev, libsvn-dev, freerdp2-dev
	Fedora 23	Installed: "Development Tools", automake, afpfs-ng-devel, libssh2-devel, libpq-devel, subversion-devel, freerdp-devel
	Kali 2024.1 (64-bit)	Installed: automake, libssl-dev, libpq5, libpq-dev, libsmb2, libssh2-1, libssh2-1-dev, libsvn-dev, freerdp2-dev
	Ubuntu 22.04 (64-bit, WSL)	Installed: build-essential, automake, libssl-dev, libpq5, libpq-dev, libsmb2, libssh2-1, libssh2-1-dev, libsvn-dev, freerdp2-dev

Medusa v2.2 and earlier

Operating System	Distro/Version	Notes
Linux	CentOS 7.1 (64-bit)	Installed: "Development Tools", openssl-devel, libssh2-devel, postgresql-devel, subversion-devel, freerdp-devel
	Debian 8.0.0 (64-bit)	Installed: build-essential, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libsvn-dev, freerdp, libfreerdp-dev, libncp, libncp-dev
	Fedora 21	Installed: "Development Tools", afpfs-ng-devel, openssl-devel, libssh2-devel, postgresql-devel, subversion-devel, freerdp-devel
	Kali 2020.4 (64-bit) [WSL]	Installed: build-essential, autoconf, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgnutls28-dev, libsvn-dev, freerdp2-dev
	Mint 17	Installed: build-essential, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev, freerdp, libfreerdp-dev
	openSUSE 11.2	Installed: patterns-openSUSE-devel_C_C++, ncpfs-devel, libssh2-devel, postgresql-devel, subversion-devel
	Ubuntu 20.04	Installed: build-essential, autoconf, libssl-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgnutls28-dev, libsvn-dev, freerdp2-dev
SunOS	Solaris 11 x86	Installed: developer-gnu
BSD	FreeBSD 7.2	Installed: afpfs-ng, ncpfs, libssh2, postgresql, libpq, libsvn
Mac OS X	OS X 10.11 (El Capitan)	Installed: Homebrew, XCode, "brew install freerdp --HEAD", "brew install libssh2 postgresql subversion"
Microsoft Windows	Cygwin	I have been unable to build the modules under Cygwin. If anyone can figure this out, I'll buy you a beer at the next DefCon.

Who?

This fine piece of buggy software was brought to you by the geeks at Foofus.net. JoMo-Kun was the chief goon and wrote the core of Medusa along with several of the modules. Foofus created the initial design for the loadable modules. Fizzgig provided the networking code, several modules, the loadable module implementation along with also fixing a bunch JoMo-Kun's crappy stuff. pMonkey was a crazy module coding fiend. Last, but certainly not least, Heidi provided the tool's name.

Huh?

If you have questions regarding this application, feel free to contact us. Either send me email directly or join our mailing list foofus-tools. If it breaks, please send a detailed bug report. Even better, send in a patch. I make no claims that this program will do what you want it to. I've been using it during our assessments for years now successfully. Hopefully, others will have similar luck. If you find Medusa useful and want to give something back, please submit new modules, code improvements or just buy any of the Foofus.net goons a beer at the next DefCon.

Dependency	Homepage	Module	Notes
OpenSSL	http://www.openssl.org	HTTP, MSSQL, SMBNT, SSL-based connections
LibSMB2	https://github.com/sahlberg/libsmb2	SMBNT (SMBv2 Support)	SMBNT module natively supports SMBv1. If libsmb2 is present, it also supports SMBv2/3 and SMB signing.
LibSSH2	http://www.libssh2.org	SSH	LibSSH2 patch provided to address timing issue. Issue appears to be addressed in 0.18.
NCPFS	ftp://platan.vc.cvut.cz/pub/linux/ncpfs	NCP	Use "make install-dev" to install header files.
LibPQ	http://www.postgresql.org	PostgreSQL
Subversion	http://subversion.tigris.org	SVN
afpfs-ng	http://alexthepuffin.googlepages.com/home	AFP	Header files may need to be manually installed. Autoconf currently assumes install base of /usr (e.g. /usr/include/afpfs-ng)