Installer medusa brute force




















But you can use the -n option, which sets a specific port number, to launch the attack on the mentioned port instead of the default port. Suppose on scanning the target network I found SSH is running port instead of 22, therefore, I will execute the following command for the SSH login attack. As you can observe, the 1st medusa command fails to connect on SSH as port 22 was closed, and it has found 1 valid password: for username: raj for SSH login port As you can observe, with every username it is trying to match the following combination along with the password list.

For record keeping, better readability, and future reference, we save the output of the Medusa brute force attack to a file. To do this we will use Medusa's -O parameter to save the output in a text file.

If you want to hide the Medusa banner while making a brute force attack, use the -b option to suppress the startup banner. There are six levels for the verbose mode to examine the attack details, and there is also an error debug option that has ten levels for debug mode.

You can use the -v option for the verbose parameter and the -w option for the error debugging parameter. As said above there is level from for examining brute force attack at each level, here you will observe the result of is approx.

Debug mode shows the wait time, socket, sent data size, received data size, module detail, and path.

If any of the three fields is left blank, the respective information should be provided either as a global value or as a list in a file. As you can observe in the given below image, we have the userpass. Now you can observe the output result in the given below image, where after pressing Ctrl+C the attack stops; then add the highlighted text to your command to resume the attack and continue it.

Repeat the same as above, then compare the results after executing all three commands; you will notice it has continued the brute-forcing from the last dropped attempt.

Hi Raj, first of all congratulations on this complete post. I think it is very useful for many people.

My main app of this kind is THC Hydra, so I want to know if you could try both apps in a productive scenario like a real pentest, and if yes, what is your opinion.

Hacking Articles. Hacking Tools, Penetration Testing. November 14, by Raj Chandel.

The author considers the following items as some of the key features of this application:

Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.

Flexible user input. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.

Modular design. Each service module exists as an independent. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Multiple protocols supported. Many services are currently supported e.


Password Cracking For Specific Username

Medusa is a very impactful tool and also quite easy to use for making a brute force attack on any protocol.

Username Cracking for Specific Password

Assume you want to crack the username for FTP (or any other service) whose password you already have; you only wish to make a username brute force attack, using a dictionary to guess the valid username.

File to append log information to. Medusa will log all account credentials found to be valid or that cause an unknown error. It will also log the start and stop times of an audit, along with the calling parameters.

If both options are being used, they should be specified together ("-e ns"). If only a single option is being called, use either "-e n" or "-e s".

Name of the module to execute without the.

Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module i.

Give up after trying to connect for NUM seconds (default 3).

Sleep NUM seconds between retry attempts (default 3).

Attempt NUM retries before giving up.

Set the number of usec that are waited during a test of the established network socket. Some services e. We try to reuse the established connection to send authentication attempts until this disconnect occurs, at which point the connection is reestablished. To accomplish this, we check the socket to see if it's still alive before authenticating within select modules. The default is to perform a 1 usec check. It may be necessary to specify much larger values. For example, a usec was needed against our test vsftp server to avoid issues with its built-in anti-bruteforce mechanisms.

Total number of logins to be tested concurrently. It should be noted that roughly t x T threads could be running at any one time.

Parallelize logins using one username per thread. The default is to process the entire username before proceeding.

Display module's usage information. This should be used in conjunction with the "-M" option. For example, "medusa -M smbnt -q".

Verbose level [0 - 6 (more)]. All messages at or below the specified level will be displayed. The default level is 5.

Error debug level [0 - 10 (more)].

Allows basic resuming of a previous scan. The supplied parameter describes which hosts were completed, which were partially tested and which had not been started. This map can then be supplied to the next run. In this particular example, hosts were completed, host 6 was partially done (user 1 was partially completed and user 2 and beyond had not been started), host 7 was completed and host 8 and beyond had not been started. Medusa will parse this map and skip hosts and users accordingly. It should be noted that only host and user-level, not password-level, resuming is supported. If a user had been previously started, but was not completed, it will be tested from the start of its respective password list.

Sets target directory name. The default behaviour if no MODE is specified. Authentication is attempted in the clear. The domain can also be supplied via the username field, but the format appears to differ by auth type.

Running multiple threads per target may not work well. Option allows manual setting of domain to check against when host uses NT authentication. Module will query service for accepted methods via an "AUTH" request. The default behaviour is to use the server supplied domain value. Rsh is a service where you either have. Passwords really don't matter. So the best way to use this module is with a single dummy password and a list of users you suspect may have.

BOTH: Check both. This leaves the workgroup field set blank and then attempts to check the credentials against the host. If the account does not exist locally on the host being tested, that host then queries its domain controller. Option allows manual setting of domain to check against. Win mode is the default.

The goal is to identify if the credentials being tested have administrative rights to the target system.

The following examples highlight how to interrupt the responses. Sets the number of seconds to wait for the UDP responses default: 5 sec. Sets the number of microseconds to wait between sending queries default: usec.


