Medusa
Medusa is a fast, massively parallel, and modular login brute-forcer designed to support a wide array of services that allow remote authentication. Its primary objective is to enable penetration testers and security professionals to assess the resilience of login systems against brute-force attacks.
Medusa’s key features include:
- Speed and Parallelism: Utilizes multiple parallel connections to perform brute-force attacks efficiently
- Modularity: Supports numerous authentication protocols through dedicated modules
- Flexibility: Can target single hosts or multiple hosts from a file
- Ease of Use: Straightforward command-line interface with clear syntax
Installation
Medusa often comes pre-installed on popular penetration testing distributions. You can verify its presence by running:
medusa -h
Installing Medusa on a Linux system is straightforward:
sudo apt-get -y update
sudo apt-get -y install medusa
Command Syntax
Medusa’s command-line interface follows this general structure:
medusa [target_options] [credential_options] -M module [module_options]
Target Options
| Option | Description | Example |
|---|---|---|
| -h HOST | Specify a single target hostname or IP address | medusa -h 192.168.1.10 ... |
| -H FILE | Specify a file containing a list of targets | medusa -H targets.txt ... |
Credential Options
| Option | Description | Example |
|---|---|---|
| -u USERNAME | Provide a single username | medusa -u admin ... |
| -U FILE | Provide a file containing a list of usernames | medusa -U usernames.txt ... |
| -p PASSWORD | Specify a single password | medusa -p password123 ... |
| -P FILE | Specify a file containing a list of passwords | medusa -P passwords.txt ... |
| -e ns | Check for empty passwords (n) and passwords matching username (s) | medusa -e ns ... |
The -e option is useful for testing weak configurations:
- -e n: Try empty passwords
- -e s: Try passwords matching the username
- -e ns: Try both empty and same-as-username passwords
Attack Options
| Option | Description | Example |
|---|---|---|
| -M MODULE | Define the specific module to use for the attack | medusa -M ssh ... |
| -m "OPTION" | Provide additional parameters required by the chosen module | medusa -M http -m "POST /login.php..." |
| -t TASKS | Define the number of parallel login attempts to run | medusa -t 4 ... |
| -f | Fast mode: Stop the attack after the first successful login on current host | medusa -f ... |
| -F | Fast mode: Stop the attack after the first successful login on any host | medusa -F ... |
| -n PORT | Specify a non-default port for the target service | medusa -n 2222 ... |
| -v LEVEL | Verbose output: Display detailed information (0-6, higher = more verbose) | medusa -v 4 ... |
Modules
Each module in Medusa is tailored to interact with specific authentication mechanisms, allowing it to send the appropriate requests and interpret responses for successful attacks.
| Module | Service/Protocol | Description | Example Command |
|---|---|---|---|
| ftp | File Transfer Protocol | Brute-forcing FTP login credentials, used for file transfers over a network | medusa -M ftp -h 192.168.1.100 -u admin -P passwords.txt |
| http | Hypertext Transfer Protocol | Brute-forcing login forms on web applications over HTTP (GET/POST) | medusa -M http -h www.example.com -U users.txt -P passwords.txt -m DIR:/login.php -m FORM:username=^USER^&password=^PASS^ |
| imap | Internet Message Access Protocol | Brute-forcing IMAP logins, often used to access email servers | medusa -M imap -h mail.example.com -U users.txt -P passwords.txt |
| mysql | MySQL Database | Brute-forcing MySQL database credentials, commonly used for web applications and databases | medusa -M mysql -h 192.168.1.100 -u root -P passwords.txt |
| pop3 | Post Office Protocol 3 | Brute-forcing POP3 logins, typically used to retrieve emails from a mail server | medusa -M pop3 -h mail.example.com -U users.txt -P passwords.txt |
| rdp | Remote Desktop Protocol | Brute-forcing RDP logins, commonly used for remote desktop access to Windows systems | medusa -M rdp -h 192.168.1.100 -u admin -P passwords.txt |
| ssh | Secure Shell (SSH) | Brute-forcing SSH logins, commonly used for secure remote access | medusa -M ssh -h 192.168.1.100 -u root -P passwords.txt |
| svn | Subversion (SVN) | Brute-forcing Subversion (SVN) repositories for version control | medusa -M svn -h 192.168.1.100 -u admin -P passwords.txt |
| telnet | Telnet Protocol | Brute-forcing Telnet services for remote command execution on older systems | medusa -M telnet -h 192.168.1.100 -u admin -P passwords.txt |
| vnc | Virtual Network Computing | Brute-forcing VNC login credentials for remote desktop access | medusa -M vnc -h 192.168.1.100 -P passwords.txt |
| web-form | Web Login Forms | Brute-forcing login forms on websites using HTTP POST requests | medusa -M web-form -h www.example.com -U users.txt -P passwords.txt -m FORM:"username=^USER^&password=^PASS^:F=Invalid" |
Common Usage Examples
SSH Brute-Force Attack
Target a single SSH server with username and password lists:
medusa -h 192.168.0.100 -U usernames.txt -P passwords.txt -M ssh
This command instructs Medusa to:
- Target the host at 192.168.0.100
- Use the usernames from the usernames.txt file
- Test the passwords listed in the passwords.txt file
- Employ the ssh module for the attack
Multiple Web Servers with Basic HTTP Authentication
Test multiple web servers concurrently:
medusa -H web_servers.txt -U usernames.txt -P passwords.txt -M http -m GET
In this case, Medusa will:
- Iterate through the list of web servers in web_servers.txt
- Use the usernames and passwords provided
- Employ the http module with the GET method to attempt logins
- Run multiple threads, efficiently checking each server for weak credentials
Testing for Empty or Default Passwords
Assess whether any accounts have empty or default passwords:
medusa -h 10.0.0.5 -U usernames.txt -e ns -M ssh
This command instructs Medusa to:
- Target the host at 10.0.0.5
- Use the usernames from usernames.txt
- Perform additional checks for empty passwords (-e n) and passwords matching the username (-e s)
- Use the appropriate service module
Medusa will try each username with an empty password and then with the password matching the username, potentially revealing accounts with weak or default configurations.
HTTP POST Form Attack
Attack a web login form using POST requests:
medusa -M http -h www.example.com -U users.txt -P passwords.txt -m "POST /login.php HTTP/1.1\r\nContent-Length: 30\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=^USER^&password=^PASS^"
Custom Port SSH Attack
Target SSH on a non-standard port:
medusa -h 192.168.1.100 -n 2222 -U usernames.txt -P passwords.txt -M ssh
Fast Mode (Stop on First Success)
Stop immediately after finding valid credentials:
medusa -h 192.168.1.100 -U usernames.txt -P passwords.txt -M ssh -f
Use -F to stop after the first success on any host when targeting multiple hosts.
Verbose Output
Get detailed information about the attack progress:
medusa -h 192.168.1.100 -U usernames.txt -P passwords.txt -M ssh -v 4
Higher verbosity levels (up to 6) provide more detailed output.
Parallel Tasks
Control the number of parallel login attempts:
medusa -h 192.168.1.100 -U usernames.txt -P passwords.txt -M ssh -t 8
Increasing the number of tasks can speed up the attack but may also increase the risk of detection or overwhelming the target service.
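What that detection risk looks like from the target's side, as an added example (not part of the original page and not Medusa code): the Python below scans sshd authentication log lines for bursts of failed logins from one source address. The log sample is constructed, and the name `detect_bursts`, the threshold, the window and the year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log sample (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Mar 10 12:00:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 10 12:00:01 srv sshd[2102]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar 10 12:00:02 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Mar 10 12:00:02 srv sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar 10 12:00:03 srv sshd[2105]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar 10 12:00:05 srv sshd[2106]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar 10 12:00:09 srv sshd[2107]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
Mar 10 12:01:00 srv sshd[2108]: Failed password for bob from 192.0.2.50 port 52000 ssh2
Mar 10 12:02:00 srv sshd[2109]: Failed password for bob from 192.0.2.50 port 52002 ssh2
"""

# Matches sshd "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_bursts(log_text, threshold=5, window_seconds=10, year=2024):
    """Return {source_ip: sorted usernames tried} for every source with at
    least `threshold` failed logins inside a sliding `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    users = defaultdict(set)      # source -> usernames it has tried
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # ignore successes and unrelated lines
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, src = m.group(2), m.group(3)
        users[src].add(user)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return {src: sorted(users[src]) for src in flagged}

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
```

A lower -t value spreads the same attempts over more time, so the window and threshold have to be tuned against the slowest rate worth alerting on.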
Core Takeaways
- Medusa uses parallel connections to efficiently brute-force login credentials across multiple protocols
- Target options (-h or -H) specify hosts, while credential options (-u/-U and -p/-P) specify usernames and passwords
- The -e option allows testing for weak configurations like empty passwords or passwords matching usernames
- Module selection (-M) determines which authentication protocol to target
- Use -f or -F to stop after the first successful login, saving time when valid credentials are found
- Adjust -t to control parallel threads, balancing speed against detection risk
- Module options (-m) may be required for complex scenarios like HTTP form attacks