Zum Inhalt springen
1337skills 1337skills - Referenzen

Medusa

Medusa is a speedy, parallel, and modular login brute force tool. Support for multiple protocols and parallel connections for efficient credential testing.

Installation

Linux/Ubuntu

# Install from repositories
sudo apt update
sudo apt install medusa

# Build from source
wget https://github.com/jmk-foce/medusa/releases/download/v2.2/medusa-2.2.tar.gz
tar xzf medusa-2.2.tar.gz
cd medusa-2.2
./configure
make
sudo make install

# Verify
medusa -V
medusa --help

macOS

# Homebrew
brew install medusa

# Or MacPorts
sudo port install medusa

Windows

# Via Chocolatey
choco install medusa

# Or download Windows binary from releases

Basic Usage

Simple Brute Force

# Basic SSH brute force
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# Test multiple hosts
medusa -H hosts.txt -u admin -P passwords.txt -M ssh

# Try multiple usernames
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh

# Verbose output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 1

Common Protocols

# SSH
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh

# FTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp

# HTTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http

# MySQL
medusa -h 192.168.1.100 -u root -P passwords.txt -M mysql

# PostgreSQL
medusa -h 192.168.1.100 -u postgres -P passwords.txt -M postgres

# Telnet
medusa -h 192.168.1.100 -u admin -P passwords.txt -M telnet

# SMTP
medusa -h 192.168.1.100 -u admin -P passwords.txt -M smtp

# SMB/Windows
medusa -h 192.168.1.100 -u Administrator -P passwords.txt -M smbnt

Input Options

FlagDescription
-h <host>Single target host
-H <file>File with hosts (one per line)
-u <user>Single username
-U <file>File with usernames (one per line)
-p <pass>Single password
-P <file>File with passwords (one per line)
-C <file>Colon-separated file (user:pass)
-n <port>Target port

Performance Options

Parallel Execution

# Set number of threads
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 10

# Parallel hosts
medusa -H hosts.txt -u admin -P passwords.txt -M ssh -t 20

# Adjust based on system resources
# -t 50 for large wordlists
# -t 5  for slow connections

# Set timeout
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -w 3

# Set delay between attempts
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -x 1

Output & Logging

Display Options

# Verbose output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 0
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 1
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 2

# Show all attempts
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -V

# Log to file
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -e ns > results.txt

# Machine-readable output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -f results.log

Output Flags

# Abbreviated output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -e ns

# Verbose output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -v 1

# Combined output
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -e ns -v 1

Advanced Features

Module-Specific Options

# HTTP module with form path
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -m HTTP:method:POST

# HTTP with custom port
medusa -h 192.168.1.100 -u admin -P passwords.txt -M http -n 8080

# SSH with private key option
medusa -h 192.168.1.100 -u admin -M ssh -m SSH:auth:publickey

# FTP with timeout
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ftp -w 5

List Available Modules

# Show all available modules
medusa -d

# Show module details
medusa -d -M ssh
medusa -d -M http

Practical Examples

SSH Brute Force

# Create user and password lists
cat << EOF > users.txt
admin
root
user
guest
EOF

cat << EOF > passwords.txt
password
123456
admin123
letmein
EOF

# Run brute force
medusa -H hosts.txt -U users.txt -P passwords.txt -M ssh -t 20 -v 0

HTTP Form Attack

# Common web login
medusa -h web.example.com -u admin -P passwords.txt -M http \
  -m HTTP:method:POST \
  -m HTTP:uri:/admin/login.php \
  -m HTTP:username:admin \
  -m HTTP:password:password

# Alternative (without module options)
medusa -h web.example.com -u admin -P passwords.txt -M http -n 80

Database Brute Force

# MySQL brute force
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M mysql -n 3306 -t 5

# PostgreSQL
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M postgres -n 5432

# MSSQL
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M mssql -n 1433

Windows SMB Attack

# SMB/SMBNT brute force
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M smbnt -t 10

# With domain specification
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M smbnt \
  -m SMB:domain:DOMAIN -t 10

Batch Processing

#!/bin/bash
# Brute force multiple hosts

hosts=(192.168.1.1 192.168.1.2 192.168.1.3)
users="users.txt"
passwords="passwords.txt"

for host in "${hosts[@]}"; do
    echo "Testing $host..."
    medusa -h $host -U $users -P $passwords -M ssh -t 20 -v 0 >> results.txt
done

Creating Wordlists

Generate Password Lists

# Using John the Ripper wordlist
wc -l /usr/share/wordlists/rockyou.txt

# Create custom wordlist
cat << EOF > passwords.txt
password
password1
password123
admin
admin123
letmein
welcome
12345678
EOF

# Generate using crunch
crunch 8 10 0123456789 > numbers.txt

# Combine wordlists
cat list1.txt list2.txt > combined.txt

# Remove duplicates
sort passwords.txt | uniq > passwords_unique.txt

User Enumeration

# Common usernames
cat << EOF > users.txt
admin
root
user
guest
test
administrator
service
support
EOF

# Try with domain users
for user in $(cat users.txt); do
  echo "$user@domain.com"
done > domain_users.txt

Performance Tuning

Resource Management

# Adjust threads based on target responsiveness
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 30

# Add timeout for slower connections
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -w 10

# Add delay to avoid detection
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -x 2

# Balanced approach
medusa -h 192.168.1.100 -u admin -P passwords.txt -M ssh -t 15 -w 5 -x 1

Monitoring & Control

Status Checking

# Run in background
medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh -t 20 &

# Check running processes
ps aux | grep medusa

# Monitor progress
watch 'ps aux | grep medusa'

Security Considerations

  • Only test on authorized systems
  • Respect rate limiting and IDS alerts
  • Implement delays to avoid lockout
  • Document all testing
  • Use strong, diverse wordlists
  • Consider implementing account lockout monitoring
  • Test during agreed maintenance windows
  • Implement proper logging and alerting

Common Modules

ModuleProtocolPort
sshSSH22
ftpFTP21
httpHTTP80
mysqlMySQL3306
postgresPostgreSQL5432
mssqlMS SQL1433
smtpSMTP25
pop3POP3110
imapIMAP143
smbntSMB/CIFS445
telnetTelnet23
vncVNC5900
snmpSNMP161

Last updated: 2025-03-30