Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
MEDUSA(1)		    General Commands Manual		     MEDUSA(1)

NAME
       MEDUSA -	Parallel Network Login Auditor

SYNOPSIS
       medusa  [-h  host|-H  file] [-u username|-U file] [-p password|-P file]
       [-C file] -M module [OPTIONS]

DESCRIPTION
       Medusa is intended to be	a speedy, massively parallel,  modular,	 login
       brute-forcer.   The goal	is to support as many services which allow re-
       mote authentication as possible.	The author considers  following	 items
       to some of the key features of this application:

       *Thread-based  parallel	testing.  Brute-force testing can be performed
       against multiple	hosts, users or	passwords concurrently.

       *Flexible user input. Target information	 (host/user/password)  can  be
       specified  in a variety of ways.	For example, each item can be either a
       single entry or a file containing  multiple  entries.  Additionally,  a
       combination file	format allows the user to refine their target listing.

       *Modular	 design.  Each	service	 module	 exists	as an independent .mod
       file. This means	that no	modifications are necessary to the core	appli-
       cation in order to extend the supported list  of	 services  for	brute-
       forcing.

OPTIONS
       -h [TARGET]
	      Target hostname or IP address.

       -H [FILE]
	      Reads  target specifications from	the file specified rather than
	      from the command line.  The file should contain a	list separated
	      by newlines.

       -u [TARGET]
	      Target username.

       -U [FILE]
	      Reads target usernames from the file specified rather than  from
	      the  command  line.  The file should contain a list separated by
	      newlines.

       -p [TARGET]
	      Target password.

       -P [FILE]
	      Reads target passwords from the file specified rather than  from
	      the  command  line.  The file should contain a list separated by
	      newlines.

       -C [FILE]
	      File containing combo entries. Combo files are  colon  separated
	      and  in  the following format: host:user:password. If any	of the
	      three fields are left empty, the respective  information	should
	      be  provided  either  as a single	global value or	as a list in a
	      file.

	      The following combinations are possible in the combo  file:  1.)
	      foo:bar:fud  2.)	foo:bar:  3.) foo:: 4.)	:bar:fud 5.) :bar: 6.)
	      ::fud 7.)	foo::fud

	      Medusa also supports using PwDump	files as  a  combo  file.  The
	      format  of these files should be user:id:lm:ntlm:::. We look for
	      ':::' at the end of the first line to determine if the file con-
	      tains PwDump output.

       -O [FILE]
	      File to append log information to. Medusa	will log all  accounts
	      credentials found	to be valid or cause an	unknown	error. It will
	      also  log	 the  start and	stop times of an audit,	along with the
	      calling parameters.

       -e [n/s/ns]
	      Additional password checks ([n]  No  Password,  [s]  Password  =
	      Username). If both options are being used, they should be	speci-
	      fied together ("-e ns"). If only a single	option is being	called
	      use either "-e n"	or "-e s".

       -M [TEXT]
	      Name of the module to execute (without the .mod extension).

       -m [TEXT]
	      Parameter	 to  pass  to  the module. This	can be passed multiple
	      times with a different parameter each time and they will all  be
	      sent to the module (i.e.	-m Param1 -m Param2, etc.)

       -d     Dump all known modules.

       -n [NUM]
	      Use for non-default TCP port number.

       -s     Enable SSL.

       -g [NUM]
	      Give up after trying to connect for NUM seconds (default 3).

       -r [NUM]
	      Sleep NUM	seconds	between	retry attempts (default	3).

       -R [NUM]
	      Attempt  NUM  retries  before giving up. The total number	of at-
	      tempts will be NUM + 1.

       -c [NUM]
	      Set the number of	usec that are waited during a test of the  es-
	      tablished	 network  socket. Some services	(e.g. FTP, IMAP, POP3,
	      and SMTP)	may be configured to drop connections after  an	 arbi-
	      trary  number  of	failed logon attempts. We try to reuse the es-
	      tablished	connection to send authentication attempts until  this
	      disconnect  occurs,  at  which  point the	connection is reestab-
	      lished. To accomplish this, we check the socket to see  if  it's
	      still alive before authenticating	within select modules. The de-
	      fault  is	perform	a 1 usec check.	It may be necessary to specify
	      much larger values. For example, a 1000 usec was needed  against
	      our  test	 vsftp	server to avoid	issues with its	built-in anti-
	      bruteforce mechanisms.

       -t [NUM]
	      Total number of logins to	be tested concurrently.	It  should  be
	      noted  that  rougly  t  x	 T threads could be running at any one
	      time. 381	appears	to be the limit	on  my	fairly	boring	Gentoo
	      Linux host.

       -T [NUM]
	      Total number of hosts to be tested concurrently.

       -L     Parallelize logins using one username per	thread.	The default is
	      to process the entire username before proceeding.

       -f     Stop scanning host after first valid username/password found.

       -F     Stop  audit  after  first	 valid	username/password found	on any
	      host.

       -b     Suppress startup banner

       -q     Display module's usage information. This should be used in  con-
	      junction	with  the  "-M"	 option. For example, "medusa -M smbnt
	      -q".

       -v [NUM]
	      Verbose level [0 - 6 (more)]. All	messages at or below the spec-
	      ified level will be displayed. The default level is 5.

	      The following is the breakdown of	the verbose levels: 0)	  EXIT
	      APPLICATION  1)	 MESSAGE  WITHOUT TAG 2)   LOG MESSAGE WITHOUT
	      TAG 3)   IMPORTANT MESSAGE 4)   ACCOUNT FOUND 5)	 ACCOUNT CHECK
	      6)   GENERAL MESSAGE

       -w [NUM]
	      Error debug level	[0 - 10	(more)]. All messages at or below  the
	      specified	level will be displayed. The default level is 5.

	      The  following  is the breakdown of the error levels: 0)	 FATAL
	      1)   ALERT 2)   CRITICAL 3)   ERROR 4)   WARNING 5)   NOTICE  6)
	      INFO  7)	 DEBUG 8)   DEBUG - AUDIT 9)   DEBUG - SERVER 10)  DE-
	      BUG - MODULE

       -V     Display version

       -Z [TEXT]
	      Allows basic resuming of a previous scan.	The supplied parameter
	      describes	which  hosts  were  completed,	which  were  partially
	      tested  and  which had not been started.	When Medusa receives a
	      SIGINT, it will calculate	and display a "resume map".  This  map
	      can  then	be supplied to the next	run. For example, "medusa [OP-
	      TIONS PREVIOUSLY USED] -Z	h6u1u2h8.". In this  particular	 exam-
	      ple, hosts 1-5 were completed, host 6 was	partially done (user 1
	      was  partially  completed	 and  user  2  and beyond had not been
	      started),	host 7 was completed and host 8	 and  beyond  had  not
	      been  started.   Medusa  will  parse this	map and	skip hosts and
	      users accordingly. It should be noted that only host  and	 user-
	      level,  not password-level, resuming is supported. If a user had
	      been previously started, but  was	 not  completed,  it  will  be
	      tested from the start of its respective password list.

AUTHOR
       JoMo-Kun	<jmk@foofus.net> fizzgig <fizzgig@foofus.net>

BUGS
       Found a bug? Feel free to send in a patch.

								     MEDUSA(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=medusa&sektion=1&manpath=FreeBSD+Ports+15.0>

home | help