Thursday, August 9, 2012

3:00 PM

Medusa Parallel Network Login Auditor

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few. Other online crackers are THC Hydra and Ncrack. For downloads and more information, visit the Medusa homepage.

What?

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:
  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Why?

Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:
  • Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
  • Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
  • Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
  • Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others.

For a quick comparison of Medusa, Ncrack, and THC-Hydra see: medusa-compare.html

How?

How do I use this thing? Simply running "medusa" without any options will dump all the parameters it accepts along with their respective description. Here are several example uses:
  • Display all modules currently installed:
    % medusa -d

    Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

    Available modules in "." :
    Available modules in "/usr/local/lib/medusa/modules" :
    + mssql.mod :
    Brute force module for M$-SQL sessions : version 0.1.0
    + http.mod :
    Brute force module for HTTP : version 0.1.1
    + ssh.mod :
    Brute force module for SSH v2 sessions : version 0.1.1
    + smbnt.mod :
    Brute force module for SMB/NTLMv1 sessions : version 0.1.1
    + telnet.mod :
    Brute force module for telnet sessions : version 0.1.4
  • Display specific options for a given module:
    % medusa -M smbnt -q 
    Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

    smbnt.mod (0.1.1) JoMo-Kun :: Brute force module for SMB/NTLMv1 sessions

    Available module options:
    GROUP:? (DOMAIN, LOCAL*, BOTH)
    Option sets NetBIOS workgroup field.
    DOMAIN: Check credentials against this hosts primary domain controller via this host.
    LOCAL: Check local account.
    BOTH: Check both. This leaves the workgroup field set blank and then attempts to check
    the credentials against the host. If the account does not exist locally on the
    host being tested, that host then queries its domain controller.
    GROUP_OTHER:?
    Option allows manual setting of domain to check against. Use instead of GROUP.
    PASS:? (PASSWORD*, HASH, MACHINE)
    PASSWORD: Use normal password.
    HASH: Use a NTLM hash rather than a password.
    MACHINE: Use the machine's NetBIOS name as the password.
    NETBIOS
    Force NetBIOS Mode (Disable Native Win2000 Mode). Win2000 mode is the default.
    Default mode is to test TCP/445 using Native Win2000. If this fails, module will
    fall back to TCP/139 using NetBIOS mode. To test only TCP/139, use the following:
    medusa -M smbnt -m NETBIOS -n 139

    (*) Default value
    Usage example: "-M smbnt -m GROUP:DOMAIN -m PASS:HASH"
  • The following command instructs Medusa to test all passwords listed in passwords.txt against a single user (administrator) on the host 192.168.0.20 via the SMB service. The "-e ns" instructs Medusa to additionally check whether the administrator account either has a blank password or has its password set to match its username (administrator).

    % medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt

    Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: (1/7)
    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
    ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)
  • The command line below demonstrates how to exercise some of the parallel features of Medusa. Here at least 20 hosts and 10 users are tested concurrently. The "-L" option instructs Medusa to parallelize by user. This means each of the 10 threads targeting a host checks a unique user.

    % medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
  • Medusa allows host/username/password data to also be set using a "combo" file. The combo file can be specified using the "-C" option. The file should contain one entry per line with the values colon-separated in the format host:user:password. If any of the three fields are left empty, the respective information should be provided either as a global value or as a list in a file. Medusa will perform a basic parameter check based on the contents of the first line in the file. The following combinations are possible in the combo file:
    • host:username:password
    • host:username:
    • host::
    • :username:password
    • :username:
    • ::password
    • host::password
    The following example will check each entry in the file combo.txt
    % medusa -M smbnt -C combo.txt

    The combo.txt file:
    192.168.0.20:administrator:password
    192.168.0.20:testuser:pass
    192.168.0.30:administrator:blah
    192.168.0.40:user1:foopass

    The following example will check each entry in the file combo.txt against the targets listed in hosts.txt
    % medusa -M smbnt -C combo.txt -H hosts.txt

    The combo.txt file:
    :administrator:password
    :testuser:pass
    :administrator:blah
    :user1:foopass

    Medusa also supports using PwDump files as a combo file. The format of these files should be user:id:lm:ntlm:::. We look for ':::' at the end of the first line to determine if the file contains PwDump output.
  • Resume a Medusa scan. Medusa has the ability to resume a scan which was interrupted with a SIGINT signal (e.g. CTRL-C). For example:
    Test interrupted with SIGINT
    % ../medusa -M ssh -H host.txt -U users.txt -p password
    Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

    ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.1 (1 of 11, 0 complete) User: bar (4 of 4, 3 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: administrator (2 of 4, 1 complete) Password: password (1 of 1 complete)
    ALERT: Medusa received SIGINT - Sending notification to login threads that we are are aborting.
    ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 1 complete) User: jmk (3 of 4, 2 complete) Password: password (1 of 1 complete)
    ALERT: To resume scan, add the following to your original command: "-Z h2u3u4h3."

    Interrupted scan being resumed
    % ../medusa -M ssh -H host.txt -U users.txt -p password -Z h2u3u4h3.
    Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

    ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: jmk (3 of 4, 0 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.11 (2 of 11, 0 complete) User: bar (4 of 4, 1 complete) Password: password (1 of 1 complete)
    ACCOUNT CHECK: [ssh] Host: 192.168.0.15 (3 of 11, 1 complete) User: foo (1 of 4, 0 complete) Password: password (1 of 1 complete)

    The following is a brief description of the resume map:

    h2u3u4h3.
    +--------- First host which was not 100% completed
      +------- First user for host which was not 100% completed
        +----- First user for host which was not started
          +--- First host which was not started
            +- Map ending mark
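    The combo-file rules above (host:user:password with blank fields meaning "supply this elsewhere", a first line ending in ':::' meaning PwDump output, and a parameter check driven by the first line) are easy to get wrong when assembling target lists by hand. The parser below is an added example and is not Medusa's own code; how Medusa itself tokenises a line is an assumption here (this version splits on the first two colons only, so a password containing ':' survives). The `inconsistent_lines` check goes beyond what the text says Medusa does: it flags later lines whose blank-field pattern differs from line 1, since only line 1 decides which globals are required.

```python
"""Parse and sanity-check a Medusa-style combo file.

Added example, not Medusa's own code.  Rules taken from the text:
each line is host:user:password, an empty field means "supply this value
elsewhere", and a first line ending in ':::' marks the file as PwDump
output (user:id:lm:ntlm:::).  Tokenisation details are this example's
assumption, not verified against Medusa's source.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class ComboEntry:
    host: Optional[str]              # None when the field is blank in the file
    user: Optional[str]
    password: Optional[str]
    ntlm_hash: Optional[str] = None  # only populated for PwDump-style lines


def is_pwdump(first_line: str) -> bool:
    """The stated rule: ':::' at the end of the first line => PwDump file."""
    return first_line.rstrip("\r\n").endswith(":::")


def _blank_to_none(field: str) -> Optional[str]:
    return field if field != "" else None


def parse_combo(text: str) -> List[ComboEntry]:
    """Return one ComboEntry per non-empty line of a combo or PwDump file."""
    lines = [ln.rstrip("\r\n") for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    entries: List[ComboEntry] = []
    if is_pwdump(lines[0]):
        for ln in lines:
            parts = ln.split(":")
            # user:id:lm:ntlm::: splits into at least seven fields, last three empty
            if len(parts) < 7 or parts[-3:] != ["", "", ""]:
                raise ValueError(f"malformed PwDump line: {ln!r}")
            user, _rid, _lm, ntlm = parts[:4]
            entries.append(ComboEntry(host=None, user=user, password=None, ntlm_hash=ntlm))
        return entries
    for ln in lines:
        parts = ln.split(":", 2)  # assumption: only the first two colons delimit
        if len(parts) != 3:
            raise ValueError(f"expected host:user:password, got {ln!r}")
        host, user, password = (_blank_to_none(p) for p in parts)
        entries.append(ComboEntry(host, user, password))
    return entries


def required_globals(entries: List[ComboEntry]) -> Set[str]:
    """Mirror the 'basic parameter check': whatever the FIRST line leaves
    blank must be supplied as a global value or list (e.g. -h/-H for host)."""
    if not entries:
        return {"host", "user", "password"}
    first = entries[0]
    missing = set()
    if first.host is None:
        missing.add("host")
    if first.user is None:
        missing.add("user")
    if first.password is None and first.ntlm_hash is None:
        missing.add("password")
    return missing


def inconsistent_lines(entries: List[ComboEntry]) -> List[int]:
    """Extra check (not described for Medusa): 1-based indexes of lines whose
    blank-field pattern differs from line 1, which alone decides the globals."""
    def shape(e: ComboEntry):
        return (e.host is None, e.user is None, e.password is None and e.ntlm_hash is None)
    ref = shape(entries[0]) if entries else None
    return [i + 1 for i, e in enumerate(entries) if shape(e) != ref]


if __name__ == "__main__":
    # Constructed sample: the second combo.txt from the text, hosts left blank
    sample = ":administrator:password\n:testuser:pass\n:administrator:blah\n:user1:foopass\n"
    parsed = parse_combo(sample)
    print(f"{len(parsed)} entries; supply via command line: {sorted(required_globals(parsed))}")
    print("lines differing from line 1:", inconsistent_lines(parsed))
```

    Running the script on the constructed sample reports that only the host must come from the command line, which matches the "-C combo.txt -H hosts.txt" form shown above.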
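    The resume map is compact but easy to misread, and a wrong "-Z" value silently skips or repeats targets. The decoder below is an added example, not Medusa's own code. The field meanings come from the annotated map above; how they turn back into (host, user) pairs is this example's reading of the interrupted and resumed SSH runs shown there: the in-progress host is retried from its first not-completed user onward (so the in-flight check is repeated, not skipped), and every host from the first not-started one is tested against the full user list. It assumes hosts are processed in list order, as in that run; the host and user lists in the demo are constructed from the three hosts and four users visible above (the real host.txt had 11 entries).

```python
"""Decode a Medusa resume map such as "h2u3u4h3." into a work list.

Added example, not Medusa's own code.  Field meanings are from the
annotated map in the text; the reconstruction of pending (host, user)
pairs is this example's interpretation of the runs shown there and
assumes sequential host processing.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

RESUME_MAP_RE = re.compile(r"^h(\d+)u(\d+)u(\d+)h(\d+)\.$")


@dataclass(frozen=True)
class ResumeMap:
    host_incomplete: int    # 1-based: first host which was not 100% completed
    user_incomplete: int    # first user for that host which was not 100% completed
    user_not_started: int   # first user for that host which was not started
    host_not_started: int   # first host which was not started


def parse_resume_map(token: str) -> ResumeMap:
    """Validate and split a map token; raises ValueError on a malformed one."""
    m = RESUME_MAP_RE.match(token.strip())
    if m is None:
        raise ValueError(f"not a resume map: {token!r}")
    h_inc, u_inc, u_new, h_new = (int(g) for g in m.groups())
    # Indexes are 1-based, and a 'not started' mark cannot precede the
    # corresponding 'not completed' mark.
    if h_inc < 1 or u_inc < 1 or h_new < h_inc or u_new < u_inc:
        raise ValueError(f"inconsistent resume map: {token!r}")
    return ResumeMap(h_inc, u_inc, u_new, h_new)


def in_flight_users(rmap: ResumeMap, users: List[str]) -> List[str]:
    """Users of the incomplete host that were started but not finished when
    SIGINT arrived; a resumed run re-tests these."""
    return users[rmap.user_incomplete - 1 : rmap.user_not_started - 1]


def remaining_work(rmap: ResumeMap, hosts: List[str], users: List[str]) -> List[Tuple[str, str]]:
    """(host, user) pairs a resumed run still has to cover, in run order."""
    if rmap.host_incomplete > len(hosts) or rmap.user_incomplete > len(users):
        raise ValueError("resume map points past the end of the host/user lists")
    pending: List[Tuple[str, str]] = []
    partial_host = hosts[rmap.host_incomplete - 1]
    # Finish the interrupted host from its first not-completed user onward.
    for user in users[rmap.user_incomplete - 1 :]:
        pending.append((partial_host, user))
    # Every host not yet started gets the whole user list.
    for host in hosts[rmap.host_not_started - 1 :]:
        for user in users:
            pending.append((host, user))
    return pending


if __name__ == "__main__":
    # Constructed lists: the hosts and users visible in the SSH run above.
    hosts = ["192.168.0.1", "192.168.0.11", "192.168.0.15"]
    users = ["foo", "administrator", "jmk", "bar"]
    rmap = parse_resume_map("h2u3u4h3.")
    print("re-tested in-flight users:", in_flight_users(rmap, users))
    for host, user in remaining_work(rmap, hosts, users):
        print(f"pending: {host} / {user}")
```

    For "h2u3u4h3." the decoder yields jmk and bar on 192.168.0.11 followed by all four users on 192.168.0.15, which is exactly the order the resumed run above printed.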

Module specific details:

  • AFP
  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NetWare NCP
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • REXEC
  • RLOGIN
  • RSH
  • SMBNT
  • SMTP-AUTH
  • SMTP-VRFY
  • SNMP
  • SSHv2
  • Subversion (SVN)
  • Telnet
  • VMware Authentication Daemon (vmauthd)
  • VNC
  • Generic Wrapper
  • Web Form

Where?

  • Download: medusa-2.1.1.tar.gz
  • Medusa-gui (Java-based GUI developed by tak and bigmoneyhat)

Install Instructions:

General

The majority of Medusa was written and tested on Linux/Gentoo-based systems. While it has been known to work on a variety of operating systems, it is quite possible there may be issues that crop up only on non-Gentoo devices. Of course, there are issues that will probably also show up on Gentoo that have so far been missed...
Medusa should be fairly straightforward to build: "./configure; make; make install". However, this may result in a somewhat limited installation. To take full advantage of all the brute-forcing goodness that Medusa has to offer, several dependencies must be satisfied. The following table lists the modules which have additional dependencies. In order for the modules to function, the appropriate header files must be installed on the system when the modules themselves are compiled. Additional module-specific information is included within the documentation for each module.


Dependency   Homepage                                    Module(s)                                   Notes
OpenSSL      http://www.openssl.org                      HTTP, MSSQL, SMBNT, SSL-based connections
LibSSH2      http://www.libssh2.org                      SSH                                         LibSSH2 patch provided to address timing issue. Issue appears to be addressed in 0.18.
NCPFS        ftp://platan.vc.cvut.cz/pub/linux/ncpfs     NCP                                         Use "make install-dev" to install header files.
LibPQ        http://www.postgresql.org                   PostgreSQL
Subversion   http://subversion.tigris.org                SVN
afpfs-ng     http://alexthepuffin.googlepages.com/home   AFP                                         Header files may need to be manually installed. Autoconf currently assumes install base of /usr (e.g. /usr/include/afpfs-ng)
It should also be noted that, by default, not all of the modules are built. Incomplete modules or modules which have not been sufficiently tested may be disabled. The "configure" output should identify which modules it will attempt to build. To enable non-default modules, use the "--enable-module-MODULE_NAME" configure option.

Linux/Gentoo

At this time Medusa is not available within Portage. An ebuild for Medusa has been submitted to bugs.gentoo.org, but has not yet made its way into Portage. In the meantime, all of the ebuilds can be used via Portage Overlay. For example, Medusa can be installed via the Gentoo "pentoo" overlay located at trac.pentoo.ch. Additionally, the ebuilds have been included and can also be manually installed.
The following ebuilds have been included within this distribution:
  • /misc/net-analyzer/medusa-2.1.ebuild
Some basic Portage Overlay instructions:

  • Modify /etc/make.conf
    PORTDIR_OVERLAY="/some/directory/"
  • Create the following within the PORTDIR_OVERLAY directory:
    net-analyzer/medusa
  • Place each ebuild and any accompanying files in its respective PORTDIR_OVERLAY directory.
    cd into each directory and execute:
    ebuild name_of_ebuild.ebuild digest
  • Modify /etc/portage/package.keywords
    net-analyzer/medusa ~x86

Other Systems

Medusa has been built and basic tests performed on a variety of default system installations. The following table includes some notes from these tests.


Operating System    Distro/Version                 Notes
Linux               BackTrack 5 (32-bit)           Installed: libssl-dev, libncp-dev, libpq-dev, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev, libapr1-dev
                    BackTrack 5R1 (32-bit)         Installed: libssl-dev, libncp-dev, libpq-dev, libssh2-1-dev, libsvn-dev
                    CentOS 6.2 (64-bit)            Installed: "Development Tools", openssl-devel, libssh2-devel, postgresql-devel, subversion-devel
                    Debian 5.0.3                   Installed: build-essential, libpcre3-dev, libssl-dev, libncp, libncp-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libsvn-dev
                    Fedora 12                      Installed: pcre-devel, afpfs-ng-devel, ncpfs-devel, postgresql-devel, libssh2-devel, subversion-devel
                    openSUSE 11.2                  Installed: patterns-openSUSE-devel_C_C++, pcre-devel, ncpfs-devel, libssh2-devel, postgresql-devel, subversion-devel
                    Slackware 13.0
                    Ubuntu 8.0.4
                    Ubuntu 9.10
                    Ubuntu 11.10                   Installed: build-essential, libssl-dev, libncp, libncp-dev, libpq5, libpq-dev, libssh2-1, libssh2-1-dev, libgcrypt11-dev, libgnutls-dev, libsvn-dev
SunOS               Solaris 11 x86                 Installed: developer-gnu
BSD                 FreeBSD 7.2                    Installed: afpfs-ng, ncpfs, libssh, postgresql, libpq, libsvn
                    FreeBSD 9.0-CURRENT (32-bit)
                    OpenBSD 5.0 (64-bit)
Mac OS X            OS X 10.6                      Installed: MacPorts
                    OS X 10.7                      Installed: HomeBrew
Microsoft Windows   Cygwin                         I have been unable to build the modules under Cygwin. If anyone can figure this out, I'll buy you a beer at the next DefCon.

Who?

This fine piece of buggy software was brought to you by the geeks at Foofus.net. JoMo-Kun was the chief goon and wrote the core of Medusa along with several of the modules. Foofus created the initial design for the loadable modules. Fizzgig provided the networking code, several modules and the loadable module implementation, along with fixing a bunch of JoMo-Kun's crappy stuff. pMonkey was a crazy module coding fiend. Last, but certainly not least, Heidi provided the tool's name.

Huh?

If you have questions regarding this application, feel free to contact us. Either send me email directly or join our mailing list foofus-tools. If it breaks, please send a detailed bug report. Even better, send in a patch. I make no claims that this program will do what you want it to. I've been using it during our assessments for years now successfully. Hopefully, others will have similar luck. If you find Medusa useful and want to give something back, please submit new modules, code improvements or just buy any of the Foofus.net goons a beer at the next DefCon.

Click: Download
