MEDUSA(1) General Commands Manual MEDUSA(1)

MEDUSA - Parallel Network Login Auditor

medusa [-h host|-H file] [-u username|-U file] [-p password|-P file]
[-C file] -M module [OPTIONS]

Medusa is intended to be a speedy, massively parallel, modular, login
brute-forcer. The goal is to support as many services which allow
remote authentication as possible. The author considers the following
items to be some of the key features of this application:

* Thread-based parallel testing. Brute-force testing can be performed
against multiple hosts, users or passwords concurrently.

* Flexible user input. Target information (host/user/password) can be
specified in a variety of ways. For example, each item can be either a
single entry or a file containing multiple entries. Additionally, a
combination file format allows the user to refine their target listing.

* Modular design. Each service module exists as an independent .mod
file. This means that no modifications are necessary to the core
application in order to extend the supported list of services for
brute-forcing.

-h [TARGET]
Target hostname or IP address.

-H [FILE]
Reads target specifications from the file specified rather than
from the command line. The file should contain a list separated
by newlines.

-u [TARGET]
Target username.

-U [FILE]
Reads target usernames from the file specified rather than from
the command line. The file should contain a list separated by
newlines.

-p [TARGET]
Target password.

-P [FILE]
Reads target passwords from the file specified rather than from
the command line. The file should contain a list separated by
newlines.

-C [FILE]
File containing combo entries. Combo files are colon separated
and in the following format: host:user:password. If any of the
three fields are left empty, the respective information should
be provided either as a single global value or as a list in a
file.

The following combinations are possible in the combo file:
1.) foo:bar:fud
2.) foo:bar:
3.) foo::
4.) :bar:fud
5.) :bar:
6.) ::fud
7.) foo::fud

Medusa also supports using PwDump files as a combo file. The
format of these files should be user:id:lm:ntlm:::. We look for
':::' at the end of the first line to determine if the file
contains PwDump output.

-O [FILE]
File to append log information to. Medusa will log all account
credentials found to be valid or that cause an unknown error. It will
also log the start and stop times of an audit, along with the
calling parameters.

-e [n/s/ns]
Additional password checks ([n] No Password, [s] Password =
Username). If both options are being used, they should be
specified together ("-e ns"). If only a single option is being called,
use either "-e n" or "-e s".

-M [TEXT]
Name of the module to execute (without the .mod extension).

-m [TEXT]
Parameter to pass to the module. This can be passed multiple
times with a different parameter each time and they will all be
sent to the module (i.e. -m Param1 -m Param2, etc.)

-d Dump all known modules.

-n [NUM]
Use for non-default TCP port number.

-s Enable SSL.

-g [NUM]
Give up after trying to connect for NUM seconds (default 3).

-r [NUM]
Sleep NUM seconds between retry attempts (default 3).

-R [NUM]
Attempt NUM retries before giving up. The total number of
attempts will be NUM + 1.

-c [NUM]
Set the number of usec that are waited during a test of the
established network socket. Some services (e.g. FTP, IMAP, POP3,
and SMTP) may be configured to drop connections after an
arbitrary number of failed logon attempts. We try to reuse the
established connection to send authentication attempts until
this disconnect occurs, at which point the connection is
reestablished. To accomplish this, we check the socket to see if
it's still alive before authenticating within select modules.
The default is to perform a 1 usec check. It may be necessary to
specify much larger values. For example, 1000 usec was needed
against our test vsftp server to avoid issues with its built-in
anti-bruteforce mechanisms.

-t [NUM]
Total number of logins to be tested concurrently. It should be
noted that roughly t x T threads could be running at any one
time. 381 appears to be the limit on my fairly boring Gentoo
Linux host.

-T [NUM]
Total number of hosts to be tested concurrently.

-L Parallelize logins using one username per thread. The default is
to process the entire username before proceeding.

-f Stop scanning host after first valid username/password found.

-F Stop audit after first valid username/password found on any
host.

-b Suppress startup banner

-q Display module's usage information. This should be used in
conjunction with the "-M" option. For example, "medusa -M smbnt
-q".

-v [NUM]
Verbose level [0 - 6 (more)]. All messages at or below the
specified level will be displayed. The default level is 5.

The following is the breakdown of the verbose levels:
0) EXIT APPLICATION
1) MESSAGE WITHOUT TAG
2) LOG MESSAGE WITHOUT TAG
3) IMPORTANT MESSAGE
4) ACCOUNT FOUND
5) ACCOUNT CHECK
6) GENERAL MESSAGE

-w [NUM]
Error debug level [0 - 10 (more)]. All messages at or below the
specified level will be displayed. The default level is 5.

The following is the breakdown of the error levels:
0) FATAL
1) ALERT
2) CRITICAL
3) ERROR
4) WARNING
5) NOTICE
6) INFO
7) DEBUG
8) DEBUG - AUDIT
9) DEBUG - SERVER
10) DEBUG - MODULE

-V Display version

-Z [TEXT]
Allows basic resuming of a previous scan. The supplied parameter
describes which hosts were completed, which were partially
tested and which had not been started. When Medusa receives a
SIGINT, it will calculate and display a "resume map". This map
can then be supplied to the next run. For example, "medusa
[OPTIONS PREVIOUSLY USED] -Z h6u1u2h8.". In this particular
example, hosts 1-5 were completed, host 6 was partially done
(user 1 was partially completed and user 2 and beyond had not
been started), host 7 was completed and host 8 and beyond had
not been started. Medusa will parse this map and skip hosts and
users accordingly. It should be noted that only host and
user-level, not password-level, resuming is supported. If a user had
been previously started, but was not completed, it will be
tested from the start of its respective password list.
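
The combo file rules given under -C above (seven field combinations, empty fields filled from global options, PwDump detection by a trailing ':::' on the first line) can be checked before an audit run. The following Python is an added example, not part of Medusa; the function names are hypothetical, the sample data is constructed, and treating any further ':' as part of the password is an assumption of this example.

```python
# Added example: validate a Medusa combo file before use. Sample data is constructed.
FIELDS = ("host", "user", "password")
# Options the man page gives for supplying a field the combo file leaves empty.
GLOBAL_FLAGS = {"host": "-h or -H", "user": "-u or -U", "password": "-p or -P"}


def is_pwdump(first_line):
    """PwDump input is recognised by ':::' ending the first line (per the man page)."""
    return first_line.rstrip("\r\n").endswith(":::")


def parse_combo_line(line):
    """Split one host:user:password line; an empty field becomes None."""
    # Assumption: any ':' after the second separator belongs to the password.
    parts = line.rstrip("\r\n").split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"expected host:user:password, got {line!r}")
    entry = {name: value or None for name, value in zip(FIELDS, parts)}
    if not any(entry.values()):
        # '::' is not among the seven combinations the man page lists.
        raise ValueError("all three fields are empty")
    return entry


def check_combo(text):
    """Report the file kind, entry count and which global options are still needed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("combo file is empty")
    if is_pwdump(lines[0]):
        # user:id:lm:ntlm::: lines are only counted here, not interpreted.
        return {"kind": "pwdump", "entries": len(lines), "needs": []}
    entries = [parse_combo_line(ln) for ln in lines]
    needs = [GLOBAL_FLAGS[f] for f in FIELDS if any(e[f] is None for e in entries)]
    return {"kind": "combo", "entries": len(entries), "needs": needs}


# Constructed samples using the man page's own placeholder values.
SAMPLE = "foo:bar:fud\nfoo:bar:\n:bar:fud\n"
PWDUMP_SAMPLE = "bar:1001:LMHASH:NTHASH:::\n"

if __name__ == "__main__":
    print(check_combo(SAMPLE))
    print(check_combo(PWDUMP_SAMPLE))
```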

JoMo-Kun <jmk@foofus.net> fizzgig <fizzgig@foofus.net>

Found a bug? Feel free to send in a patch.