MEDUSA(1)                   General Commands Manual                  MEDUSA(1)

NAME

       MEDUSA - Parallel Network Login Auditor

SYNOPSIS

       medusa [-h host|-H file] [-u username|-U file] [-p password|-P file]
       [-C file] -M module [OPTIONS]

DESCRIPTION

       Medusa is intended to be a speedy, massively parallel, modular, login
       brute-forcer. The goal is to support as many services which allow
       remote authentication as possible. The author considers the following
       items to be some of the key features of this application:

       * Thread-based parallel testing. Brute-force testing can be performed
         against multiple hosts, users or passwords concurrently.

       * Flexible user input. Target information (host/user/password) can be
         specified in a variety of ways. For example, each item can be either
         a single entry or a file containing multiple entries. Additionally, a
         combination file format allows the user to refine their target
         listing.

       * Modular design. Each service module exists as an independent .mod
         file. This means that no modifications are necessary to the core
         application in order to extend the supported list of services for
         brute-forcing.


OPTIONS

       -h [TARGET]
              Target hostname or IP address.

       -H [FILE]
              Reads target specifications from the file specified rather than
              from the command line. The file should contain a list separated
              by newlines.

       -u [TARGET]
              Target username.

       -U [FILE]
              Reads target usernames from the file specified rather than from
              the command line. The file should contain a list separated by
              newlines.

       -p [TARGET]
              Target password.

       -P [FILE]
              Reads target passwords from the file specified rather than from
              the command line. The file should contain a list separated by
              newlines.

       -C [FILE]
              File containing combo entries. Combo files are colon separated
              and in the following format: host:user:password. If any of the
              three fields are left empty, the respective information should
              be provided either as a single global value or as a list in a
              file.

              The following combinations are possible in the combo file:
              1.) foo:bar:fud
              2.) foo:bar:
              3.) foo::
              4.) :bar:fud
              5.) :bar:
              6.) ::fud
              7.) foo::fud

              Medusa also supports using PwDump files as a combo file. The
              format of these files should be user:id:lm:ntlm:::. We look for
              ':::' at the end of the first line to determine if the file
              contains PwDump output.

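       To make the -C rules concrete, the following is a parser for the combo
       file format exactly as documented above, together with a pre-flight
       check that reports entries whose empty fields have no global -h/-u/-p
       (or file) value to fall back on. It is an added example, not Medusa's
       own code: the ComboEntry and PwDumpEntry types, the 1-7 numbering of
       the combinations, the check_coverage helper and the sample lines are
       constructions of this example, and the assumption that a PwDump entry
       needs its host from -h/-H follows only from the format carrying no
       host field.

```python
"""Parser for the Medusa combo-file (-C) format documented above.

Added example, not Medusa's own code. It implements the documented rules:
three colon-separated fields host:user:password, any of which may be empty
(the seven listed combinations exclude the all-empty '::'), and PwDump
output recognised by ':::' at the end of the first line.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# The seven documented combinations, keyed by (host set, user set, password set).
COMBO_KIND = {
    (True, True, True): 1,     # foo:bar:fud
    (True, True, False): 2,    # foo:bar:
    (True, False, False): 3,   # foo::
    (False, True, True): 4,    # :bar:fud
    (False, True, False): 5,   # :bar:
    (False, False, True): 6,   # ::fud
    (True, False, True): 7,    # foo::fud
}


@dataclass
class ComboEntry:
    host: Optional[str]
    user: Optional[str]
    password: Optional[str]

    @property
    def kind(self) -> int:
        """Number (1-7) of the combination as listed in the -C option text."""
        return COMBO_KIND[(self.host is not None, self.user is not None,
                           self.password is not None)]

    def missing(self) -> Tuple[str, ...]:
        """Empty fields; Medusa expects these from -h/-H, -u/-U or -p/-P."""
        fields = (("host", self.host), ("user", self.user),
                  ("password", self.password))
        return tuple(name for name, value in fields if value is None)


@dataclass
class PwDumpEntry:          # user:id:lm:ntlm:::
    user: str
    rid: str
    lm_hash: str
    ntlm_hash: str


def is_pwdump(first_line: str) -> bool:
    """Medusa treats the whole file as PwDump output if line 1 ends in ':::'."""
    return first_line.rstrip("\r\n").endswith(":::")


def parse_combo_line(line: str) -> ComboEntry:
    parts = line.rstrip("\r\n").split(":")
    if len(parts) != 3:
        raise ValueError(f"expected host:user:password, got {line!r}")
    host, user, password = (p if p else None for p in parts)
    if (host, user, password) == (None, None, None):
        raise ValueError("'::' is not one of the seven supported combinations")
    return ComboEntry(host, user, password)


def parse_pwdump_line(line: str) -> PwDumpEntry:
    parts = line.rstrip("\r\n").split(":")
    # user:id:lm:ntlm::: splits into seven fields, the last three empty.
    if len(parts) != 7 or any(parts[4:]):
        raise ValueError(f"expected user:id:lm:ntlm:::, got {line!r}")
    return PwDumpEntry(*parts[:4])


def parse_combo_file(text: str) -> Tuple[str, List[Union[ComboEntry, PwDumpEntry]]]:
    """Return ("pwdump" or "combo", entries). Blank lines are ignored."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "combo", []
    if is_pwdump(lines[0]):
        return "pwdump", [parse_pwdump_line(ln) for ln in lines]
    return "combo", [parse_combo_line(ln) for ln in lines]


def check_coverage(entries, have_host: bool, have_user: bool,
                   have_password: bool) -> List[str]:
    """Report entries whose empty fields have no global -h/-u/-p (or file)
    value to fall back on. This pre-flight check is this example's own idea;
    a PwDump entry is assumed to need its host from -h/-H, since the format
    carries no host field."""
    supplied = {"host": have_host, "user": have_user, "password": have_password}
    problems = []
    for n, entry in enumerate(entries, 1):
        if isinstance(entry, PwDumpEntry):
            gaps = [] if have_host else ["host"]
        else:
            gaps = [f for f in entry.missing() if not supplied[f]]
        if gaps:
            problems.append(f"entry {n}: no value for {', '.join(gaps)}")
    return problems


# Constructed sample input (not taken from the man page).
SAMPLE_COMBO = "10.0.0.5:alice:Winter2024\n10.0.0.5:bob:\n:carol:\n::changeme\n"
SAMPLE_PWDUMP = "Administrator:500:" + "a" * 32 + ":" + "b" * 32 + ":::\n"

if __name__ == "__main__":
    kind, entries = parse_combo_file(SAMPLE_COMBO)
    for e in entries:
        print(kind, e.kind, e, "missing:", e.missing())
    print(check_coverage(entries, have_host=True, have_user=False, have_password=True))
    print(parse_combo_file(SAMPLE_PWDUMP))
```

       With the constructed sample, the fourth entry (::changeme) is
       reported when no username source is given, because a combo file is
       only usable when every empty field is covered elsewhere.
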
       -O [FILE]
              File to append log information to. Medusa will log all account
              credentials found to be valid or that cause an unknown error. It
              will also log the start and stop times of an audit, along with
              the calling parameters.

       -e [n/s/ns]
              Additional password checks ([n] No Password, [s] Password =
              Username). If both options are being used, they should be
              specified together ("-e ns"). If only a single option is being
              called use either "-e n" or "-e s".

       -M [TEXT]
              Name of the module to execute (without the .mod extension).

       -m [TEXT]
              Parameter to pass to the module. This can be passed multiple
              times with a different parameter each time and they will all be
              sent to the module (i.e. -m Param1 -m Param2, etc.)

       -d     Dump all known modules.

       -n [NUM]
              Use for non-default TCP port number.

       -s     Enable SSL.

       -g [NUM]
              Give up after trying to connect for NUM seconds (default 3).

       -r [NUM]
              Sleep NUM seconds between retry attempts (default 3).

       -R [NUM]
              Attempt NUM retries before giving up. The total number of
              attempts will be NUM + 1.

       -c [NUM]
              Set the number of usec that are waited during a test of the
              established network socket. Some services (e.g. FTP, IMAP, POP3,
              and SMTP) may be configured to drop connections after an
              arbitrary number of failed logon attempts. We try to reuse the
              established connection to send authentication attempts until
              this disconnect occurs, at which point the connection is
              reestablished. To accomplish this, we check the socket to see if
              it's still alive before authenticating within select modules.
              The default is to perform a 1 usec check. It may be necessary to
              specify much larger values. For example, a 1000 usec value was
              needed against our test vsftp server to avoid issues with its
              built-in anti-bruteforce mechanisms.

       -t [NUM]
              Total number of logins to be tested concurrently. It should be
              noted that roughly t x T threads could be running at any one
              time. 381 appears to be the limit on my fairly boring Gentoo
              Linux host.

       -T [NUM]
              Total number of hosts to be tested concurrently.

       -L     Parallelize logins using one username per thread. The default is
              to process the entire username before proceeding.

       -f     Stop scanning host after first valid username/password found.

       -F     Stop audit after first valid username/password found on any
              host.

       -b     Suppress startup banner.

       -q     Display module's usage information. This should be used in
              conjunction with the "-M" option. For example, "medusa -M smbnt
              -q".

       -v [NUM]
              Verbose level [0 - 6 (more)]. All messages at or below the
              specified level will be displayed. The default level is 5.

              The following is the breakdown of the verbose levels:
              0) EXIT APPLICATION
              1) MESSAGE WITHOUT TAG
              2) LOG MESSAGE WITHOUT TAG
              3) IMPORTANT MESSAGE
              4) ACCOUNT FOUND
              5) ACCOUNT CHECK
              6) GENERAL MESSAGE

       -w [NUM]
              Error debug level [0 - 10 (more)]. All messages at or below the
              specified level will be displayed. The default level is 5.

              The following is the breakdown of the error levels:
              0) FATAL
              1) ALERT
              2) CRITICAL
              3) ERROR
              4) WARNING
              5) NOTICE
              6) INFO
              7) DEBUG
              8) DEBUG - AUDIT
              9) DEBUG - SERVER
              10) DEBUG - MODULE

       -V     Display version.

       -Z [TEXT]
              Allows basic resuming of a previous scan. The supplied parameter
              describes which hosts were completed, which were partially
              tested and which had not been started. When Medusa receives a
              SIGINT, it will calculate and display a "resume map". This map
              can then be supplied to the next run. For example, "medusa
              [OPTIONS PREVIOUSLY USED] -Z h6u1u2h8". In this particular
              example, hosts 1-5 were completed, host 6 was partially done
              (user 1 was partially completed and user 2 and beyond had not
              been started), host 7 was completed and host 8 and beyond had
              not been started. Medusa will parse this map and skip hosts and
              users accordingly. It should be noted that only host- and user-
              level, not password-level, resuming is supported. If a user had
              been previously started, but was not completed, it will be
              tested from the start of its respective password list.

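       The -Z description above explains one resume map, h6u1u2h8. The
       following parser turns such a map into per-host and per-user status
       and applies the documented skip rule (a partially tested user is run
       again from the start of its password list). It is an added example,
       not Medusa's own code, and it generalises beyond the single documented
       map on an assumption stated in the module docstring: a host token
       followed by user tokens is a partially tested host, and the trailing
       host token without user tokens is the first host not started. Hosts
       and users the map does not name are taken as completed. The
       ResumeMap/PartialHost names and the format_resume_map round-trip
       helper are this example's own.

```python
"""Parser for the Medusa -Z resume map described above.

Added example, not Medusa's own code. The man page documents one map,
h6u1u2h8, and what it means. This parser generalises that single example
on the following assumptions: the map is a run of h<N> tokens, each
optionally followed by u<N> tokens; an h token with u tokens is a partially
tested host, where every u token but the last names a partially tested user
and the last names the first user not yet started; the final h token, which
carries no u tokens, is the first host not yet started. Hosts and users
that are not named and lie below the first unstarted one are treated as
completed. Numbers are 1-based positions in the host and user lists.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN = re.compile(r"([hu])(\d+)")


@dataclass
class PartialHost:
    partial_users: List[int]       # re-tested from the start of the password list
    first_unstarted_user: int


@dataclass
class ResumeMap:
    partial_hosts: Dict[int, PartialHost] = field(default_factory=dict)
    first_unstarted_host: Optional[int] = None   # None: no host was left unstarted


def parse_resume_map(text: str) -> ResumeMap:
    text = text.strip().rstrip(".")            # tolerate a sentence-ending period
    tokens = TOKEN.findall(text)
    if not tokens or "".join(k + n for k, n in tokens) != text:
        raise ValueError(f"malformed resume map: {text!r}")
    rm = ResumeMap()
    i = 0
    while i < len(tokens):
        kind, num = tokens[i]
        if kind != "h":
            raise ValueError("user token without a preceding host token")
        host = int(num)
        users: List[int] = []
        i += 1
        while i < len(tokens) and tokens[i][0] == "u":
            users.append(int(tokens[i][1]))
            i += 1
        if users:
            if host in rm.partial_hosts:
                raise ValueError(f"host {host} listed twice")
            rm.partial_hosts[host] = PartialHost(users[:-1], users[-1])
        elif i == len(tokens):
            rm.first_unstarted_host = host
        else:
            raise ValueError("only the final host token may have no user tokens")
    return rm


def host_status(rm: ResumeMap, host: int) -> str:
    if host in rm.partial_hosts:
        return "partial"
    if rm.first_unstarted_host is not None and host >= rm.first_unstarted_host:
        return "not started"
    return "completed"


def user_status(rm: ResumeMap, host: int, user: int) -> str:
    status = host_status(rm, host)
    if status != "partial":
        return status
    ph = rm.partial_hosts[host]
    if user in ph.partial_users:
        return "partial"
    if user >= ph.first_unstarted_user:
        return "not started"
    return "completed"


def should_skip(rm: ResumeMap, host: int, user: int) -> bool:
    """Only completed host/user pairs are skipped: a partially tested user is
    run again from the start of its password list, because password-level
    resuming is not supported."""
    return user_status(rm, host, user) == "completed"


def format_resume_map(rm: ResumeMap) -> str:
    """Inverse of parse_resume_map, useful for a round-trip check."""
    out = []
    for host, ph in sorted(rm.partial_hosts.items()):
        out.append(f"h{host}" + "".join(f"u{u}" for u in ph.partial_users)
                   + f"u{ph.first_unstarted_user}")
    if rm.first_unstarted_host is not None:
        out.append(f"h{rm.first_unstarted_host}")
    return "".join(out)


if __name__ == "__main__":
    rm = parse_resume_map("h6u1u2h8")      # the map from the man page
    for h in range(1, 10):
        print(h, host_status(rm, h))
    print(format_resume_map(rm))
```

       Run on the documented map, hosts 1-5 and 7 come back completed, host
       6 partial with user 1 partial and user 2 onward not started, and host
       8 onward not started; a map with a typo (for example a stray
       character or a host token with no users in the middle) is rejected
       rather than silently skipping the wrong hosts.
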

AUTHOR

       JoMo-Kun <jmk@foofus.net> fizzgig <fizzgig@foofus.net>

BUGS

       Found a bug? Feel free to send in a patch.