Gaining access to remote services with Medusa

When reviewing the output from step 2, always make special notes of IP addresses that include some type of remote access service. SSH, Telnet, FTP, PC Anywhere and VNC are popular choices because gaining access to these services often results in the complete owning of that target. Upon discovery of one of these services, hackers typically turn to an “online password cracker”. Online password crackers work by attempting to brute force their way into a system by trying an exhaustive list of passwords and/or username combinations.

When using online password crackers, the potential for access can be greatly increased if you combine this attack with information gathered from step 1. Specifically you should be sure to include any usernames or passwords you discovered. The process of online password cracking literally requires the attacking program to send a username and a password to the target. If either the username or password is incorrect, the attack program will be presented with an error message and the log-in will fail. The password cracker will then send the next username and password combination. This process continues until the program is either successful in finding a login/password combo or it exhausts all the guesses. On the whole, even though computers are great at repetitive tasks like this, the process is rather slow.

You should be aware that some remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you’re allowed. In these instances either your IP address can be blocked or the username can be locked out.

There are many tools that can be used for online password cracking. Two of the most popular tools are Medusa and Hydra. These tools are very similar in nature. In this course, we’ll focus on using Medusa, but it’s strongly encouraged that you become familiar with Hydra as well.

Medusa is described as parallel log-in brute forcer that attempts to gain access to remote authentication services. Medusa is capable of authenticating with numerous remote services including AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, Net Ware, NCP, NNTP, PcAnywhere, POP3, REXEC, RLOGIN, SMTP-AUTH, SNMP, SSHv2, Telnet, VNC, Web Form and more.

To use Medusa, you need several pieces of information including the target IP address, a username or username list that you’re attempting to log in as, a password or dictionary file containing multiple passwords to use when logging in and the name of the service you’re attempting to authenticate with.

One of the requirements listen above is a dictionary list. A password dictionary is a file that contains a list of potential passwords. These lists are often referred to as dictionaries because they contain thousands or even millions of individual words. People often use plain English or some small variation like a 1 for an i or a 5 for an s when they create passwords. Password lists attempt to collect as many of these words as possible. Some hackers and penetration testers spend years building password dictionaries that grow to gigabytes in size. A good dictionary can be extremely useful but often requires a lot of time and attention to keep clean. Clean dictionaries are streamlined and free of duplication.

There are plenty of small wordlists that can be downloaded from the Internet and serve as a good starting point for building your own personal password dictionary. There are also tools available that will build dictionaries for us. However, fortunately, BlackArch have already included a few wordlists for us to use. You can find these dictionaries in the “/usr/share/dirb/wordlists” directory.

Once you have your password dictionary, you need to decide if you’re going to attempt to log in as a simple user or if you want to supply a list of potential users. If your reconnaissance efforts were rewarded with a list of usernames, you may want to start with those. If you were unsuccessful in gathering usernames and passwords, you may want to focus on the results of the e-mail addresses you collected with The Harvester. Remember, the first part of an e-mail address can often be used to generate a working domain username.

Assume that during your penetration test you were unable to find any domain usernames. However, The Harvester was able to dig up the e-mail address When using Medusa, one option is to create a list of potential usernames based on the e-mail address. These would include ben.owned, benowned, bowned, ownedb and several other combinations derived from the e-mail address. After creating a list of 5–10 usernames, it’s possible to feed this list into Medusa and attempt to brute force my way into the remote authentication service.

Now that we’ve a target IP address with some remote authentication service (we’ll assume SSH for this example), a password dictionary and at least one username, we’re ready to run Medusa. To execute the attack, you’d open a terminal and issue the following command:

medusa -h target_ip -u username -P path_to_password_dictionary -M authentication_service_to_attack

Take a moment to examine this command in more detail; you’ll need to customize the information for your target:

  • The first keyword “medusa” is used to start the brute forcing program.
  • -h“is used to specify the IP address of the target host.
  • The “-u” is used to denote a single username that Medusa will use to attempt log-ins
    • If you generated a list of usernames you’d like to attempt to log in with each of the usernames on the list, you can issue a capital “-U” followed by the path to the username file.
  • Likewise, the lowercase “-p” is used to specify a single password, whereas a capital “-P” is used to specify an entire list containing multiple passwords. The “-P” needs to be followed by the actual location or path to the dictionary file.
  • The “-M” switch is used to specify which service we want to attack.

To clarify this attack, let’s continue with the example we set up earlier. Suppose we’ve been hired to conduct a penetration testing against the company “”. During our information gathering with MetaGooFil, we uncover the username of “ownedb” and an IP address of “”. After port scanning the target, we discover that the server is running SSH on port 22. Moving to step 3, one of the first things to do is to attempt to brute force our way into the server. After firing up BlackArch and opening a terminal, we issue the following command:

medusa -h -u ownedb -P /usr/share/dirb/wordlists/small.txt -M ssh

If you’re having problems getting Medusa (or any of the tools covered in this course) to run on your version of BlackArch (or any other linux distro), it may be useful to reinstall the program. You can reinstall Medusa with the following command:

pacman -S medusa

If you’re using a debian-based Linux distribution, you can try adding either the Kali Linux repo or the Backtrack repo.

If Medusa returns a string like “ACCOUNT FOUND: [ssh]”, it means Medusa successfully found the password, and at this point you’d be able to remotely log in as the user.

Depending on the level of engagement and goals defined in your authorization and agreement form, you may be done with the penetration test at this point. Congratulations! You just completed your first penetration test and successfully gained access to a remote system.