Sunday, August 28, 2016

Medusa

After a hiatus, I feel like diving into cracking tools, and I thought Medusa would be a nice fit for this purpose. As most of you know, Medusa is a password-cracking tool, like Ncrack or Hydra, that runs brute-force attacks against remote services. It supports all sorts of protocols such as SSH, Telnet, HTTP, HTTPS and many more. Before we start, there are certain things we should know about how the FTP service works and what sort of limitations or restrictions hosts can apply to it. What is the maximum number of failed login attempts? Is the server configured to ban clients after a certain number of failed attempts? If so, is the ban permanent or temporary? These factors can significantly hamper the cracking process, and in the end they decide whether you cannot pull it off at all or just need to add some parameters to make it work.

For the sake of this tutorial, I planned to use it for FTP cracking. I prepared wordlists in Kali Linux on a virtual machine and installed ProFTPD 1.3.5 on my laptop as the server machine. The valid username is username and the password is password123.

Medusa is fairly straightforward and has a command-line interface. I should say it has mainly five variables (parameters) in everyday use. One of them is the host address, which -h stands for. It also lets you supply a file containing multiple hosts (-H followed by the path to the list) when you need to work on more than one host, which I guess is a pretty rare case. Next, we have the username, whose parameter is -u or -U (upper case for lists). Like aircrack, hydra etc., Medusa uses lower case for single defined entries. When you are sure there is a username named admin, go ahead and put -u admin. The same applies to passwords (-p or -P). Let us say you have no clue what these could be. In that case you should prepare wordlists for both usernames and passwords. You can either use a ready-made wordlist you find somewhere or compile a specific list by guessing probable usernames. Shooting in the dark won't help you if you don't know at least one of the two. I recommend short lists that include words you think are likely valid, such as admin, root, me, ftp. Last but not least, we need to specify the execution mode, which defines the protocol to work on; -M stands for mode. Below, we have a couple of optional parameters to tweak your brute-force process.

An FTP server might have more than one username. So when Medusa finds a correct username and password, it does not stop until the lists are exhausted; it normally tries all username and password pairs in order. If you want it to stop brute-forcing once it finds a valid pair, add the -f parameter. For brute-forcing login pages over HTTPS, the -s parameter enables SSL mode. -v stands for verbosity, which can be increased up to level six. It also offers the convenience of resuming your previous scan with the -Z parameter. Sometimes a password or username comes to mind and you want to quickly add it to the scan; the -e parameter is a practical option for that. The FTP server might also be carefully configured against brute-force attacks, so that you get blocked while attempting. You can fine-tune the sleep duration between retry attempts, the maximum number of retries before giving up, and so forth. For further information, check out the other parameters yourself and test them against your target in a virtual machine.
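As an added, defender-side example (not part of the original post): a small Python detector that applies the server-side limits discussed above, a failed-login threshold within a time window per client address, to constructed ProFTPD-style log lines, and also flags a successful login that follows such a burst, which is the trace a wordlist run leaves behind whether or not -f stops it. The log format and addresses are a constructed approximation for this example, not verbatim ProFTPD output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on ProFTPD's default log; the
# timestamps, host names and addresses are made up for this example.
SAMPLE_LOG = """\
2016-08-28 14:02:01 lab proftpd[1201] lab (kali[10.0.2.15]): USER admin (Login failed): Incorrect password.
2016-08-28 14:02:02 lab proftpd[1202] lab (kali[10.0.2.15]): USER root (Login failed): Incorrect password.
2016-08-28 14:02:02 lab proftpd[1203] lab (kali[10.0.2.15]): USER ftp (Login failed): Incorrect password.
2016-08-28 14:02:03 lab proftpd[1204] lab (kali[10.0.2.15]): USER me (Login failed): Incorrect password.
2016-08-28 14:02:04 lab proftpd[1205] lab (kali[10.0.2.15]): USER username (Login failed): Incorrect password.
2016-08-28 14:02:05 lab proftpd[1206] lab (kali[10.0.2.15]): USER username: Login successful.
2016-08-28 14:05:00 lab proftpd[1210] lab (desk[10.0.2.7]): USER username (Login failed): Incorrect password.
2016-08-28 14:05:09 lab proftpd[1211] lab (desk[10.0.2.7]): USER username: Login successful.
"""

# Timestamp, client address, user name and outcome of each login line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\((?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]\): USER (?P<user>\S+)"
    r"(?P<outcome> \(Login failed\)|: Login successful)"
)

def parse(lines):
    """Yield (timestamp, client_ip, user, succeeded) for each login line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["outcome"].startswith(":")

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert ('bruteforce', ip, n) once an address reaches `threshold` failures
    inside `window`, and ('success_after_failures', ip, user) when a login later
    succeeds from an address that was already flagged."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged, alerts = set(), []
    for ts, ip, user, ok in parse(lines):
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ok:
            if ip in flagged:
                alerts.append(("success_after_failures", ip, user))
            continue
        q.append(ts)
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("bruteforce", ip, len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single mistyped password from 10.0.2.7 stays below the threshold and raises nothing, while the five rapid failures from 10.0.2.15 and the success that follows them produce two alerts.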

Saturday, July 2, 2016

Dnsenum

This tutorial covers one of the most well-known DNS enumerators, Dnsenum. DNS enumeration is conducted in the active information-gathering phase to obtain as much detailed information as possible about the target system. Before getting into the DNS enumeration process, it is very important to know the basics of how DNS servers work. I highly recommend having enough knowledge of things like zone transfers and DNS record types to better understand the concept. It is safe to say that obtaining crucial information about a target can sometimes be pretty easy when a server is misconfigured, so that you can easily find out its reverse DNS records, name records, the mail server it uses and even the operating system installed on the target. Anything found with this technique might have a critical vulnerability to exploit and help you get into the system. There are a bunch of practical tools that help you gather information about DNS records; DNSrecon, fierce, dnstracer and dig are a few of them. This tutorial is particularly about Dnsenum.
To use the tool, run dnsenum in the console. When it comes up you'll see its parameters. The most used ones are listed below; each one has a description in the help menu, so you can try out the others yourself.
--enum This combines three options: the number of threads, the maximum number of subdomains, and whois queries. The thread value is set to 5, the number of subdomains scraped from Google is set to 10, and last but not least it runs the whois queries that you would otherwise enable with the -w parameter.
--noreverse As the help menu says, it skips the reverse lookups.
-f This is for brute-forcing. It takes the path of a wordlist file containing subdomain names. You can either use the built-in wordlist in /usr/share/dnsenum/dns.txt or find a better one on the Internet.
-o Outputs the results in XML format. I think this function is sort of buggy in this version; it doesn't give properly formatted reports. When I tried converting one into PDF format, the online converter gave me a 312-page PDF file. Most of the pages were blank.
-w For performing whois queries on C-class networks.

--dnsserver With this parameter, you can indicate which DNS server you would like to use for your enumeration. It works with Google's servers unless you specify a DNS server.

This time I ran it against a website (zonetransfer.me) that is purposely misconfigured to allow zone transfers. It gives us all the information on this server, with every record type.

You had better compare the results you get from Dnsenum with those obtained with another tool, to make sure you do not miss anything important.