[00:00:00] Welcome to Part Five of this module. It's time to take out our trusty mirrored shields and gaze for a while at Medusa. Medusa is a lightweight login brute forcer that is to password cracking what a trebuchet is to a castle. Medusa is often seen as the also-ran to the much more popular Hydra; however, while Hydra is undeniably superior for attacking individual web portals, Medusa is efficient for most everything else. It is speedy and modular, although it requires a lot of user input, but it's not that difficult to use once you get past the excessive number of switches.

[00:00:40] Medusa comes bundled with Kali 2.0 and is a Linux-only offering, at least right now. It can be found under Applications > Password Attacks > Medusa. Running it on the command line without other inputs gives us our help menu with all the switches. For those of you who have been following along this course in order, you will have already seen most of what Medusa can do done by Hydra in other modules, such as, for example, when we looked at Sparta. That being said, this is a solid program.

[00:01:23] So why would you use it over Hydra? Medusa is a very lightweight tool. It is a much cleaner login cracker and it is multi-threaded, which allows you to scan multiple hosts at one time.
[00:01:38] The great thing about this is that it works on many services such as FTP, HTTP, MySQL, Telnet and many others. While Hydra tends to be integrated into a lot of things, such as Burp Suite and Sparta, Medusa is not a tool that you should ignore. In this video the target is once again going to be a Metasploitable machine that I have running on the office network. Never use this or any other hacking tool against any target that you do not personally own or have written permission from the owner to penetration test, or you could be breaking the law. Let's get started.

[00:02:18] I should begin by saying that I cheated a little bit here and created a word list that contains the correct usernames and passwords for our target along with a few incorrect ones. This is because I want to teach the method, and using a full-sized word list would achieve the same objective but it would take hours or even days. I've said it before in other modules and it's worth repeating: brute forcing is normally a very long and very slow process. If you choose this approach, you need to be prepared to dedicate the system that you're using to the task for an undetermined length of time. It's hard on your system, and you want to make certain that whatever device you have for cooling your computer, be it a fan or something else, is operational, since your processor can really heat up. If you're wondering about word lists,
[00:03:18] please see the prior video on CeWL and on Crunch for instructions on how to create word lists of your own. You can also use the ones that come prepackaged with Kali 2.0, such as the excellent rockyou word list, and if all else fails you can download lists from many different sources online. But with all of that being said, a list of some kind is in fact required with Medusa. It will not work like John the Ripper does if you don't supply one. So for services like FTP, Telnet, SSH, this is a fantastic tool.

[00:04:01] Let's go over some of the key commands. -h is how we specify our target hostname or IP address. The next command that we're going to be using is -u, which specifies the username. This isn't always necessary, though, as there are many cases where you won't have a username. It's possible to use a username list along with a password list, which will be demonstrated in the next example. It's also worth pointing out that the uppercase -H is used to specify a file containing a list of hosts. If you just came from the information gathering section of this course, you might have just such a file in a text document. And like I said, this is where Medusa really shines, because it's quite good at scanning multiple targets.
[00:04:59] It seems like so many penetration testers just rely on Hydra and totally overlook this very nice aspect of Medusa. And by the same token, we can use the uppercase -U to specify a file containing usernames. Just imagine having a list of hosts obtained during the information gathering phase, then a list of usernames obtained through sqlmap or some other method. She may not be the most beautiful girl at the ball, but Medusa is a fantastic dancer. The -P option is how we will specify our password file, and the uppercase -M, which is short for module, allows us to specify the service that we will be attacking, whereas -n allows us to specify a port.

[00:05:59] So our first command is going to be against the SSH port on our target. All we need is the URL or the IP address, which you may remember from prior videos as being 10.0.0.8. The cracking process is slightly different because we have to specify a few things. So to launch the attack, type medusa, and we're going to specify -h for the host, which is 10.0.0.8, and now we're going to specify a username with -u, and we're going to give it msfadmin, which is the username for the Metasploitable machine that we're going to be attacking. Again, I'll demonstrate how to use a list for this in the next example.
[00:06:57] Next we're going to use uppercase -P and we're going to specify the location of the word list that we're going to be using for password guesses. Now in this case it is located on my desktop, and again you can use the word lists that came with Kali, such as rockyou, or even generate your own. If you were doing this blind against a real target, I would recommend either the rockyou or the sqlmap word lists.

[00:07:30] Uppercase -M is used to specify the module, which in this case is ssh. Then we use the -n command to give it a port, which is 22 by default for SSH connections. Everything appears to be in order, so we press Enter. This will be over very quickly because, as I said, I cheated and I put the passwords into the word list that I'm using. This process goes off like a normal brute force attack and then as a word list attack. By default it goes through all of the words and all of the combinations that it can go through, and it successfully obtained both passwords. Great.

[00:08:16] Now let's try this again against a different service. Let's pretend that we don't have the username. This time we're going to specify a username file, which again is going to be quite short because I cheated, and we're going to attack the FTP service running on port 21. Just clear the screen there. So the command is almost exactly the same as before.
[00:08:43] Give it the target. We're not going to specify a username this time; we're going to use uppercase -U and we're going to give it our word list, which is going to be the user list on the desktop. I stored my user list on the desktop, and of course yours would be wherever you stored it. Then we'll use -P to specify the file we're using for password guesses, which is still the word list, and then -M, sorry, and this time we're going to specify that the attack is against ftp. And finally we're going to give it the port, and for FTP the default port is 21. And I'm sorry, this is case sensitive: Desktop needed to have a capital D. All right. Sorry about that, little typos.

[00:09:41] So here we are specifying the target host, the location of the user list, which in my case again was on the desktop, the location of the word list to be used for password guesses, the service, which is FTP, and the port, which is 21 by default. Now Medusa is going to go through all possible combinations using these very simple and short lists, and I'm going to let this run for a while so that you can see exactly how this process is working as we go.
[00:10:14] You're going to see successes announced in the readout, but in the case of a very large pen test these can be somewhat hard to spot. The procedure is basically the same for any service that you wish to attack: simply specify the correct service using uppercase -M and the correct port and watch Medusa go, or supply a target list and leave Medusa to do her thing.

[00:10:46] At the start of this video I mentioned that Medusa is modular, and there are in fact a lot of modules that have been written to expand and build upon Medusa's considerable capabilities, and these can be found online. Medusa is an open source tool, and while it doesn't get the kind of love and attention that Hydra often receives, it does have a loyal following. It really isn't possible to show off the true potential of Medusa just using the few computers I have at my disposal, but its capability at going through a large number of targets is really quite impressive. So keep this in mind when you're doing large scale penetration tests, and also keep in mind that even though brute forcing is, as I've said over and over, painfully slow, Medusa is very efficient at it, provided that you give it a good word list to utilize. And a good word list would be one that is either tailored for your target or a word list that does not contain a lot of duplicate words or nonsense strings that would only clutter up this process. All right.
[00:12:05] And so scrolling up here we can see that there were several successes amidst the many, many guesses. And that was Medusa, an excellent tool that I hope will be of use to you. Thank you.