1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
|
================================================================
Version 2.3 (2025/05)
================================================================
Medusa Core Updates:
- General code clean-up and compiler warning squashing
- Updated OpenSSL calls from 1.x to 3.x
- Log timestamps on password checks
- Multiple bugfixes from contributors (see commit log)
Module Updates:
RDP
- FreeRDP 3.0 support
SMBNT
- SMBv2/3 and SMB signing support (libsmb2)
VNC
- Removed UltraVNC MS-Logon I/II support due to OpenSSL updates
================================================================
Version 2.2
================================================================
Medusa Core Updates:
- General code clean-up and compiler warning squashing
Module Updates:
HTTP
- NTLM2 session response support
- Report domain name provided in NTLM challenge (verbose output)
- Allow inclusion of custom headers
RDP
- Initial release of RDP module (FreeRDP-based)
- Support for pass-the-hash authentication
SMB
- Report account access (admin vs user-level) through ADMIN$ connection
SMTP-VRFY
- Added EXPN/RCPT support
SSH
- Fix OS X multi-thread issues
================================================================
Version 2.1.1
================================================================
Minor release updates:
- GCC 4.7 compile issue ("-module" removed)
- SMBNT: fix infinite loop issue when testing against OS X
- SNMP: remove socket flushing that caused us to miss passwords
- IMAP: less restrictive regex to better match OK responses
- POP3: restart connection after each attempt to deal with shunning
================================================================
Version 2.1
================================================================
Medusa Core Updates:
- Combo format now accepts "host:user:lm hash:ntlm hash"
- Autoconf updates and fixes
- Removed PCRE library dependency (using stock glibc regex support)
Module Updates:
- Numerous bug-fixes across modules (e.g., SSH2 thread-safety)
- Support for UltraVNC MS-Logon (local/domain Windows credentials)
Additional Updates:
- Third-party GUI released:
http://wiki.taksmind.org/index.php?title=Medusa-gui
================================================================
Version 2.0
================================================================
Medusa Core Updates:
-Pool-based thread handling
Previous version destroyed threads following the completion of a host
or user test. The use of a thread pool should decrease the overall
application overhead by limiting the frequency of thread destruction
and creation. The original code ran into issues in several specific
situations (e.g. testing over a thousand users with only a single
password). Such cases resulted in a large number of threads being
created and destroyed in short order, frequently resulting in an
application crash. The thread pool should eliminate this particular
problem.
-Modules now request next credential set (username + password)
Modules previously called getNextPass(), which returned a valid password
until the password list for the user being tested was exhausted. At that
point, the module exited and the login thread was destroyed. A new thread
and module instance would be created for the next user to test. We now
use getNextCredetialSet(), which returns a valid user and password. This
allows the module to get the next user to test and decide whether the
connection needs to be completely torn down or not.
-Secondary user credential queue added for missed login tests.
In certain situations we need to scale back the number of concurrent
login threads targetting a specific service. For example, MSDE's workload
governor limits the service to no more than 5 concurrent connections. If
the user kicked-off 10 parallel login threads, 5 of those are going to
fail and terminate. The challenge is that each of those threads was
already assigned a credential set to test.
The previous version simply printed the username and password combinations
which were not tested and moved on. We now push these missed credentials
into a host specific queue. Once the login threads have finished their
normal checks, they move on to this queue and retry the previously missed
credentials. In some cases, say it's the last thread that pushed something
into the queue before exiting, we kick-off a clean-up thread to walk through
any remaining items.
-Host and User-level Resume
Support for host and user-level resuming of a scan. When Medusa receives a
SIGINT, it will calculate and display a "resume map". This map can then be
supplied to the next run. For example, "medusa [OPTIONS PREVIOUSLY USED]
-Z h6u1u2h8.". This map describes which hosts were completed and which
systems had not been touched. If a host was partially completed, it
describes which users had been tested for that specific system. It should
be noted that password-level resuming is not supported. If a user's
password list was only partially completed, testing of the user will be
restarted on resume.
Module Updates:
FTP
-Misc. fixes
IMAP
-Domain module option for BASIC/NTLM authentication types
-Allow auth type to be specified
-Misc. fixes (NTLM base64 length, restart HTTP connection after each request)
IMAP
-Domain module option for LOGIN/NTLM authentication types
-Regex-based server response matching for better handling of slow targets
-Misc. fixes (handle dropped connections, force TLSv1, base64 length)
MSSQL
-Auto SQL port identification via "SQL Ping" technique
NCP
-Misc. fixes (connection retry code)
POP3
-Domain module option for NTLM authentication type
-Regex-based server response matching for better handling of slow targets
-Misc. fixes (base64 length)
SMTP
-Regex-based server response matching for better handling of slow targets
SMTP-VRFY
-Misc. fixes (don't include "@" if no domain specified)
SSH
-Detect and warn if being built on Debian/Ubuntu system (broken libssh2)
VMAUTHD
-Regex-based server response matching for better handling of slow targets
Web-Form
-Misc. fixes
WRAPPER
-Misc. fixes (fix handling of short usernames/passwords)
================================================================
Version 1.5
================================================================
Medusa Core Updates:
-Provides additional information about current account check (e.g. 172.22.110.58 (60 of 104, 51 complete))
-Support for simple resume by host.
-Bug fix for "-e" option
-Bug fix for displaying hostname vs. IP
-Added function for printing a specified length of binary data in hex
Module Updates:
AFP
-Added new module for Apple Filing Protocol from pmonkey
HTTP
-NTLM auth bug fix
-Digest authentication support (MD5 and MD5-sess)
IMAP
-STARTTLS extension support
-NTLM support
MYSQL
-Misc. bug fixes
POP3
-STARTTLS extension support
-Better handling of connections dropped by remote server
-Support user-supplied domain names
-LOGIN, PLAIN, and NTLM support
SMBNT
-Created framework for different authentication levels (e.g. LM, NTLM, etc).
-Support for basic LM authentication to allow for case insensitive bruting
-NTLMv2/LMv2 support (Vista bruting)
-Fix for guest user check
-Support for "DOMAIN\USER" and "DOMAIN\\USER" style names
SMTP
-Renamed SMTP-AUTH to SMTP
-NTLM support
SMTP-VRFY
-Misc. bug fixes
SSH
-Honor number of user specified retries
-Restart connection when server fails to respond with auth modes after several attempts
TELNET
-Basic AS/400 Telnet / TN5250 support
-Log hosts supplying only a password prompt (non-AAA)
VMAUTHD
-Misc. bug fixes
WEB-FORM
-Misc. bug fixes for user-supplied FORM-DATA value
Misc. Updates:
-Added ZSH Functions file
-Updated Medusa ebuild version and added new module dependencies.
================================================================
Version 1.4
================================================================
Medusa Core Updates:
-Major re-working of the autoconf setup. Modules can now be enabled/disabled
individually. Also, modules for which the base dependencies are not
satisfied are simply not built. In the past they were compiled, but left in
a non-functional state. The default is to build all "stable" modules.
-APR version detection
-Misc bug fix in networking code
-SSL socket rework. Fixes issue with concurrent mixed SSL and non-SSL
connections (FTPS).
Module Updates:
FTP
-Added support for explicit and implicit SFTP
-Better handling of FTP banners
HTTP
-Now leaves user specified value intact within Host: header
-Minor code cleanup
IMAP
-LOGIN AUTH support
-Added TAG module parameter
-No longer restarts connection after each attempt
NNTP
-Added module with AUTHINFO support
POP3
-No longer restarts connection after each attempt
MySQL
-Misc bug fixes / error handling
-Added MySQL pre-4.1 pass-the-hash support
NCP
-Misc bug fixes
SMBNT
-Misc bug fixes
SMTP-AUTH
-AUTH PLAIN support
-AUTH LOGIN (e.g. Exchange) support
SSH
-Handles new libssh2 error messages
-Libssh2 (0.18) should no longer cause Medusa to hang on SSHv1 hosts or when
the target refuses to send its banner.
-Added banner parameter verification (Luciano Bello)
VNC
-Misc bug fixes
WEB-FORM
-Added new module from Luciano Bello
WRAPPER
-Better handling of failed attempts within oracle.pl script
================================================================
Version 1.3
================================================================
Medusa Core Updates:
-Module listing fix for OpenBSD/AMD64
-Autoconf tweaks for NCP & SVN checks
-Autoconf tweaks for Solaris/OpenBSD
-Removed unnecessary IP address checks
-Other minor bug fixes
================================================================
Version 1.2
================================================================
Moved following modules to stable:
NCP, VNC, PostgreSQL, SVN, CVS, VmAuthd, SNMP
Medusa Core Updates:
-Compile on x86_64, Mac OS X.
-Minor bug fixes.
-Modified license with OpenSSL GPL exemption.
Module Updates:
SMBNT
-Added AS/400 target support.
-Global "-e" option now works with module "PASS:HASH".
FTP
-Modified response parsing code to support AS/400 brute-forcing.
REXEC
-Modified response parsing code.
Wrapper
-Added oracle script.
-Added SMB NULL session script.
================================================================
Version 1.1
================================================================
Added following modules (unstable):
CVS, NCP, PostgreSQL, SMTP/VRFY, SNMP, SVN, VmAuthd, VNC
Moved following modules to stable:
PcAnywhere, FTP, IMAP, RSH, REXEC, RLOGIN, and generic wrapper
Medusa Core Updates:
-Display module list sorted alphabetically
-Compiles on OpenBSD
-Added delayed receive functions which allow the modules to specify the timeout
for both the initial socket read and the second "is any more data there?" check.
-Modified SSL connect function. The function now takes an already existing socket
and switches it over to SSL. This is needed for modules like VMAUTHD.
-Major rework of network receive function. Original code was copied from Hydra and
seemed to have some issues.
Module Updates:
HTTP
-Added check for 301 error code (success)
-NTLM authentication support
IMAP
-Minor code cleanup
MySQL
-Added support for testing accounts without password
PcAnywhere
-Added sleep to deal with servers freaking out when attempts arrive too quickly
POP3
-Added AS/400 mode. Examines error codes to give us better information about
account status.
SMBNT
-Added check to detect non-existent accounts when auditing an XP client
Telnet
-Moved receive functions to new delayed receive functions. This is slower, but
we should actually be able to brute devices with long logon banners now.
Wrapper
-Added support for scripts to pass error messages back to Medusa.
Misc. Updates:
Rdesktop
-Added better success/failure detection
-Added support to detect various error messages
-Added basic W2K support
-Added basic OS detection
Ebuilds
-Updated libssh2 ebuild based on bugs.gentoo.org feedback.
-Updated Medusa ebuild based on bugs.gentoo.org feedback.
-Updated Medusa version and added new module dependencies.
-Modified ncpfs ebuild for "install-dev" option.
================================================================
Version 1.0
================================================================
Initial release
Modules (stable): HTTP, MS-SQL, SMBNT, SSHv2, Telnet, POP3 and MySQL
Modules (unstable): RSH, RLOGIN, REXEC, FTP, IMAP, PcAnywhere, and generic wrapper
|
