Merge pull request #66 from jmk-foofus/update-documentation-release

Update documentation release

Makefile.am

@@ -2,7 +2,7 @@ AUTOMAKE_OPTIONS = gnu
 
 SUBDIRS = src
 
-man_MANS = doc/medusa.1
+man_MANS = docs/medusa.1
 
-EXTRA_DIST_HTML != ls $(srcdir)/doc/*.html
-EXTRA_DIST = doc/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa
+EXTRA_DIST_HTML != ls $(srcdir)/docs/*.html
+EXTRA_DIST = docs/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa

Makefile.in

@@ -338,8 +338,8 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 AUTOMAKE_OPTIONS = gnu
 SUBDIRS = src
-man_MANS = doc/medusa.1
-EXTRA_DIST = doc/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa
+man_MANS = docs/medusa.1
+EXTRA_DIST = docs/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa
 all: config.h
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -868,7 +868,7 @@ uninstall-man: uninstall-man1
 .PRECIOUS: Makefile
 
 
-EXTRA_DIST_HTML != ls $(srcdir)/doc/*.html
+EXTRA_DIST_HTML != ls $(srcdir)/docs/*.html
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.

README.md

@@ -2,7 +2,7 @@
 
 **Medusa Parallel Network Login Auditor**
 
-Copyright (C) 2016 Joe Mondloch<br />
+Copyright (C) 2024 Joe Mondloch<br />
 JoMo-Kun / [email protected]
 
 Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:
@@ -13,49 +13,6 @@ Flexible user input. Target information (host/user/password) can be specified in
 
 Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
 
-Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, MS-SQL, POP3, RDP, SSHv2, among others).
+Multiple protocols supported. Many services are currently supported (e.g. SMB (SMBv1-3 w/ SMB signing), HTTP, MS-SQL, POP3, RDP, SSHv2, among others).
 
-See doc/medusa.html for Medusa documentation. For additional information:
-- http://foofus.net/?page_id=51
-- http://foofus.net/goons/jmk/medusa/medusa.html
-
-## Building on macOS
-
-First download the source code and change to the Medusa directory:
-
-```
-git clone https://github.com/jmk-foofus/medusa
-cd medusa
-```
-
-Also install the needed dependencies using Homebrew:
-
-```
-brew cask install xquartz
-brew install freerdp
-```
-
-Then add the Freerdp path for executing the configuration without issues:
-
-```
-$ export FREERDP2_CFLAGS='-I/usr/local/include'
-$ export FREERDP2_LIBS='-I/usr/local/lib/freerdp'
-```
-
-Then build things:
-
-```
-./configure
-make && make install
-```
-
-Then copy the binary to your binaries folder
-
-```
-sudo cp src/medusa  /usr/local/bin
- ```
-Now you can start using Medusa:
-
-```
-medusa
-```
+Medusa documentation: https://jmk-foofus.github.io/medusa/medusa.html

doc/medusa-rdp.html → docs/medusa-rdp.html

@@ -17,23 +17,6 @@ <H1>Medusa Parallel Network Login Auditor :: RDP</H1>
 pass-the-hash option is also only available if FreeRDP version 1.2 or 
 greater is installed.
 
-<P>
-Pre-built binaries of the FreeRDP master branch are available at <A HREF="https://ci.freerdp.com">https://ci.freerdp.com</A>.
-Builds are available for Ubuntu, Debian, Fedora, and OpenSUSE. The nightly 
-builds are installed into /opt/freerdp-nightly and can be installed in parallel 
-with the distribution's regular freerdp package. If Medusa detected this version
-during its build process, it should have built against it over any other installed
-version of FreeRDP.
-
-<P>
-For example, the following worked for Kali 2.0 on 2015/11/04:<BR>
-- Visit: <A HREF="https://ci.freerdp.com/job/freerdp-nightly-binaries/architecture=amd64,distribution=jessie,label=pkg-deb/">https://ci.freerdp.com/job/freerdp-nightly-binaries/architecture=amd64,distribution=jessie,label=pkg-deb/</A><BR>
-- Download: freerdp-nightly_1.2.1+0~20151104024829.185~1.gbpb83356_amd64.deb<BR>
-- Download: freerdp-nightly-dev_1.2.1+0~20151104024829.185~1.gbpb83356_amd64.deb<BR>
-- Install: dpkg -i freerdp-nightly*<BR>
-- Update run time path: echo /opt/freerdp-nightly/lib/ >> /etc/ld.so.conf; ldconfig 
-- Build Medusa: ./configure;make
-
 <P>
 The following examples demonstrate several uses of the RDP module:
 

doc/medusa.html → docs/medusa.html

@@ -407,6 +407,50 @@ <H4>Linux/Gentoo</H4>
     </CODE>
 </UL>
 
+<H4>MacOS</H4>
+
+<P>
+First download the source code and change to the Medusa directory:
+
+<PRE>
+git clone https://github.com/jmk-foofus/medusa
+cd medusa
+</PRE>
+
+Also install the needed dependencies using Homebrew:
+
+<PRE>
+brew cask install xquartz
+brew install freerdp
+</PRE>
+
+Then add the Freerdp path for executing the configuration without issues:
+
+<PRE>
+$ export FREERDP2_CFLAGS='-I/usr/local/include'
+$ export FREERDP2_LIBS='-I/usr/local/lib/freerdp'
+</PRE>
+
+Then build things:
+
+<PRE>
+./configure
+make && make install
+</PRE>
+
+Then copy the binary to your binaries folder
+
+<PRE>
+sudo cp src/medusa  /usr/local/bin
+</PRE>
+
+Now you can start using Medusa:
+
+<PRE>
+medusa
+</PRE>
+
+
 <H4>Other Systems</H4>
 
 <P>

src/modsrc/rdp.c

@@ -126,8 +126,6 @@ void showUsage()
   writeVerbose(VB_NONE, "");
   writeVerbose(VB_NONE, "Note: This module does NOT work against Microsoft Windows 2003/XP and earlier.");
   writeVerbose(VB_NONE, "");
-  writeVerbose(VB_NONE, "*** There appears to be thread-safety issues within the FreeRDP library and/or this module. ***");
-  writeVerbose(VB_NONE, "*** It is recommended that you avoid using concurrent hosts/users (i.e., -T/-t).");
   writeVerbose(VB_NONE, "");
 }
 
@@ -379,6 +377,8 @@ int tryLogin(_MODULE_DATA* _psSessionData, sLogin** psLogin, freerdp* instance,
   unsigned int i;
   int old_stderr;
   int old_stdout;
+  unsigned char *p = NULL;
+  unsigned char *ntlm_hash = NULL;
 
   /* Nessus Plugins: smb_header.inc */
   /* Note: we are currently only examining the lower 2 bytes of data */
@@ -447,9 +447,26 @@ int tryLogin(_MODULE_DATA* _psSessionData, sLogin** psLogin, freerdp* instance,
   /* Pass-the-hash support added to FreeRDP 1.2.x development tree */
   if (_psSessionData->isPassTheHash)
   {
+    /* Extract NTLM hash from PwDump format */ 
+    /* [PwDump] D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: */
+    p = szPassword;
+    i = 0;
+    while ((*p != '\0') && (i < 1)) {
+      if (*p == ':')
+        i++;
+      p++;
+    }
+
+    if (*p == '\0') {
+      ntlm_hash = szPassword;
+    } else {
+      ntlm_hash = p;
+      memset(ntlm_hash + 32, '\0', 1);
+    }
+
     instance->settings->ConsoleSession = TRUE;
     instance->settings->RestrictedAdminModeRequired = TRUE;
-    instance->settings->PasswordHash = szPassword;
+    instance->settings->PasswordHash = ntlm_hash;
   }
   else
     instance->settings->Password = szPassword;

src/modsrc/smbnt-smb1.c

@@ -240,6 +240,7 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
   unsigned int i = 0, j = 0;
   int mdlen;
   unsigned char *p = NULL;
+  unsigned char *ntlm_hash = NULL;
   char HexChar;
   int HexValue;
   unsigned char NO_PASSWORD[1] = "";
@@ -254,15 +255,22 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
         i++;
       p++;
     }
+
+    if (*p == '\0') {
+      ntlm_hash = pass;
+    } else {
+      ntlm_hash = p;
+      memset(ntlm_hash + 32, '\0', 1);
+    }
   }
 
   /* If "-e ns" was used, don't treat these values as hashes. */
-  if ((_psSessionData->hashFlag == HASH) && (i >= 1)) {
-    if (*p == '\0') {
-      writeError(ERR_ERROR, "Error reading PwDump file.");
+  if ((_psSessionData->hashFlag == HASH)) {
+    if (*ntlm_hash == '\0') {
+      writeError(ERR_ERROR, "Error reading hash or PwDump file.");
       return FAILURE;
     }
-    else if (*p == 'N') {
+    else if (*ntlm_hash == 'N') {
       writeError(ERR_DEBUG_MODULE, "Found \"NO PASSWORD\" for NTLM Hash.");
       pass = NO_PASSWORD;
 
@@ -281,11 +289,11 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
       EVP_MD_CTX_free(md4Context);
     }
     else {
-      writeError(ERR_DEBUG_MODULE, "Convert ASCII PwDump NTLM Hash (%s).", p);
+      writeError(ERR_DEBUG_MODULE, "Convert ASCII PwDump NTLM Hash (%s).", ntlm_hash);
       for (i = 0; i < 16; i++) {
         HexValue = 0x0;
         for (j = 0; j < 2; j++) {
-          HexChar = (char) p[2 * i + j];
+          HexChar = (char) ntlm_hash[2 * i + j];
 
           if (HexChar > 0x39)
             HexChar = HexChar | 0x20;     /* convert upper case to lower */

src/modsrc/smbnt-smb2.c

@@ -114,6 +114,9 @@ int SMB2ConvertPassword(_SMBNT_DATA *_psSessionData, unsigned char* szPassword,
       writeError(ERR_DEBUG_MODULE, "Prepare ASCII PwDump NTLM Hash (%s).", p);
       if (asprintf((char **)szPassword2, "ntlm:%s", p) < 0) { return FAILURE; }
     }
+  } else if ((_psSessionData->hashFlag == HASH)) {
+    writeError(ERR_DEBUG_MODULE, "Prepare ASCII PwDump NTLM Hash (%s).", szPassword);
+    if (asprintf((char **)szPassword2, "ntlm:%s", szPassword) < 0) { return FAILURE; }
   } else {
     *szPassword2 = szPassword;
     writeError(ERR_DEBUG_MODULE, "[%s] Using standard password: %s", MODULE_NAME, *szPassword2);