diff --git a/Makefile.am b/Makefile.am index 45e013a..9b6a909 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2,7 +2,7 @@ AUTOMAKE_OPTIONS = gnu SUBDIRS = src -man_MANS = doc/medusa.1 +man_MANS = docs/medusa.1 -EXTRA_DIST_HTML != ls $(srcdir)/doc/*.html -EXTRA_DIST = doc/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa +EXTRA_DIST_HTML != ls $(srcdir)/docs/*.html +EXTRA_DIST = docs/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa diff --git a/Makefile.in b/Makefile.in index 0dda786..ec4315e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -338,8 +338,8 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = gnu SUBDIRS = src -man_MANS = doc/medusa.1 -EXTRA_DIST = doc/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa +man_MANS = docs/medusa.1 +EXTRA_DIST = docs/medusa.1 $(EXTRA_DIST_HTML) misc/net-analyzer/medusa-2.2.ebuild misc/zsh/_medusa all: config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -868,7 +868,7 @@ uninstall-man: uninstall-man1 .PRECIOUS: Makefile -EXTRA_DIST_HTML != ls $(srcdir)/doc/*.html +EXTRA_DIST_HTML != ls $(srcdir)/docs/*.html # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/README.md b/README.md index 7bf138d..12744af 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ **Medusa Parallel Network Login Auditor** -Copyright (C) 2016 Joe Mondloch
+Copyright (C) 2024 Joe Mondloch
JoMo-Kun / jmk@foofus.net Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application: @@ -13,49 +13,6 @@ Flexible user input. Target information (host/user/password) can be specified in Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing. -Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, MS-SQL, POP3, RDP, SSHv2, among others). +Multiple protocols supported. Many services are currently supported (e.g. SMB (SMBv1-3 w/ SMB signing), HTTP, MS-SQL, POP3, RDP, SSHv2, among others). -See doc/medusa.html for Medusa documentation. For additional information: -- http://foofus.net/?page_id=51 -- http://foofus.net/goons/jmk/medusa/medusa.html - -## Building on macOS - -First download the source code and change to the Medusa directory: - -``` -git clone https://github.com/jmk-foofus/medusa -cd medusa -``` - -Also install the needed dependencies using Homebrew: - -``` -brew cask install xquartz -brew install freerdp -``` - -Then add the Freerdp path for executing the configuration without issues: - -``` -$ export FREERDP2_CFLAGS='-I/usr/local/include' -$ export FREERDP2_LIBS='-I/usr/local/lib/freerdp' -``` - -Then build things: - -``` -./configure -make && make install -``` - -Then copy the binary to your binaries folder - -``` -sudo cp src/medusa /usr/local/bin - ``` -Now you can start using Medusa: - -``` -medusa -``` +Medusa documentation: https://jmk-foofus.github.io/medusa/medusa.html diff --git a/doc/medusa-afp.html b/docs/medusa-afp.html similarity index 100% rename from doc/medusa-afp.html rename to docs/medusa-afp.html 
diff --git a/doc/medusa-compare.html b/docs/medusa-compare.html similarity index 100% rename from doc/medusa-compare.html rename to docs/medusa-compare.html diff --git a/doc/medusa-cvs.html b/docs/medusa-cvs.html similarity index 100% rename from doc/medusa-cvs.html rename to docs/medusa-cvs.html diff --git a/doc/medusa-ftp.html b/docs/medusa-ftp.html similarity index 100% rename from doc/medusa-ftp.html rename to docs/medusa-ftp.html diff --git a/doc/medusa-http.html b/docs/medusa-http.html similarity index 100% rename from doc/medusa-http.html rename to docs/medusa-http.html diff --git a/doc/medusa-imap.html b/docs/medusa-imap.html similarity index 100% rename from doc/medusa-imap.html rename to docs/medusa-imap.html diff --git a/doc/medusa-mssql.html b/docs/medusa-mssql.html similarity index 100% rename from doc/medusa-mssql.html rename to docs/medusa-mssql.html diff --git a/doc/medusa-mysql.html b/docs/medusa-mysql.html similarity index 100% rename from doc/medusa-mysql.html rename to docs/medusa-mysql.html diff --git a/doc/medusa-ncp.html b/docs/medusa-ncp.html similarity index 100% rename from doc/medusa-ncp.html rename to docs/medusa-ncp.html diff --git a/doc/medusa-nntp.html b/docs/medusa-nntp.html similarity index 100% rename from doc/medusa-nntp.html rename to docs/medusa-nntp.html diff --git a/doc/medusa-pcanywhere.html b/docs/medusa-pcanywhere.html similarity index 100% rename from doc/medusa-pcanywhere.html rename to docs/medusa-pcanywhere.html diff --git a/doc/medusa-pop3.html b/docs/medusa-pop3.html similarity index 100% rename from doc/medusa-pop3.html rename to docs/medusa-pop3.html diff --git a/doc/medusa-postgres.html b/docs/medusa-postgres.html similarity index 100% rename from doc/medusa-postgres.html rename to docs/medusa-postgres.html diff --git a/doc/medusa-rdp.html b/docs/medusa-rdp.html similarity index 51% rename from doc/medusa-rdp.html rename to docs/medusa-rdp.html index bc8a4f6..3ee33a2 100644 --- a/doc/medusa-rdp.html 
+++ b/docs/medusa-rdp.html @@ -17,23 +17,6 @@

Medusa Parallel Network Login Auditor :: RDP

pass-the-hash option is also only available if FreeRDP version 1.2 or greater is installed. -

-Pre-built binaries of the FreeRDP master branch are available at https://ci.freerdp.com. -Builds are available for Ubuntu, Debian, Fedora, and OpenSUSE. The nightly -builds are installed into /opt/freerdp-nightly and can be installed in parallel -with the distribution's regular freerdp package. If Medusa detected this version -during its build process, it should have built against it over any other installed -version of FreeRDP. - -

-For example, the following worked for Kali 2.0 on 2015/11/04:
-- Visit: https://ci.freerdp.com/job/freerdp-nightly-binaries/architecture=amd64,distribution=jessie,label=pkg-deb/
-- Download: freerdp-nightly_1.2.1+0~20151104024829.185~1.gbpb83356_amd64.deb
-- Download: freerdp-nightly-dev_1.2.1+0~20151104024829.185~1.gbpb83356_amd64.deb
-- Install: dpkg -i freerdp-nightly*
-- Update run time path: echo /opt/freerdp-nightly/lib/ >> /etc/ld.so.conf; ldconfig -- Build Medusa: ./configure;make -

The following examples demonstrate several uses of the RDP module: diff --git a/doc/medusa-rexec.html b/docs/medusa-rexec.html similarity index 100% rename from doc/medusa-rexec.html rename to docs/medusa-rexec.html diff --git a/doc/medusa-rlogin.html b/docs/medusa-rlogin.html similarity index 100% rename from doc/medusa-rlogin.html rename to docs/medusa-rlogin.html diff --git a/doc/medusa-rsh.html b/docs/medusa-rsh.html similarity index 100% rename from doc/medusa-rsh.html rename to docs/medusa-rsh.html diff --git a/doc/medusa-smbnt.html b/docs/medusa-smbnt.html similarity index 100% rename from doc/medusa-smbnt.html rename to docs/medusa-smbnt.html diff --git a/doc/medusa-smtp-vrfy.html b/docs/medusa-smtp-vrfy.html similarity index 100% rename from doc/medusa-smtp-vrfy.html rename to docs/medusa-smtp-vrfy.html diff --git a/doc/medusa-smtp.html b/docs/medusa-smtp.html similarity index 100% rename from doc/medusa-smtp.html rename to docs/medusa-smtp.html diff --git a/doc/medusa-snmp.html b/docs/medusa-snmp.html similarity index 100% rename from doc/medusa-snmp.html rename to docs/medusa-snmp.html diff --git a/doc/medusa-ssh.html b/docs/medusa-ssh.html similarity index 100% rename from doc/medusa-ssh.html rename to docs/medusa-ssh.html diff --git a/doc/medusa-svn.html b/docs/medusa-svn.html similarity index 100% rename from doc/medusa-svn.html rename to docs/medusa-svn.html diff --git a/doc/medusa-telnet.html b/docs/medusa-telnet.html similarity index 100% rename from doc/medusa-telnet.html rename to docs/medusa-telnet.html diff --git a/doc/medusa-vmauthd.html b/docs/medusa-vmauthd.html similarity index 100% rename from doc/medusa-vmauthd.html rename to docs/medusa-vmauthd.html diff --git a/doc/medusa-vnc.html b/docs/medusa-vnc.html similarity index 100% rename from doc/medusa-vnc.html rename to docs/medusa-vnc.html 
diff --git a/doc/medusa-web-form.html b/docs/medusa-web-form.html similarity index 100% rename from doc/medusa-web-form.html rename to docs/medusa-web-form.html diff --git a/doc/medusa-wrapper.html b/docs/medusa-wrapper.html similarity index 100% rename from doc/medusa-wrapper.html rename to docs/medusa-wrapper.html diff --git a/doc/medusa.1 b/docs/medusa.1 similarity index 100% rename from doc/medusa.1 rename to docs/medusa.1 diff --git a/doc/medusa.html b/docs/medusa.html similarity index 96% rename from doc/medusa.html rename to docs/medusa.html index fbdeb8f..1be7ff2 100644 --- a/doc/medusa.html +++ b/docs/medusa.html @@ -407,6 +407,50 @@

Linux/Gentoo

+

MacOS

+ +

+First download the source code and change to the Medusa directory: + +

+git clone https://github.com/jmk-foofus/medusa
+cd medusa
+
+ +Also install the needed dependencies using Homebrew: + +
+brew cask install xquartz
+brew install freerdp
+
+ +Then add the Freerdp path for executing the configuration without issues: + +
+$ export FREERDP2_CFLAGS='-I/usr/local/include'
+$ export FREERDP2_LIBS='-I/usr/local/lib/freerdp'
+
+ +Then build things: + +
+./configure
+make && make install
+
+ +Then copy the binary to your binaries folder + +
+sudo cp src/medusa  /usr/local/bin
+
+ +Now you can start using Medusa: + +
+medusa
+
+ +

Other Systems

diff --git a/src/modsrc/rdp.c b/src/modsrc/rdp.c
index 7825b6b..dbe01c7 100644
--- a/src/modsrc/rdp.c
+++ b/src/modsrc/rdp.c
@@ -126,8 +126,6 @@ void showUsage()
 writeVerbose(VB_NONE, "");
 writeVerbose(VB_NONE, "Note: This module does NOT work against Microsoft Windows 2003/XP and earlier.");
 writeVerbose(VB_NONE, "");
- writeVerbose(VB_NONE, "*** There appears to be thread-safety issues within the FreeRDP library and/or this module. ***");
- writeVerbose(VB_NONE, "*** It is recommended that you avoid using concurrent hosts/users (i.e., -T/-t).");
 writeVerbose(VB_NONE, "");
 }
 
@@ -379,6 +377,8 @@ int tryLogin(_MODULE_DATA* _psSessionData, sLogin** psLogin, freerdp* instance,
 unsigned int i;
 int old_stderr;
 int old_stdout;
+ unsigned char *p = NULL;
+ unsigned char *ntlm_hash = NULL;
 
 /* Nessus Plugins: smb_header.inc */
 /* Note: we are currently only examining the lower 2 bytes of data */
@@ -447,9 +447,26 @@ int tryLogin(_MODULE_DATA* _psSessionData, sLogin** psLogin, freerdp* instance,
 /* Pass-the-hash support added to FreeRDP 1.2.x development tree */
 if (_psSessionData->isPassTheHash)
 {
+ /* Extract NTLM hash from PwDump format */
+ /* [PwDump] D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: */
+ p = szPassword;
+ i = 0;
+ while ((*p != '\0') && (i < 1)) {
+ if (*p == ':')
+ i++;
+ p++;
+ }
+
+ if (*p == '\0') {
+ ntlm_hash = szPassword;
+ } else {
+ ntlm_hash = p;
+ memset(ntlm_hash + 32, '\0', 1);
+ }
+
 instance->settings->ConsoleSession = TRUE;
 instance->settings->RestrictedAdminModeRequired = TRUE;
- instance->settings->PasswordHash = szPassword;
+ instance->settings->PasswordHash = ntlm_hash;
 }
 else
 instance->settings->Password = szPassword;
diff --git a/src/modsrc/smbnt-smb1.c b/src/modsrc/smbnt-smb1.c
index 9428d84..2be4aed 100644
--- a/src/modsrc/smbnt-smb1.c
+++ b/src/modsrc/smbnt-smb1.c
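Review bot: `memset(ntlm_hash + 32, '\0', 1)` in the isPassTheHash block writes one byte 32 characters past the first colon without checking that the string is that long, so a password containing a colon followed by fewer than 32 characters writes beyond the terminator and potentially beyond szPassword's allocation. A length check before the write, such as `if (strlen((const char *)p) < 32) { writeError(ERR_ERROR, "NTLM hash after ':' is shorter than 32 characters."); return FAILURE; }` (using whatever failure value tryLogin returns elsewhere), rejects the entry instead; the same unchecked write appears in the smbnt-smb1.c hunk inside MakeNTLM. The write also truncates the caller's szPassword in place, so anything that later prints or reuses that string sees the cut-down form, and if password strings are shared between worker threads the write is a data race, which deserves a comment if it is intentional. tryLogin's body starts and ends outside the hunk.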
@@ -240,6 +240,7 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
 unsigned int i = 0, j = 0;
 int mdlen;
 unsigned char *p = NULL;
+ unsigned char *ntlm_hash = NULL;
 char HexChar;
 int HexValue;
 unsigned char NO_PASSWORD[1] = "";
@@ -254,15 +255,22 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
 i++;
 p++;
 }
+
+ if (*p == '\0') {
+ ntlm_hash = pass;
+ } else {
+ ntlm_hash = p;
+ memset(ntlm_hash + 32, '\0', 1);
+ }
 }
 
 /* If "-e ns" was used, don't treat these values as hashes. */
- if ((_psSessionData->hashFlag == HASH) && (i >= 1)) {
- if (*p == '\0') {
- writeError(ERR_ERROR, "Error reading PwDump file.");
+ if ((_psSessionData->hashFlag == HASH)) {
+ if (*ntlm_hash == '\0') {
+ writeError(ERR_ERROR, "Error reading hash or PwDump file.");
 return FAILURE;
 }
- else if (*p == 'N') {
+ else if (*ntlm_hash == 'N') {
 writeError(ERR_DEBUG_MODULE, "Found \"NO PASSWORD\" for NTLM Hash.");
 pass = NO_PASSWORD;
 
@@ -281,11 +289,11 @@ int MakeNTLM(_SMBNT_DATA *_psSessionData, unsigned char *ntlmhash, unsigned char
 EVP_MD_CTX_free(md4Context);
 }
 else {
- writeError(ERR_DEBUG_MODULE, "Convert ASCII PwDump NTLM Hash (%s).", p);
+ writeError(ERR_DEBUG_MODULE, "Convert ASCII PwDump NTLM Hash (%s).", ntlm_hash);
 for (i = 0; i < 16; i++) {
 HexValue = 0x0;
 for (j = 0; j < 2; j++) {
- HexChar = (char) p[2 * i + j];
+ HexChar = (char) ntlm_hash[2 * i + j];
 if (HexChar > 0x39)
 HexChar = HexChar | 0x20; /* convert upper case to lower */
 
diff --git a/src/modsrc/smbnt-smb2.c b/src/modsrc/smbnt-smb2.c
index 46fe0c7..2e9efe6 100644
--- a/src/modsrc/smbnt-smb2.c
+++ b/src/modsrc/smbnt-smb2.c
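Review bot: `if (*ntlm_hash == '\0')` dereferences ntlm_hash, which the first hunk initialises to NULL and which is only assigned inside the block that closes just before the `-e ns` comment; that block's opening is outside the hunk, and if it is entered only for some inputs, the HASH path now reads through a NULL pointer where the removed `(i >= 1)` guard used to stop it. A fallback after the block, `if (ntlm_hash == NULL) ntlm_hash = pass;`, keeps the new condition safe however the block is entered. The `memset(ntlm_hash + 32, '\0', 1)` here has the same missing length check as the rdp.c hunk, and the hex loop in the third hunk reads `ntlm_hash[2 * i + j]` up to index 31, so a bare hash shorter than 32 characters is read past its terminator; a single `strlen((const char *)ntlm_hash) != 32` check before either use covers both. MakeNTLM starts and ends outside the hunk.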
@@ -114,6 +114,9 @@ int SMB2ConvertPassword(_SMBNT_DATA *_psSessionData, unsigned char* szPassword,
 writeError(ERR_DEBUG_MODULE, "Prepare ASCII PwDump NTLM Hash (%s).", p);
 if (asprintf((char **)szPassword2, "ntlm:%s", p) < 0) { return FAILURE; }
 }
+ } else if ((_psSessionData->hashFlag == HASH)) {
+ writeError(ERR_DEBUG_MODULE, "Prepare ASCII PwDump NTLM Hash (%s).", szPassword);
+ if (asprintf((char **)szPassword2, "ntlm:%s", szPassword) < 0) { return FAILURE; }
 } else {
 *szPassword2 = szPassword;
 writeError(ERR_DEBUG_MODULE, "[%s] Using standard password: %s", MODULE_NAME, *szPassword2);
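Review bot: The new `else if` branch passes szPassword straight to asprintf as `ntlm:%s` with no check that it is a 32-character hex string, so a malformed hash value reaches whatever consumes the `ntlm:` prefix unvalidated; a guard before the asprintf, `if (strlen((const char *)szPassword) != 32) { writeError(ERR_ERROR, "NTLM hash must be 32 hex characters."); return FAILURE; }`, fails early with a clear message instead. The debug text `"Prepare ASCII PwDump NTLM Hash (%s)."` is copied from the branch above, which works from the parsed field p, and is misleading here where the input is a bare hash rather than a PwDump line; `"Prepare ASCII NTLM Hash (%s)."` describes it. The doubled parentheses in `if ((_psSessionData->hashFlag == HASH))` look left over from a compound condition and can be single. SMB2ConvertPassword starts and ends outside the hunk.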