Monday, June 14, 2010

Open Source Software 'Login Brute-Forcer' for Password Auditing

Medusa

Bad passwords can have catastrophic consequences, because passwords are often the only control standing between an attacker and enterprise assets: email systems, databases and many other kinds of servers that must be kept away from unauthorized users, malicious hackers included.

A bad password has at least one of the following three characteristics:

  • It can easily be guessed
  • It is likely to appear in a wordlist
  • It can be brute-forced in a reasonable amount of time

All three of these possibilities need a little further explanation.
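The three characteristics can be turned into a mechanical audit. The block below is an added example, not code from the original post; the wordlist, the two guess rates, the 30-day "reasonable time" threshold and the guessability heuristics are assumptions chosen for illustration, and a real audit would swap in a large dictionary and the guess rate of the hardware or service actually being tested.

```python
"""Audit a password against the three bad-password characteristics
listed above: easily guessed, likely to be in a wordlist, and
brute-forceable in a reasonable time.

Added example, not code from the original post. The wordlist, the
guess rates, the 30-day 'reasonable time' threshold and the
guessability heuristics are assumptions chosen for illustration.
"""
import string

# Constructed wordlist standing in for a real dictionary (assumption).
WORDLIST = {"password", "letmein", "qwerty", "123456", "welcome", "summer2010"}

# Assumed guess rates: offline against a fast unsalted hash, and online
# against a network service that rate-limits or is simply slow.
OFFLINE_GUESSES_PER_SEC = 1_000_000_000
ONLINE_GUESSES_PER_SEC = 1_000
# Assumed meaning of "a reasonable amount of time": 30 days.
REASONABLE_SECONDS = 30 * 24 * 3600

# Character classes and their sizes, used to estimate the keyspace an
# attacker would have to cover for a password of the same shape.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def keyspace_size(password):
    """Alphabet size (sum of the classes present) raised to the length."""
    alphabet = sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))
    if alphabet == 0:
        alphabet = 256  # anything outside the classes above: treat as raw bytes
    return alphabet ** len(password)


def brute_force_seconds(password, rate):
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace_size(password) / rate


def easily_guessed(password, username=""):
    """Heuristics (assumption): derived from the username, built from one
    or two distinct characters, or a keyboard walk of four or more keys."""
    p, u = password.lower(), username.lower()
    if u and (u in p or p in u):
        return True
    if len(set(p)) <= 2:
        return True
    walks = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
    return len(p) >= 4 and any(p in w or p in w[::-1] for w in walks)


def in_wordlist(password, wordlist=WORDLIST):
    """Membership after the simple mutations a cracker's rule set would
    undo: case folding and stripping trailing digits and symbols."""
    p = password.lower()
    candidates = {p, p.rstrip(string.digits + string.punctuation)}
    return any(c in wordlist for c in candidates)


def audit(password, username="", rate=OFFLINE_GUESSES_PER_SEC):
    """Return the set of characteristics that make `password` a bad one."""
    findings = set()
    if easily_guessed(password, username):
        findings.add("guessable")
    if in_wordlist(password):
        findings.add("wordlist")
    if brute_force_seconds(password, rate) <= REASONABLE_SECONDS:
        findings.add("brute-forceable")
    return findings


if __name__ == "__main__":
    samples = (("qwerty", ""), ("bob2010", "bob"), ("Password1", "bob"), ("Tr0ub4dor&3", "alice"))
    for pw, user in samples:
        offline = sorted(audit(pw, user))
        online = sorted(audit(pw, user, ONLINE_GUESSES_PER_SEC))
        print(f"{pw!r:16} offline={offline} online={online}")
```

The third characteristic depends entirely on the rate: a seven-character lowercase-plus-digits password falls in seconds against an unsalted hash but would take years at a thousand guesses per second against a live service, which is why the online tools described below matter mainly for the first two characteristics and for services that accept guesses quickly.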
A number of tools are available for carrying out online attacks, meaning password guessing against a live authentication service, including the open source tool Hydra. Arguably the best is Medusa, an open source tool for Linux written "by the geeks at Foofus.net."

Medusa is described as a "speedy, massively parallel, modular, login brute-forcer" with modules available to support almost any service that allows remote authentication using a password, including: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, POP3, PostgreSQL, SMTP-AUTH, Telnet and VNC. Medusa has been designed to run faster than Hydra by using thread-based (rather than Hydra's process-based) parallel testing to attempt to log in to multiple hosts or users concurrently. Because it attacks live services, an online audit is noisy: every attempt is logged by the target and a burst of failures can trip account-lockout policies, so agree the scope, the accounts and the lockout thresholds with the system owners before running it.
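The structure that paragraph describes, one module per protocol driven by a user list and a password list with a pool of threads working through host/user pairs concurrently, is shown below in miniature. This is an added example and not Medusa's own code; the network is replaced by an in-memory simulated service so the block runs offline, and every host, account and credential in it is constructed for the example.

```python
"""A thread-based, modular login brute-forcer in miniature.

Added example, not Medusa's own code. It reproduces the structure the
post describes: one module per service, a user list and a password
list, and a pool of threads testing many host/user combinations at
once. The network is replaced by an in-memory simulated service so the
code runs offline; every host, account and credential below is
constructed for the example.
"""
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed table of what each simulated (host, service) would accept.
SIMULATED_SERVICES = {
    ("10.0.0.5", "ftp"): {"anonymous": "anonymous", "backup": "backup2010"},
    ("10.0.0.6", "ftp"): {"admin": "Summer10"},
    ("10.0.0.7", "pop3"): {"jsmith": "letmein"},
}


class LoginModule:
    """One module per protocol, as Medusa has one per service."""
    name = "base"

    def login(self, host, user, password):
        """Return True if the service accepted the credentials."""
        raise NotImplementedError


class SimulatedModule(LoginModule):
    """Stands in for a real protocol module; consults the constructed table."""
    def __init__(self, name):
        self.name = name

    def login(self, host, user, password):
        accounts = SIMULATED_SERVICES.get((host, self.name), {})
        return accounts.get(user) == password


def brute_force(hosts, users, passwords, module, threads=8, stop_after_first_on_host=False):
    """Try every password for every (host, user) pair, `threads` pairs at a time.

    Returns (found, attempts): found maps (host, user) to the accepted
    password; attempts is the total number of logins tried. With
    stop_after_first_on_host, remaining users on a host are skipped once
    any user on that host has been cracked.
    """
    found = {}
    done_hosts = set()
    attempts = 0
    lock = threading.Lock()

    def attack_pair(pair):
        nonlocal attempts
        host, user = pair
        for pw in passwords:
            with lock:
                if stop_after_first_on_host and host in done_hosts:
                    return
                attempts += 1
            if module.login(host, user, pw):
                with lock:
                    found[pair] = pw
                    done_hosts.add(host)
                return

    pairs = [(h, u) for h in hosts for u in users]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        # list() waits for every pair and re-raises any exception from a worker.
        list(pool.map(attack_pair, pairs))
    return found, attempts


HOSTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
USERS = ["anonymous", "admin", "backup", "jsmith"]
PASSWORDS = ["123456", "password", "Summer10", "letmein", "backup2010"]

if __name__ == "__main__":
    for service in ("ftp", "pop3"):
        found, attempts = brute_force(HOSTS, USERS, PASSWORDS, SimulatedModule(service))
        print(f"[{service}] {attempts} attempts, cracked: {found}")
```

With the real tool the equivalent run against the FTP module is `medusa -H hosts.txt -U users.txt -P passwords.txt -M ftp -t 8`, where `-t` sets the number of logins tested concurrently and `-f` stops testing a host after its first valid login, which is what `stop_after_first_on_host` models here. Note that the simulated module answers instantly; against a real service each `login` call is a network round trip, which is exactly why running many of them in parallel threads is what makes the tool fast.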
