IT Breathes!

Eh tu Brutus? Medusa vs the Hydra

by phil on Jun.01, 2008, under Security

To follow up the rousing discussion about Microsoft’s COFEE (thanks Peter!) I thought I would bring to you the marvelous world of brute forcing logons. On Linux there are two wonderful tools for brute forcing multiple protocols: THC-Hydra and Medusa.

THC-Hydra, made by The Hacker’s Choice, was really the first brute forcing pentest tool to use multiple threads and support multiple protocols. The most recent version was updated 2 years ago. You can find the most recent version and more information here: http://freeworld.thc.org/thc-hydra/

Medusa was made by Foofus. It was really built because the developer wasn’t happy with the way THC-Hydra was handling threading. The most recent version is about a year old. You can find more information here: http://www.foofus.net/jmk/medusa/medusa.html

Both tools fundamentally do the same thing: they allow you to specify a username (or supply a list of usernames) and a list of passwords to test against a given protocol. For this test we’re going to try to brute force the user ‘Brutus’ on the local machine using SSH.

One little caveat: I went into this task assuming that Medusa would leave THC-Hydra’s stone corpse sinking to the bottom of the ocean.

The Setup

To test each tool I installed Vector Linux to a new VMware image. Vector Linux is a great lightweight Linux distribution based on Slackware, made for older machines, and is really fast.

Compiling

I compiled each tool from its source by issuing the ol’ ‘./configure, make’ and running the compiled binaries. This is where I hit my first snag with THC-Hydra. Vector Linux comes with only the newest version of the SSH libraries. After working for about an hour I was finally able to force it to use a downloaded older version of the libraries. Medusa, however, uses the newer libraries and was able to compile without any hiccups. Each tool, however, has its own set of dependencies for various brute forcing options. For example, in Medusa you would need extra libraries to brute force Subversion (SVN) logons.

Testing the tools

Hydra and Medusa have their own syntax but they are very similar. To run the test for Hydra I entered the following command:

./hydra -l brutus -P /home/grassmunk/dict.txt 192.168.1.130 ssh

The Hydra command works like this: the -l is the username you want to test, in this case it’s ‘brutus’. The -P is the password file you want to use. Once you’ve established the username(s) and passwords to test you simply tell Hydra which server to use, in this case 192.168.1.130, and the protocol to use, which was ssh.

Here’s where I hit my second snag.

./hydra: error while loading shared libraries: libssh.so: cannot open shared object file: No such file or directory

So even though it compiled fine it wasn’t able to locate the library files. I copied that damn file everywhere but to no avail.

To test Medusa I entered the following command:

./medusa -h 192.168.1.130 -u brutus -P /home/grassmunk/dict.txt -M ssh

As you can see the syntax is very similar. The -h is the server to test, the -u is the username, the -P is the password file and the -M is the protocol to use (which Medusa calls a ‘Module’).

This is where I hit my first problem with Medusa: after running the command it crashed and spit out this lovely debug information:

[Image: Medusa SSH Crash]

It was at this point I was about ready to give up. Neither of these tools was really usable or good at testing SSH brute forcing. One needed old SSH libraries to work and the other crashed and burned upon the first use.

Seeing as this might be due to Vector Linux I tried each tool in BackTrack. BackTrack is a pentester’s Linux live CD distribution. It has a lot of tools you can use to scan, test and break into systems. You can find it here: http://www.remote-exploit.org/backtrack.html

With BackTrack loaded I was able to test each tool, and the outcomes were astounding! For a newer and better tool, Medusa was the slower and less usable of the two tools. Medusa would fail after 4 or 5 logon attempts. Initially I thought this was due to my configuration of SSH but THC-Hydra had no problems blowing through 42 logons every second.

I also tested FTP on Vector Linux, which worked in both tools, and the results were exactly the same. THC-Hydra runs flawlessly while Medusa stops after a handful of logons.

Conclusion

When I first discovered Medusa I was really excited. It sounded like a faster and newer tool than THC-Hydra but in the end The Hacker’s Choice really stands true. It’s the best and fastest tool out there and easiest to use.

Note: I also tested a tool included with BackTrack called SSHater. I can’t say how disappointed I was with this tool. When I set up the servers I picked a password and put it about in between the 900th and 901st passwords so I could see what happened when the tool returned a positive. SSHater tested every password with multiple errors, passed my password without even blinking and continued on. I waited until the tool went through every password and it didn’t even say anything. As far as I could tell SSHater just lists the passwords and a bunch of errors. I didn’t bother looking at the SSH log to see if it was actually trying to initiate a connection though.
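
The server-side view of runs like these, and the SSH log check the note above mentions, as an added example that is not part of the original post: it parses OpenSSH-style "Failed password" / "Accepted password" syslog lines, flags any source address whose failures reach a threshold inside a sliding window, and reports whether a logon was then accepted from that address. The sample lines, host name, addresses, assumed year, threshold and window are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH syslog lines (not from the post; host and IPs are made up).
SAMPLE_LOG = """\
Jun  1 10:00:01 vector sshd[2101]: Failed password for brutus from 192.168.1.50 port 40001 ssh2
Jun  1 10:00:01 vector sshd[2102]: Failed password for brutus from 192.168.1.50 port 40002 ssh2
Jun  1 10:00:01 vector sshd[2103]: Failed password for brutus from 192.168.1.50 port 40003 ssh2
Jun  1 10:00:02 vector sshd[2104]: Failed password for brutus from 192.168.1.50 port 40004 ssh2
Jun  1 10:00:02 vector sshd[2105]: Failed password for brutus from 192.168.1.50 port 40005 ssh2
Jun  1 10:00:03 vector sshd[2107]: Accepted password for brutus from 192.168.1.50 port 40007 ssh2
Jun  1 10:05:10 vector sshd[2110]: Failed password for phil from 192.168.1.77 port 51000 ssh2
Jun  1 10:05:19 vector sshd[2111]: Accepted password for phil from 192.168.1.77 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text, year=2008):
    """Yield (time, result, user, ip); syslog omits the year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect(log_text, threshold=5, window=timedelta(seconds=10)):
    """Flag source IPs with >= threshold failed logins inside any sliding window."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    accepted = defaultdict(set)    # ip -> users accepted after that ip had failures
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
        elif ip in failures:
            accepted[ip].add(user)
    report = {}
    for ip, times in failures.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {"failures": len(times), "peak_in_window": peak,
                          "accepted_after_failures": sorted(accepted[ip])}
    return report
```

On the sample, only 192.168.1.50 is flagged; the single mistyped password from 192.168.1.77 stays below the threshold.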
