
Thread: Medusa Usage

  1. #1
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    3

    Default Medusa Usage

    Hello Group,

    I hope this post finds everyone well.

    I was hoping that someone smarter than I could shed light on the exact usage of Medusa for a web-form dictionary attack.

    The exact input I have been using is the following:
    medusa -h website -u user1 -P mywordlist.txt -O medusa_output.txt -e ns -M web-form -m FORM:"hidden/login.asp" -m DENY-SIGNAL:"Failed" -m FORM-DATA:"post?username=&password=&login="

    I am getting the following error: WARNING: Invalid FORM-Data format. Using default format: "post?username=&password="

    My questions are the following:
    1. What am I typing wrong in the command?
    2. How do I associate the data in FORM-DATA with my initial single username (user1) and password list (mywordlist.txt)?

    I hope I've explained myself properly.

    Any suggestions would be greatly appreciated.

    Many thanks in advance.

    Best,

    Roki

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Does hidden/login.asp use an HTTP POST? Does it actually exist? (The page isn't exactly hidden if you tell everyone where it is....seems strange to name a directory that way). Are the fields actually username, password, and login?

    If you want user to be user1 wouldn't your form data be post?username=user1? Why bother passing password and login via form data if you aren't assigning any value to them?

    Is there a reason you want to use Medusa and not Hydra? (Not that it can't be done with Medusa, but from the people I've talked to and the documentation I've seen, Hydra is a much better bet if you need support.)
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    3

    Default

    Hello Thorin,

    Thanks for your reply.

    Yes, 'hidden/login.asp' does exist. However, I changed the folder/file names from what they are actually named. In reality, it is pointing to an admin login portal.

    The actual variable names which get passed in the HTTP POST are called 'username', 'password' and 'Submit'.
    I'm trying to submit the following:
    'user1' as the value for 'username'
    items in my mywordlist.txt for 'password'
    'Login >' for the value for 'Submit' (this is the default value which gets submitted)

    In this case I will attempt with the following command:
    medusa -h website -P mywordlist.txt -O medusa_output.txt -e ns -M web-form -m FORM:"hidden/login.asp" -m DENY-SIGNAL:"Failed" -m FORM-DATA:"post?username=user1&password=&login="

    I chose Medusa because I thought it would be easier as I've read reviews that Hydra needs the hydra-http-form-patch for this attack.

    Does that mean that the '-u user1' is unnecessary? When I try to submit the command without the '-u user1' it gives me a message that the user login information must be supplied. When I DO supply this information Medusa says that it is reverting to the default format.

    I am still unclear about how to specify that mywordlist.txt should be used for the 'password' variable.

    Many thanks,

    Roki

  4. #4
    Just burned his ISO cos23's Avatar
    Join Date
    Mar 2009
    Posts
    1

    Default

    Have you already tried another module, such as http.mod? Try this with minimal options, and if it works add the next option, and so on ...

    medusa -h website -u user1 -P cracklib or wordlist -M http -m DIR:hidden/

    This should work with most web forms (router etc...)

    ...

    Have you already tried another module, such as http.mod?
    Try this with minimal options, and if it works add the next option,
    and so on ... so you can exclude errors ...

    medusa -h website -u user -P cracklib or wordlist -M http -m DIR:/

    This should work with most web forms (router logins etc...), and in your case:

    -M http -m DIR:hidden/

  5. #5
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    8

    Default

    Hi.
    I am facing almost the same problem.

    I am running medusa this way:
    medusa -f -v 6 -w 10 -u admin_test -P passwd.txt -M web-form -m FORM:"test/index.php" -m DENY-SIGNAL:"test failed" -m FORM-DATA:"POST?user=&pass=&Submit=Login" -h localhost

    There are 3 passwords in my passwd.txt:
    pass1
    pass2
    pass3

    For my first test, pass3 is the right one.
    So, here is the debug log:
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Action Method: POST
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form User Field: user=
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Pass Field: pass=
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Rest Field: Submit=Login

    Everything is OK for pass1, but it failed. (I checked the HTTP response; the server is responding with the expected page.)

    Now, the next pass:
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Action Method: POST
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form User Field: (null)
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Pass Field: (null)
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Rest Field: (null)

    All fields are null. Pass fails, obviously.

    For pass3:
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Action Method: POST
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form User Field: user=
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Pass Field: pass=
    DEBUG MODULE [B74F6B90]: [web-form.mod] User-supplied Form Rest Field: Submit=Login

    All fields populated correctly!
    For pass3 the attack returns success, but what if it was pass2 (the one with null fields?!)
    When I put some more passwords in the file, the null fields appear more times.

    Testing in Apache, but the same problem occurred with IIS.

    Does someone know what is going on? I will try with hydra now, anyway.
    Thanks!

  6. #6
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    2

    Default

    Originally posted by roki007:
    Hello Group,
    I am getting the following error: WARNING: Invalid FORM-Data format. Using default format: "post?username=&password="
    This was fixed in version 1.5
