Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Fun with CUPP and Medusa in Kali Linux (Part 2 of 3) - fixedByVonnie

Fun with CUPP and Medusa in Kali Linux (Part 2 of 3)

In the previous guide, I showed you how to use the Common User Password Profiler in Kali Linux.  Today, we’re going to crack passwords against that list.

So here’s the scenario:

Let’s say Joe Blow is the network engineer for Acme Corp and he has a local SSH account on this Cisco 3725 router.

Cisco 3725

You created your custom password list using the Common User Password Profiler (CUPP) but now you need to do something with it.

That’s where Medusa (“Meh – Doo – Sa”) comes in.

This is a very powerful password cracker and it’s easy to get overwhelmed if you look at the command syntax:

medusa --help | more


So let’s skip to the chase and get to the good part

Let’s say you figured out the router is the default gateway on the LAN and you know the IP Address is

We can enter the target hostname -h the username to test -u joe and give it the password file that we generated from CUPP -p joe.txt.

We can also do a few extra password checks.  We’ll use -e ns to make sure the password isn’t blank or his username, joe.

After we find the first password we’ll stop the audit. -F and we’ll run the attack against the SSH module. -M ssh

Here’s the full command but remember you can easily piece this together by looking at the medusa –help output.

medusa -h -u joe -P /root/cupp/joe.txt -e ns -F -M ssh

Note I’m using the SSH module for this example but there bountiful options from Telnet to HTTP.  You’re not confined to using SSH.

Anyway, let’s get this thing going.medusa crackedYou can clearly see in the output that Medusa is running multiple checks against the Cisco 3725 router sitting at

It only took it three tries to discover the password for user joe: 011989.

Now that’s because I purposely configured a SSH password from the top of the joe.txt list.  In reality it could take longer or may not yield any results at all but the point is that Medusa greatly increases your changes of breaking into a highly targeted well-researched victim.

Now I can SSH into the router and p0wn the appliance.

ssh joe@

Medusa SSH

Oh lookie here.  I can see all the interfaces.

I’m in.

In the next guide, I’m going to show you a few things you can do to prevent this kind of attack.  Check back tomorrow.  Same place same time.  Haha.



Connect with Vonnie on Twitter

Posted in Linux Tagged with: , , , ,