Fun with CUPP and Medusa in Kali Linux (Part 2 of 3)

In the previous guide, I showed you how to use the Common User Password Profiler in Kali Linux.  Today, we’re going to crack passwords against that list.

So here’s the scenario:

Let’s say Joe Blow is the network engineer for Acme Corp and he has a local SSH account on this Cisco 3725 router.


You created your custom password list using the Common User Password Profiler (CUPP) but now you need to do something with it.

That’s where Medusa (“Meh – Doo – Sa”) comes in.

This is a very powerful password cracker and it’s easy to get overwhelmed if you look at the command syntax:

medusa --help | more


So let’s cut to the chase and get to the good part.

Let’s say you figured out the router is the default gateway on the LAN and you know the IP Address is 10.0.2.1.

We can enter the target hostname with -h 10.0.2.1, the username to test with -u joe, and the password file that we generated from CUPP with -P joe.txt.

We can also do a few extra password checks.  We’ll use -e ns to make sure the password isn’t blank or his username, joe.

After we find the first password we’ll stop the audit with -F, and we’ll run the attack against the SSH module with -M ssh.

Here’s the full command, but remember you can easily piece this together by looking at the medusa --help output.

medusa -h 10.0.2.1 -u joe -P /root/cupp/joe.txt -e ns -F -M ssh

Note I’m using the SSH module for this example, but there are bountiful options from Telnet to HTTP.  You’re not confined to using SSH.


Anyway, let’s get this thing going.

You can clearly see in the output that Medusa is running multiple checks against the Cisco 3725 router sitting at 10.0.2.1.

It only took it three tries to discover the password for user joe: 011989.

Now that’s because I purposely configured an SSH password from the top of the joe.txt list.  In reality it could take longer or may not yield any results at all, but the point is that Medusa greatly increases your chances of breaking into a highly targeted, well-researched victim.

Now I can SSH into the router and p0wn the appliance.

ssh joe@10.0.2.1


Oh lookie here.  I can see all the interfaces.

I’m in.

In the next guide, I’m going to show you a few things you can do to prevent this kind of attack.  Check back tomorrow.  Same place same time.  Haha.
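An added example, not part of the original post: what the run above looks like from the router's side, and one way to flag it. It assumes the router logs login attempts (IOS `login on-failure log` and `login on-success log`, which emit SEC_LOGIN syslog messages); the log lines, the source addresses and the function name `find_guessed_logins` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the post): SEC_LOGIN messages as a syslog host
# would store them. Only 10.0.2.1 (the router) comes from the post itself.
SAMPLE_LOG = """\
Mar  1 00:10:01 10.0.2.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: joe] [Source: 10.0.2.15] [localport: 22] [Reason: Login Authentication Failed] at 00:10:01 UTC Fri Mar 1 2002
Mar  1 00:10:02 10.0.2.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: joe] [Source: 10.0.2.15] [localport: 22] [Reason: Login Authentication Failed] at 00:10:02 UTC Fri Mar 1 2002
Mar  1 00:10:03 10.0.2.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: joe] [Source: 10.0.2.15] [localport: 22] at 00:10:03 UTC Fri Mar 1 2002
Mar  1 09:00:00 10.0.2.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: joe] [Source: 10.0.2.20] [localport: 22] [Reason: Login Authentication Failed] at 09:00:00 UTC Fri Mar 1 2002
Mar  1 09:00:20 10.0.2.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: joe] [Source: 10.0.2.20] [localport: 22] at 09:00:20 UTC Fri Mar 1 2002
Mar  1 11:00:00 10.0.2.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: joe] [Source: 10.0.2.30] [localport: 22] [Reason: Login Authentication Failed] at 11:00:00 UTC Fri Mar 1 2002
Mar  1 11:00:01 10.0.2.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: joe] [Source: 10.0.2.30] [localport: 22] [Reason: Login Authentication Failed] at 11:00:01 UTC Fri Mar 1 2002
Mar  1 11:30:00 10.0.2.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: joe] [Source: 10.0.2.30] [localport: 22] at 11:30:00 UTC Fri Mar 1 2002
""".splitlines()

EVENT = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<kind>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: \d+\].* at (?P<clock>\d\d:\d\d:\d\d) \S+ \w{3} "
    r"(?P<mon>\w{3}) +(?P<day>\d+) (?P<year>\d{4})"
)

def find_guessed_logins(lines, min_failures=2, window=timedelta(seconds=60)):
    """Return (source, user, failures) for each success that follows a burst of failures."""
    recent = defaultdict(deque)  # (source, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        when = datetime.strptime(
            f'{m["clock"]} {m["mon"]} {m["day"]} {m["year"]}', "%H:%M:%S %b %d %Y")
        fails = recent[(m["src"], m["user"])]
        while fails and when - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if m["kind"] == "FAILED":
            fails.append(when)
            continue
        if len(fails) >= min_failures:
            alerts.append((m["src"], m["user"], len(fails)))
        fails.clear()  # any success resets the count for this source/user
    return alerts

if __name__ == "__main__":
    for src, user, n in find_guessed_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {src} right after {n} failed attempts")
```

Only the first constructed source is flagged: two failures followed by a success within the window, the same shape as the three-try run above. A single mistyped password before a good login is not flagged.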

 


Connect with Vonnie on Twitter
