170 ◾ Ethical Hacking and Penetration Testing Guide

Hydra GUI

For all GUI fans, there is a GUI version of Hydra, which is available by default in BackTrack. All you need to do is type “Xhydra” or “HydraGTK” on the command line to explore it.
Medusa

Medusa is an alternative to Hydra and is a really fast password cracking tool. Like Hydra, it is a parallel brute force tool. However, it is much more stable and faster than Hydra because it uses POSIX threads (“pthread”), so its worker threads share one process's memory instead of duplicating it, whereas Hydra uses “fork” for parallel processing. To learn more about why Medusa is better, refer to its official documentation, the link to which is given below.
Basic Syntax

To check the available options in Medusa, execute the “medusa” command without parameters. As you can see from the screenshot, we need four parameters in order to run Medusa:

-h = Hostname to attack
-u = Username to attack
-P = Password file
-M = Service (module) to attack
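Seen from the defender's side, a wordlist run of the kind Medusa and Hydra perform leaves a clear trail in the SSH server's log: a burst of “Failed password” lines from one source, often for many different usernames. The following Python script is an added example, not code from this book or from the Medusa project. It parses a few constructed sshd log lines (sample data, not real traffic; the year is an assumed parameter because syslog timestamps omit it) and flags any source that reaches a threshold of failed logins inside a sliding time window, reporting how many distinct usernames that source tried. The window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format (sample data, not real traffic).
SAMPLE_LOG = """\
Mar 10 12:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 12:00:02 bastion sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Mar 10 12:00:03 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 12:00:04 bastion sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar 10 12:00:05 bastion sshd[2209]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Mar 10 12:00:06 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 51027 ssh2
Mar 10 12:03:10 bastion sshd[2300]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar 10 12:03:40 bastion sshd[2302]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
"""

# Matches sshd's failed-password line; "invalid user" marks a username that does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, username, user_exists, source_ip) per failed-password line.
    Syslog lines carry no year, so one is assumed (parameter)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("invalid") is None, m.group("ip")


def find_bruteforce_sources(log_text, window_seconds=60, threshold=5):
    """Return {source_ip: (max_failures_in_window, distinct_usernames_tried)} for every
    source that reaches `threshold` failed logins within any `window_seconds` span."""
    events = defaultdict(list)
    for ts, user, _exists, ip in parse_failures(log_text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits within window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, 0))[0]:
                users = {u for _, u in attempts[start:end + 1]}
                flagged[ip] = (count, len(users))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        kind = "username guessing (wordlist)" if users > 1 else "single-account password guessing"
        print(f"{ip}: {count} failures, {users} distinct users -> {kind}")
```

In practice the input is the contents of the server's auth log (or `journalctl -u ssh` output) rather than the constructed sample; a source that cycles through many distinct usernames is the signature of a username or password wordlist run, while many failures against one account points at targeted password guessing, and the two usually warrant different responses (blocking the source versus alerting the account owner).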
OpenSSH Username Discovery Bug

In the following example, we will use Medusa to crack the SSH password, but before that, we will use an OpenSSH username discovery bug to gather a valid username. OpenSSH is one of the most widely used software packages for providing encrypted communications over a network.
In order to perform a more efficient brute force attack, a penetration tester needs to know which usernames exist. With SSH, there is a small trick that was recently brought to attention by a security researcher at “cureblog.de”.
The problem with OpenSSH is that it checks whether the user exists before it validates the password. Supplying a password consisting of a large amount of data makes the password check very slow, which introduces a long delay, but that delay only occurs when the username exists. Summing it up, when supplying a password with a large length, if the username exists the delay is high, and if the username does not exist the delay is low. A security researcher, Tyler Borland, has written a Python script to automate this process.
The script is available at
https://code.google.com/p/multiproc-openssh-username-bruteforce/source/browse/ssh_user_enum.py
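The delay described above is an instance of a general flaw: a login routine that performs its expensive work only when the username exists, so the response time reveals which usernames are valid. The following Python script is an added example; it is neither the OpenSSH code nor the script linked above. It models the flaw in a small, constructed login routine (hypothetical user table, PBKDF2 standing in for the slow password check, with the iteration count playing the role the long password plays in the real bug) and places the leaky early-return version beside the mitigated version, which always runs exactly one hash, against a dummy entry for unknown users, so that an existing and a nonexistent username cost the same. A counter on the slow hash makes the difference checkable without relying on wall-clock measurements; the stand-alone run also prints timings.

```python
import hashlib
import hmac
import time

# Iteration count for PBKDF2; chosen so one hash takes a measurable few milliseconds.
ITERATIONS = 50_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is the expensive step a remote client can time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user table (hypothetical user and password, not real credentials).
SALT = b"constructed-salt-value"
USERS = {"alice": (SALT, slow_hash("correct horse battery staple", SALT))}

# Dummy entry hashed once at startup; unknown usernames are checked against it so
# the work done per attempt no longer depends on whether the user exists.
DUMMY_ENTRY = (SALT, slow_hash("dummy-value-never-accepted", SALT))

HASH_CALLS = {"count": 0}  # instrumentation: slow hashes performed by the current attempt


def counted_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return slow_hash(password, salt)


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: returns early for unknown users, so they are rejected fast
    while known users pay for a full hash. The response time leaks user existence."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(counted_hash(password, salt), stored)


def login_constant_work(username: str, password: str) -> bool:
    """Mitigated pattern: always performs exactly one slow hash, using the dummy
    entry for unknown users, and only afterwards accounts for whether the user exists."""
    salt, stored = USERS.get(username, DUMMY_ENTRY)
    matched = hmac.compare_digest(counted_hash(password, salt), stored)
    # The dummy entry can never authenticate anyone, even if its plaintext were guessed.
    return matched and username in USERS


def hash_calls_for(login_fn, username: str, password: str) -> int:
    """Number of slow hashes one login attempt performs: the work an observer times."""
    HASH_CALLS["count"] = 0
    login_fn(username, password)
    return HASH_CALLS["count"]


def seconds_for(login_fn, username: str, password: str) -> float:
    """Wall-clock time of one attempt, for the stand-alone demonstration only."""
    start = time.perf_counter()
    login_fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = seconds_for(fn, "alice", "wrong-password")
        unknown = seconds_for(fn, "nobody", "wrong-password")
        print(f"{fn.__name__:20s} known user {known * 1000:7.2f} ms, "
              f"unknown user {unknown * 1000:7.2f} ms")
```

Running it prints a large gap between the known and unknown user for `login_leaky` and roughly equal times for `login_constant_work`. The same idea is the standard fix for this class of bug in any authentication code: decide how much work an attempt costs before looking at whether the account exists, and make failure for a missing account and failure for a wrong password indistinguishable in both timing and error message.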