
Comments (3)

c-f commented on July 19, 2024

Unfortunately I could reproduce the problem. Currently Medusa does not have a host timeout or a timeout option in general. If you have a bad host (e.g. https://en.wikipedia.org/wiki/Tarpit_(networking) or an unresponsive service) which keeps the TCP connection alive, never closes it and doesn't return any banner, Medusa will wait for it.

Possible Reason

However, this should most likely be an error in the libssh2 library. After reading through the code of Medusa I stumbled upon the following line, if (libssh2_session_startup(session, hSocket)), and upon a note from the author:

Some notes regarding libssh2... Using the stock libssh2 library, it is likely
that the user will encounter hung module threads when running Medusa. This problem is
due to libssh2's libssh2_session_startup() not always returning. The cause of this hang
within libssh2, I believe, stems from the SSH servers being tested getting pissed and not
sending back a banner.

So there you have it - it's officially documented since 2015, but I'm unsure if this is really the problem or it's 00:21 and I don't see clearly :D

Since the problem is already in Medusa, brutespray is not able to help here*.

Implementation ideas:

Alternative solutions:

In my opinion: use the right tool for the right job. That means that you need to search for an alternative for SSH or clean your host list from those services.

Side note:
The same can be applied to MySQL. Newer versions cannot be identified or tested with Medusa (https://github.com/jmk-foofus/medusa/blob/292193b3995444aede53ff873899640b08129fc7/src/modsrc/mysql.c#L814).

I guess the problem of implementing everything in C should be a problem of the past with all these great open source libraries available, which abstract a vast amount of logic.

Reproduce

Medusa: v.2.2
libssh2-1: 1.8.0-2.1build1

Simply reproduce by specifying an open NC connection:

user@localhost:  nc -l -p 1337 

user@localhost: time medusa -u test -p test -M ssh -h 127.0.0.1 -n 1337 -v1000000 -w10000

I killed the connection after one hour.

Debug output of medusa

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

DEBUG [E5FA0D80]: Successfully loaded login information.
GENERAL: Parallel Hosts: 1 Parallel Logins: 1
GENERAL: Total Hosts: 1 
GENERAL: Total Users: 1
GENERAL: Total Passwords: 1
DEBUG AUDIT [E5FA0D80]: adding new server (0) to queue
DEBUG AUDIT [E5FA0D80]: waiting for server pool to end
DEBUG SERVER [E5F9F700]: Server ID: 0 Host: 127.0.0.1 iUserPassCnt: 1 iLoginCnt: 1
DEBUG SERVER [E5F9F700]: Set IPv4 address: 127.0.0.1 (127.0.0.1)
DEBUG SERVER [E5F9F700]: Adding new login task (0) to server queue (0)
DEBUG SERVER [E5F9F700]: waiting for server 0 login pool to end
DEBUG [E579E700]: startModule iId: 0 pLogin: E5F9EAB0 modParams->argv: D2460ED0 modParams: E5F9EA90
DEBUG [E579E700]: Trying module path of .
DEBUG [E579E700]: Attempting to load ./ssh.mod
DEBUG [E579E700]: Trying module path of /usr/lib/x86_64-linux-gnu/medusa/modules
DEBUG [E579E700]: Attempting to load /usr/lib/x86_64-linux-gnu/medusa/modules/ssh.mod
DEBUG MODULE [E579E700]: OMG teh ssh.mod module has been called!!
DEBUG [E579E700]: [getNextNormalCred] Initial credential set request for login module.
DEBUG [E579E700]: [getNextNormalCred] (PARALLEL_LOGINS_PASSWORD) setting user: test
DEBUG MODULE [E579E700]: [ssh.mod] module started for host: 127.0.0.1 user: test
DEBUG MODULE [E579E700]: Attempting to set banner: SSH-2.0-MEDUSA_1.0
DEBUG MODULE [E579E700]: Attempting to initiate SSH session.
DEBUG [E579E700]: Connected (internal)

from brutespray.
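
Added example (not part of the thread, and not Medusa's or libssh2's code): the hang described above comes from an unbounded wait for a banner that never arrives, so one way to bound it is to check the connected socket for the start of an SSH identification string within a deadline before the blocking handshake call is made. The function name `wait_for_ssh_banner`, its result codes and the sample banner are hypothetical; the demo uses a local socket pair in place of a network peer.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical result codes for this example. */
enum banner_status { BANNER_OK, BANNER_TIMEOUT, BANNER_CLOSED,
                     BANNER_NOT_SSH, BANNER_ERROR };

/*
 * Wait up to timeout_ms for the peer on a connected stream socket to send
 * its first bytes, then peek at them. MSG_PEEK leaves the data queued, so
 * the SSH library still reads the full identification string afterwards.
 * Limitation: only the first chunk is inspected, so a server that sends
 * other lines before its "SSH-" line is reported as BANNER_NOT_SSH.
 */
enum banner_status wait_for_ssh_banner(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    char head[4];
    ssize_t n;
    int rc = poll(&pfd, 1, timeout_ms);   /* bounded wait, unlike a bare recv() */

    if (rc < 0)
        return BANNER_ERROR;              /* includes interruption by a signal */
    if (rc == 0)
        return BANNER_TIMEOUT;            /* tarpit or silent listener */

    n = recv(fd, head, sizeof(head), MSG_PEEK);
    if (n < 0)
        return BANNER_ERROR;
    if (n == 0)
        return BANNER_CLOSED;             /* peer closed without a banner */
    if (n == (ssize_t)sizeof(head) && memcmp(head, "SSH-", 4) == 0)
        return BANNER_OK;
    return BANNER_NOT_SSH;
}

/* Constructed demo: sv[1] plays the remote service, silent at first. */
int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    printf("silent peer: %d\n", wait_for_ssh_banner(sv[0], 500));
    send(sv[1], "SSH-2.0-constructed\r\n", 21, 0);
    printf("banner sent: %d\n", wait_for_ssh_banner(sv[0], 500));
    return 0;
}
```

A host that yields BANNER_TIMEOUT behaves like the `nc -l` listener in the reproduction and is a candidate for removal from the host list.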

x90skysn3k commented on July 19, 2024

This should be simple to fix by pushing a patch to Medusa: https://github.com/jmk-foofus/medusa. I will look into it.


gbiagomba commented on July 19, 2024

Thank you @x90skysn3k

