================================================================
Version 2.2
================================================================

Medusa Core Updates:
  - General code clean-up and compiler warning squashing

Module Updates:

HTTP
  - NTLM2 session response support
  - Report domain name provided in NTLM challenge (verbose output)
  - Allow inclusion of custom headers

RDP
  - Initial release of RDP module (FreeRDP-based)
  - Support for pass-the-hash authentication

SMB
  - Report account access (admin vs user-level) through ADMIN$ connection

SMTP-VRFY
  - Added EXPN/RCPT support

SSH
  - Fix OS X multi-thread issues

================================================================
Version 2.1.1
================================================================

Minor release updates:
  - GCC 4.7 compile issue ("-module" removed)
  - SMBNT: fix infinite loop issue when testing against OS X
  - SNMP: remove socket flushing that caused us to miss passwords
  - IMAP: less restrictive regex to better match OK responses
  - POP3: restart connection after each attempt to deal with shunning

================================================================
Version 2.1
================================================================

Medusa Core Updates:

  - Combo format now accepts "host:user:lm hash:ntlm hash"
  - Autoconf updates and fixes
  - Removed PCRE library dependency (using stock glibc regex support)

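The combo format above now has two shapes, and a reader is left to work out how a "host:user:password" line is told apart from a "host:user:lm hash:ntlm hash" line. The parser below is an added example, not Medusa's own code. Three things in it are assumptions of the example rather than statements from the changelog: a four-field line counts as a hash pair only when both trailing fields are 32 hex characters (otherwise everything after the second colon is the cleartext password, colons included); an empty host or user field falls back to a command-line default; and the sample combo file is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# LM and NTLM hashes are 16 bytes each, written as 32 hex characters.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class CredSet:
    host: Optional[str]
    user: Optional[str]
    password: Optional[str]           # cleartext password, or None for a hash pair
    lm_hash: Optional[str] = None
    ntlm_hash: Optional[str] = None

    @property
    def pass_the_hash(self) -> bool:
        return self.ntlm_hash is not None


def parse_combo_line(line: str, default_host: Optional[str] = None,
                     default_user: Optional[str] = None) -> Optional[CredSet]:
    """Parse one combo-file line of either shape:
         host:user:password
         host:user:lm hash:ntlm hash
    Assumptions of this example (not stated on the page): an empty host or
    user falls back to default_host / default_user, and a four-field line is
    a hash pair only when both trailing fields are 32 hex characters.
    Returns None for blank lines and comments."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 3:
        raise ValueError(f"combo line needs at least host:user:password: {line!r}")
    host = fields[0] or default_host
    user = fields[1] or default_user
    if host is None or user is None:
        raise ValueError(f"empty host/user and no default supplied: {line!r}")
    rest = fields[2:]
    if len(rest) == 2 and all(HEX32.match(f) for f in rest):
        return CredSet(host, user, None, rest[0].lower(), rest[1].lower())
    # Anything else is a cleartext password; rejoin so colons inside it survive.
    return CredSet(host, user, ":".join(rest))


def parse_combo_file(text: str, **defaults) -> List[CredSet]:
    creds = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            cred = parse_combo_line(line, **defaults)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if cred is not None:
            creds.append(cred)
    return creds


# Constructed sample combo file (not from the page). The first line carries
# the well-known LM/NTLM hash pair of an empty password.
SAMPLE_COMBO = """\
# host:user:password  or  host:user:lm:ntlm
192.0.2.10:administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
192.0.2.10:backup:Summer2014!
:svc_sql:pa:ss:word
"""


def demo() -> List[CredSet]:
    """Parse the sample file with 192.0.2.20 standing in for a -h argument."""
    return parse_combo_file(SAMPLE_COMBO, default_host="192.0.2.20")


if __name__ == "__main__":
    for c in demo():
        mode = "pass-the-hash" if c.pass_the_hash else "password"
        print(f"{c.host:<12} {c.user:<14} {mode}")
```

The hex check is what keeps a password that happens to contain a colon from being misread as a hash pair; a line with four fields whose tail is not two 32-hex strings is still a password line.
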
Module Updates:

  - Numerous bug-fixes across modules (e.g., SSH2 thread-safety)
  - Support for UltraVNC MS-Logon (local/domain Windows credentials)

Additional Updates:
  - Third-party GUI released:
    http://wiki.taksmind.org/index.php?title=Medusa-gui

================================================================
Version 2.0
================================================================

Medusa Core Updates:
  -Pool-based thread handling

  The previous version destroyed threads following the completion of a host
  or user test. The use of a thread pool should decrease the overall
  application overhead by limiting the frequency of thread destruction
  and creation. The original code ran into issues in several specific
  situations (e.g. testing over a thousand users with only a single
  password). Such cases resulted in a large number of threads being
  created and destroyed in short order, frequently resulting in an
  application crash. The thread pool should eliminate this particular
  problem.

  -Modules now request next credential set (username + password)

  Modules previously called getNextPass(), which returned a valid password
  until the password list for the user being tested was exhausted. At that
  point, the module exited and the login thread was destroyed. A new thread
  and module instance would be created for the next user to test. We now
  use getNextCredentialSet(), which returns a valid user and password. This
  allows the module to get the next user to test and decide whether the
  connection needs to be completely torn down or not.

  -Secondary user credential queue added for missed login tests.

  In certain situations we need to scale back the number of concurrent
  login threads targeting a specific service. For example, MSDE's workload
  governor limits the service to no more than 5 concurrent connections. If
  the user kicked off 10 parallel login threads, 5 of those are going to
  fail and terminate. The challenge is that each of those threads was
  already assigned a credential set to test.

  The previous version simply printed the username and password combinations
  which were not tested and moved on. We now push these missed credentials
  into a host-specific queue. Once the login threads have finished their
  normal checks, they move on to this queue and retry the previously missed
  credentials. If the last login thread pushed something into the queue just
  before exiting, a clean-up thread is kicked off to walk through any
  remaining items.
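
  The thread pool, the credential-set hand-out and the host-specific queue of
  missed credentials described above, modelled as an added example in Python.
  This is not Medusa's code: GovernedTarget is a constructed stand-in for a
  service such as MSDE's workload governor that refuses rather than queues
  excess connections, the 40-user input is constructed, and an in-flight
  counter takes the place of the clean-up thread the changelog mentions, so a
  pool thread exits only when both queues are empty and no other thread can
  still push a miss.

```python
import threading
import time
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CredSet:
    host: str
    user: str
    password: str


class GovernedTarget:
    """Constructed stand-in for a governed service: a login that arrives while
    `max_concurrent` are active is refused outright, so the thread holding
    that credential set never actually tested it."""

    def __init__(self, valid: Tuple[str, str], max_concurrent: int = 5):
        self._valid = valid
        self._limit = max_concurrent
        self._active = 0
        self._lock = threading.Lock()
        self.refused = 0

    def login(self, cred: CredSet) -> bool:
        with self._lock:
            if self._active >= self._limit:
                self.refused += 1
                raise ConnectionRefusedError("workload governor: too many connections")
            self._active += 1
        try:
            time.sleep(0.001)              # hold the slot so workers really collide
            return (cred.user, cred.password) == self._valid
        finally:
            with self._lock:
                self._active -= 1


class LoginPool:
    """Fixed pool of login threads, created once, pulling from the main queue
    and then from per-host queues of credential sets whose attempt was refused."""

    def __init__(self, creds: List[CredSet], target: GovernedTarget, threads: int = 10):
        self._target = target
        self._threads = threads
        self._lock = threading.Lock()
        self._main: Deque[CredSet] = deque(creds)
        self._missed: Dict[str, Deque[CredSet]] = {}
        self._in_flight = 0                # handed out but not yet resolved
        self.tested: List[CredSet] = []
        self.found: List[CredSet] = []

    def _next_cred_set(self) -> Tuple[Optional[CredSet], int]:
        # Stands in for getNextCredentialSet(): main queue first, then any
        # host-specific missed queue. Pop and in-flight increment share one
        # lock, so no worker can observe "queues empty, nothing in flight"
        # while another is between taking a set and requeueing it.
        with self._lock:
            cred = self._main.popleft() if self._main else None
            if cred is None:
                for q in self._missed.values():
                    if q:
                        cred = q.popleft()
                        break
            if cred is not None:
                self._in_flight += 1
            return cred, self._in_flight

    def _worker(self) -> None:
        while True:
            cred, in_flight = self._next_cred_set()
            if cred is None:
                if in_flight == 0:
                    return                 # nothing queued, nobody left who could requeue
                time.sleep(0.0005)         # someone mid-attempt may still push a miss
                continue
            try:
                success = self._target.login(cred)
            except ConnectionRefusedError:
                with self._lock:           # never reached the target: retry later
                    self._missed.setdefault(cred.host, deque()).append(cred)
                    self._in_flight -= 1
                continue
            with self._lock:
                self.tested.append(cred)
                if success:
                    self.found.append(cred)
                self._in_flight -= 1

    def run(self) -> List[CredSet]:
        workers = [threading.Thread(target=self._worker) for _ in range(self._threads)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
        return self.found


def demo() -> Tuple[int, int, int, List[CredSet]]:
    """Constructed input: 40 users, one password, one valid account, 10 threads
    against a target admitting 5 connections. Returns (sets, tested, refused, hits)."""
    creds = [CredSet("192.0.2.10", f"user{i:02d}", "Winter2014") for i in range(40)]
    target = GovernedTarget(valid=("user23", "Winter2014"), max_concurrent=5)
    pool = LoginPool(creds, target, threads=10)
    hits = pool.run()
    return len(creds), len(pool.tested), target.refused, hits
```

  Every credential set is tested exactly once regardless of how many times the
  governor refused it, which is the property the old print-and-move-on
  behaviour lacked; the refusal count in demo() shows how much work the missed
  queue absorbed.
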

  -Host and User-level Resume

  Support for host and user-level resuming of a scan. When Medusa receives a
  SIGINT, it will calculate and display a "resume map". This map can then be
  supplied to the next run. For example, "medusa [OPTIONS PREVIOUSLY USED]
  -Z h6u1u2h8.". This map describes which hosts were completed and which
  systems had not been touched. If a host was partially completed, it
  describes which users had been tested for that specific system. It should
  be noted that password-level resuming is not supported. If a user's
  password list was only partially completed, testing of the user will be
  restarted on resume.

Module Updates:
  FTP
    -Misc. fixes

  HTTP
    -Domain module option for BASIC/NTLM authentication types
    -Allow auth type to be specified
    -Misc. fixes (NTLM base64 length, restart HTTP connection after each request)

  IMAP
    -Domain module option for LOGIN/NTLM authentication types
    -Regex-based server response matching for better handling of slow targets
    -Misc. fixes (handle dropped connections, force TLSv1, base64 length)

  MSSQL
    -Auto SQL port identification via "SQL Ping" technique

  NCP
    -Misc. fixes (connection retry code)

  POP3
    -Domain module option for NTLM authentication type
    -Regex-based server response matching for better handling of slow targets
    -Misc. fixes (base64 length)

  SMTP
    -Regex-based server response matching for better handling of slow targets

  SMTP-VRFY
    -Misc. fixes (don't include "@" if no domain specified)

  SSH
    -Detect and warn if being built on Debian/Ubuntu system (broken libssh2)

  VMAUTHD
    -Regex-based server response matching for better handling of slow targets

  Web-Form
    -Misc. fixes

  WRAPPER
    -Misc. fixes (fix handling of short usernames/passwords)

================================================================
Version 1.5
================================================================

Medusa Core Updates:
  -Provides additional information about current account check (e.g. 172.22.110.58 (60 of 104, 51 complete))
  -Support for simple resume by host.
  -Bug fix for "-e" option
  -Bug fix for displaying hostname vs. IP
  -Added function for printing a specified length of binary data in hex

Module Updates:
  AFP
  -Added new module for Apple Filing Protocol from pmonkey

  HTTP
  -NTLM auth bug fix
  -Digest authentication support (MD5 and MD5-sess)

  IMAP
  -STARTTLS extension support
  -NTLM support

  MYSQL
  -Misc. bug fixes

  POP3
  -STARTTLS extension support
  -Better handling of connections dropped by remote server
  -Support user-supplied domain names
  -LOGIN, PLAIN, and NTLM support

  SMBNT
  -Created framework for different authentication levels (e.g. LM, NTLM)
  -Support for basic LM authentication to allow for case-insensitive bruting
  -NTLMv2/LMv2 support (Vista bruting)
  -Fix for guest user check
  -Support for "DOMAIN\USER" and "DOMAIN\\USER" style names

  SMTP
  -Renamed SMTP-AUTH to SMTP
  -NTLM support

  SMTP-VRFY
  -Misc. bug fixes

  SSH
  -Honor number of user-specified retries
  -Restart connection when server fails to respond with auth modes after several attempts

  TELNET
  -Basic AS/400 Telnet / TN5250 support
  -Log hosts supplying only a password prompt (non-AAA)

  VMAUTHD
  -Misc. bug fixes

  WEB-FORM
  -Misc. bug fixes for user-supplied FORM-DATA value

Misc. Updates:
  -Added ZSH Functions file
  -Updated Medusa ebuild version and added new module dependencies.

================================================================
Version 1.4
================================================================

Medusa Core Updates:
  -Major re-working of the autoconf setup. Modules can now be enabled/disabled
   individually. Also, modules for which the base dependencies are not
   satisfied are simply not built. In the past they were compiled, but left in
   a non-functional state. The default is to build all "stable" modules.
  -APR version detection
  -Misc bug fix in networking code
  -SSL socket rework. Fixes issue with concurrent mixed SSL and non-SSL
   connections (FTPS).

Module Updates:
  FTP
  -Added support for explicit and implicit FTPS (FTP over SSL/TLS)
  -Better handling of FTP banners

  HTTP
  -Now leaves user-specified value intact within Host: header
  -Minor code cleanup

  IMAP
  -LOGIN AUTH support
  -Added TAG module parameter
  -No longer restarts connection after each attempt

  NNTP
  -Added module with AUTHINFO support

  POP3
  -No longer restarts connection after each attempt

  MySQL
  -Misc bug fixes / error handling
  -Added MySQL pre-4.1 pass-the-hash support

  NCP
  -Misc bug fixes

  SMBNT
  -Misc bug fixes

  SMTP-AUTH
  -AUTH PLAIN support
  -AUTH LOGIN (e.g. Exchange) support

  SSH
  -Handles new libssh2 error messages
  -Libssh2 (0.18) should no longer cause Medusa to hang on SSHv1 hosts or when
   the target refuses to send its banner.
  -Added banner parameter verification (Luciano Bello)

  VNC
  -Misc bug fixes

  WEB-FORM
  -Added new module from Luciano Bello

  WRAPPER
  -Better handling of failed attempts within oracle.pl script

================================================================
Version 1.3
================================================================

Medusa Core Updates:
  -Module listing fix for OpenBSD/AMD64
  -Autoconf tweaks for NCP & SVN checks
  -Autoconf tweaks for Solaris/OpenBSD
  -Removed unnecessary IP address checks
  -Other minor bug fixes

================================================================
Version 1.2
================================================================

Moved following modules to stable:
  NCP, VNC, PostgreSQL, SVN, CVS, VmAuthd, SNMP

Medusa Core Updates:
  -Compile on x86_64, Mac OS X.
  -Minor bug fixes.
  -Modified license with OpenSSL GPL exemption.

Module Updates:
  SMBNT
  -Added AS/400 target support.
  -Global "-e" option now works with module "PASS:HASH".

  FTP
  -Modified response parsing code to support AS/400 brute-forcing.

  REXEC
  -Modified response parsing code.

  Wrapper
  -Added oracle script.
  -Added SMB NULL session script.

================================================================
Version 1.1
================================================================

Added following modules (unstable):
  CVS, NCP, PostgreSQL, SMTP/VRFY, SNMP, SVN, VmAuthd, VNC

Moved following modules to stable:
  PcAnywhere, FTP, IMAP, RSH, REXEC, RLOGIN, and generic wrapper

Medusa Core Updates:
  -Display module list sorted alphabetically
  -Compiles on OpenBSD
  -Added delayed receive functions which allow the modules to specify the timeout
   for both the initial socket read and the second "is any more data there?" check.
  -Modified SSL connect function. The function now takes an already existing socket
   and switches it over to SSL. This is needed for modules like VMAUTHD.
  -Major rework of network receive function. Original code was copied from Hydra and
   seemed to have some issues.

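The delayed receive described in the core updates above, as an added example
rather than Medusa's own implementation: one timeout for the first byte of a
reply and a second, normally shorter, timeout for the "is any more data
there?" check. The slow-banner server, the socketpair transport and the
timeout values are constructed for the demonstration; the banner text is not
captured from a real device.

```python
import select
import socket
import threading
import time
from typing import List, Optional


def delayed_recv(sock: socket.socket, first_timeout: float, more_timeout: float,
                 chunk: int = 4096, max_bytes: int = 1 << 20) -> Optional[bytes]:
    """Read one complete server response from a stream socket.

    Wait up to `first_timeout` for the first byte, then keep reading while
    further data keeps arriving within `more_timeout` of the previous read.
    Returns None if the peer sent nothing within `first_timeout`, b"" if it
    closed the connection before sending anything, otherwise the bytes read."""
    sock.setblocking(False)
    buf = bytearray()
    waiting_for_first = True
    while len(buf) < max_bytes:
        timeout = first_timeout if waiting_for_first else more_timeout
        readable, _, _ = select.select([sock], [], [], timeout)
        if not readable:
            if waiting_for_first:
                return None                  # target never answered
            break                            # quiet long enough: response is complete
        data = sock.recv(chunk)
        if not data:
            break                            # peer closed the connection
        buf += data
        waiting_for_first = False
    return bytes(buf)


# Constructed slow-banner target: a device that dribbles its logon banner out
# in pieces with a pause between them, the Telnet case noted in this release.
SLOW_BANNER: List[bytes] = [
    b"\r\nWelcome to edge-router-01\r\n",
    b"Unauthorized access is prohibited.\r\n",
    b"\r\nlogin: ",
]


def _slow_server(srv: socket.socket, gap: float) -> None:
    for piece in SLOW_BANNER:
        srv.sendall(piece)
        time.sleep(gap)          # socket stays open: only the timeout ends the read


def demo(gap: float = 0.05, more_timeout: float = 0.3) -> Optional[bytes]:
    """Read the slow banner over a socketpair. With more_timeout > gap the whole
    banner comes back; with more_timeout < gap only the first piece does, which
    is exactly what a single fixed read timeout gets from such a device."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_slow_server, args=(server, gap))
    t.start()
    try:
        return delayed_recv(client, first_timeout=2.0, more_timeout=more_timeout)
    finally:
        t.join()
        client.close()
        server.close()


def silent_target(first_timeout: float = 0.1) -> Optional[bytes]:
    """A peer that never speaks: the first timeout fires and None comes back."""
    client, server = socket.socketpair()
    try:
        return delayed_recv(client, first_timeout, more_timeout=0.1)
    finally:
        client.close()
        server.close()


def closed_target() -> Optional[bytes]:
    """A peer that hangs up immediately: EOF is reported as an empty reply."""
    client, server = socket.socketpair()
    server.close()
    try:
        return delayed_recv(client, first_timeout=1.0, more_timeout=0.1)
    finally:
        client.close()
```

The three return shapes matter to a login module: None means the target is
unresponsive and the connection should be restarted, b"" means it shunned us,
and a non-empty buffer is a reply that can be matched against the expected
prompt; a module that picks too small a `more_timeout` sees only the first
fragment of the banner and never finds the prompt.
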
Module Updates:
  HTTP
  -Added check for 301 response code (treated as success)
  -NTLM authentication support

  IMAP
  -Minor code cleanup

  MySQL
  -Added support for testing accounts without password

  PcAnywhere
  -Added sleep to deal with servers that choke when attempts arrive too quickly

  POP3
  -Added AS/400 mode. Examines error codes to give us better information about
   account status.

  SMBNT
  -Added check to detect non-existent accounts when auditing an XP client

  Telnet
  -Moved receive functions to new delayed receive functions. This is slower, but
   we should actually be able to brute devices with long logon banners now.

  Wrapper
  -Added support for scripts to pass error messages back to Medusa.

Misc. Updates:
  Rdesktop
  -Added better success/failure detection
  -Added support to detect various error messages
  -Added basic W2K support
  -Added basic OS detection

  Ebuilds
  -Updated libssh2 ebuild based on bugs.gentoo.org feedback.
  -Updated Medusa ebuild based on bugs.gentoo.org feedback.
  -Updated Medusa version and added new module dependencies.
  -Modified ncpfs ebuild for "install-dev" option.

================================================================
Version 1.0
================================================================

Initial release
Modules (stable): HTTP, MS-SQL, SMBNT, SSHv2, Telnet, POP3 and MySQL
Modules (unstable): RSH, RLOGIN, REXEC, FTP, IMAP, PcAnywhere, and generic wrapper
