================================================================
Version 2.2
================================================================

Medusa Core Updates:
 - General code clean-up and compiler warning squashing

Module Updates:

HTTP
 - NTLM2 session response support
 - Report domain name provided in NTLM challenge (verbose output)
 - Allow inclusion of custom headers

RDP
 - Initial release of RDP module (FreeRDP-based)
 - Support for pass-the-hash authentication

SMB
 - Report account access (admin vs user-level) through ADMIN$ connection

SMTP-VRFY
 - Added EXPN/RCPT support

SSH
 - Fix OS X multi-thread issues

================================================================
Version 2.1.1
================================================================

Minor release updates:
 - GCC 4.7 compile issue ("-module" removed)
 - SMBNT: fix infinite loop issue when testing against OS X
 - SNMP: remove socket flushing that caused us to miss passwords
 - IMAP: less restrictive regex to better match OK responses
 - POP3: restart connection after each attempt to deal with shunning

================================================================
Version 2.1
================================================================

Medusa Core Updates:

 - Combo format now accepts "host:user:lm hash:ntlm hash"
 - Autoconf updates and fixes
 - Removed PCRE library dependency (using stock glibc regex support)

Module Updates:

 - Numerous bug-fixes across modules (e.g., SSH2 thread-safety)
 - Support for UltraVNC MS-Logon (local/domain Windows credentials)

Additional Updates:
 - Third-party GUI released:
   http://wiki.taksmind.org/index.php?title=Medusa-gui

================================================================
Version 2.0
================================================================

Medusa Core Updates:
 -Pool-based thread handling

  The previous version destroyed threads following the completion of a host
  or user test. The use of a thread pool should decrease the overall
  application overhead by limiting the frequency of thread destruction
  and creation. The original code ran into issues in several specific
  situations (e.g. testing over a thousand users with only a single
  password). Such cases resulted in a large number of threads being
  created and destroyed in short order, frequently resulting in an
  application crash. The thread pool should eliminate this particular
  problem.

 -Modules now request next credential set (username + password)

  Modules previously called getNextPass(), which returned a valid password
  until the password list for the user being tested was exhausted. At that
  point, the module exited and the login thread was destroyed. A new thread
  and module instance would be created for the next user to test. We now
  use getNextCredentialSet(), which returns a valid user and password. This
  allows the module to get the next user to test and decide whether the
  connection needs to be completely torn down or not.

 -Secondary user credential queue added for missed login tests.

  In certain situations we need to scale back the number of concurrent
  login threads targeting a specific service. For example, MSDE's workload
  governor limits the service to no more than 5 concurrent connections. If
  the user kicked off 10 parallel login threads, 5 of those are going to
  fail and terminate. The challenge is that each of those threads was
  already assigned a credential set to test.

  The previous version simply printed the username and password combinations
  which were not tested and moved on. We now push these missed credentials
  into a host-specific queue. Once the login threads have finished their
  normal checks, they move on to this queue and retry the previously missed
  credentials. In some cases, say it's the last thread that pushed something
  into the queue before exiting, we kick off a clean-up thread to walk through
  any remaining items.

 -Host and User-level Resume

  Support for host and user-level resuming of a scan. When Medusa receives a
  SIGINT, it will calculate and display a "resume map". This map can then be
  supplied to the next run. For example, "medusa [OPTIONS PREVIOUSLY USED]
  -Z h6u1u2h8.". This map describes which hosts were completed and which
  systems had not been touched. If a host was partially completed, it
  describes which users had been tested for that specific system. It should
  be noted that password-level resuming is not supported. If a user's
  password list was only partially completed, testing of the user will be
  restarted on resume.

Module Updates:
 FTP
  -Misc. fixes

 HTTP
  -Domain module option for BASIC/NTLM authentication types
  -Allow auth type to be specified
  -Misc. fixes (NTLM base64 length, restart HTTP connection after each request)

 IMAP
  -Domain module option for LOGIN/NTLM authentication types
  -Regex-based server response matching for better handling of slow targets
  -Misc. fixes (handle dropped connections, force TLSv1, base64 length)

 MSSQL
  -Auto SQL port identification via "SQL Ping" technique

 NCP
  -Misc. fixes (connection retry code)

 POP3
  -Domain module option for NTLM authentication type
  -Regex-based server response matching for better handling of slow targets
  -Misc. fixes (base64 length)

 SMTP
  -Regex-based server response matching for better handling of slow targets

 SMTP-VRFY
  -Misc. fixes (don't include "@" if no domain specified)

 SSH
  -Detect and warn if being built on Debian/Ubuntu system (broken libssh2)

 VMAUTHD
  -Regex-based server response matching for better handling of slow targets

 Web-Form
  -Misc. fixes

 WRAPPER
  -Misc. fixes (fix handling of short usernames/passwords)

================================================================
Version 1.5
================================================================

Medusa Core Updates:
 -Provides additional information about current account check (e.g. 172.22.110.58 (60 of 104, 51 complete))
 -Support for simple resume by host.
 -Bug fix for "-e" option
 -Bug fix for displaying hostname vs. IP
 -Added function for printing a specified length of binary data in hex

Module Updates:
 AFP
  -Added new module for Apple Filing Protocol from pmonkey

 HTTP
  -NTLM auth bug fix
  -Digest authentication support (MD5 and MD5-sess)

 IMAP
  -STARTTLS extension support
  -NTLM support

 MYSQL
  -Misc. bug fixes

 POP3
  -STARTTLS extension support
  -Better handling of connections dropped by remote server
  -Support user-supplied domain names
  -LOGIN, PLAIN, and NTLM support

 SMBNT
  -Created framework for different authentication levels (e.g. LM, NTLM, etc).
  -Support for basic LM authentication to allow for case-insensitive bruting
  -NTLMv2/LMv2 support (Vista bruting)
  -Fix for guest user check
  -Support for "DOMAIN\USER" and "DOMAIN\\USER" style names

 SMTP
  -Renamed SMTP-AUTH to SMTP
  -NTLM support

 SMTP-VRFY
  -Misc. bug fixes

 SSH
  -Honor number of user-specified retries
  -Restart connection when server fails to respond with auth modes after several attempts

 TELNET
  -Basic AS/400 Telnet / TN5250 support
  -Log hosts supplying only a password prompt (non-AAA)

 VMAUTHD
  -Misc. bug fixes

 WEB-FORM
  -Misc. bug fixes for user-supplied FORM-DATA value

Misc. Updates:
 -Added ZSH functions file
 -Updated Medusa ebuild version and added new module dependencies.

================================================================
Version 1.4
================================================================

Medusa Core Updates:
 -Major re-working of the autoconf setup. Modules can now be enabled/disabled
  individually. Also, modules for which the base dependencies are not
  satisfied are simply not built. In the past they were compiled, but left in
  a non-functional state. The default is to build all "stable" modules.
 -APR version detection
 -Misc bug fix in networking code
 -SSL socket rework. Fixes issue with concurrent mixed SSL and non-SSL
  connections (FTPS).

Module Updates:
 FTP
  -Added support for explicit and implicit FTPS
  -Better handling of FTP banners

 HTTP
  -Now leaves user-specified value intact within Host: header
  -Minor code cleanup

 IMAP
  -LOGIN AUTH support
  -Added TAG module parameter
  -No longer restarts connection after each attempt

 NNTP
  -Added module with AUTHINFO support

 POP3
  -No longer restarts connection after each attempt

 MySQL
  -Misc bug fixes / error handling
  -Added MySQL pre-4.1 pass-the-hash support

 NCP
  -Misc bug fixes

 SMBNT
  -Misc bug fixes

 SMTP-AUTH
  -AUTH PLAIN support
  -AUTH LOGIN (e.g. Exchange) support

 SSH
  -Handles new libssh2 error messages
  -libssh2 (0.18) should no longer cause Medusa to hang on SSHv1 hosts or when
   the target refuses to send its banner.
  -Added banner parameter verification (Luciano Bello)

 VNC
  -Misc bug fixes

 WEB-FORM
  -Added new module from Luciano Bello

 WRAPPER
  -Better handling of failed attempts within oracle.pl script

================================================================
Version 1.3
================================================================

Medusa Core Updates:
 -Module listing fix for OpenBSD/AMD64
 -Autoconf tweaks for NCP & SVN checks
 -Autoconf tweaks for Solaris/OpenBSD
 -Removed unnecessary IP address checks
 -Other minor bug fixes

================================================================
Version 1.2
================================================================

Moved following modules to stable:
 NCP, VNC, PostgreSQL, SVN, CVS, VmAuthd, SNMP

Medusa Core Updates:
 -Compile on x86_64, Mac OS X.
 -Minor bug fixes.
 -Modified license with OpenSSL GPL exemption.

Module Updates:
 SMBNT
  -Added AS/400 target support.
  -Global "-e" option now works with module "PASS:HASH".

 FTP
  -Modified response parsing code to support AS/400 brute-forcing.

 REXEC
  -Modified response parsing code.

 Wrapper
  -Added oracle script.
  -Added SMB NULL session script.

================================================================
Version 1.1
================================================================

Added following modules (unstable):
 CVS, NCP, PostgreSQL, SMTP/VRFY, SNMP, SVN, VmAuthd, VNC

Moved following modules to stable:
 PcAnywhere, FTP, IMAP, RSH, REXEC, RLOGIN, and generic wrapper

Medusa Core Updates:
 -Display module list sorted alphabetically
 -Compiles on OpenBSD
 -Added delayed receive functions which allow the modules to specify the timeout
  for both the initial socket read and the second "is any more data there?" check.
 -Modified SSL connect function. The function now takes an already existing socket
  and switches it over to SSL. This is needed for modules like VMAUTHD.
 -Major rework of network receive function. Original code was copied from Hydra and
  seemed to have some issues.

Module Updates:
 HTTP
  -Added check for 301 response code (treated as success)
  -NTLM authentication support

 IMAP
  -Minor code cleanup

 MySQL
  -Added support for testing accounts without password

 PcAnywhere
  -Added sleep to deal with servers freaking out when attempts arrive too quickly

 POP3
  -Added AS/400 mode. Examines error codes to give us better information about
   account status.

 SMBNT
  -Added check to detect non-existent accounts when auditing an XP client

 Telnet
  -Moved receive functions to new delayed receive functions. This is slower, but
   we should actually be able to brute devices with long logon banners now.

 Wrapper
  -Added support for scripts to pass error messages back to Medusa.

Misc. Updates:
 Rdesktop
  -Added better success/failure detection
  -Added support to detect various error messages
  -Added basic W2K support
  -Added basic OS detection

 Ebuilds
  -Updated libssh2 ebuild based on bugs.gentoo.org feedback.
  -Updated Medusa ebuild based on bugs.gentoo.org feedback.
  -Updated Medusa version and added new module dependencies.
  -Modified ncpfs ebuild for "install-dev" option.

================================================================
Version 1.0
================================================================

Initial release
Modules (stable): HTTP, MS-SQL, SMBNT, SSHv2, Telnet, POP3 and MySQL
Modules (unstable): RSH, RLOGIN, REXEC, FTP, IMAP, PcAnywhere, and generic wrapper
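
Illustration of the Version 2.0 login-thread scheduling described above (pooled
login threads pulling credential sets, a target that caps concurrent sessions,
and a per-host retry queue for sets that were never actually tested). This is an
added Python example, not Medusa's code: Medusa is written in C and its modules
talk to real services. CappedTarget is a constructed stand-in for a service with
a connection cap such as the MSDE workload governor, the credential lists are
constructed sample data, and halving the thread count on each clean-up pass is an
assumption made here so the retry loop is guaranteed to converge; the changelog
does not say how Medusa sizes its clean-up thread.

```python
import queue
import threading
import time


class CappedTarget:
    """Constructed stand-in for a service with a hard concurrency cap (the MSDE
    workload governor mentioned in the Version 2.0 notes). Assumed behaviour:
    once max_conn sessions are open, further connects are refused outright."""

    def __init__(self, max_conn, valid_creds):
        self.max_conn = max_conn
        self.valid_creds = valid_creds      # {user: password}, sample data
        self.refused = 0                    # how many connects the cap rejected
        self._active = 0
        self._lock = threading.Lock()

    def connect(self):
        with self._lock:
            if self._active >= self.max_conn:
                self.refused += 1
                raise ConnectionRefusedError("workload governor: session limit")
            self._active += 1

    def disconnect(self):
        with self._lock:
            self._active -= 1

    def login(self, user, password):
        time.sleep(0.005)                   # hold the session so threads collide
        return self.valid_creds.get(user) == password


def credential_sets(users, passwords):
    """User-major order, like a module asking for the next (user, password)
    set: every password for the first user, then the next user."""
    for user in users:
        for password in passwords:
            yield user, password


def login_worker(target, cred_q, retry_q, found, tested, lock):
    """One pooled login thread. A refused connect means the set was never
    tested, so it is parked on the host's retry queue instead of dropped."""
    while True:
        try:
            user, password = cred_q.get_nowait()
        except queue.Empty:
            return
        try:
            target.connect()
        except ConnectionRefusedError:
            retry_q.put((user, password))
            continue
        try:
            ok = target.login(user, password)
        finally:
            target.disconnect()
        with lock:
            tested.append((user, password))
            if ok:
                found[user] = password


def run_pool(target, cred_q, retry_q, found, tested, lock, n_threads):
    threads = [
        threading.Thread(target=login_worker,
                         args=(target, cred_q, retry_q, found, tested, lock))
        for _ in range(n_threads)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def brute_force(target, users, passwords, n_threads):
    """Normal pass with the full pool, then clean-up passes over the retry
    queue. Halving the thread count per pass (an assumption made here, not
    taken from the changelog) guarantees convergence even when the cap is
    unknown: with a single thread nothing can be refused."""
    cred_q, retry_q = queue.Queue(), queue.Queue()
    for cs in credential_sets(users, passwords):
        cred_q.put(cs)
    found, tested, lock = {}, [], threading.Lock()

    run_pool(target, cred_q, retry_q, found, tested, lock, n_threads)

    retried = 0
    while not retry_q.empty():
        retried += retry_q.qsize()
        cred_q, retry_q = retry_q, queue.Queue()
        n_threads = max(1, n_threads // 2)
        run_pool(target, cred_q, retry_q, found, tested, lock, n_threads)

    return {"found": found, "tested": len(tested), "retried": retried}


if __name__ == "__main__":
    target = CappedTarget(max_conn=2,
                          valid_creds={"sa": "Winter2006", "backup": "backup"})
    print(brute_force(target, ["sa", "backup", "guest"],
                      ["password", "Winter2006", "backup"], n_threads=10))
```

The property worth checking is that every credential set is tested exactly
once: a refused connection never counts as a test, it only moves the set onto
the retry queue, which is the difference between the 2.0 behaviour and the
earlier "print the missed combination and move on".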