π° Originally published on SecurityElites β the canonical, fully-updated version of this article.
π KALI LINUX MASTERY
FREE
Part of the Kali Linux 180-Day Course
Day 20 of 180 Β· 11.1% complete
β οΈ Authorised Testing Only: Medusa is a login brute force tool. Use it exclusively against systems you own, systems in authorised penetration test scope, or designated lab environments (DVWA, Metasploitable, HackTheBox, TryHackMe). Brute-forcing login systems without explicit written authorisation is a criminal offence under the Computer Fraud and Abuse Act and equivalent laws worldwide.
Medusa Tutorial Kali Linux for 2026 :β When a password list meets a live service, Medusa is the engine that bridges them at speed. Where Hashcat cracks hashes offline at billions of attempts per second using your GPU, Medusa operates online β sending real authentication attempts to real services across the network. SSH servers, FTP servers, web login forms, RDP endpoints, SMB shares β if a service accepts a username and password, Medusa can test your wordlist against it in parallel. Day 20 teaches you how to use it properly: the right thread counts per protocol, how to handle web forms with custom parameters, how to avoid triggering lockouts, and when Medusa is the right tool versus reaching for Hydra.
π― What Youβll Master in Day 20
Run Medusa against SSH, FTP, and HTTP services with correct module syntax
Configure parallel threads and rate limits to balance speed against lockout risk
Attack web login forms using the web-form module with custom POST parameters
Compare Medusa vs Hydra β when each tool is the better choice
Build a complete credential attack workflow combining Day 18 Crunch + Day 19 Hashcat + Day 20 Medusa
β±οΈ 40 min Β· 3 terminal exercises Β· Kali Linux required ### π Prerequisites β Day 20 - Day 18: Crunch β Custom wordlist generation used in todayβs exercises - Day 19: Hashcat β Offline hash cracking; Medusa is the online equivalent for live services - A lab target β DVWA, Metasploitable, or a HackTheBox/TryHackMe machine. Never test against systems you donβt own. ### π Medusa Tutorial β Day 20 Contents 1. How Medusa Works β Parallel Architecture and Module System 2. Core Syntax and Essential Flags 3. SSH Brute Force with Medusa 4. HTTP Form Brute Force 5. Thread Control and Lockout Avoidance 6. Medusa vs Hydra β Choosing the Right Tool ## How Medusa Works β Parallel Architecture and Module System Medusa is a speedy, massively parallel, modular login brute forcer. Its architecture separates the core engine from the protocol-specific modules β each protocol (SSH, FTP, HTTP, SMB, RDP, LDAP, etc.) is implemented as a separate module, allowing Medusa to support new services by adding modules without changing the core engine. Run medusa -d to list all installed modules on your Kali system. Each module handles the specific authentication flow for its protocol, including the handshake, credential submission format, and success/failure detection logic.
The parallelism model is thread-based. Medusa spawns a pool of worker threads, each handling a separate authentication attempt simultaneously. The -t flag controls the total number of parallel threads across all hosts. The -T flag controls threads per host when attacking multiple targets simultaneously. This architecture means Medusaβs speed scales with thread count and CPU cores β on a modern multi-core system with a fast network connection, Medusa can test thousands of credentials per minute against protocols with low per-attempt overhead.
securityelites.com
Medusa Module List β medusa -d (selected)
ssh
ftp
http
https
smb
rdp
telnet
smtp
imap
pop3
ldap
mysql
mssql
postgres
web-form
Full list: medusa -d | grep Module
πΈ Medusa module list showing 15 of 20+ supported protocols. Each module is a separate .mod file handling the authentication specifics for its protocol. The web-form module is the most configuration-intensive β it requires specifying the POST parameters, the target URL path, and the failure string. All other modules work with minimal configuration beyond host, username/password source, and module name.
Core Syntax and Essential Flags
Medusaβs syntax follows a consistent pattern across all modules. The minimum required flags are: -h (target host), credentials (either single values with -u/-p or list files with -U/-P), and -M (the module/protocol). All other flags modify behaviour β thread count, output format, module-specific options.
MEDUSA CORE FLAGS REFERENCECopy
Target specification
-h [host] # single host IP or hostname
-H [file] # host list file (one per line)
Credentials
-u [username] # single username
-U [file] # username list file
-p [password] # single password
-P [file] # password list file
Module and output
-M [module] # protocol module (ssh, ftp, http, etc.)
-t [N] # total parallel threads (default: 16)
-T [N] # threads per host
-f # stop on first success per host
-F # stop on first success across all hosts
-O [file] # output to file
-v [0-6] # verbosity level (6 = max debug)
-w [seconds] # wait between attempts
-m [options] # module-specific options (varies per module)
SSH Brute Force with Medusa
SSH is the most common Medusa target in penetration testing because SSH is exposed on virtually every Linux server and many network devices. The SSH module handles the protocol handshake automatically β you only need to specify the target, credentials, and thread count. The primary consideration for SSH brute force is thread count: SSH servers commonly implement rate limiting and tools like fail2ban monitor SSH authentication failures. Setting too many threads triggers blocking after a small number of attempts. For authorised assessments, start with 2-4 threads and verify the clientβs lockout policy before increasing.
π Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites β
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
Top comments (0)