Medusa is a cross-platform agent compatible with both Python 3.8 and Python 2.7.

Medusa


Installation

To install Medusa, you'll need Mythic installed on a remote computer. You can find installation instructions for Mythic at the Mythic project page.

From the Mythic install root, run the command:

./mythic-cli payload install github https://github.com/MythicAgents/Medusa.git

Once installed, restart Mythic to build a new agent.

Notable Features

  • File browser compatibility with upload/download
  • Windows injection example using CreateRemoteThread
  • macOS clipboard reader, screenshot grabber and TCC database parsing examples
  • Eval() of dynamic Python code
  • Basic Authentication Proxy compatibility

Commands Manual Quick Reference

The base agent and included commands all use built-in Python libraries, so they do not need additional packages to function. The agent runs commands in threads, so long-running uploads or downloads will not block the main agent loop.

Command     Syntax                                 Description
cat         cat path/to/file                       Read and output file content.
cd          cd [.. dir]                            Change working directory (.. to go up one directory).
clipboard   clipboard                              Output contents of clipboard (uses the Objective-C API, as outlined by Cedric Owens here; macOS only, Python 2.7 only).
cp          cp src_file_or_dir dst_file_or_dir     Copy file or folder to destination.
cwd         cwd                                    Print working directory.
download    download [path]                        Download a file from the target system.
exit        exit                                   Exit a callback.
env         env                                    Print environment variables.
eval        eval [commands]                        Execute Python code and return output.
jobs        jobs                                   List long-running tasks, such as downloads.
ls          ls [. path]                            List files and folders in [path], or use . for the current working directory.
list_tcc    list_tcc [path]                        List entries in the macOS TCC database (requires full-disk access; Big Sur only at the moment).
mv          mv src_file_or_dir dst_file_or_dir     Move file or folder to destination.
rm          rm file_or_dir                         Delete file or folder.
screenshot  screenshot                             Take a screenshot (uses the Objective-C API; macOS only, Python 2.7 only).
shell       shell [command]                        Run a shell command, spawned with subprocess.Popen(). Note that this waits for the command to complete, so be careful not to block your agent.
shinject    shinject                               Inject shellcode into target PID using CreateRemoteThread (Windows only; adapted from here).
sleep       sleep [seconds] [jitter percentage]    Set the callback interval of the agent in seconds.
upload      upload                                 Upload a file to a remote path on the machine.

Python Versions

Both versions of the Medusa agent use an AES256 HMAC implementation written with built-in libraries (adapted from here), removing the need for any dependencies beyond a standard Python install. As such, the agent should operate across Windows, Linux and macOS hosts. Note that this pure-Python crypto implementation does introduce some overhead when handling large files (screenshots, downloads, etc.), but it is workable.

Py2 vs Py3 Commands

Within the Payload_Type/Medusa/agent_code directory, you will see base_agent files with both py2 and py3 suffixes. Likewise, similar file extensions can be seen for individual function files too.

These are read by the builder.py script, which first selects the base agent file for the chosen Python version and then includes the commands specific to that version. Where a command only has a .py extension, that file is used by default, on the assumption that no different code is needed between the Py2 and Py3 versions.
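To make the selection rule concrete, here is an added example (my own illustration, not the project's builder.py) that applies it to a constructed directory: a command's .py2 or .py3 file is taken for the matching interpreter, the plain .py file is the shared fallback, and the other version's file is ignored. The directory contents and function names are assumptions for the demo.

```python
"""Illustration of the per-version command file selection rule.

Added example, not the project's builder.py: it models the rule that a
command file with a .py2 or .py3 suffix is chosen for the matching
interpreter, and a plain .py file is used when no version-specific file exists.
"""
import os
import tempfile

# Suffix that marks a version-specific command file for each target interpreter.
VERSION_SUFFIX = {2: ".py2", 3: ".py3"}


def select_command_files(directory, python_version):
    """Return {command_name: path} for the given major Python version.

    `<cmd>.py3` wins over `<cmd>.py` when building for Python 3, `<cmd>.py2`
    wins when building for Python 2, and `<cmd>.py` is the fallback shared by
    both. Files that belong to the other interpreter are ignored.
    """
    if python_version not in VERSION_SUFFIX:
        raise ValueError("unsupported Python major version: %r" % (python_version,))
    wanted = VERSION_SUFFIX[python_version]
    other = VERSION_SUFFIX[3 if python_version == 2 else 2]
    chosen = {}
    for name in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(name)
        path = os.path.join(directory, name)
        if ext == wanted:
            chosen[stem] = path           # version-specific file always wins
        elif ext == ".py" and stem not in chosen:
            chosen[stem] = path           # shared fallback unless already overridden
        elif ext == other:
            continue                      # belongs to the other interpreter
    return chosen


def demo_selection():
    """Build a constructed agent_code-like directory and resolve it for both versions.

    Returns (py2_choice, py3_choice) mapping command name to the chosen file name.
    """
    tmp = tempfile.mkdtemp()
    # Constructed placeholder files; the names mimic the .py / .py2 / .py3 convention.
    for fname in ("cat.py", "ls.py", "clipboard.py2", "shell.py", "shell.py3", "screenshot.py2"):
        with open(os.path.join(tmp, fname), "w") as fh:
            fh.write("# constructed placeholder for %s\n" % fname)
    py2 = dict((k, os.path.basename(v)) for k, v in select_command_files(tmp, 2).items())
    py3 = dict((k, os.path.basename(v)) for k, v in select_command_files(tmp, 3).items())
    return py2, py3


if __name__ == "__main__":
    for version, choice in zip((2, 3), demo_selection()):
        print("Python %d:" % version, sorted(choice.items()))
```

The Python 2 build picks up clipboard.py2 and screenshot.py2 but keeps the shared shell.py, while the Python 3 build takes shell.py3 and drops the two Py2-only commands entirely, which matches the "macOS only, Python 2.7 only" notes in the command table.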

Supported C2 Profiles

Currently, only one C2 profile is available to use when creating a new Medusa agent: http (both with and without AES256 HMAC encryption).

HTTP Profile

The HTTP profile calls back to the Mythic server over the basic, non-dynamic profile: GET requests to fetch taskings and POST requests to return responses.
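Because the profile is a fixed sleep plus jitter (see the sleep command above), with GET requests for taskings and POST requests for results, the cadence shows up in egress logs. The following is an added example, not part of Medusa, that scores client/server pairs in constructed proxy log lines by how regular their request gaps are; the log format, hosts and addresses are made up for the demo.

```python
"""Beacon-interval analysis over constructed proxy log lines.

Added example (not part of the Medusa project). A fixed sleep with jitter
produces request gaps that cluster tightly around the sleep value, so each
client/server pair is scored by the coefficient of variation (CV) of its gaps.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed proxy log format: "<iso-timestamp> <src-ip> <METHOD> <host> <path>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)

# Constructed sample: 10.0.0.8 polls every ~10 s (one POST carrying a result),
# 10.0.0.9 is an ordinary browsing session with irregular gaps.
SAMPLE_LOG = """\
2023-01-05T10:00:00 10.0.0.8 GET c2.example.invalid /index
2023-01-05T10:00:10 10.0.0.8 GET c2.example.invalid /index
2023-01-05T10:00:19 10.0.0.8 POST c2.example.invalid /data
2023-01-05T10:00:31 10.0.0.8 GET c2.example.invalid /index
2023-01-05T10:00:40 10.0.0.8 GET c2.example.invalid /index
2023-01-05T10:00:51 10.0.0.8 GET c2.example.invalid /index
2023-01-05T10:00:03 10.0.0.9 GET www.example.invalid /
2023-01-05T10:00:04 10.0.0.9 GET www.example.invalid /style.css
2023-01-05T10:02:40 10.0.0.9 POST www.example.invalid /login
2023-01-05T10:09:15 10.0.0.9 GET www.example.invalid /account
2023-01-05T10:09:16 10.0.0.9 GET www.example.invalid /logo.png
2023-01-05T10:25:02 10.0.0.9 GET www.example.invalid /logout
"""


def parse_log(text):
    """Group (timestamp, method) pairs by (src, host); malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events[(m.group("src"), m.group("host"))].append((ts, m.group("method")))
    return events


def score_pairs(events, min_requests=5, max_cv=0.35):
    """Score each pair with enough requests; CV <= max_cv marks it as beacon-like."""
    results = {}
    for key, reqs in events.items():
        reqs.sort()
        if len(reqs) < min_requests:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        results[key] = {
            "mean_interval": round(mean, 1),
            "cv": round(cv, 3),
            "methods": sorted({m for _, m in reqs}),  # GET+POST mix supports the profile match
            "beacon": cv <= max_cv,
        }
    return results


def find_beacons(text, **kwargs):
    """Convenience wrapper: keys of the pairs flagged as beacon-like."""
    return [key for key, v in score_pairs(parse_log(text), **kwargs).items() if v["beacon"]]


if __name__ == "__main__":
    for key, v in score_pairs(parse_log(SAMPLE_LOG)).items():
        print(key, v)
```

For a sleep of T with uniform jitter of plus or minus j, the gaps spread over [T(1-j), T(1+j)] and have a CV of j/sqrt(3), so a cutoff of 0.35 still catches jitter of roughly 60% while the browsing session scores well above 1. Tune min_requests and max_cv to the environment; the method only sees timing, so a GET/POST mix to the same host is a supporting signal rather than the test itself.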

Thanks

Comments
  • Upload command

    Upload command

    Upload command seems not to be working! It adds in padding slashes and I'm getting the upload command output: [Errno 13] Permission denied: 'C:\Users\minka\Downloads'. Running it as Administrator.

    opened by Chomikmarkus 9
  • Added support for self signed certificates

    Added support for self signed certificates

    Hello!

    I've been playing with Medusa and I noticed that if the HTTP C2 Profile uses HTTPS with self-signed certificates Medusa won't work because urlopen will check the certificate.

    I added the option to choose if you want to verify the certificate or not so we can use self-signed certificates.

    opened by litios 2
  • error handling: name of ssl protocol does not exist on target system

    error handling: name of ssl protocol does not exist on target system

    Hi, somehow on one of the target systems the ssl module does not have PROTOCOL_TLS as it is included here https://github.com/MythicAgents/Medusa/blob/4309cbe97dc1d876bd0017aa03112ab102c37eff/Payload_Type/medusa/mythic/agent_functions/builder.py#L118

    This results at the end in the following error: AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLS'

    I'm not entirely sure how this happens, just fixed it up with the following, which ends up taking PROTOCOL_TLSv1 on the system:

    import ssl

    # dir() returns names sorted, so on a module without PROTOCOL_TLS the first
    # PROTOCOL_TLS* entry is PROTOCOL_TLSv1; getattr turns the name into the
    # constant that SSLContext expects (passing the string itself would raise TypeError).
    gcontext = ssl.SSLContext(getattr(ssl, [e for e in dir(ssl) if e.startswith('PROTOCOL_TLS')][0]))
    if "PROTOCOL_TLS" in dir(ssl):
        gcontext = ssl.SSLContext(ssl.PROTOCOL_TLS)
    

    I'm not sure how common this is, if it is worth adding

    opened by gmatuz 1
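Both reports above (the self-signed certificate PR and the missing PROTOCOL_TLS attribute) come down to how the client SSLContext is built. As an added example, not code from Medusa's builder.py, here is a context builder that keeps certificate verification on in both situations: it uses ssl.create_default_context() where the interpreter has it, otherwise falls back to the newest auto-negotiating PROTOCOL_* constant the module exposes, and handles a self-signed server certificate by trusting that certificate file rather than disabling verification. The function names and the cafile path are assumptions.

```python
"""TLS client context construction that keeps verification on.

Added example, not Medusa's own code. Two situations from the issue tracker
are covered: an ssl module without PROTOCOL_TLS, and a server presenting a
self-signed certificate (trusted explicitly via cafile instead of switching
verification off).
"""
import ssl

# Auto-negotiating protocol constants, newest name first. All of them pick the
# highest TLS version both sides support; the names differ between releases
# (PROTOCOL_SSLv23 exists everywhere SSLContext does, i.e. 2.7.9+ / 3.2+).
_AUTO_NEGOTIATE = ("PROTOCOL_TLS_CLIENT", "PROTOCOL_TLS", "PROTOCOL_SSLv23")


def fallback_context(cafile=None):
    """Context for interpreters without ssl.create_default_context().

    Unlike picking the first dir(ssl) entry that starts with PROTOCOL_TLS
    (which yields PROTOCOL_TLSv1, a fixed old version), this prefers the
    auto-negotiating constants and turns verification on explicitly.
    """
    proto = next(getattr(ssl, name) for name in _AUTO_NEGOTIATE if hasattr(ssl, name))
    ctx = ssl.SSLContext(proto)
    ctx.verify_mode = ssl.CERT_REQUIRED          # must be set before check_hostname
    if hasattr(ctx, "check_hostname"):           # attribute missing before 2.7.9 / 3.4
        ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # trust this cert / internal CA only
    else:
        ctx.set_default_verify_paths()            # system trust store
    return ctx


def build_client_context(cafile=None):
    """Preferred path: create_default_context() gives secure defaults.

    cafile is the PEM file of the self-signed server certificate or of the
    internal CA that issued it; a missing file raises OSError rather than
    silently falling back to an unverified connection.
    """
    if hasattr(ssl, "create_default_context"):
        return ssl.create_default_context(cafile=cafile)
    return fallback_context(cafile)


def is_verifying(ctx):
    """True when the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(getattr(ctx, "check_hostname", False))


if __name__ == "__main__":
    ctx = build_client_context()
    print("verifying:", is_verifying(ctx), "protocol:", ctx.protocol)
```

With this shape, the only way to talk to a self-signed server is to hand the context that server's certificate (or the internal CA that issued it) as cafile; a verify-off switch never exists, so it cannot be left enabled in a build by accident. The fallback branch is a separate function so it can be exercised on a modern interpreter as well.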
  • Using pipes in shell command seems to have escaping problems

    Using pipes in shell command seems to have escaping problems

    When attempting the following shell command:

    ps auxwww | grep something

    an error is returned saying that the pipe is an invalid character. Is there another way to run a piped shell command via medusa?

    opened by Viss 1
  • Local IP address resolution fails on macOS

    Local IP address resolution fails on macOS

    The agent uses socket.gethostbyname() to retrieve the IP address of the host by looking up the hostname, returned from socket.gethostname(), against either the local resolver or the hosts file.

    On macOS the device hostname is not present in /etc/hosts by default, so looking up the hostname fails, causing the agent to exit.

    opened by sysophost 2
  • Mythic create new callback issue

    Mythic create new callback issue

    Hi,

    when spawning a new linux payload (python3), the active callback cannot be created as the username field is empty:


    Failed to create new callback null value in column "user" of relation "callback" violates not-null constraint
    DETAIL:  Failing row contains (1, e11d1b05-1279-445e-af89-7cdf6a829c8f, 2022-02-06 08:56:10.628592, 2022-02-06 08:56:10.628595, null, WEB50, 35668, 172.10.10.50, 172.10.10.50, , First linux-python-payload, 1, t, 1, 2, f, null, 1, null, null, null, Linux 5.11.0-49-generic, x64, , null, , , null).
    

    It seems as if the os.getlogin() function causes the trouble, so I decided to replace it with getpass.getuser(), which is also supported according to this article: https://stackoverflow.com/questions/47444178/difference-between-os-getlogin-and-os-environ-for-getting-username

    https://github.com/MythicAgents/Medusa/blob/9266936ed16e105d6d69aa6fb2e38d66f03382ea/Payload_Type/medusa/agent_code/base_agent/base_agent.py3#L15

    opened by who1smrrobot 1
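The last two reports share a cause: the check-in metadata is collected with calls that work on a developer's machine but not everywhere (os.getlogin() needs a controlling terminal; socket.gethostbyname(socket.gethostname()) needs the hostname to resolve). The following is an added example, not the agent's base_agent code, showing the usual fallbacks for both lookups as any host-inventory script would use them; the function names, the constructed environment and the TEST-NET probe address are assumptions.

```python
"""User name and local IPv4 lookup with fallbacks for headless and macOS hosts.

Added example, not the agent's base_agent code. os.getlogin() raises OSError
without a controlling terminal (services, cron, some containers), which is why
the callback above arrived with a NULL user; gethostbyname(gethostname()) fails
on macOS when the hostname is absent from /etc/hosts, which made the agent exit.
"""
import getpass
import os
import socket


def no_tty_login():
    """Stand-in for os.getlogin() on a process without a controlling terminal."""
    raise OSError("no controlling terminal")


def resolve_username(env=None, getlogin=os.getlogin):
    """Account name the process runs as; never raises, returns "unknown" at worst.

    Order: controlling-terminal login, then the LOGNAME/USER/LNAME/USERNAME
    variables (the same ones getpass consults), then the password database.
    `env` and `getlogin` are injectable so the fallbacks can be exercised.
    """
    try:
        name = getlogin()
        if name:
            return name
    except OSError:
        pass
    env = os.environ if env is None else env
    for var in ("LOGNAME", "USER", "LNAME", "USERNAME"):
        if env.get(var):
            return env[var]
    try:
        return getpass.getuser()
    except Exception:  # unknown uid or no pwd module: keep the check-in alive
        return "unknown"


def resolve_local_ip(probe_addr=("192.0.2.1", 9)):
    """Best-effort primary IPv4 address without a hostname lookup.

    Connecting a UDP socket sends no packet; it only makes the kernel choose
    the outbound interface, whose address getsockname() then reports. The
    probe target is a TEST-NET-1 address (RFC 5737), so nothing real is contacted.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(probe_addr)
        return s.getsockname()[0]
    except (socket.error, OSError):
        # No route at all (offline host, sandbox): try the hostname lookup last,
        # and fall back to loopback instead of exiting.
        try:
            return socket.gethostbyname(socket.gethostname())
        except (socket.error, OSError):
            return "127.0.0.1"
    finally:
        s.close()


def checkin_metadata():
    """Host metadata block in the shape a check-in would carry (constructed keys)."""
    return {"user": resolve_username(), "host": socket.gethostname(), "ip": resolve_local_ip()}


if __name__ == "__main__":
    print(checkin_metadata())
    print(resolve_username(env={"USER": "constructed-user"}, getlogin=no_tty_login))
```

The two injectable parameters make the failure paths testable without a headless box: passing no_tty_login reproduces the macOS/Linux service case, and an empty env forces the password-database path.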
Owner
Mythic Agents
A centralized area for installable Mythic Agents based on https://github.com/its-a-feature/Mythic_External_Agent