The big lie of computer security is that security improves by imposing complex passwords on users. In real life, people write down anything they can't remember. Security is increased by designing for the way humans actually behave. -Jakob Nielsen
If you are like me (tak, Huggles on HTS) and play with, use professionally, or write software that needs brute-force wordlists, you do not want to waste hard drive space on massive all-encompassing password lists that have a limited chance of success. Luckily you do not have to do that at all, by leveraging some John the Ripper and (l/u)nix functionality.
When using Aircrack-ng to try to recover the key for, say, WPA2 encryption, you can pipe john-generated password candidates into aircrack on the fly in the following manner:
#john --incremental=all --stdout | aircrack-ng -a 2 -e WirelessNetwork WirelessNetwork-01.cap -w -
There is still a bit of an issue here, however. If you have to shut down your machine before you have retrieved the key, you do not want to re-run this command and restart john's list generation from scratch; you want to pick up where you left off (I assume, anyway).
Luckily for us jtr has the ability to store and resume sessions, so some tweaking will allow you to pick at the encryption at your leisure.
When using a utility like Medusa you need to get a little trickier, utilising a bash utility called xargs.
We will still be leveraging jtr's ability to store sessions; however, we will not quite be piping john's output directly into medusa. Instead we will pipe it into xargs, which executes the command following it for each line of stdin. We can use this to brute-force with medusa without a stored dictionary.
In reality you most likely will not be trying to brute-force a username/password based authentication without knowing one or the other, so you will probably have either a list or a single value for one of them (most likely the username).
To perform a brute-force attack utilising medusa and jtr, you can use something similar to the following command.
The -L 1 flag passed to xargs means execute the command once for every 1 line of input.
This does, however, slow down the brute-force, since medusa has to be launched and quit on every attempt. It also means the loop will not stop when an account has been found, so it helps to append the output to a separate file in this way:
#john --restore=RouterBrute | xargs -L 1 medusa -h 192.168.1.1 -u admin -M web-form -p >> check.txt
Then later run a grep on the output file, or write a script that does a periodic grep and kills the process / alerts you when it finds the string FOUND in the medusa output.
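A defender-side counterpart, as an added example that is not part of the original post: the one-attempt-per-process loop above sends one separate POST to the login form per guess, which shows up in the target's web server access log as a burst of failed logins from a single source. The script below assumes Apache/nginx "combined" log format and a hypothetical /login.cgi path (the log lines are constructed), and flags source IPs whose failed POSTs within a sliding window reach a threshold, which is the signal a lockout or rate-limit rule would key on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (combined format). 192.168.1.50 makes six
# failed POSTs in six seconds; 192.168.1.77 fails once then logs in.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Oct/2023:13:55:01 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Oct/2023:13:55:02 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Oct/2023:13:55:03 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Oct/2023:13:55:04 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Oct/2023:13:55:05 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Oct/2023:13:55:06 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.77 - - [10/Oct/2023:13:55:10 +0000] "POST /login.cgi HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.77 - - [10/Oct/2023:13:55:12 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line
    does not match the combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"), m.group("path"),
            int(m.group("status")))


def detect_login_bursts(lines, login_path="/login.cgi", threshold=5,
                        window_seconds=60, failure_statuses=(401, 403)):
    """Sliding-window count of failed POSTs to the login form per source IP.

    Returns {ip: peak_failures_within_window} for every IP whose peak
    reaches the threshold. Lines are assumed to be in log (time) order.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    peak = defaultdict(int)      # ip -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path or status not in failure_statuses:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {ip} made {count} failed login attempts within the window")
```

The successful login from 192.168.1.77 after a single failure is not flagged, which is the false-positive case a threshold guards against; the window size and threshold are the knobs to tune against the legitimate retry rate of the device's admin interface.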
This method can of course be implemented within the Medusa-GUI, utilising its ability to edit the command before execution: make sure you have JTR installed, launch the medusa-gui, append the jtr command / pipes as well as the output redirection to a separate file, and go. The medusa-gui may add a toggle button for this in the future.