NCRACK(1) | Ncrack Reference Guide | NCRACK(1) |
NAME
ncrack - Network authentication cracking tool
SYNOPSIS
ncrack [Options] {target specification}
DESCRIPTION
Ncrack is an open source tool for network authentication cracking. It was designed for high-speed parallel cracking using a dynamic engine that can adapt to different network situations. Ncrack can also be extensively fine-tuned for special cases, though the default parameters are generic enough to cover almost every situation. It is built on a modular architecture that allows for easy extension to support additional protocols. Ncrack is designed for companies and security professionals to audit large networks for default or weak passwords in a rapid and reliable way. It can also be used to conduct fairly sophisticated and intensive brute force attacks against individual services.
Warning
Ncrack is a project started in the Summer of 2009. While it is already useful for some purposes, it is still unfinished, beta quality software. You can help out by testing it and reporting any problems as described in the section called “BUGS”.
The output from Ncrack is a list of found credentials, if any, for each of the targets specified. Ncrack can also print an interactive status report of progress so far and possibly additional debugging information that can help track problems, if the user selected that option.
A typical Ncrack scan is shown in Example 1. The only Ncrack arguments used in this example are the two target IP addresses along with the corresponding ports for each of them. The two example ports 21 and 22 are automatically resolved to the default services listening on them: ftp and ssh.
Example 1. A representative Ncrack scan
$ ncrack 10.0.0.130:21 192.168.1.2:22

Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST

Discovered credentials for ftp on 10.0.0.130 21/tcp:
10.0.0.130 21/tcp ftp: admin hello1
Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
192.168.1.2 22/tcp ssh: admin money$

Ncrack done: 2 services scanned in 156.03 seconds.
Ncrack finished.
The latest version of Ncrack can be obtained from http://nmap.org/ncrack. The latest version of this man page is available at http://nmap.org/ncrack/man.html .
OPTIONS SUMMARY
This options summary is printed when Ncrack is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual.
Ncrack 0.7 ( http://ncrack.org )
Usage: ncrack [Options] {target and service specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iX <inputfilename>: Input from Nmap's -oX XML output format
  -iN <inputfilename>: Input from Nmap's -oN Normal output format
  -iL <inputfilename>: Input from list of hosts/networks
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
SERVICE SPECIFICATION:
  Can pass target specific services in <service>://target (standard) notation or
  using -p which will be applied to all hosts in non-standard notation.
  Service arguments can be specified to be host-specific, type of service-specific
  (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
  Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
  -p <service-list>: services will be applied to all non-standard notation hosts
  -m <service>:<options>: options will be applied to all services of this type
  -g <options>: options will be applied to every service globally
  Misc options:
    ssl: enable SSL over this service
    path <name>: used in modules like HTTP ('=' needs escaping if used)
    db <name>: used in modules like MongoDB to specify the database
    domain <name>: used in modules like WinRM to specify the domain
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, unless you append 'ms'
  (milliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  Service-specific options:
    cl (min connection limit): minimum number of concurrent parallel connections
    CL (max connection limit): maximum number of concurrent parallel connections
    at (authentication tries): authentication attempts per connection
    cd (connection delay): delay <time> between each connection initiation
    cr (connection retries): caps number of service connection attempts
    to (time-out): maximum cracking <time> for service, regardless of success so far
  -T<0-5>: Set timing template (higher is faster)
  --connection-limit <number>: threshold for total concurrent connections
  --stealthy-linear: try credentials using only one connection against each specified host
    until you hit the same host again. Overrides all other timing options.
AUTHENTICATION:
  -U <filename>: username file
  -P <filename>: password file
  --user <username_list>: comma-separated username list
  --pass <password_list>: comma-separated password list
  --passwords-first: Iterate password list for each username. Default is opposite.
  --pairwise: Choose usernames and passwords in pairs.
OUTPUT:
  -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
  -oA <basename>: Output in the two major formats at once
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 10 is meaningful)
  --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
MISC:
  --resume <file>: Continue previously saved session
  --save <file>: Save restoration file with specific filename
  -f: quit cracking service after one found credential
  -6: Enable IPv6 cracking
  -sL or --list: only list hosts and services
  --datadir <dirname>: Specify custom Ncrack data file location
  --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
  -V: Print version number
  -h: Print this help summary page.
MODULES:
  SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
EXAMPLES:
  ncrack -v --user root localhost:22
  ncrack -v -T5 https://192.168.0.1
  ncrack -v -iX ~/nmap.xml -g CL=5,to=1h

SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES
TARGET SPECIFICATION
Everything on the Ncrack command line that isn't an option (or an option argument) is treated as a target host specification. The simplest case is to specify a target IP address or a hostname. Note that you also need to specify a service to crack for the selected targets. Ncrack is very flexible in host/service specification. While hostnames and IP addresses can be defined with the flexibility you are probably used to from Nmap, services along with service-specific options have a unique specification style that lets several features be combined.
Sometimes you wish to crack a whole network of adjacent hosts. For this, Ncrack supports CIDR-style addressing. You can append /numbits to an IPv4 address or hostname and Ncrack will try to crack every IP address for which the first numbits are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would send probes to the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would crack exactly the same targets. Given that the host scanme.nmap.org is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would send probes to the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The largest value is /32, which targets just the named host or IP address because all address bits are fixed.
CIDR notation is short but not always flexible enough. For example, you might want to send probes to 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Ncrack supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will target the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier will send probes to all IP addresses on the Internet ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.
Ncrack accepts multiple host specifications on the command line, and they don't need to be the same type. The command ncrack scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- -p22 does what you would expect.
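Because a single token can expand to anything from one host to the whole Internet, it pays to check the scope of a target list before an audit run. The Python below is an added example, not code from Ncrack: it expands the target syntax described above (CIDR suffixes on addresses or hostnames, comma lists and ranges per octet, and the 0/255 defaults for an omitted range bound) and counts addresses without enumerating them. The function names and the resolve callback are my own; DNS is consulted only for a hostname/numbits token, and the expansion of 192.168.x.y/24 includes the .0 and .255 addresses, as the text states Ncrack's does.

```python
import ipaddress
import itertools
import re
import socket
from typing import Callable, Iterator, List

_OCTET_RANGE = re.compile(r"^(\d*)-(\d*)$")
_PLAIN_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_OCTET_SPEC = re.compile(r"^[0-9,\-]+(\.[0-9,\-]+){3}$")


def _expand_octet(field: str) -> List[int]:
    """One octet field: '7', '3-5', '-', '0-', '-100', or a comma list of those.
    An omitted left bound defaults to 0, an omitted right bound to 255."""
    values: List[int] = []
    for part in field.split(","):
        m = _OCTET_RANGE.match(part)
        if m:
            lo = int(m.group(1)) if m.group(1) else 0
            hi = int(m.group(2)) if m.group(2) else 255
        elif part.isdigit():
            lo = hi = int(part)
        else:
            raise ValueError(f"bad octet field {part!r}")
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def _cidr_bits(bits: str) -> int:
    n = int(bits)
    if not 0 <= n <= 32:
        raise ValueError(f"CIDR prefix out of range: /{bits}")
    return n


def expand_target(spec: str,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Iterator[str]:
    """Yield every address one Ncrack target token covers.

    /numbits keeps the first numbits bits of the reference address (a hostname is
    resolved first); octet ranges expand each octet independently; a bare hostname
    is yielded unchanged, since Ncrack resolves it at run time."""
    host, _, bits = spec.partition("/")
    if bits:
        ref = host if _PLAIN_IPV4.match(host) else resolve(host)
        net = ipaddress.IPv4Network(f"{ref}/{_cidr_bits(bits)}", strict=False)
        # Iterating the network object includes the network and broadcast addresses.
        for addr in net:
            yield str(addr)
    elif _OCTET_SPEC.match(host):
        fields = [_expand_octet(f) for f in host.split(".")]
        for octets in itertools.product(*fields):
            yield ".".join(map(str, octets))
    else:
        yield host


def count_targets(spec: str) -> int:
    """Number of addresses a token covers, computed without enumerating them
    (and without any DNS lookup, since the count depends only on the prefix)."""
    host, _, bits = spec.partition("/")
    if bits:
        return 2 ** (32 - _cidr_bits(bits))
    if _OCTET_SPEC.match(host):
        total = 1
        for f in host.split("."):
            total *= len(_expand_octet(f))
        return total
    return 1


if __name__ == "__main__":
    # Constructed scope check over the tokens used in the text above.
    for token in ["192.168.10.40/24", "192.168.0-255.1-254", "192.168.3-5,7.1", "10.0.0,1,3-7.-"]:
        print(f"{token:24} -> {count_targets(token)} addresses")
    print(list(expand_target("192.168.3-5,7.1")))
```

Running the scope check before the real invocation catches the classic mistake of a /8 where a /24 was meant; Ncrack's own -sL option does the authoritative dry run once the services are added.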
While targets are usually specified on the command lines, the following options are also available to control target selection:
-iX inputfilename (Input from Nmap's -oX XML output format)
-iN inputfilename (Input from Nmap's -oN Normal output format)
-iL inputfilename (Input from list)
--exclude host1[,host2[,...]] (Exclude hosts/networks)
--excludefile exclude_file (Exclude list from file)
SERVICE SPECIFICATION
No cracking session can be carried out without targeting a certain service to attack. Service specification is one of the most flexible subsystems of Ncrack and collaborates with target-specification in a way that allows different option combinations to be applied. For Ncrack to start running, you will have to specify at least one target host and one associated service to attack. Ncrack provides ways to specify a service by its default port number, by its name (as extracted from the ncrack-services file) or both. Normally, you need to define both name and port number only in the special case where you know that a particular service is listening on a non-default port.
Ncrack offers two distinct ways with which services will be applied to your targets: per-host service specification and global specification.
Per-host service specification
[service-name]://target:[port-number]
where target is a hostname or IP address in any of the formats described in the target-specification section, [service-name] is one of the common service names as defined in the ncrack-services file (e.g. ssh, http) and [port-number] is what it obviously means. Ncrack can determine the default port numbers for each of the services it supports, as well as deduce the service name when a default port number has been specified. Specifying both has meaning only when the user has a priori knowledge of a service listening on a non-default port number. This can easily be determined by using version detection like the one offered by Nmap's -sV option.
Example 2. Per-host service specification example
$ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910
The above command will try to crack the following hosts: scanme.nmap.org on the SSH service (default port 22), 10.0.0.10 on the FTP service (default port 21) and 192.168.1.0 - 192.168.1.255 (the whole class C subnet) on the SSH service on the non-default port 5910, which has been explicitly specified. In the last case, Ncrack wouldn't be able to determine that the subnet hosts are to be scanned against the SSH service on that particular port without the user explicitly asking for it, because there isn't any mapping of port number 5910 to the SSH service.
Global service specification
-p [service1]:[port-number1],[service2]:[port-number2],...
As usual, you need not specify both service name and port number since Ncrack knows the mappings of default services to default port numbers. Be careful though not to include any space between each service name and/or port number, because Ncrack will think that the argument after the space is a host as per the rule "everything that isn't an option is a target specification".
Example 3. Global service specification example
$ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet
The above command will try to crack all of the specified hosts scanme.nmap.org, 10.0.0.120, 10.0.0.121, 10.0.0.122 and the C class subnet of 192.168.2.0 against the following services: SSH service (mapped from default port 22), FTP service on non-default port 3210, and TELNET service on default port 23.
Of course, Ncrack allows you to combine both modes of service specification if you deem that necessary. Normally, you will only need to specify a couple of services, but cracking a lot of hosts against many different services might be a long-term project for large networks that need to be consistently audited for weak passwords. If you are in doubt about which hosts and services are going to be cracked with the current command, you can use the -sL option (see below for explanation).
SERVICE OPTIONS
Apart from general service specification, Ncrack allows you to provide a multitude of options that apply to each or a subset of your targets. Options include timing and performance optimizations (which are thoroughly analyzed in a separate section), SSL enabling/disabling and other module-specific parameters like the relative URL path for the HTTP module. Options can be defined in a variety of ways which include: per-host options, per-module options and global options. Since a combination of these options may be used, there is a strict hierarchy of precedence which will be discussed later.
Per-host Options
[service-name]://target:[port-number],opt1=optval1,opt2=optval,...
The format concerning the service specification which comes before the options, has been explained in the previous section. optN is referring to any of the option names that are available (a list will follow below), while optvalN determines the value of that option and depends on the nature of it. For example, most timing-related options expect to receive numbers as values, while the path option obviously needs a string argument.
Per-module Options
-m service-name:opt1=optval1,opt2=optval2,...
This option can be invoked multiple times, for as many different services as you might need to define service-wide applicable options. Each iteration of this option must refer to only one service. However, to avoid confusion, this option had better not be called more than one time for the same service, although this is allowed and the last iteration will take precedence over the previous ones for all redefined option values.
Global Options
-g opt1=optval1,opt2=optval2,...
This acts as a convenience option, where you can apply options to all services globally. Everything else regarding the available options and option values is the same as the previous modes.
List of available Service Options
Below follows a list of all the currently available service options. You can apply them with any of the three modes described above. The last six of the options are timing related and will be analyzed in Section "Timing and Performance" of this manual.
ssl: enable SSL over this service
path: path-name used in modules like HTTP ('=' needs escaping if used)
db: used in modules like MongoDB to specify the database
domain: used in modules like WinRM to specify the domain
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay time between each connection initiation
cr (connection retries): caps number of service connection attempts
to (time-out): maximum cracking time for service, regardless of success so far
ssl (Enable/Disable SSL over service)
path <name> (Path name for relative URLs)
Also be careful with the symbol '=', since it is used by Ncrack for argument parsing and you will have to escape it if it is included in the URL.
By default, the path name is initialized to '/', but will be ignored by services that do not require it.
db <name> (Database name)
By default, the db name for MongoDB is initialized to 'admin' but will be ignored by services that do not require it.
domain <name> (Domain name)
By default, the domain name for WinRM is initialized to 'Workstation' but will be ignored by services that do not require it.
Service Option Hierarchy
As already noted, Ncrack allows a combination of the three different modes of service option specification. In that case, there is a strict hierarchy that resolves the order in which conflicting values for these options take precedence over each other. The order is as follows, leftmost being the highest priority and rightmost the lowest one:
Per-host options > Per-module options > Global options > Timing-Template (for timing options only)
The concept of the "Timing-Template" will be explained in the Section "Timing and Performance", but for now just keep in mind that its values have the lowest precedence of all and essentially act as defaults for everything timing-related. Global options specified with -g have the next higher precedence, and -m per-module options are higher still. At the top of the hierarchy reside the per-host options, which are the most specific ones. The pattern, then, is: the more specific the option, the higher its precedence.
Example 4. Service Option Hierarchy example
$ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3
The example demonstrates the precedence hierarchy. The services that are going to be cracked are SSH for scanme.nmap.org and FTP for hosts 10.0.0.120 and 10.0.0.20. No particular timing template has been specified and thus the default will be used (Normal - 3). The per-host options for scanme.nmap.org define that the minimum connection limit (cl) is 10 and that Ncrack should attempt only 1 authentication try (at) per connection. These values would override any other for the SSH service of host scanme.nmap.org if there were conflicts with other modes. Since a global option of -g CL=3 was defined and there is no other higher-precedence value for the SSH service of scanme.nmap.org in particular, this value will also be applied. As for the FTP targets, the per-module -m ftp:CL=1 defined for all FTP services will override the equivalent global one. All this can get quite complex if overused, but these options are not expected to be leveraged by the average Ncrack user anyway. Complicated network scanning scenarios might require them, though. To make certain the results are the ones you expect, don't forget to use the -sL option, which prints out details about what Ncrack would crack if invoked normally. You can add the debugging -d option if you want even more verbose output. For the above example, Ncrack would print the following:
Example 5. Service Option Hierarchy Output example
$ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d

Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT

----- [ Timing Template ] -----
cl=7, CL=80, at=0, cd=0, cr=30, to=0

----- [ ServicesTable ] -----
SERVICE             cl   CL   at   cd   cr   to   ssl  path  db     domain
ftp:21              N/A  1    N/A  N/A  N/A  N/A  no   null  null   null
ssh:22              N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
telnet:23           N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
http:80             N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
pop3:110            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
imap:143            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
netbios-ssn:445     N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
smb:445             N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
smb:139             N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
https:443           N/A  N/A  N/A  N/A  N/A  N/A  yes  null  null   null
owa:443             N/A  N/A  N/A  N/A  N/A  N/A  yes  null  null   null
sip:5060            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
pop3s:995           N/A  N/A  N/A  N/A  N/A  N/A  yes  null  null   null
mssql:1433          N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
mysql:3306          N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
ms-wbt-server:3389  N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
rdp:3389            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
psql:5432           N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
vnc:5801            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
vnc:5900            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
vnc:5901            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
vnc:6001            N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
redis:6379          N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
winrm:5985          N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   Workstation
winrm:5986          N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   Workstation
cassandra:9160      N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
cassandra:9042      N/A  N/A  N/A  N/A  N/A  N/A  no   null  null   null
mongodb:27017       N/A  N/A  N/A  N/A  N/A  N/A  no   null  admin  null

----- [ Targets ] -----
Host: 45.33.32.156 ( scanme.nmap.org )
  ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
Host: 10.0.0.120
  ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
Host: 10.0.0.20
  ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation

Ncrack done: 3 services would be scanned.
Probes sent: 0 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
The ServicesTable just lists the per-module options for all available services. As you can see, the only defined option is CL for the FTP service. The Targets table is the most important part of this output and lists all targets and associated options according to the command-line invocation. No network operation takes place in this mode, apart from forward DNS resolution for hostnames (like scanme.nmap.org in this example).
TIMING AND PERFORMANCE
The timing engine is perhaps the most important part of any serious network authentication cracking tool. Ncrack's timing engine offers a great many options for optimization and can be bent to serve virtually any user need. As Ncrack progresses, this subsystem is going to evolve into a dynamic autonomous engine that will be able to automatically adjust its behaviour according to the network feedback it gets, in order to achieve maximum performance and precision without any user intervention.
Some options accept a time parameter. This is specified in seconds by default, though you can append ‘ms’, ‘m’, or ‘h’ to the value to specify milliseconds, minutes, or hours (‘s’ for seconds is redundant). So the cd (connection delay) arguments 900000ms, 900s, and 15m all do the same thing.
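The precedence rule from the Service Option Hierarchy section and the time-unit convention just described are easy to get wrong on a long command line, so here is an added example (my own Python, not Ncrack code) that models both: it parses per-host specs, -p, -m and -g arguments, resolves the effective options for each target in the order per-host > per-module > global > timing template, and normalizes cd/to values to milliseconds the way Ncrack prints them. The service/port table is an assumed subset of ncrack-services, the template values are those printed for template 3 in Example 5, and the sample command is Example 4. The model applies precedence only: it does not reproduce the reconciliation of cl against CL that Example 5's real output shows (ssh ending with CL=10, ftp with cl=3), and it does not handle IPv6 hosts or wildcard targets.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed subset of the ncrack-services name/port mapping.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443, "rdp": 3389}
PORT_SERVICES = {p: s for s, p in SERVICE_PORTS.items()}

# Lowest precedence: timing template 3 values as printed in Example 5, plus module defaults.
TEMPLATE_DEFAULTS = {"cl": 7, "CL": 80, "at": 0, "cd": 0, "cr": 30, "to": 0,
                     "ssl": "no", "path": "/", "db": "admin", "domain": "Workstation"}
INT_OPTS = {"cl", "CL", "at", "cr"}
TIME_OPTS = {"cd", "to"}
STR_OPTS = {"path", "db", "domain"}
_TIME = re.compile(r"^(\d+)(ms|s|m|h)?$")


def parse_time(value: str) -> int:
    """Ncrack time parameter -> milliseconds. Seconds by default; ms/s/m/h suffixes."""
    m = _TIME.match(value.strip())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    n, unit = int(m.group(1)), m.group(2) or "s"
    return n * {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}[unit]


def parse_opts(text: str) -> Dict[str, object]:
    """'cl=10,at=1,to=8h' -> typed dict. A bare 'ssl' is a flag; '\\=' is an escaped '='."""
    opts: Dict[str, object] = {}
    for item in filter(None, text.split(",")):
        key, eq, val = item.partition("=")
        if key == "ssl" and not eq:
            opts["ssl"] = "yes"
        elif key in TIME_OPTS:
            opts[key] = parse_time(val)
        elif key in INT_OPTS:
            opts[key] = int(val)
        elif key in STR_OPTS:
            opts[key] = val.replace("\\=", "=")
        else:
            raise ValueError(f"unknown service option {key!r}")
    return opts


def parse_service(entry: str) -> Tuple[str, int]:
    """One -p entry: '22' | 'ftp' | 'ftp:3210' -> (name, port) via the default mappings."""
    name, _, port = entry.partition(":")
    if name.isdigit():
        return PORT_SERVICES[int(name)], int(name)
    return name, (int(port) if port else SERVICE_PORTS[name])


def parse_host_spec(spec: str) -> Tuple[str, Optional[str], Optional[int], Dict[str, object]]:
    """'[svc://]host[:port][,opt=val,...]' -> (host, service, port, per-host options)."""
    service: Optional[str] = None
    if "://" in spec:
        service, spec = spec.split("://", 1)
    head, _, opt_text = spec.partition(",")
    host, _, port_text = head.partition(":")
    port = int(port_text) if port_text else None
    if service and port is None:
        port = SERVICE_PORTS[service]
    if port is not None and service is None:
        service = PORT_SERVICES.get(port)
        if service is None:  # no default mapping: the user must say svc://host:port
            raise ValueError(f"no default service for port {port}; use svc://{host}:{port}")
    return host, service, port, parse_opts(opt_text)


def resolve_targets(host_specs: Iterable[str], p_list: str = "",
                    module_opts: Iterable[str] = (), global_opts: str = "") -> List[dict]:
    """Effective options per (host, service): per-host > -m > -g > template."""
    module: Dict[str, Dict[str, object]] = {}
    for m in module_opts:
        svc, _, text = m.partition(":")
        module.setdefault(svc, {}).update(parse_opts(text))
    global_ = parse_opts(global_opts)
    p_services = [parse_service(e) for e in filter(None, p_list.split(","))]
    targets = []
    for spec in host_specs:
        host, service, port, host_opts = parse_host_spec(spec)
        services = [(service, port)] if service else p_services
        for svc, prt in services:
            opts = dict(TEMPLATE_DEFAULTS)      # timing template: lowest precedence
            opts.update(global_)                # -g
            opts.update(module.get(svc, {}))    # -m svc:...
            opts.update(host_opts)              # per-host options win
            targets.append({"host": host, "service": svc, "port": prt, "opts": opts})
    return targets


def format_target(t: dict) -> str:
    """Render one target line in the style of the -sL -d Targets table."""
    o = t["opts"]
    return (f"{t['service']}:{t['port']} cl={o['cl']}, CL={o['CL']}, at={o['at']}, cd={o['cd']}, "
            f"cr={o['cr']}, to={o['to']}ms, ssl={o['ssl']}, path={o['path']}, db={o['db']}, "
            f"domain={o['domain']}")


if __name__ == "__main__":
    # Example 4's command line, split into its parts.
    for t in resolve_targets(["scanme.nmap.org:22,cl=10,at=1", "10.0.0.120", "10.0.0.20"],
                             p_list="21", module_opts=["ftp:CL=1"], global_opts="CL=3"):
        print(f"Host: {t['host']}\n  {format_target(t)}")
```

Comparing this model's output with the real -sL -d listing is a quick way to confirm that a complex invocation applies the options you intended before any connection is made.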
cl num-minconnections; CL num-maxconnections (Adjust number of concurrent parallel connections)
Connection Limit
These options control the total number of connections that may be outstanding for any service at the same time. Normally, Ncrack tries to dynamically adjust the number of connections for each individual target by counting how many drops or connection failures happen. If a strange network condition occurs that signifies something may be going wrong, like the host dropping any new connection attempts, then Ncrack will immediately lower the total number of connections hitting the service. However, the caps on the minimum or maximum number of connections that will take place can be overridden using these two options. By properly adjusting them, you can essentially optimize performance, if you can handle the tricky part of knowing or discovering your target's own limits. The convention here is that cl in lowercase refers to the minimum connection limit, while CL in uppercase refers to the maximum number of connections.
The most common usage is to set cl (minimum connection limit) for targets that you are almost certain are going to withstand that many connections at any given time. This is a risky option to play with, as setting it too high might actually do more harm than good by effectively DoS-attacking the target and triggering firewall rules that will ban your IP address.
On the other hand, for more stealthy missions, setting the CL (maximum connection limit) to a low value might be what you want. However, setting it too low will surely have a great impact on overall cracking speed. For maximum stealth, this can be combined with the cd (connection delay) described below.
at num-attempts (Adjust authentication attempts per connection)
Authentication Tries
Using this option, you can order Ncrack to limit the authentication attempts it carries out per connection. Ncrack initially sends a reconnaissance probe that lets it calculate the maximum number of such authentication tries and from then on always tries to use that number. Most services impose an upper limit on the number of authentication attempts per connection, and in most cases finding that maximum leads to better performance.
Setting this option to lower values can give you some stealth bonus, since services such as SSH tend to log failed attempts after more than a certain number of authentication tries per connection. They use that as a metric rather than counting the total number of authentication attempts or connections per IP address (which is usually done by a firewall). Consequently, a number of 1 or 2 authentication tries might circumvent logging in some cases.
Note that setting this option to a high value will not have any effect if Ncrack realizes that the server doesn't allow that many attempts per connection. In this case, it will just use that maximum number and ignore your setting.
cd time (Adjust delay time between each new connection)
Connection Delay
This option essentially defines the imposed time delay between each new connection. Ncrack will wait the amount of time you specify in this option value before starting a new connection against the given service. The higher you set it, the slower Ncrack will perform, but the stealthier your attack will become.
Ncrack by default tries to initiate new connections as fast as possible, provided that new probes are actually allowed to be sent and are not restricted by parameters such as the Connection Limit, which can dynamically increase or decrease. Although this approach achieves blazing speed as long as the host remains responsive, it can lead to a number of disasters, such as a firewall being triggered, the targets' or your own bandwidth being exhausted, and even the tested service suffering a Denial of Service. By carefully adjusting this option, you can potentially avoid these annoying situations.
cr max-conattempts (Adjust the max number of connection retries)
Connection Retries
This option allows the user to specify the maximum number of consecutive failed connection attempts against that particular service. If at any time during the cracking session Ncrack exceeds that number of consecutive failures while connecting to the service, it will stop cracking it entirely.
to time (Adjust the maximum overall cracking time)
Timeout
Define how much time Ncrack is going to spend cracking the service, before giving up regardless of whether it has found any credentials so far. However, any authentication token discovered until that time, will be stored and printed normally. Ncrack marks a service as finished when the username/password lists iteration ends or when it can no longer crack it for some serious reason. If Ncrack finishes cracking a service before the time specified in this option, then it will not be taken into account at all.
Sometimes, you have a limited time window to scan/crack your hosts. This might occur for various reasons. A common one would be that normal user activity mustn't be interrupted, and since Ncrack can become very aggressive, it might be allowed to scan the hosts only during certain periods, such as the night hours. Scanning during such hours is also likely to make an attack less detectable.
Don't forget that Ncrack allows you to specify the time unit of measure by appending ‘ms’, ‘m’, or ‘h’ for milliseconds, minutes or hours (seconds is the default time unit). Using them in this particular option is really convenient, as you can specify something like to=8h to give Ncrack a total of 8 hours to crack that service. Setting up cron jobs for scheduled scans in combination with this option might also be a good idea.
-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
These templates allow the user to specify how aggressive they wish to be, while leaving Ncrack to pick the exact timing values. If you know that the network service is going to withstand a huge number of connections you might try using the aggressive template -T4. Even then, this is mostly advised for services residing in the local network. Going over to insane mode -T5 is not recommended, unless you absolutely know what you are doing.
While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long time to crack even a few services. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned -T0 and -T1 values.
--connection-limit numprobes (Adjust the threshold of total concurrent connections)
AUTHENTICATION
This section describes ways of specifying your own username and password lists as well as the available modes of iterating over them. Ncrack ships with a variety of username and password lists which reside under the directory 'lists' of the source tarball and are later installed under Ncrack's data directory, which is usually /usr/local/share/ncrack or /usr/share/ncrack. You can omit specifying any lists and Ncrack is going to use the default ones, which contain some of the most common usernames and passwords. The password list is frequency-sorted with the most common passwords at the beginning of the list so they will be tried out first. The lists have been derived from a combination of sorting publicly leaked password files and other techniques.
-U filename (Specify username list)
Usernames for specific environments can be gathered in numerous ways including harvesting for email addresses on the company's website, looking up information in whois databases, using the SMTP VRFY technique at vulnerable mail servers or through social engineering.
-P filename (Specify password list)
Common passwords are usually derived from leaked lists as a result of successful intrusions in public sites such as forums or other social networking places. A great deal of them have already been publicly disclosed and some of these have been used to assemble Ncrack's own lists.
--user username_list (Specify command-line comma-separated username list)
--pass password_list (Specify command-line comma-separated password list)
--passwords-first (Reverse the way passwords are iterated)
Most network authentication cracking tools prefer by default to iterate the password list for each username. This is, however, ineffective compared to the opposite iteration in most cases. This holds true for the simple reason that password lists are usually sorted on a frequency basis, meaning that the more common a password is, the closer to the beginning of the password list it is. Thus, iterating over all usernames for the most common passwords first has usually more chances to get a positive result. With the --passwords-first iteration, very common passwords might not even be tried out for certain usernames if the user chooses to abort the session early. However, this option might prove valuable for cases where the attacker knows and has already verified that the username list contains real usernames, instead of blindly bruteforcing through them.
--pairwise (Choose usernames and passwords in pairs)
OUTPUT
Any security tool is only as useful as the output it generates. Complex tests and algorithms are of little value if they aren´t presented in an organized and comprehensible fashion. Of course, no single format can please everyone. So Ncrack offers several formats, including the interactive mode for humans to read directly and XML for easy parsing by software.
In addition to offering different output formats, Ncrack provides options for controlling the verbosity of output as well as debugging messages. Output types may be sent to standard output or to named files, which Ncrack can append to or clobber.
Ncrack makes output available in three different formats. The default is called interactive output, and it is sent to standard output (stdout). There is also normal output, which is similar to interactive except that it displays less runtime information and warnings since it is expected to be analyzed after the scan completes rather than interactively.
XML output is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Ncrack graphical user interfaces, or imported into databases. Currently, XML output hasn't been implemented.
While interactive output is the default and has no associated command-line options, the other two format options use the same syntax. They take one argument, which is the filename that results should be stored in. Multiple formats may be specified, but each format may only be specified once. For example, you may wish to save normal output for your own review while saving XML of the same scan for programmatic analysis. You might do this with the options -oX myscan.xml -oN myscan.ncrack. While this chapter uses the simple names like myscan.xml for brevity, more descriptive names are generally recommended. The names chosen are a matter of personal preference. A scheme could be using long filenames that incorporate the scan date and a word or two describing the scan, placed in a directory named after the company that is being scanned.
While these options save results to files, Ncrack still prints interactive output to stdout as usual. For example, the command ncrack -oX myscan.xml [target] prints XML to myscan.xml and fills standard output with the same interactive results it would have printed if -oX wasn't specified at all. You can change this by passing a hyphen character as the argument to one of the format types. This causes Ncrack to deactivate interactive output, and instead print results in the format you specified to the standard output stream. So the command ncrack -oX - target will send only XML output to stdout. Serious errors may still be printed to the normal error stream, stderr.
Unlike some Ncrack arguments, the space between the logfile option flag (such as -oX) and the filename or hyphen is mandatory.
All of these arguments support strftime-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as in strftime. %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. A % followed by any other character just yields that character (%% gives you a percent symbol). So -oX 'scan-%T-%D.xml' will use an XML file in the form of scan-144840-121307.xml.
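The conversion rules above are small enough to implement exactly; the following added example (not Ncrack's own code) expands an output filename specification for a given timestamp, and reproduces the scan-144840-121307.xml result from the manual. How Ncrack treats a lone trailing % is not stated on this page, so keeping it literally is an assumption.

```python
from datetime import datetime

# Added example, not Ncrack's own code: expands the strftime-like filename
# conversions the manual describes for -oN/-oX/-oA.

STRFTIME_PASSTHROUGH = set("HMSmdyY")            # identical to strftime
SHORTCUTS = {"T": "%H%M%S", "R": "%H%M", "D": "%m%d%y"}  # Ncrack shorthands

def expand_output_name(spec: str, when: datetime) -> str:
    """Return the filename Ncrack would use for `spec` at time `when`."""
    out = []
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(spec):
            # Trailing lone '%': behaviour unspecified by the manual;
            # assumption here is to keep it literally.
            out.append("%")
            break
        nxt = spec[i + 1]
        if nxt in STRFTIME_PASSTHROUGH:
            out.append(when.strftime("%" + nxt))
        elif nxt in SHORTCUTS:
            out.append(when.strftime(SHORTCUTS[nxt]))
        else:
            # Any other character (including '%') yields that character.
            out.append(nxt)
        i += 2
    return "".join(out)

if __name__ == "__main__":
    # Constructed timestamp: 2007-12-13 14:48:40, matching the manual's example.
    sample = datetime(2007, 12, 13, 14, 48, 40)
    print(expand_output_name("scan-%T-%D.xml", sample))  # scan-144840-121307.xml
```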
Ncrack also offers options to control scan verbosity and to append to output files rather than clobbering them. All of these options are described below.
Ncrack Output Formats
-oN filespec (normal output)
-oX filespec (XML output)
-oA basename (Output to all formats)
Verbosity and debugging options
-v (Increase verbosity level)
-d [level] (Increase or set debugging level)
Debugging output is useful when a bug is suspected in Ncrack, or if you are simply confused as to what Ncrack is doing and why. As this feature is mostly intended for developers, debug lines aren't always self-explanatory. If you don't understand a line, your only recourses are to ignore it, look it up in the source code, or request help from the development list (nmap-dev). Some lines are self-explanatory, but the messages become more obscure as the debug level is increased.
--nsock-trace level (Set nsock trace level)
--log-errors (Log errors/warnings to normal mode output file)
An alternative to --log-errors is redirecting interactive output (including the standard error stream) to a file. Most Unix shells make this approach easy, though it can be difficult on Windows.
Miscellaneous output options
--append-output (Append to rather than clobber output files)
MISCELLANEOUS OPTIONS
This section describes some important (and not-so-important) options that don't really fit anywhere else.
--resume file (Continue previously saved session)
-f (Quit cracking service after one found credential)
Frequently, attackers will try cracking several services in parallel to maximize the chances of finding a pair of valid credentials. Given that a network is no stronger than its weakest link, this option and especially the -f -f counterpart will often be used to lessen chances of detection and prevent network resources from being wasted aimlessly.
-6 (Enable IPv6 scanning)
The command syntax is the same as usual except that you also add the -6 option. Of course, you must use IPv6 syntax if you specify an address rather than a hostname. An address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended. The output looks the same as usual, with the IPv6 address on the “Discovered credentials” line being the only IPv6 giveaway.
While IPv6 hasn´t exactly taken the world by storm, it gets significant use in some (usually Asian) countries and most modern operating systems support it. To use Ncrack with IPv6, both the source and target of your scan must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and will probably work fine with Ncrack. A popular IPv6 tunnel broker service is at http://www.tunnelbroker.net. 6to4 tunnels are another popular, free approach.
-sL (List Scan)
--datadir directoryname (Specify custom Ncrack data file location)
--proxy type://proxy:port (Make connections via socks4, 4a, http)
-V; --version (Print version number)
-h; --help (Print help summary page)
RUNTIME INTERACTION
During the execution of Ncrack, all key presses are captured. This allows you to interact with the program without aborting and restarting it. Certain special keys will change options, while any other keys will print out a status message telling you about the scan. The convention is that lowercase letters increase the amount of printing, and uppercase letters decrease the printing. You may also press ‘?’ for help.
v / V
d / D
p / P
?
Anything else
Stats: 0:00:20 elapsed; 0 services completed (1 total)
Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17 remaining)
MODULES
Ncrack's architecture is modular, with each module corresponding to one particular service or protocol. Currently, Ncrack supports the protocols SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA. If you want to write and contribute your own Ncrack modules, be sure to read the Ncrack Developer's Guide at http://nmap.org/ncrack/devguide.html. Below we describe some key points for each of them.
FTP Module
Telnet Module
SSH Module
SSH bruteforcing holds many pitfalls and challenges, and you are well advised to read a paper that was written to explain them. The latest version of the "Hacking the OpenSSH library for Ncrack" document can be found under docs/openssh_library.txt or at http://sock-raw.org/papers/openssh_library
HTTP(S) Module
SMB Module
RDP Module
RDP is one of the most complex protocols, requiring the exchange of many packets, even for just the authentication phase. For this reason, cracking it takes a lot of time and this is probably the slowest module. The connection phase is briefly described at http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can also see a diagram of the various packets involved. Care must be taken against RDP servers in Windows XP versions, since they can't handle multiple connections at the same time. It is advised to use a very slow timing template or, even better, limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and related) RDP servers. Windows Vista and above don't suffer from the same limitation.
VNC Module
POP3(S) Module
IMAP Module
SIP Module
Redis Module
PostgreSQL Module
MySQL Module
MySQL Module
MongoDB Module
Cassandra Module
OWA Module
WinRM Module
DICOM Module
Association: This is the initial step that almost all PACS servers require. By sending an A-ASSOCIATE request with the correct called Application Entity Title (AET), the client associates with the server and can then go on to perform query / retrieve requests in the next steps. This is the mode that Ncrack currently supports, by iterating through the username field. Thus, to brute-force the server's AET, you can specify a list of AETs using the -U option and then specify a null password. Example: ncrack dicom://127.0.0.1 -U aet.txt --pass DOESNOTMATTER
Find Service: This step involves being able to query the PACS server for patient studies that are associated with DICOM images. This takes place after the client has performed the Association phase. A C-FIND request must be sent with the correct calling AET. Knowing the correct allowed client AET (or calling AET) is required by securely configured PACS servers. Many PACS servers by default do not require this.
Retrieve Images: This step allows a client to retrieve DICOM images. The most hardened PACS servers will require the client to have a specific allowed IP configured in order to send a C-MOVE / C-STORE request after the above two steps have been performed.
MQTT Module
Wordpress Module
CVS Module
BUGS
Like its authors, Ncrack isn't perfect. But you can help make it better by sending bug reports or even writing patches. If Ncrack doesn't behave the way you expect, first upgrade to the latest version available from http://nmap.org/ncrack. If the problem persists, do some research to determine whether it has already been discovered and addressed. Try searching for the error message on our search page at http://insecure.org/search.html or at Google. Also try browsing the nmap-dev archives at http://seclists.org/. Read this full manual page as well. If you are developing your own Ncrack module, make sure you have first read the Ncrack Developer's Guide at http://nmap.org/ncrack/devguide.html. If nothing comes of this, mail a bug report to nmap-dev@insecure.org. Please include everything you have learned about the problem, as well as what version of Ncrack you are running and what operating system version it is running on. Problem reports and Ncrack usage questions sent to nmap-dev@insecure.org are far more likely to be answered than those sent to Fyodor directly. If you subscribe to the nmap-dev list before posting, your message will bypass moderation and get through more quickly. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-dev.
Code patches to fix bugs are even better than bug reports. Basic instructions for creating patch files with your changes are available at http://nmap.org/data/HACKING. Patches may be sent to nmap-dev (recommended) or to Fyodor directly.
AUTHORS
ithilgore (Fotios (Fotis) Chantzis) ithilgore@sock-raw.org (http://sock-raw.org)
Fyodor fyodor@insecure.org (http://insecure.org)
NCRACK COPYRIGHT AND LICENSING
While it isn't distributed with Nmap, Ncrack is part of the Nmap project and falls under the same license and (non) warranty provisions, as described at http://nmap.org/book/man-legal.html.
08/23/2019 | Ncrack |