NCRACK(1)                   Ncrack Reference Guide                   NCRACK(1)

NAME

       ncrack - Network authentication cracking tool


SYNOPSIS

       ncrack [Options] {target specification}


DESCRIPTION

       Ncrack is an open source tool for network authentication cracking. It
       was designed for high-speed parallel cracking using a dynamic engine
       that can adapt to different network situations. Ncrack can also be
       extensively fine-tuned for special cases, though the default parameters
       are generic enough to cover almost every situation. It is built on a
       modular architecture that allows for easy extension to support
       additional protocols. Ncrack is designed for companies and security
       professionals to audit large networks for default or weak passwords in
       a rapid and reliable way. It can also be used to conduct fairly
       sophisticated and intensive brute force attacks against individual
       services.

           Warning
           Ncrack is a new project started in the Summer of 2009. While it is
           already useful for some purposes, it is still unfinished, alpha
           quality software. You can help out by testing it and reporting any
           problems as described in the section called “BUGS”.

       The output from Ncrack is a list of found credentials, if any, for each
       of the targets specified. Ncrack can also print an interactive status
       report of progress so far and, if the user selected that option,
       additional debugging information that can help track down problems.

       A typical Ncrack scan is shown in Example 1. The only Ncrack arguments
       used in this example are the two target IP addresses along with the
       corresponding ports for each of them. The two example ports, 21 and 22,
       are automatically resolved to the default services listening on them:
       ftp and ssh.

       Example 1. A representative Ncrack scan

           $ ncrack 10.0.0.130:21 192.168.1.2:22

           Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2009-07-24 23:05 EEST

           Discovered credentials for ftp on 10.0.0.130 21/tcp:
           10.0.0.130 21/tcp ftp: admin hello1
           Discovered credentials for ssh on 192.168.1.2 22/tcp:
           192.168.1.2 22/tcp ssh: guest 12345
           192.168.1.2 22/tcp ssh: admin money$

           Ncrack done: 2 services scanned in 156.03 seconds.

           Ncrack finished.

       The latest version of Ncrack can be obtained from
       http://nmap.org/ncrack. The latest version of this man page is
       available at http://nmap.org/ncrack/man.html.


OPTIONS SUMMARY

       This options summary is printed when Ncrack is run with no arguments.
       It helps people remember the most common options, but is no substitute
       for the in-depth documentation in the rest of this manual.

           Ncrack 0.2ALPHA ( http://ncrack.org )
           Usage: ncrack [Options] {target and service specification}
           TARGET SPECIFICATION:
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
             -iX <inputfilename>: Input from Nmap's -oX XML output format
             -iN <inputfilename>: Input from Nmap's -oN Normal output format
             -iL <inputfilename>: Input from list of hosts/networks
             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
             --excludefile <exclude_file>: Exclude list from file
           SERVICE SPECIFICATION:
             Can pass target specific services in <service>://target (standard) notation or
             using -p which will be applied to all hosts in non-standard notation.
             Service arguments can be specified to be host-specific, type of service-specific
             (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
             Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
             -p <service-list>: services will be applied to all non-standard notation hosts
             -m <service>:<options>: options will be applied to all services of this type
             -g <options>: options will be applied to every service globally
             Misc options:
               ssl: enable SSL over this service
               path <name>: used in modules like HTTP ('=' needs escaping if used)
           TIMING AND PERFORMANCE:
             Options which take <time> are in seconds, unless you append 'ms'
             (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
             Service-specific options:
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay <time> between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking <time> for service, regardless of success so far
             -T<0-5>: Set timing template (higher is faster)
             --connection-limit <number>: threshold for total concurrent connections
           AUTHENTICATION:
             -U <filename>: username file
             -P <filename>: password file
             --user <username_list>: comma-separated username list
             --pass <password_list>: comma-separated password list
             --passwords-first: Iterate password list for each username. Default is opposite.
           OUTPUT:
             -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
             -oA <basename>: Output in the two major formats at once
             -v: Increase verbosity level (use twice or more for greater effect)
             -d[level]: Set or increase debugging level (Up to 10 is meaningful)
             --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
             --log-errors: Log errors/warnings to the normal-format output file
             --append-output: Append to rather than clobber specified output files
           MISC:
             --resume <file>: Continue previously saved session
             -f: quit cracking service after one found credential
             -6: Enable IPv6 cracking
             -sL or --list: only list hosts and services
             --datadir <dirname>: Specify custom Ncrack data file location
             -V: Print version number
             -h: Print this help summary page.
           MODULES:
             FTP, SSH, TELNET, HTTP(S), POP3(S)
           EXAMPLES:
             ncrack -v --user root localhost:22
             ncrack -v -T5 https://192.168.0.1
             ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
           SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES


TARGET SPECIFICATION

       Everything on the Ncrack command-line that isn't an option (or an
       option argument) is treated as a target host specification. The
       simplest case is to specify a target IP address or a hostname. Note
       that you also need to specify a service to crack for the selected
       targets. Ncrack is very flexible in host/service specification. While
       hostnames and IP addresses can be defined with the flexibility that you
       are probably used to from Nmap, services along with service-specific
       options have a unique specification style that allows a combination of
       features to be used together.

       Sometimes you wish to crack a whole network of adjacent hosts. For
       this, Ncrack supports CIDR-style addressing. You can append /numbits to
       an IPv4 address or hostname and Ncrack will try to crack every IP
       address for which the first numbits are the same as for the reference
       IP or hostname given. For example, 192.168.10.0/24 would send probes to
       the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
       11111111), inclusive. 192.168.10.40/24 would crack exactly the same
       targets. Given that the host scanme.nmap.org is at the IP address
       64.13.134.52, the specification scanme.nmap.org/16 would send probes to
       the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
       smallest allowed value is /0, which targets the whole Internet. The
       largest value is /32, which targets just the named host or IP address
       because all address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you
       might want to send probes to 192.168.0.0/16 but skip any IPs ending
       with .0 or .255 because they may be used as subnet network and
       broadcast addresses. Ncrack supports this through octet range
       addressing. Rather than specify a normal IP address, you can specify a
       comma-separated list of numbers or ranges for each octet. For example,
       192.168.0-255.1-254 will skip all addresses in the range that end in .0
       or .255, and 192.168.3-5,7.1 will target the four addresses
       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
       a range may be omitted; the default values are 0 on the left and 255 on
       the right. Using - by itself is the same as 0-255, but remember to use
       0- in the first octet so the target specification doesn't look like a
       command-line option. Ranges need not be limited to the final octets:
       the specifier will send probes to all IP addresses on the Internet
       ending in 13.37. This sort of broad sampling can be useful for Internet
       surveys and research.

       Ncrack accepts multiple host specifications on the command line, and
       they don't need to be the same type. The command ncrack scanme.nmap.org
       192.168.0.0/8 10.0.0,1,3-7.- -p22 does what you would expect.

       While targets are usually specified on the command line, the following
       options are also available to control target selection:

       -iX inputfilename (Input from Nmap's -oX XML output format)
           Reads target/service specifications from an Nmap XML output file.
           The Nmap XML file is created by scanning any hosts and specifying
           the Nmap -oX option. Ncrack will automatically parse the IP
           addresses and the corresponding ports and services that are open
           and will use these targets for authentication auditing. This is a
           really useful option, since it lets you essentially combine the
           two tools, Nmap and Ncrack, to crack only those services that are
           known to be open. In addition, if version detection has been
           enabled in Nmap (-sV option), Ncrack will use those findings to
           recognize and crack supported services that are listening on
           non-default ports. For example, if a host has a server listening
           on port 41414 and Nmap has identified it as an SSH service, Ncrack
           will use that information to crack it using the SSH module. Of
           course, Ncrack is going to ignore open ports/services that are not
           supported for authentication cracking by its modules.

       -iN inputfilename (Input from Nmap's -oN Normal output format)
           Reads target/service specifications from an Nmap Normal output
           file. The Nmap Normal file is created by scanning any hosts and
           specifying the Nmap -oN option. This works exactly like Ncrack's
           -iX option, the only difference being the format of the input file.

       -iL inputfilename (Input from list)
           Reads target specifications from inputfilename. Passing a huge list
           of hosts is often awkward on the command line, yet it is a common
           desire. For example, you might want to crack a list of very
           specific servers that have been specified for penetration testing.
           Simply generate the list of hosts to crack and pass that filename
           to Ncrack as an argument to the -iL option. Entries can be in any
           of the formats accepted by Ncrack on the command line (IP address,
           hostname, CIDR, octet ranges or Ncrack's special host-service
           syntax). Each entry must be separated by one or more spaces, tabs,
           or newlines. You can specify a hyphen (-) as the filename if you
           want Ncrack to read hosts from standard input rather than an actual
           file. Note, however, that if hosts are specified without any
           service, you will have to also provide services/ports for the
           targets using the -p option.

       --exclude host1[, host2[, ...]] (Exclude hosts/networks)
           Specifies a comma-separated list of targets to be excluded from the
           scan even if they are part of the overall network range you
           specify. The list you pass in uses normal Ncrack syntax, so it can
           include hostnames, CIDR netblocks, octet ranges, etc. This can be
           useful when the network you wish to scan includes untouchable
           mission-critical servers, systems that are known to react adversely
           to heavy load, or subnets administered by other people.

       --excludefile exclude_file (Exclude list from file)
           This offers the same functionality as the --exclude option, except
           that the excluded targets are provided in a newline, space, or tab
           delimited exclude_file rather than on the command line.


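       The CIDR, octet-range and --exclude rules above are easy to misread
       (a forgotten 0- in the first octet, or a /8 where a /24 was meant), so
       a dry run that only counts and lists the expanded addresses is a useful
       check before anything is executed. The following Python is an added
       example and not Ncrack's own code; it implements the specification
       forms described in this section for IPv4 literals only, never resolves
       hostnames, and refuses to enumerate a scope above a configurable size
       (MAX_HOSTS_DEFAULT is this example's own constant). The sample inputs
       in the block are the ones quoted in the text.

```python
"""Dry-run expansion of Ncrack/Nmap-style IPv4 target specifications.

Added example, not Ncrack's own code: it follows the CIDR, octet-range and
--exclude rules described in the TARGET SPECIFICATION section so the size
of a scope can be checked before anything is run, much as -sL does.
Hostnames are deliberately not resolved, so nothing touches the network.
"""
import ipaddress
from typing import Iterable, Iterator, List

MAX_HOSTS_DEFAULT = 65536          # refuse to enumerate anything larger than a /16


def _octet_values(field: str) -> List[int]:
    """Expand one octet field ('7', '3-5,7', '-', '0-', '-254') into integers."""
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo_text, hi_text = part.split("-", 1)
            lo = int(lo_text) if lo_text else 0      # omitted left side defaults to 0
            hi = int(hi_text) if hi_text else 255    # omitted right side defaults to 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r} in {field!r}")
        values.extend(range(lo, hi + 1))
    return values


def _octet_fields(spec: str) -> List[List[int]]:
    """Split an octet-range spec into its four expanded octet lists."""
    if not set(spec) <= set("0123456789.,-"):
        raise ValueError(f"{spec!r}: hostnames are not resolved in this offline example")
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"{spec!r} does not have four octets")
    return [_octet_values(f) for f in fields]


def spec_size(spec: str) -> int:
    """Number of addresses one specification covers, without enumerating it."""
    if "/" in spec:
        # CIDR: 192.168.10.40/24 covers the same 256 addresses as 192.168.10.0/24.
        return ipaddress.ip_network(spec, strict=False).num_addresses
    size = 1
    for values in _octet_fields(spec):
        size *= len(values)
    return size


def expand_spec(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every address of a CIDR or octet-range specification (.0 and .255 included)."""
    if "/" in spec:
        yield from ipaddress.ip_network(spec, strict=False)   # iterating a network yields all
        return
    a, b, c, d = _octet_fields(spec)
    for w in a:
        for x in b:
            for y in c:
                for z in d:
                    yield ipaddress.IPv4Address(f"{w}.{x}.{y}.{z}")


def scope_size(targets: Iterable[str]) -> int:
    """Total address count across several specifications (overlaps are not merged)."""
    return sum(spec_size(t) for t in targets)


def resolve_scope(targets: Iterable[str], excludes: Iterable[str] = (),
                  max_hosts: int = MAX_HOSTS_DEFAULT) -> List[str]:
    """Addresses that would be cracked, with --exclude applied, sorted numerically.

    Raises ValueError instead of expanding a scope larger than max_hosts, which
    catches a stray /0 or a missing '0-' in the first octet before any run.
    """
    targets = list(targets)
    total = scope_size(targets)
    if total > max_hosts:
        raise ValueError(f"specification expands to {total} addresses, limit is {max_hosts}")
    excluded = {addr for e in excludes for addr in expand_spec(e)}
    kept = {addr for t in targets for addr in expand_spec(t)} - excluded
    return [str(addr) for addr in sorted(kept)]


if __name__ == "__main__":
    # Constructed sample: the specifications quoted in the manual text, plus one exclusion.
    print(spec_size("192.168.0-255.1-254"), "addresses once .0 and .255 are skipped in a /16")
    print(resolve_scope(["192.168.3-5,7.1"], excludes=["192.168.4.1"]))
```

       spec_size counts without enumerating, so it can report that 0.0.0.0/0
       is 4,294,967,296 addresses instantly, while resolve_scope refuses to
       expand it at all; that split is what makes the check safe to run on an
       arbitrary command line.
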
SERVICE SPECIFICATION

       No cracking session can be carried out without targeting a certain
       service to attack. Service specification is one of the most flexible
       subsystems of Ncrack and works together with target specification in
       a way that allows different option combinations to be applied. For
       Ncrack to start running, you will have to specify at least one target
       host and one associated service to attack. Ncrack provides ways to
       specify a service by its default port number, by its name (as
       extracted from the ncrack-services file) or both. Normally, you need
       to define both name and port number only in the special case where
       you know that a particular service is listening on a non-default
       port.

       Ncrack offers two distinct ways in which services can be applied to
       your targets: per-host service specification and global specification.

       Per-host service specification

           Services specified in this mode are written next to the host and
           apply to it only. Keep in mind, however, that target specification
           allows wildcards/netmasks, which essentially means that applying a
           per-host service specification to such a target will affect all
           of the hosts it expands to. The general format is:

            [service-name]://target:[port-number]

           where target is a hostname or IP address in any of the formats
           described in the target-specification section, [service-name] is
           one of the common service names as defined in the ncrack-services
           file (e.g. ssh, http) and [port-number] is the port to connect to.
           Ncrack can determine the default port numbers for each of the
           services it supports, as well as deduce the service name when a
           default port number has been specified. Specifying both has
           meaning only when the user has a priori knowledge of a service
           listening on a non-default port number. This can easily be
           determined by using version detection such as that offered by
           Nmap's -sV option.

           Example 2. Per-host service specification example

               $ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910

           The above command will try to crack the hosts scanme.nmap.org on
           the SSH service (default port 22), 10.0.0.10 on the FTP service
           (default port 21) and 192.168.1.0 - 192.168.1.255 (all of this
           class C subnet) on the SSH service on the non-default port 5910,
           which has been explicitly specified. In the last case, Ncrack
           wouldn't be able to determine that the subnet hosts are to be
           scanned against the SSH service on that particular port without
           the user explicitly asking for it, because there isn't any mapping
           of port number 5910 to the service SSH.

       Global service specification

           Services specified in this mode are applied to all hosts that
           haven't been associated with the per-host service specification
           format. This is done using the -p option. While this facility may
           look similar to Nmap's, you should not confuse the two, since the
           functionality is of a slightly different nature. Services can be
           specified using comma-separated directives of the general format:

            -p [service1]:[port-number1],[service2]:[port-number2],...

           As usual, you need not specify both service name and port number,
           since Ncrack knows the mappings of default services to default
           port numbers. Be careful, though, not to include any space between
           each service name and/or port number, because Ncrack will treat
           the argument after the space as a host, as per the rule
           "everything that isn't an option is a target specification".

           Example 3. Global service specification example

               $ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet

           The above command will try to crack all of the specified hosts
           (scanme.nmap.org, 10.0.0.120, 10.0.0.121, 10.0.0.122 and the
           class C subnet 192.168.2.0/24) against the following services:
           SSH (mapped from default port 22), FTP on the non-default port
           3210, and TELNET on the default port 23.

       Of course, Ncrack allows you to combine both modes of service
       specification if you deem that necessary. Normally, you will only
       need to specify a couple of services, but cracking a lot of hosts
       against many different services might be a long-term project for
       large networks that need to be consistently audited for weak
       passwords. If you are in doubt about which hosts and services are
       going to be cracked with the current command, you can use the -sL
       option (see below for an explanation).


SERVICE OPTIONS

       Apart from general service specification, Ncrack allows you to provide
       a multitude of options that apply to each or a subset of your targets.
       Options include timing and performance optimizations (which are
       thoroughly analyzed in a separate section), SSL enabling/disabling and
       other module-specific parameters like the relative URL path for the
       HTTP module. Options can be defined in a variety of ways, which include
       per-host options, per-module options and global options. Since a
       combination of these options may be used, there is a strict hierarchy
       of precedence, which will be discussed later.

       Per-host Options

           Options in this mode apply only to the host(s) they refer to and
           are written next to the host according to the following format:

            [service-name]://target:[port-number],opt1=optval1,opt2=optval2,...

           The format of the service specification that comes before the
           options has been explained in the previous section. optN refers
           to any of the option names that are available (a list will follow
           below), while optvalN determines the value of that option and
           depends on its nature. For example, most timing-related options
           expect to receive numbers as values, while the path option
           obviously needs a string argument.

       Per-module Options

           Options in this mode apply to all hosts that are associated with
           the particular service/module. This is accomplished using the -m
           option, which is defined with the format:

            -m service-name:opt1=optval1,opt2=optval2,...

           This option can be invoked multiple times, for as many different
           services as you need to define service-wide options for. Each
           invocation of this option must refer to only one service. To avoid
           confusion, this option should preferably not be given more than
           once for the same service, although this is allowed; in that case
           the last invocation takes precedence over the previous ones for
           all redefined option values.

       Global Options

           Options in this mode apply to all hosts regardless of which service
           they are associated with. This is accomplished using the -g option
           as follows:

            -g opt1=optval1,opt2=optval2,...

           This acts as a convenience option, where you can apply options to
           all services globally. Everything else regarding the available
           options and option values is the same as in the previous modes.

       List of available Service Options

       Below follows a list of all the currently available service options.
       You can apply them with any of the three modes described above. The
       last six options are timing related and will be analyzed in the
       section "Timing and Performance" of this manual.

               ssl: enable SSL over this service
               path: path-name used in modules like HTTP ('=' needs escaping if used)
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay time between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking time for service, regardless of success so far

       ssl (Enable/Disable SSL over service)
           By enabling SSL, Ncrack will try to open a TCP connection and then
           negotiate an SSL session with the target. Everything will then be
           transparently encrypted and decrypted. However, since Ncrack's job
           is to provide speed rather than strong crypto, the algorithms and
           ciphers for SSL are chosen on an efficiency basis. The only
           possible value for this option is 'yes', so just specifying ssl is
           enough. Thus, this is the only option that doesn't need to be
           written in the opt=optval format. By default, SSL is disabled for
           all services except those that are strictly dependent on it, like
           HTTPS.

       path <name> (Path name for relative URLs)
           Some services like HTTP or SVN usually require a specific path in
           the URL. This option takes that pathname string as its value. The
           path is always relative to the hostname or IP address, so if you
           want to target something like http://foobar.com/login.php the path
           must take the value path=login.php. The initial '/' is added if
           you omit it. However, it is usually better if you explicitly
           specify it at the end of pathnames that are directories. For
           example, to crack the directory http://foobar.com/protected-dir/,
           it would be better if you wrote it as path=protected-dir/. This is
           to avoid the (very) slight probability of a false positive,
           because there are cases where Web servers might reply with a "301
           Moved Permanently" for a non-successful attempt. They normally
           send that reply when a successful attempt is made for a requested
           password-protected path which has omitted the ending '/' but the
           requested resource is actually a directory. Consequently, Ncrack
           regards that reply as a successful authentication attempt.

           Also be careful with the symbol '=', since it is used by Ncrack for
           argument parsing and you will have to escape it if it is included
           in the URL.

           By default, the path-name is initialized to '/', but will be
           ignored by services that do not require it.

       Service Option Hierarchy

       As already noted, Ncrack allows a combination of the three different
       modes of service option specification. In that case, there is a strict
       hierarchy that resolves the order in which conflicting values for these
       options take precedence over each other. The order is as follows,
       leftmost being the highest priority and rightmost the lowest one:

       Per-host options > Per-module options > Global options >
       Timing-Template (for timing options only)

       The concept of the "Timing-Template" will be explained in the section
       "Timing and Performance", but for now just keep in mind that its
       values have the lowest precedence of all and essentially act as
       defaults for everything timing-related. Global options specified with
       -g have the next higher precedence, while -m per-module options are
       higher still. At the top of the hierarchy reside the per-host options,
       which are essentially the most specific ones. Consequently, the
       pattern is: the more specific, the higher the precedence.

       Example 4. Service Option Hierarchy example

           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3

       The example demonstrates the hierarchy precedence. The services that
       are going to be cracked are SSH for scanme.nmap.org and FTP for hosts
       10.0.0.120 and 10.0.0.20. No particular timing template has been
       specified and thus the default will be used (Normal - 3). The per-host
       options for scanme.nmap.org define that the minimum connection limit
       (cl) is 10 and that Ncrack should attempt only 1 authentication try
       (at) per connection. These values would override any other for the
       SSH service of host scanme.nmap.org if there were conflicts with other
       modes. Since a global option of -g CL=3 was defined and there is no
       other higher-precedence definition for the SSH service of
       scanme.nmap.org in particular, this value will also be applied. As
       for the FTP targets, the per-module -m ftp:CL=1 defined for all FTP
       services will override the equivalent global one. All this can get
       quite complex if overused, but these options are not expected to be
       leveraged by the average Ncrack user anyway. Complicated network
       scanning scenarios might require them, though. To make certain the
       results are the ones you expect, don't forget to use the -sL option,
       which prints out details about what Ncrack would crack if invoked
       normally. You can add the debugging -d option if you want even more
       verbose output. For the above example, Ncrack would print the
       following:

       Example 5. Service Option Hierarchy Output example

           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d

           Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2009-08-05 18:32 EEST

           ----- [ Timing Template ] -----
           cl=7, CL=80, at=0, cd=0, cr=10, to=0

           ----- [ ServicesTable ] -----
           SERVICE   cl  CL  at  cd  cr  to  ssl path
           ftp:21    N/A 1   N/A N/A N/A N/A no  null
           ssh:22    N/A N/A N/A N/A N/A N/A no  null
           telnet:23 N/A N/A N/A N/A N/A N/A no  null
           smtp:25   N/A N/A N/A N/A N/A N/A no  null
           http:80   N/A N/A N/A N/A N/A N/A no  null
           https:443 N/A N/A N/A N/A N/A N/A yes null

           ----- [ Targets ] -----
           Host: 64.13.134.52 ( scanme.nmap.org )
             ssh:22 cl=10, CL=10, at=1, cd=0, cr=10, to=0, ssl=no, path=/
           Host: 10.0.0.120
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=10, to=0, ssl=no, path=/
           Host: 10.0.0.20
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=10, to=0, ssl=no, path=/

           Ncrack done: 3 services would be scanned.
           Probes sent: 0 | timed-out: 0 | prematurely-closed: 0

           Ncrack finished.

       The ServicesTable just lists the per-module options for all available
       services. As you can see, the only defined option is CL for the FTP
       service. The Targets table is the most important part of this output
       and lists all targets and associated options according to the
       command-line invocation. No network operation takes place in this
       mode, apart from forward DNS resolution for hostnames (like
       scanme.nmap.org in this example).


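       The service-specification syntax of the previous section and the
       option hierarchy just described can be reproduced offline, which is a
       convenient way to reason about a command line before using -sL. The
       following Python is an added example, not Ncrack's own code: it parses
       the per-host [service]://target:[port],opt=val form together with -p,
       -m and -g, completes missing service names or port numbers from the
       ServicesTable printed in Example 5, accepts <time> values with the
       ms/s/m/h suffixes used by cd and to, and applies the stated precedence
       Per-host > Per-module > Global > Timing-Template, with the Timing
       Template values taken from the same Example 5 output. The rule for
       telling an option apart from a comma inside an octet range is this
       example's own heuristic, not a description of Ncrack's parser. Note
       also that Ncrack's listing in Example 5 shows CL=10 for scanme.nmap.org
       and cl=3 for the FTP hosts, which the precedence rule alone does not
       yield (it gives CL=3 and cl=7 respectively); the tool evidently
       reconciles cl and CL after merging, and this example does not attempt
       to reproduce that undocumented step.

```python
"""Resolve Ncrack service specifications and the service-option hierarchy.

Added example, not Ncrack's own code: per-host, -p, -m and -g syntax plus the
stated precedence Per-host > Per-module > Global > Timing-Template.  Ports and
template values are those printed in Example 5; no network I/O takes place.
"""
# Default ports (ServicesTable) and default-template timing values, both printed in Example 5.
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}
TIMING_TEMPLATE = {"cl": 7, "CL": 80, "at": 0, "cd": 0, "cr": 10, "to": 0}
INT_OPTS = ("cl", "CL", "at", "cr")
TIME_OPTS = ("cd", "to")            # <time> values: seconds, or with an ms/s/m/h suffix

def parse_time(value):
    """Seconds from a <time> value: 900000ms, 900s, 15m and 900 all give 900.0."""
    units = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}
    for suffix in ("ms", "s", "m", "h"):            # 'ms' must be tested before 's'
        if value.endswith(suffix):
            return float(value[:-len(suffix)]) * units[suffix]
    return float(value)

def parse_options(text):
    """'cl=10,at=1,ssl' -> {'cl': '10', 'at': '1', 'ssl': 'yes'}; a backslash escapes '='."""
    opts = {}
    for item in filter(None, text.split(",")):
        key, sep, value = item.partition("=")
        if not sep and key != "ssl":                # ssl is the only option without a value
            raise ValueError(f"option {item!r} needs the opt=optval form")
        opts[key] = value.replace("\\=", "=") if sep else "yes"
    return opts

def split_host_token(token):
    """Parse '[service://]target[:port][,opt=val,...]' into (target, service, port, opts)."""
    # Heuristic of this example, not Ncrack's parser: a comma-separated piece is an option
    # if it contains '=' or is 'ssl'; the rest is the target (octet ranges have commas too).
    pieces = token.split(",")
    target = ",".join(p for p in pieces if "=" not in p and p != "ssl")
    opts = parse_options(",".join(p for p in pieces if "=" in p or p == "ssl"))
    service = port = None
    if "://" in target:
        service, target = target.split("://", 1)
    if ":" in target:                               # IPv4/hostname only; -6 is not modelled
        target, port_text = target.rsplit(":", 1)
        port = int(port_text)
    return target, service, port, opts

def complete_service(service, port):
    """Fill in the missing half of a service/port pair from the default table."""
    if service is None:                             # deduce the name from a default port
        service = next((n for n, p in DEFAULT_PORTS.items() if p == port), None)
    if service not in DEFAULT_PORTS:
        raise ValueError(f"no module for service {service!r} / port {port!r}")
    return service, DEFAULT_PORTS[service] if port is None else port

def parse_p_entry(entry):
    """'22' -> (None, 22); 'ftp:3210' -> ('ftp', 3210); 'telnet' -> ('telnet', None)."""
    name, _, port_text = entry.partition(":")
    return (None, int(name)) if name.isdigit() else (name, int(port_text) if port_text else None)

def effective_options(service, layers):
    """Start from the template, apply each layer (lowest precedence first), type the values."""
    merged = {key: str(val) for key, val in TIMING_TEMPLATE.items()}
    merged.update(ssl="yes" if service == "https" else "no", path="/")
    for layer in layers:
        merged.update(layer)
    for key in INT_OPTS:
        merged[key] = int(merged[key])
    for key in TIME_OPTS:
        merged[key] = parse_time(merged[key])
    if not merged["path"].startswith("/"):          # the leading '/' is implied
        merged["path"] = "/" + merged["path"]
    return merged

def resolve_argv(argv):
    """Turn an Ncrack argument list into the host/service/port/options it would crack."""
    hosts, p_entries, module_opts, global_opts = [], [], {}, {}
    args = iter(argv)
    for arg in args:
        if arg.startswith(("-p", "-m", "-g")):
            flag, value = arg[:2], arg[2:] or next(args)    # '-p22' and '-p 22' both work
            if flag == "-p":
                p_entries.extend(parse_p_entry(e) for e in value.split(","))
            elif flag == "-m":
                name, _, opts = value.partition(":")
                module_opts.setdefault(name, {}).update(parse_options(opts))
            else:
                global_opts.update(parse_options(value))
        elif not arg.startswith("-"):               # other options are not modelled here
            hosts.append(split_host_token(arg))
    targets = []
    for host, service, port, host_opts in hosts:
        if service is None and port is None:        # global specification: every -p entry
            pairs = [complete_service(*entry) for entry in p_entries]
            if not pairs:
                raise ValueError(f"{host}: no service given and no -p list")
        else:
            pairs = [complete_service(service, port)]
        for name, number in pairs:
            # Precedence: Timing-Template < -g global < -m per-module < per-host.
            layers = (global_opts, module_opts.get(name, {}), host_opts)
            targets.append({"host": host, "service": name, "port": number,
                            "options": effective_options(name, layers)})
    return targets
```

       Feeding resolve_argv the argument list of Example 4 yields three
       targets: ssh:22 on scanme.nmap.org with cl=10 and at=1 from the
       per-host options, and ftp:21 on 10.0.0.120 and 10.0.0.20 with CL=1
       from -m ftp:CL=1 winning over -g CL=3, everything else coming from the
       template. Host strings such as 192.168.1.* are passed through untouched,
       so the output is a per-specification view rather than a per-address
       one.
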
TIMING AND PERFORMANCE

532       The timing engine is perhaps the most important part of any serious
533       network authentication cracking tool. Ncrack´s timing engine offers a
534       great many options for optimization and can be bended to serve
535       virtually any user need. As Ncrack is progressing, this subsystem is
536       going to evolve into a dynamic autonomous engine that will be able to
537       automatically adjust its behaviour according to the network feedback it
538       gets, in order to achieve maximum performance and precision without any
539       user intervention.
540
541       Some options accept a time parameter. This is specified in seconds by
542       default, though you can append ‘ms’, ‘m’, or ‘h’ to the value to
543       specify milliseconds, minutes, or hours (‘s’ for seconds is redundant).
544       So the cd (connection delay) arguments 900000ms, 900s, and 15m all do
545       the same thing.
546
547       cl num-minconnections; CL num-maxconnections (Adjust number of
548       concurrent parallel connections)
549
550           Connection Limit
551
552           These options control the total number of connections that may be
553           outstanding against any one service at the same time. Normally,
554           Ncrack dynamically adjusts the number of connections for each
555           individual target by counting how many drops or connection failures
556           occur. If a strange network condition signals that something may be
557           going wrong, such as the host dropping every new connection
558           attempt, Ncrack immediately lowers the total number of connections
559           hitting the service. However, the caps within which this adjustment
560           takes place, the minimum and maximum number of connections, can be
561           overridden with these two options. By tuning them properly you can
562           essentially optimize performance, provided you can handle the tricky
563           part of knowing or discovering your target's own limits. The
564           convention is that cl, in lowercase letters, refers to the minimum
565           connection limit, while CL, in uppercase letters, refers to the
566           maximum number of connections.
567
568           The most common usage is to set cl (minimum connection limit) for
569           targets that you are almost certain can withstand that many
570           connections at any given time. This is a risky option to play
571           with, as setting it too high might do more harm than good by
572           effectively DoS-attacking the target and triggering firewall rules
573           that will ban your IP address.
574
575           On the other hand, for more stealthy missions, setting CL (maximum
576           connection limit) to a low value might be what you want. However,
577           setting it too low will surely have a great impact on overall
578           cracking speed. For maximum stealth, this can be combined with the
579           cd (connection delay) option described below.
580
581       at num-attempts (Adjust authentication attempts per connection)
582
583           Authentication Tries
584
585           Using this option, you can order Ncrack to limit the authentication
586           attempts it carries out per connection. Ncrack initially sends a
587           reconnaissance probe that lets it determine the maximum number of
588           authentication tries the service allows, and from then on it always
589           tries to use that number. Most services impose an upper limit on the
590           number of authentication attempts per connection, and in most cases
591           finding that maximum leads to better performance.
592
593           Setting this option to lower values can give you some stealth
594           bonus, since services such as SSH tend to log failed attempts only
595           after more than a certain number of authentication tries per
596           connection. They use that as their metric rather than counting the
597           total number of attempts or connections per IP address (which is
598           usually done by a firewall). Consequently, 1 or 2 authentication
599           tries per connection might circumvent logging in some cases.
600
601           Note that setting this option to a high value will have no effect
602           if Ncrack realizes that the server doesn't allow that many attempts
603           per connection. In that case it will just use the server's maximum
604           and ignore your setting.
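           As an added illustration, not part of this man page or of Ncrack
           itself, the following Python check is the defender's counterpart to
           the at=1 trick: it groups sshd failures by source address across
           connections, so one attempt per connection still stands out. The
           log lines, the host name bastion, the addresses, the assumed year
           and the thresholds are constructed for the example; the line format
           is OpenSSH's standard "Failed password for ... from <ip> port <n>
           ssh2" message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure line; "invalid user" appears when the account
# does not exist. Host name, pids and addresses below are constructed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2"
)

# Constructed sample: one attempt per connection from 203.0.113.7 (the
# at=1 pattern), plus one legitimate typo from 198.51.100.4.
SAMPLE_LOG = """\
Jan 10 03:14:01 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 03:14:01 bastion sshd[2231]: Connection closed by authenticating user root 203.0.113.7 port 51002 [preauth]
Jan 10 03:14:02 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Jan 10 03:14:02 bastion sshd[2235]: Failed password for invalid user guest from 203.0.113.7 port 51006 ssh2
Jan 10 03:14:03 bastion sshd[2237]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jan 10 03:14:03 bastion sshd[2239]: Failed password for invalid user admin from 203.0.113.7 port 51010 ssh2
Jan 10 03:14:04 bastion sshd[2241]: Failed password for invalid user guest from 203.0.113.7 port 51012 ssh2
Jan 10 03:14:05 bastion sshd[2243]: Failed password for alice from 198.51.100.4 port 40118 ssh2
Jan 10 03:14:09 bastion sshd[2243]: Accepted password for alice from 198.51.100.4 port 40118 ssh2
""".splitlines()


def parse_syslog_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one (example assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_spread_bruteforce(lines, window_seconds=60, min_failures=5, min_connections=3):
    """Return {ip: summary} for sources whose failures inside any window of
    window_seconds reach min_failures AND are spread over at least
    min_connections distinct sshd processes (one process per TCP connection).
    A per-connection threshold sees a single failure per process and never
    fires on this traffic; aggregating by source address is what catches it."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events[m["ip"]].append((parse_syslog_ts(m["ts"]), m["pid"], m["user"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        window = deque()
        for ev in evs:
            window.append(ev)
            # Drop failures that have fallen out of the sliding window.
            while (ev[0] - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            conns = {pid for _, pid, _ in window}
            if len(window) >= min_failures and len(conns) >= min_connections:
                # Keep the largest window seen for this source.
                if ip not in flagged or len(window) > flagged[ip]["failures"]:
                    flagged[ip] = {
                        "failures": len(window),
                        "connections": len(conns),
                        "users": sorted({user for _, _, user in window}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_spread_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures over {info['connections']} "
              f"connections, usernames {info['users']}")
```

           Run directly, it reports only 203.0.113.7: six failures spread over
           six sshd processes within a few seconds, while the single failure
           from 198.51.100.4 stays below the threshold.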
605
606       cd time (Adjust delay time between each new connection)
607
608           Connection Delay
609
610           This option defines the delay imposed between each new connection.
611           Ncrack will wait the amount of time you specify as this option's
612           value before starting a new connection against the given service.
613           The higher you set it, the slower Ncrack will perform, but the
614           stealthier your attack will become.
615
616           By default Ncrack initiates new connections as fast as possible,
617           as long as new probes are actually allowed to be sent and are not
618           held back by parameters such as the connection limit, which can
619           itself increase or decrease dynamically. Although this approach
620           achieves blazing speed as long as the host remains responsive, it
621           can lead to a number of disasters: a firewall being triggered, the
622           target's or your own bandwidth being exhausted, and even the tested
623           service suffering a denial of service attack. By carefully
624           adjusting this option, you can potentially avoid these annoying
625           situations.
626
627       cr max-conattempts (Adjust the max number of connection attempts)
628
629           Connection Retries
630
631           NOT IMPLEMENTED YET.
632
633       to time (Adjust the maximum overall cracking time)
634
635           Timeout
636
637           Define how much time Ncrack is going to spend cracking the service
638           before giving up, regardless of whether it has found any credentials
639           so far. Any credentials discovered up to that point are still stored
640           and printed normally. Ncrack marks a service as finished when the
641           iteration over the username/password lists ends or when it can no
642           longer crack it for some serious reason. If Ncrack finishes
643           cracking a service before the time specified in this option
644           elapses, the timeout has no effect at all.
645
646           Sometimes you have a limited time window to scan/crack your hosts.
647           This might occur for various reasons. A common one is that normal
648           user activity mustn't be interrupted and, since Ncrack can become
649           very aggressive, it may be allowed to scan the hosts only during a
650           certain period such as the night hours. Scanning during such hours
651           is also likely to make an attack less detectable.
652
653           Don't forget that Ncrack allows you to specify the time unit by
654           appending 'ms', 'm', or 'h' for milliseconds, minutes or hours
655           (seconds is the default unit). Using them with this particular
656           option is really convenient, as you can specify something like
657           to=8h to give Ncrack a total of 8 hours to crack that service.
658           Setting up cron jobs for scheduled scans, in combination with
659           this option, might also be a good idea, for instance to fit the
660           whole run inside an agreed maintenance window.
661
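       The following Python helper is an added example, not code from Ncrack
       or from this man page. parse_time implements the time-unit rule above
       (bare seconds, or an ms/s/m/h suffix), and estimate_runtime turns the
       CL, at and cd settings plus a wordlist size into a rough lower bound on
       run time, which fits_in_window compares against a to value such as 8h.
       The cost model (one round trip per attempt, a fixed rtt, exactly CL
       connections in flight) is this example's assumption, not a description
       of Ncrack's engine.

```python
import math
import re

# Unit suffixes the man page documents; a bare number means seconds and
# 's' is accepted as a redundant suffix. Computed in integer milliseconds
# so that 900000ms, 900s and 15m compare exactly equal.
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}
_TIME_RE = re.compile(r"^(\d+)(ms|s|m|h)?$")


def parse_time(value):
    """'900000ms' -> 900.0, '15m' -> 900.0, '8h' -> 28800.0, '30' -> 30.0."""
    m = _TIME_RE.match(str(value).strip().lower())
    if not m:
        raise ValueError(f"not a valid time value: {value!r}")
    number, unit = m.groups()
    return int(number) * _UNIT_MS[unit or "s"] / 1000


def estimate_runtime(n_users, n_passwords, CL, at, cd=0.0, rtt=0.2):
    """Rough lower bound, in seconds, on the wall-clock time needed to try
    every username/password pair against one service.

    Model (an assumption of this example, not Ncrack's engine): the target
    sustains exactly CL parallel connections, each carrying `at` attempts
    that cost `rtt` seconds apiece, and a new connection may be opened no
    more often than every `cd` seconds.
    """
    if CL < 1 or at < 1:
        raise ValueError("CL and at must be at least 1")
    pairs = n_users * n_passwords
    connections = math.ceil(pairs / at)
    # Either the concurrency cap or the connection delay bounds how often a
    # fresh connection can start; the slower of the two dominates.
    interval = max(cd, at * rtt / CL)
    return connections * interval


def fits_in_window(n_users, n_passwords, CL, at, to, cd=0.0, rtt=0.2):
    """True if the estimated run finishes inside the `to` (timeout) value,
    given as an Ncrack time string such as '8h'."""
    return estimate_runtime(n_users, n_passwords, CL, at, cd, rtt) <= parse_time(to)


if __name__ == "__main__":
    print(parse_time("900000ms"), parse_time("900s"), parse_time("15m"))  # 900.0 each
    # 3 usernames x 1000 passwords, 5 connections, 3 tries each, no delay.
    print(round(estimate_runtime(3, 1000, CL=5, at=3)))  # 120
    # Same lists with cd=2s: the delay, not concurrency, now dominates.
    print(round(estimate_runtime(3, 1000, CL=5, at=3, cd=parse_time("2s"))))  # 2000
    print(fits_in_window(3, 1000, CL=5, at=3, to="8h", cd=parse_time("2s")))  # True
```

       The numbers are planning aids only; the real run is governed by the
       target's reaction, which is exactly what the dynamic engine adapts to.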
662       -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing
663       template)
664           While the fine-grained timing controls discussed in the previous
665           section are powerful and effective, some people find them
666           confusing. Moreover, choosing the appropriate values can sometimes
667           take more time than the scan you are trying to optimize. So Ncrack
668           offers a simpler approach, with six timing templates. You can
669           specify them with the -T option and their number (0–5) or their
670           name. The template names are paranoid (0), sneaky (1), polite (2),
671           normal (3), aggressive (4), and insane (5). The first two are for
672           IDS evasion. Polite mode slows down the scan to use less bandwidth
673           and target machine resources. Normal mode is the default and so -T3
674           does nothing. Aggressive mode speeds scans up by making the
675           assumption that you are on a reasonably fast and reliable network.
676           Finally insane mode assumes that you are on an extraordinarily fast
677           network or are willing to sacrifice some accuracy for speed.
678
679           These templates allow the user to specify how aggressive they wish
680           to be, while leaving Ncrack to pick the exact timing values. If you
681           know that the network service is going to withstand a huge number
682           of connections you might try using the aggressive template of -T4 .
683           Even then, this is mostly advised for services residing in the
684           local network. Going over to insane mode -T5 is not recommended,
685           unless you absolutely know what you are doing.
686
687           While -T0 and -T1 may be useful for avoiding IDS alerts, they
688           will take an extraordinarily long time to crack even a few
689           services. For such a long scan, you may prefer to set the exact
690           timing values you need rather than rely on the canned -T0 and -T1
691           values.
692
693       --connection-limit numprobes (Adjust the threshold of total concurrent
694       connections)
695           NOT IMPLEMENTED YET.
696

AUTHENTICATION

698       This section describes ways of specifying your own username and
699       password lists as well as the available modes of iterating over them.
700       Ncrack ships with a variety of username and password lists which
701       reside under the directory 'lists' of the source tarball and are later
702       installed under Ncrack's data directory, which is usually
703       /usr/local/share/ncrack or /usr/share/ncrack. If you omit specifying
704       any lists, Ncrack is going to use the default ones, which contain
705       some of the most common usernames and passwords. The password list is
706       frequency-sorted, with the most common passwords at the beginning of
707       the list, so they will be tried first. The lists have been derived
708       from a combination of sorting publicly leaked password files and other
709       techniques.
710
711       -U filename (Specify username list)
712           Specify your own username list by giving the path to the filename
713           as argument to this option.
714
715           Usernames for specific environments can be gathered in numerous
716           ways, including harvesting email addresses from the company's
717           website, looking up information in whois databases, using the SMTP
718           VRFY technique against mail servers that still answer it, or
719           through social engineering.
720
721       -P filename (Specify password list)
722           Specify your own password list by giving the path to the filename
723           as argument to this option.
724
725           Common passwords are usually derived from lists leaked as a result
726           of successful intrusions into public sites such as forums or other
727           social networking places. A great many of them have already been
728           publicly disclosed, and some of these have been used to assemble
729           Ncrack's own lists.
730
731       --user username_list (Specify command-line comma-separated username
732       list)
733           Specify your own usernames directly in the command-line as a
734           comma-separated list.
735
736       --pass password_list (Specify command-line comma-separated password
737       list)
738           Specify your own passwords directly in the command-line as a
739           comma-separated list.
740
741       --passwords-first (Reverse the way passwords are iterated)
742           Ncrack by default iterates the username list for each password.
743           With this option, you can reverse that. For example, given the
744           username list "root, guest, admin" and the password list
745           "test, 12345, q1w2e3r4", Ncrack will normally go over them like
746           this: root:test, guest:test, admin:test, root:12345 etc. With this
747           option enabled it will go over them like this: root:test,
748           root:12345, root:q1w2e3r4, guest:test etc.
749
750           Most network authentication cracking tools prefer by default to
751           iterate the password list for each username. In most cases this is,
752           however, less effective than the opposite iteration, for the simple
753           reason that password lists are usually sorted by frequency, meaning
754           that the more common a password is, the closer to the beginning of
755           the list it sits. Thus, trying the most common passwords against
756           all usernames first usually has a better chance of a positive
757           result early on. With the --passwords-first iteration, very common
758           passwords might never be tried for certain usernames if the user
759           aborts the session early. However, this option might prove valuable
760           in cases where the attacker knows, and has already verified, that
761           the username list contains real usernames, rather than blindly
762           brute-forcing through a list of guessed ones: every password is
763           then tried for one real account before moving to the next.
764
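       The two orderings above, as an added Python example that is not part
       of Ncrack or this man page: credential_order yields the pairs in the
       order described, and attempts_until_hit counts how deep into the run a
       given valid pair is reached under each ordering, using the man page's
       own lists. split_cli_list mirrors the comma-separated --user/--pass
       form; its tolerance of surrounding spaces is this example's choice.

```python
def credential_order(usernames, passwords, passwords_first=False):
    """Yield (username, password) pairs in the order Ncrack tries them.

    Default: the whole username list for each password, so a frequency-
    sorted password list gets its most common entries tried against every
    account first. With --passwords-first the two loops are swapped."""
    if passwords_first:
        for user in usernames:
            for password in passwords:
                yield user, password
    else:
        for password in passwords:
            for user in usernames:
                yield user, password


def attempts_until_hit(usernames, passwords, valid, passwords_first=False):
    """1-based number of attempts before the first valid pair is tried, or
    None if the lists never produce one. `valid` is a set of (user, pw)."""
    for n, pair in enumerate(credential_order(usernames, passwords, passwords_first), start=1):
        if pair in valid:
            return n
    return None


def split_cli_list(value):
    """Parse a --user/--pass style comma-separated list. Stripping the
    spaces of the man page's "root, guest, admin" is this example's choice."""
    return [item.strip() for item in value.split(",") if item.strip()]


# The man page's own example lists.
USERS = split_cli_list("root, guest, admin")
PASSWORDS = split_cli_list("test, 12345, q1w2e3r4")

if __name__ == "__main__":
    print(list(credential_order(USERS, PASSWORDS))[:4])
    print(list(credential_order(USERS, PASSWORDS, passwords_first=True))[:4])
    # A common password on the last account listed: default order hits at 3,
    # --passwords-first only at 7.
    print(attempts_until_hit(USERS, PASSWORDS, {("admin", "test")}),
          attempts_until_hit(USERS, PASSWORDS, {("admin", "test")}, passwords_first=True))
    # A verified username with a rarer password: the picture reverses.
    print(attempts_until_hit(USERS, PASSWORDS, {("root", "q1w2e3r4")}),
          attempts_until_hit(USERS, PASSWORDS, {("root", "q1w2e3r4")}, passwords_first=True))
```

       Both orderings cover the same nine pairs; only the position at which a
       given pair is reached changes, which is what matters when a session is
       aborted early or a service is cut off by the to timeout.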

OUTPUT

766       Any security tool is only as useful as the output it generates. Complex
767       tests and algorithms are of little value if they aren´t presented in an
768       organized and comprehensible fashion. Of course, no single format can
769       please everyone. So Ncrack offers several formats, including the
770       interactive mode for humans to read directly and XML for easy parsing
771       by software.
772
773       In addition to offering different output formats, Ncrack provides
774       options for controlling the verbosity of output as well as debugging
775       messages. Output types may be sent to standard output or to named
776       files, which Ncrack can append to or clobber.
777
778       Ncrack makes output available in three different formats. The default
779       is called interactive output, and it is sent to standard output
780       (stdout). There is also normal output, which is similar to interactive
781       except that it displays less runtime information and warnings since it
782       is expected to be analyzed after the scan completes rather than
783       interactively.
784
785       XML output is one of the most important output types, as it can be
786       converted to HTML, easily parsed by programs such as Ncrack graphical
787       user interfaces, or imported into databases. Currently, XML output
788       hasn´t been implemented.
789
790       While interactive output is the default and has no associated
791       command-line options, the other two format options use the same syntax.
792       They take one argument, which is the filename that results should be
793       stored in. Multiple formats may be specified, but each format may only
794       be specified once. For example, you may wish to save normal output for
795       your own review while saving XML of the same scan for programmatic
796       analysis. You might do this with the options -oX myscan.xml -oN
797       myscan.ncrack. While this chapter uses the simple names like myscan.xml
798       for brevity, more descriptive names are generally recommended. The
799       names chosen are a matter of personal preference. A scheme could be
800       using long filenames that incorporate the scan date and a word or two
801       describing the scan, placed in a directory named after the company that
802       is being scanned.
803
804       While these options save results to files, Ncrack still prints
805       interactive output to stdout as usual. For example, the command ncrack
806       -oN myscan.ncrack [target] writes normal output to myscan.ncrack and
807       fills standard output with the same interactive results it would have
808       printed if -oN wasn't specified at all. You can change this by passing
809       a hyphen character as the argument to one of the format types. This
810       causes Ncrack to deactivate interactive output and instead print
811       results in the format you specified to the standard output stream. So
812       ncrack -oN - target sends only normal output to stdout. Serious errors
813       may still be printed to the normal error stream, stderr.
814
815       Unlike some Ncrack arguments, the space between the logfile option flag
816       (such as -oX) and the filename or hyphen is mandatory.
817
818       All of these arguments support strftime-like conversions in the
819       filename.  %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as
820       in strftime.  %T is the same as %H%M%S, %R is the same as %H%M, and %D
821       is the same as %m%d%y. A % followed by any other character just yields
822       that character (%% gives you a percent symbol). So -oX ´scan-%T-%D.xml´
823       will use an XML file in the form of scan-144840-121307.xml.
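       An added Python example (not Ncrack's own implementation) of the
       filename conversion rules just described, including the %T, %R and %D
       shorthands and the "% followed by any other character" fallback.
       MAN_PAGE_EXAMPLE_TIME is the 14:48:40, 13 December 2007 instant behind
       scan-144840-121307.xml. How a lone trailing % is handled is not
       specified on the page and is this example's assumption.

```python
from datetime import datetime

# Conversions the man page lists: these pass straight through to strftime...
_STRFTIME_DIRECT = set("HMSmdyY")
# ...and these are Ncrack's shorthands, defined in terms of the ones above.
_COMPOSITE = {"T": "%H%M%S", "R": "%H%M", "D": "%m%d%y"}

# The instant behind the man page's scan-144840-121307.xml example.
MAN_PAGE_EXAMPLE_TIME = datetime(2007, 12, 13, 14, 48, 40)


def expand_output_filename(spec, now=None):
    """Expand an -oN/-oX/-oA filename the way the man page describes.

    '%' followed by any other character yields that character, so '%%' is
    a literal percent sign. A lone '%' at the very end is kept literally;
    that last case is this example's assumption, the page does not say."""
    now = now or datetime.now()
    out = []
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 == len(spec):
            out.append("%")
            break
        conv = spec[i + 1]
        if conv in _STRFTIME_DIRECT:
            out.append(now.strftime("%" + conv))
        elif conv in _COMPOSITE:
            out.append(now.strftime(_COMPOSITE[conv]))
        else:
            out.append(conv)
        i += 2
    return "".join(out)


def output_all_filenames(basename, now=None):
    """The two files -oA basename would produce (normal and XML)."""
    stem = expand_output_filename(basename, now)
    return {"normal": stem + ".ncrack", "xml": stem + ".xml"}


if __name__ == "__main__":
    print(expand_output_filename("scan-%T-%D.xml", MAN_PAGE_EXAMPLE_TIME))
    print(output_all_filenames("foocorp/%Y-%m-%d_ssh-%R", MAN_PAGE_EXAMPLE_TIME))
```

       Quote the specification in the shell, as the man page's own
       -oX 'scan-%T-%D.xml' does, so the shell does not touch the % sequences
       before Ncrack sees them.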
824
825       Ncrack also offers options to control scan verbosity and to append to
826       output files rather than clobbering them. All of these options are
827       described below.
828
829       Ncrack Output Formats
830
831       -oN filespec (normal output)
832           Requests that normal output be directed to the given filename. As
833           discussed above, this differs slightly from interactive output.
834
835       -oX filespec (XML output)
836           Requests that XML output be directed to the given filename.
837           Currently this is not implemented.
838
839       -oA basename (Output to all formats)
840           As a convenience, you may specify -oA basename to store scan
841           results in normal and XML formats at once. They are stored in
842           basename.ncrack, and basename.xml respectively. As with most
843           programs, you can prefix the filenames with a directory path, such
844           as ~/ncracklogs/foocorp/ on Unix or c:\hacking\sco on Windows.
845
846       Verbosity and debugging options
847
848       -v (Increase verbosity level)
849           Increases the verbosity level, causing Ncrack to print more
850           information about the scan in progress. Credentials are shown as
851           they are found and more statistical information is printed in the
852           end. Use it twice or more for even greater verbosity.
853
854       -d [level] (Increase or set debugging level)
855           When even verbose mode doesn´t provide sufficient data for you,
856           debugging is available to flood you with much more! As with the
857           verbosity option (-v), debugging is enabled with a command-line
858           flag (-d) and the debug level can be increased by specifying it
859           multiple times. Alternatively, you can set a debug level by giving
860           an argument to -d. For example, -d10 sets level ten. That is the
861           highest effective level and will produce thousands of lines, unless
862           your cracking session is going really slow.
863
864           Debugging output is useful when a bug is suspected in Ncrack, or if
865           you are simply confused as to what Ncrack is doing and why. As this
866           feature is mostly intended for developers, debug lines aren´t
867           always self-explanatory. If you don´t understand a line, your only
868           recourses are to ignore it, look it up in the source code, or
869           request help from the development list (nmap-dev). Some lines are
870           self explanatory, but the messages become more obscure as the debug
871           level is increased.
872
873       --nsock-trace level (Set nsock trace level)
874           This option is meant mostly for developers, as enabling it will
875           activate the Nsock library's debugging output. Nsock is the
876           underlying library for parallel socket handling. You will have to
877           specify a certain level for this option. Valid range is 0 up to 10.
878           Usually, a level of 1 or 2 is enough to get a good overview of
879           network operations happening behind the scenes. Nsock prints that
880           information to stdout by default.
881
882       --log-errors (Log errors/warnings to normal mode output file)
883           Warnings and errors printed by Ncrack usually go only to the screen
884           (interactive output), leaving any normal-format output files
885           (usually specified with -oN) uncluttered. When you do want to see
886           those messages in the normal output file you specified, add this
887           option. It is useful when you aren´t watching the interactive
888           output or when you want to record errors while debugging a problem.
889           The error and warning messages will still appear in interactive
890           mode too. This won´t work for most errors related to bad
891           command-line arguments because Ncrack may not have initialized its
892           output files yet.
893
894           An alternative to --log-errors is redirecting interactive output
895           (including the standard error stream) to a file. Most Unix shells
896           make this approach easy, though it can be difficult on Windows.
897
898       Miscellaneous output options
899
900       --append-output (Append to rather than clobber output files)
901           When you specify a filename to an output format flag such as -oX or
902           -oN, that file is overwritten by default. If you prefer to keep the
903           existing content of the file and append the new results, specify
904           the --append-output option. All output filenames specified in that
905           Ncrack execution will then be appended to rather than clobbered.
906           This doesn´t work well for XML (-oX) scan data as the resultant
907           file generally won´t parse properly until you fix it up by hand.
908

MISCELLANEOUS OPTIONS

910       This section describes some important (and not-so-important) options
911       that don´t really fit anywhere else.
912
913       --resume file (Continue previously saved session)
914           Whenever the user cancels a running session (usually by pressing
915           Ctrl+C), Ncrack saves the current state into a file which it can
916           later use to continue from where it stopped. This file is saved in
917           the subdirectory .ncrack/ of the user's home directory with a
918           filename of the form "restore.YYYY-MM-DD_hh-mm". An example would
919           be "/home/ithilgore/.ncrack/restore.2010-05-18_04-42". You can then
920           continue your session by specifying this file as the argument to
921           the --resume option.
922
923       -f (Quit cracking service after one found credential)
924           This option will force Ncrack to quit cracking a service as soon as
925           it finds a valid username/password combination for it. Assuming
926           many parallel services are being cracked at the same time, this
927           option is applied on each of them separately. This means that
928           Ncrack will stop cracking each individual service after finding a
929           pair of credentials for it, but will not quit entirely. Supplying
930           the option two times, like -f -f will, however, make Ncrack exit
931           immediately as soon as it finds a valid credential for any service.
932
933           Frequently, attackers will try cracking several services in
934           parallel to maximize the chances of finding a pair of valid
935           credentials. Given that a network is no stronger than its weakest
936           link, this option and especially the -f -f counterpart will often
937           be used to lessen chances of detection and prevent network
938           resources from being wasted aimlessly.
939
940       -6 (Enable IPv6 scanning)
941           Warning: This option was just added and it is currently
942           experimental, so please notify us of any problems and bugs related
943           to it.
944
945           The command syntax is the same as usual except that you also add
946           the -6 option. Of course, you must use IPv6 syntax if you specify
947           an address rather than a hostname. An address might look like
948           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
949           recommended. The output looks the same as usual, with the IPv6
950           address on the “Discovered credentials” line being the only IPv6
951           give away.
952
953           While IPv6 hasn´t exactly taken the world by storm, it gets
954           significant use in some (usually Asian) countries and most modern
955           operating systems support it. To use Ncrack with IPv6, both the
956           source and target of your scan must be configured for IPv6. If your
957           ISP (like most of them) does not allocate IPv6 addresses to you,
958           free tunnel brokers are widely available and will probably work
959           fine with Ncrack. A popular IPv6 tunnel broker service is at
960           http://www.tunnelbroker.net. 6to4 tunnels are another popular, free
961           approach.
962
963       -sL (List Scan)
964           The list scan simply lists each host and service that would be
965           cracked if this option wasn´t specified. No packets are sent to the
966           target hosts and the only network operation that might happen is
967           DNS-resolution of any hostnames of targets. This option is really
968           helpful in making sure that you have specified everything as you
969           wanted. Service-specific options will also be printed so this acts
970           as a good sanity check of potentially complex command-line
971           arguments such as the advanced modes of Service Option
972           Specification and the equivalent Hierarchy for sessions that
973           require delicate timing handling. If list scan is called along with
974           the -d debug option, then additional output, like the ServicesTable
975           and the current Timing-Template´s parameters, is also going to be
976           printed.
977
978       --datadir directoryname (Specify custom Ncrack data file location)
979           Ncrack needs a file called ncrack-services to load a lookup table
980           of supported services/ports. This file shouldn't be changed unless
981           you know what you are doing (e.g. extending Ncrack with additional
982           modules). In addition, Ncrack is shipped with various username and
983           password lists, some of which are used by default in case the user
984           doesn't specify his own. All these files are normally copied
985           during the installation procedure to a directory such as
986           /usr/share/ncrack or /usr/local/share/ncrack. Using the --datadir
987           option forces Ncrack to start searching for these files in the
988           specified directory. If the files aren't found there, it continues
989           searching in the directory named by the NCRACKDIR environment
990           variable (if it is defined). Next comes the ~/.ncrack directory of
991           the real and effective UIDs (POSIX systems only) or the location of
992           the Ncrack executable (Win32 only), and then a compiled-in location
993           such as /usr/local/share/ncrack or /usr/share/ncrack. As a last
994           resort, Ncrack looks in the current directory. Keep this order in
995           mind when a modified list or ncrack-services file seems ignored.
996
997       -V; --version (Print version number)
998           Prints the Ncrack version number and exits.
999
1000       -h; --help (Print help summary page)
1001           Prints a short help screen with the most common command flags.
1002           Running Ncrack without any arguments does the same thing.
1003

RUNTIME INTERACTION

1005       During the execution of Ncrack, all key presses are captured. This
1006       allows you to interact with the program without aborting and restarting
1007       it. Certain special keys will change options, while any other keys will
1008       print out a status message telling you about the scan. The convention
1009       is that lowercase letters increase the amount of printing, and
1010       uppercase letters decrease the printing. You may also press ‘?’ for
1011       help.
1012
1013       v / V
1014           Increase / decrease the verbosity level
1015
1016       d / D
1017           Increase / decrease the debugging Level
1018
1019       ?
1020           Print a runtime interaction help screen
1021
1022       Anything else
1023           Print out a status message like this:
1024
1025           Stats: 0:00:20 elapsed; 0 services completed (1 total)
1026
1027           Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17
1028           remaining)
1029

MODULES

1031       Ncrack's architecture is modular, with each module corresponding to one
1032       particular service or protocol. Currently, Ncrack supports the
1033       protocols FTP, TELNET, SSH, HTTP(S) (basic authentication), SMB, RDP
1034       and VNC. If you want to write and contribute your own Ncrack modules,
1035       be sure to read the Ncrack Developer's Guide at
1036       http://nmap.org/ncrack/devguide.html. Below we describe some key points
1037       for each of them.
1038
1039       FTP Module
1040
1041           FTP authentication is quite fast, since there is very little
1042           protocol negotiation overhead. Most FTP daemons allow 3 to 6
1043           authentication attempts but usually impose a certain delay before
1044           replying with the results of a failed attempt. Filezilla is one of
1045           the most characteristic examples of this case, where the time delay
1046           is so great, that it is usually faster to open more connections
1047           against it, with each of them doing only 1 authentication per
1048           connection.
1049
1050       TELNET Module
1051
1052           Telnet daemons have largely been superseded by their safer
1053           counterpart, SSH. However, there are many boxes, mainly routers
1054           or printers, that still rely on Telnet for remote access. Usually
1055           these are also easier to crack, since default passwords for them
1056           are publicly known. The drawback is that telnet is a rather slow
1057           protocol, so you shouldn't be expecting really high rates against
1058           it.
1059
1060       SSH Module
1061
1062           SSH is one of the most prevalent protocols in today's networks. For
1063           this reason, a special library, named opensshlib and based on code
1064           from OpenSSH, was specifically built and tailored to Ncrack's
1065           needs. Opensshlib ships with Ncrack, so SSH support comes out of
1066           the box. OpenSSL will have to be installed on Unix systems, though.
1067           Windows OpenSSL DLLs are included in Ncrack, so Windows users
1068           shouldn't need to worry about it at all.
1069
1070           SSH bruteforcing holds many pitfalls and challenges, and you are
1071           well advised to read a paper that was written to explain them. The
1072           latest version of the "Hacking the OpenSSH library for Ncrack"
1073           document can be found under docs/openssh_library.txt or at
1074           http://sock-raw.org/papers/openssh_library
1075
1076       HTTP(S) Module
1077
1078           The HTTP module currently supports basic authentication only;
1079           additional methods will be added soon. Ncrack tries to use the HTTP
1080           keep-alive option whenever possible, which leads to really high
1081           speeds, since that allows dozens of attempts to be carried out per
1082           connection. The HTTP module can also be run over SSL, controlled by
1083           the per-service ssl option visible in the Targets table above.
1084
1085       SMB Module
1086
           The SMB module currently works over raw TCP. NetBIOS isn't
           supported yet. This protocol allows for high parallelization, so
           users could potentially increase the number of concurrent probes
           against it. SMB is frequently used for file-sharing among other
           things and is one of the most ubiquitous protocols, being present
           in both Unix and Windows environments.

       RDP Module

           RDP (Remote Desktop Protocol) is a proprietary protocol developed
           by Microsoft for the purpose of providing remote terminal services
           by transferring graphics display information from the remote
           computer to the user and transporting input commands from the user
           to the remote computer. Fortunately, Microsoft recently decided to
           open the protocol's internal workings to the public and has
           provided official documentation, which can be found at
           http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx

           RDP is one of the most complex protocols, requiring the exchange of
           many packets, even for just the authentication phase. For this
           reason, cracking it takes a lot of time and this is probably the
           slowest module. The connection phase is briefly described at
           http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx
           where you can also see a diagram of the various packets involved.
           Care must be taken against RDP servers on Windows XP versions,
           since they can't handle multiple connections at the same time. It
           is advised to use a very slow timing template or, better still, to
           limit the maximum number of parallel connections using timing
           options such as CL (connection limit) or cd (connection delay)
           against Windows XP (and similar) RDP servers. Windows Vista and
           above don't suffer from the same limitation.

       VNC Module

           The VNC protocol is in widespread use among Unix administrators
           and users for remote graphical access. VNC is perhaps one of the
           most vulnerable protocols in terms of brute-forcing, since it
           often requires a password without a corresponding username for
           authentication. In addition, some versions of VNC impose an
           8-character limit on password length. You should consider adding
           the --passwords-first option when cracking VNC systems, to exploit
           the fact that the username often has no actual importance in
           authentication.

       POP3(S) Module

           POP3 support is still experimental and hasn't been thoroughly
           tested. You can expect it to work against common mail servers,
           nevertheless.


BUGS

       Like its authors, Ncrack isn't perfect. But you can help make it better
       by sending bug reports or even writing patches. If Ncrack doesn't
       behave the way you expect, first upgrade to the latest version
       available from http://nmap.org/ncrack. If the problem persists, do some
       research to determine whether it has already been discovered and
       addressed. Try searching for the error message on our search page at
       http://insecure.org/search.html or on Google. Also try browsing the
       nmap-dev archives at http://seclists.org/. Read this full manual page
       as well. If you are developing your own Ncrack module, make sure you
       have first read the Ncrack Developer's Guide at
       http://nmap.org/ncrack/devguide.html. If nothing comes of this, mail a
       bug report to nmap-dev@insecure.org. Please include everything you
       have learned about the problem, as well as what version of Ncrack you
       are running and what operating system version it is running on. Problem
       reports and Ncrack usage questions sent to nmap-dev@insecure.org are
       far more likely to be answered than those sent to Fyodor directly. If
       you subscribe to the nmap-dev list before posting, your message will
       bypass moderation and get through more quickly. Subscribe at
       http://cgi.insecure.org/mailman/listinfo/nmap-dev.

       Code patches to fix bugs are even better than bug reports. Basic
       instructions for creating patch files with your changes are available
       at http://nmap.org/data/HACKING. Patches may be sent to nmap-dev
       (recommended) or to Fyodor directly.


AUTHORS

       ithilgore (Fotis Hantzis) ithilgore.ryu.l@gmail.com
       (http://sock-raw.org)

       Fyodor fyodor@insecure.org (http://insecure.org)

       While it isn't distributed with Nmap, Ncrack is part of the Nmap
       project and falls under the same license and (non) warranty provisions,
       as described at http://nmap.org/book/man-legal.html.



Ncrack                            04/23/2011                         NCRACK(1)