NCRACK(1)                   Ncrack Reference Guide                   NCRACK(1)

NAME

       ncrack - Network authentication cracking tool

SYNOPSIS

       ncrack [Options] {target specification}

DESCRIPTION

       Ncrack is an open source tool for network authentication cracking. It
       was designed for high-speed parallel cracking using a dynamic engine
       that can adapt to different network situations. Ncrack can also be
       extensively fine-tuned for special cases, though the default parameters
       are generic enough to cover almost every situation. It is built on a
       modular architecture that allows for easy extension to support
       additional protocols. Ncrack is designed for companies and security
       professionals to audit large networks for default or weak passwords in
       a rapid and reliable way. It can also be used to conduct fairly
       sophisticated and intensive brute force attacks against individual
       services.

           Warning
           Ncrack is a project started in the Summer of 2009. While it is
           already useful for some purposes, it is still unfinished, beta
           quality software. You can help out by testing it and reporting any
           problems as described in the section called “BUGS”.

       The output from Ncrack is a list of found credentials, if any, for each
       of the targets specified. Ncrack can also print an interactive status
       report of progress so far and possibly additional debugging information
       that can help track problems, if the user selected that option.

       A typical Ncrack scan is shown in Example 1. The only Ncrack arguments
       used in this example are the two target IP addresses along with the
       corresponding ports for each of them. The two example ports 21 and 22
       are automatically resolved to the default services listening on them:
       ftp and ssh.

       Example 1. A representative Ncrack scan

           $ ncrack 10.0.0.130:21 192.168.1.2:22

           Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST

           Discovered credentials for ftp on 10.0.0.130 21/tcp:
           10.0.0.130 21/tcp ftp: admin hello1
           Discovered credentials for ssh on 192.168.1.2 22/tcp:
           192.168.1.2 22/tcp ssh: guest 12345
           192.168.1.2 22/tcp ssh: admin money$

           Ncrack done: 2 services scanned in 156.03 seconds.

           Ncrack finished.

       The latest version of Ncrack can be obtained from
       http://nmap.org/ncrack. The latest version of this man page is
       available at http://nmap.org/ncrack/man.html.

OPTIONS SUMMARY

       This options summary is printed when Ncrack is run with no arguments.
       It helps people remember the most common options, but is no substitute
       for the in-depth documentation in the rest of this manual.

           Ncrack 0.7 ( http://ncrack.org )
           Usage: ncrack [Options] {target and service specification}
           TARGET SPECIFICATION:
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
             -iX <inputfilename>: Input from Nmap's -oX XML output format
             -iN <inputfilename>: Input from Nmap's -oN Normal output format
             -iL <inputfilename>: Input from list of hosts/networks
             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
             --excludefile <exclude_file>: Exclude list from file
           SERVICE SPECIFICATION:
             Can pass target specific services in <service>://target (standard) notation or
             using -p which will be applied to all hosts in non-standard notation.
             Service arguments can be specified to be host-specific, type of service-specific
             (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
             Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
             -p <service-list>: services will be applied to all non-standard notation hosts
             -m <service>:<options>: options will be applied to all services of this type
             -g <options>: options will be applied to every service globally
             Misc options:
               ssl: enable SSL over this service
               path <name>: used in modules like HTTP ('=' needs escaping if used)
               db <name>: used in modules like MongoDB to specify the database
               domain <name>: used in modules like WinRM to specify the domain
           TIMING AND PERFORMANCE:
             Options which take <time> are in seconds, unless you append 'ms'
             (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
             Service-specific options:
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay <time> between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking <time> for service, regardless of success so far
             -T<0-5>: Set timing template (higher is faster)
             --connection-limit <number>: threshold for total concurrent connections
             --stealthy-linear: try credentials using only one connection against each specified host
               until you hit the same host again. Overrides all other timing options.
           AUTHENTICATION:
             -U <filename>: username file
             -P <filename>: password file
             --user <username_list>: comma-separated username list
             --pass <password_list>: comma-separated password list
             --passwords-first: Iterate password list for each username. Default is opposite.
             --pairwise: Choose usernames and passwords in pairs.
           OUTPUT:
             -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
             -oA <basename>: Output in the two major formats at once
             -v: Increase verbosity level (use twice or more for greater effect)
             -d[level]: Set or increase debugging level (Up to 10 is meaningful)
             --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
             --log-errors: Log errors/warnings to the normal-format output file
             --append-output: Append to rather than clobber specified output files
           MISC:
             --resume <file>: Continue previously saved session
             --save <file>: Save restoration file with specific filename
             -f: quit cracking service after one found credential
             -6: Enable IPv6 cracking
             -sL or --list: only list hosts and services
             --datadir <dirname>: Specify custom Ncrack data file location
             --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
             -V: Print version number
             -h: Print this help summary page.
           MODULES:
             SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
           EXAMPLES:
             ncrack -v --user root localhost:22
             ncrack -v -T5 https://192.168.0.1
             ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
           SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

TARGET SPECIFICATION

       Everything on the Ncrack command-line that isn't an option (or an
       option argument) is treated as a target host specification. The
       simplest case is to specify a target IP address or a hostname. Note
       that you also need to specify a service to crack for the selected
       targets. Ncrack is very flexible in host/service specification. While
       hostnames and IP addresses can be defined with the flexibility that you
       are probably used to from Nmap, services along with service-specific
       options have a unique specification style that enables a combination of
       features to be taken advantage of.

       Sometimes you wish to crack a whole network of adjacent hosts. For
       this, Ncrack supports CIDR-style addressing. You can append /numbits to
       an IPv4 address or hostname and Ncrack will try to crack every IP
       address for which the first numbits are the same as for the reference
       IP or hostname given. For example, 192.168.10.0/24 would send probes to
       the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
       00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010
       11111111), inclusive. 192.168.10.40/24 would crack exactly the same
       targets. Given that the host scanme.nmap.org is at the IP address
       64.13.134.52, the specification scanme.nmap.org/16 would send probes to
       the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The
       smallest allowed value is /0, which targets the whole Internet. The
       largest value is /32, which targets just the named host or IP address
       because all address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you
       might want to send probes to 192.168.0.0/16 but skip any IPs ending
       with .0 or .255 because they may be used as subnet network and
       broadcast addresses. Ncrack supports this through octet range
       addressing. Rather than specify a normal IP address, you can specify a
       comma-separated list of numbers or ranges for each octet. For example,
       192.168.0-255.1-254 will skip all addresses in the range that end in .0
       or .255, and 192.168.3-5,7.1 will target the four addresses
       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
       a range may be omitted; the default values are 0 on the left and 255 on
       the right. Using - by itself is the same as 0-255, but remember to use
       0- in the first octet so the target specification doesn't look like a
       command-line option. Ranges need not be limited to the final octets: a
       specifier with ranges in the leading octets will send probes to all IP
       addresses on the Internet ending in 13.37. This sort of broad sampling
       can be useful for Internet surveys and research.

       Ncrack accepts multiple host specifications on the command line, and
       they don't need to be the same type. The command ncrack scanme.nmap.org
       192.168.0.0/8 10.0.0,1,3-7.- -p22 does what you would expect.

       While targets are usually specified on the command line, the following
       options are also available to control target selection:

       -iX inputfilename (Input from Nmap's -oX XML output format)
           Reads target/service specifications from an Nmap XML output file.
           The Nmap XML file is created by scanning any hosts and specifying
           the Nmap -oX option. Ncrack will automatically parse the IP
           addresses and the corresponding ports and services that are open
           and will use these targets for authentication auditing. This is a
           really useful option, since it lets you essentially combine these
           two tools, Nmap and Ncrack, for cracking only those services that
           are surely open. In addition, if version detection has been enabled
           in Nmap (-sV option), Ncrack will use those findings to recognize
           and crack those services that are supported but are listening on
           non-default ports. For example, if a host has a server listening
           on port 41414 and Nmap has identified that it is an SSH service,
           Ncrack will use that information to crack it using the SSH module.
           Of course, Ncrack is going to ignore open ports/services that are
           not supported for authentication cracking by its modules.

       -iN inputfilename (Input from Nmap's -oN Normal output format)
           Reads target/service specifications from an Nmap Normal output
           file. The Nmap Normal file is created by scanning any hosts and
           specifying the Nmap -oN option. This works exactly like Ncrack's
           -iX option, the only difference being the format of the input file.

       -iL inputfilename (Input from list)
           Reads target specifications from inputfilename. Passing a huge list
           of hosts is often awkward on the command line, yet it is a common
           desire. For example, you might want to crack a list of very
           specific servers that have been specified for penetration testing.
           Simply generate the list of hosts to crack and pass that filename
           to Ncrack as an argument to the -iL option. Entries can be in any
           of the formats accepted by Ncrack on the command line (IP address,
           hostname, CIDR, octet ranges or Ncrack's special host-service
           syntax). Each entry must be separated by one or more spaces, tabs,
           or newlines. You can specify a hyphen (-) as the filename if you
           want Ncrack to read hosts from standard input rather than an actual
           file. Note, however, that if hosts are specified without any
           service, you will have to also provide services/ports for the
           targets using the -p option.

       --exclude host1[, host2[, ...]] (Exclude hosts/networks)
           Specifies a comma-separated list of targets to be excluded from the
           scan even if they are part of the overall network range you
           specify. The list you pass in uses normal Ncrack syntax, so it can
           include hostnames, CIDR netblocks, octet ranges, etc. This can be
           useful when the network you wish to scan includes untouchable
           mission-critical servers, systems that are known to react adversely
           to heavy load, or subnets administered by other people.

       --excludefile exclude_file (Exclude list from file)
           This offers the same functionality as the --exclude option, except
           that the excluded targets are provided in a newline, space, or tab
           delimited exclude_file rather than on the command line.
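       The CIDR and octet-range rules described above, together with the
       --exclude semantics, can be checked offline with the following Python
       example. It is an added illustration written for this page, not
       Ncrack's own target parser: it expands one IPv4 target specification
       into the addresses it covers and removes whatever an exclude list
       covers. Hostnames are not resolved and the special host-service syntax
       is not handled; both are assumptions of this example, as are the
       function names.

```python
import ipaddress
import itertools
from typing import Iterator, List, Set


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet of an octet-range spec, e.g. '3-5,7' -> [3, 4, 5, 7].

    Either side of a range may be omitted (0 on the left, 255 on the right),
    so '-' alone means 0-255, as the manual describes."""
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_v = int(lo) if lo else 0
            hi_v = int(hi) if hi else 255
        else:
            lo_v = hi_v = int(part)
        if not 0 <= lo_v <= hi_v <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo_v, hi_v + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one Ncrack-style target spec.

    CIDR: host bits are ignored, so 192.168.10.40/24 covers the same 256
    addresses as 192.168.10.0/24. Anything else is treated as octet-range
    notation. Hostnames are not resolved (assumption of this example)."""
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    for a, b, c, d in itertools.product(*(_expand_octet(o) for o in octets)):
        yield f"{a}.{b}.{c}.{d}"


def count_targets(spec: str) -> int:
    """Number of addresses a spec covers, without materialising a list."""
    return sum(1 for _ in expand_target(spec))


def apply_exclusions(specs: List[str], excludes: List[str]) -> Set[str]:
    """Model of --exclude: every address covered by an exclude spec is dropped,
    even when it lies inside one of the target ranges."""
    excluded: Set[str] = set()
    for ex in excludes:
        excluded.update(expand_target(ex))
    targets: Set[str] = set()
    for spec in specs:
        targets.update(a for a in expand_target(spec) if a not in excluded)
    return targets


if __name__ == "__main__":
    # Constructed sample: the manual's 192.168.3-5,7.1 with one host excluded.
    print(sorted(apply_exclusions(["192.168.3-5,7.1"], ["192.168.4.1"])))
```

       Counting before cracking is the useful habit here: a spec such as
       0-255.0-255.x.y or a /8 expands to a very large target set, and
       count_targets lets you see that number before any connection is made.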
242

SERVICE SPECIFICATION

       No cracking session can be carried out without targeting a certain
       service to attack. Service specification is one of the most flexible
       subsystems of Ncrack and collaborates with target specification in a
       way that allows different option combinations to be applied. For Ncrack
       to start running, you will have to specify at least one target host and
       one associated service to attack. Ncrack provides ways to specify a
       service by its default port number, by its name (as extracted from the
       ncrack-services file) or both. Normally, you need to define both name
       and port number only in the special case where you know that a
       particular service is listening on a non-default port.

       Ncrack offers two distinct ways with which services will be applied to
       your targets: per-host service specification and global specification.

       Per-host service specification

           Services specified in this mode are written next to the host and
           apply to it only. Keep in mind, however, that target specification
           allows wildcards/netmasks, which essentially means that applying a
           per-host service specification format to that particular target
           will affect all of the expanded ones as a result. The general
           format is:

            [service-name]://target:[port-number]

           where target is a hostname or IP address in any of the formats
           described in the target-specification section, [service-name] is
           one of the common service names as defined in the ncrack-services
           file (e.g. ssh, http) and [port-number] is what it obviously means.
           Ncrack can determine the default port numbers for each of the
           services it supports, as well as being able to deduce the service
           name when a default port number has been specified. Specifying both
           has meaning only when the user has a priori knowledge of a service
           listening on a non-default port number. This can easily be
           determined by using version detection like the one offered by
           Nmap's -sV option.

           Example 2. Per-host service specification example

               $ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910

           The above command will try to crack hosts: scanme.nmap.org on SSH
           service (default port 22), 10.0.0.10 on FTP service (default port
           21) and 192.168.1.0 - 192.168.1.255 (the whole class C subnet) on
           SSH service on non-default port 5910, which has been explicitly
           specified. In the last case, Ncrack wouldn't be able to determine
           that the subnet hosts are to be scanned against the SSH service on
           that particular port without the user explicitly asking for it,
           because there isn't any mapping of port number 5910 to service SSH.

       Global service specification

           Services specified in this mode are applied to all hosts that
           haven't been associated with the per-host service specification
           format. This is done using the -p option. While this facility may
           be similar to that of Nmap's, you should try not to confuse it,
           since the functionality is of a slightly different nature. Services
           can be specified using comma separated directives of the general
           format:

            -p [service1]:[port-number1],[service2]:[port-number2],...

           As usual, you need not specify both service name and port number
           since Ncrack knows the mappings of default services to default port
           numbers. Be careful though not to include any space between each
           service name and/or port number, because Ncrack will think that the
           argument after the space is a host as per the rule "everything that
           isn't an option is a target specification".

           Example 3. Global service specification example

               $ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet

           The above command will try to crack all of the specified hosts
           scanme.nmap.org, 10.0.0.120, 10.0.0.121, 10.0.0.122 and the class C
           subnet 192.168.2.0/24 against the following services: SSH service
           (mapped from default port 22), FTP service on non-default port
           3210, and TELNET service on default port 23.

       Of course, Ncrack allows you to combine both modes of service
       specification if you deem that necessary. Normally, you will only
       need to specify a couple of services, but cracking a lot of hosts
       against many different services might be a long-term project for large
       networks that need to be consistently audited for weak passwords. If
       you are in doubt about which hosts and services are going to be
       cracked with the current command, you can use the -sL option (see below
       for explanation).
337

SERVICE OPTIONS

       Apart from general service specification, Ncrack allows you to provide
       a multitude of options that apply to each or a subset of your targets.
       Options include timing and performance optimizations (which are
       thoroughly analyzed in a separate section), SSL enabling/disabling and
       other module-specific parameters like the relative URL path for the
       HTTP module. Options can be defined in a variety of ways which include:
       per-host options, per-module options and global options. Since a
       combination of these options may be used, there is a strict hierarchy
       of precedence which will be discussed later.

       Per-host Options

           Options in this mode apply only to the host(s) they are referring
           to and are written next to it according to the following format:

            [service-name]://target:[port-number],opt1=optval1,opt2=optval2,...

           The format of the service specification which comes before the
           options has been explained in the previous section. optN refers to
           any of the option names that are available (a list will follow
           below), while optvalN determines the value of that option and
           depends on the nature of it. For example, most timing-related
           options expect to receive numbers as values, while the path option
           obviously needs a string argument.

       Per-module Options

           Options in this mode apply to all hosts that are associated with
           the particular service/module. This is accomplished using the -m
           option, which has the format:

            -m service-name:opt1=optval1,opt2=optval2,...

           This option can be invoked multiple times, for as many different
           services as you might need to define service-wide applicable
           options. Each iteration of this option must refer to only one
           service. However, to avoid confusion, this option had better not be
           called more than one time for the same service, although this is
           allowed and the last iteration will take precedence over the
           previous ones for all redefined option values.

       Global Options

           Options in this mode apply to all hosts regardless of which service
           they are associated with. This is accomplished using the -g option
           as follows:

            -g opt1=optval1,opt2=optval2,...

           This acts as a convenience option, where you can apply options to
           all services globally. Everything else regarding the available
           options and option values is the same as the previous modes.

       List of available Service Options

       Below follows a list of all the currently available service options.
       You can apply them with any of the three modes described above. The
       last six of the options are timing related and will be analyzed in
       Section "Timing and Performance" of this manual.

               ssl: enable SSL over this service
               path: path-name used in modules like HTTP ('=' needs escaping if used)
               db: used in modules like MongoDB to specify the database
               domain: used in modules like WinRM to specify the domain
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay time between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking time for service, regardless of success so far
409
410
411
       ssl (Enable/Disable SSL over service)
           By enabling SSL, Ncrack will try to open a TCP connection and then
           negotiate an SSL session with the target. Everything will then be
           transparently encrypted and decrypted. However, since Ncrack's job
           is to provide speed rather than strong crypto, the algorithms and
           ciphers for SSL are chosen on an efficiency basis. The only
           possible value for this option is 'yes', but just specifying ssl
           is enough. Thus, this is the only option that doesn't need to be
           written in the opt=optval format. By default, SSL is disabled for
           all services except those that are strictly dependent on it like
           HTTPS.

       path <name> (Path name for relative URLs)
           Some services like HTTP or SVN usually require a specific path in
           the URL. This option takes that pathname string as its value. The
           path is always relative to the hostname or IP address, so if you
           want to target something like http://foobar.com/login.php the path
           must take the value path=login.php. The initial '/' is added if
           you omit it. However, it is usually better if you explicitly
           specify it at the end of pathnames that are directories. For
           example, to crack the directory for
           http://foobar.com/protected-dir/, it would be better if you wrote
           it as path=protected-dir/. This is to avoid the (very) slight
           probability of a false positive, because there are cases where Web
           servers might reply with a "301 Moved Permanently" for a
           non-successful attempt. They normally send that reply when a
           successful attempt is made for a requested password-protected path
           which has omitted the ending '/' but the requested resource is
           actually a directory. Consequently, Ncrack regards that reply as
           having succeeded in the authentication attempt.

           Also be careful with the symbol '=', since it is used by Ncrack for
           argument parsing and you will have to escape it if it is included
           in the URL.

           By default, the path name is initialized to '/', but will be
           ignored by services that do not require it.

       db <name> (Database name)
           Some services like MongoDB require a specific database name to
           crack. This option allows you to specify the database.

           By default, the db name for MongoDB is initialized to 'admin' but
           will be ignored by services that do not require it.

       domain <name> (Domain name)
           Some services like WinRM require a specific domain to crack. This
           option allows you to specify the domain.

           By default, the domain name for WinRM is initialized to
           'Workstation' but will be ignored by services that do not require
           it.

       Service Option Hierarchy

       As already noted, Ncrack allows a combination of the three different
       modes of service option specification. In that case, there is a strict
       hierarchy that resolves the order in which conflicting values for these
       options take precedence over each other. The order is as follows,
       leftmost being the highest priority and rightmost the lowest one:

       Per-host options > Per-module options > Global options >
       Timing-Template (for timing options only)

       The concept of the "Timing-Template" will be explained in the Section
       "Timing and Performance", but for now, just have in mind that its
       values have the lowest precedence of all and essentially act as
       defaults for everything timing-related. Global options specified with
       -g have the next higher precedence, while -m per-module options are
       higher still. At the top of the hierarchy reside the per-host options,
       which are essentially the most specific ones. Consequently, you can see
       that the pattern is: the more specific, the higher the precedence.
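       The following Python example, added for this page and not part of
       Ncrack's own code, resolves a command line of the kind this section
       describes into the effective options of every host/service pair,
       applying the documented order per-host > -m > -g > timing template.
       The default-port table, the -T3 template values (cl=7, CL=80, at=0,
       cd=0, cr=30, to=0), the ssl/path/db/domain defaults and the <time>
       unit suffixes are taken from this manual. Everything else is an
       assumption of the example: the tokenizer understands only host specs,
       -p, -m and -g; a comma-separated part of a host spec counts as an
       option only if it is ssl or contains '='; and the precedence rule is
       applied as written, without whatever consistency adjustment Ncrack
       itself makes between cl and CL (the real -sL output in Example 5 reports
       CL=10 for scanme.nmap.org, where the rule alone yields CL=3).

```python
import re
from typing import Dict, List, Optional, Tuple

# Default service <-> port mappings (a subset of the ncrack-services entries
# shown in this manual's ServicesTable).
SERVICES: Dict[str, int] = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80,
                            "https": 443, "smb": 445, "rdp": 3389}
PORTS: Dict[int, str] = {port: name for name, port in SERVICES.items()}

# Lowest-precedence defaults: the -T3 (Normal) timing template as printed by
# "-sL -d" in the manual, plus the documented ssl/path/db/domain defaults.
DEFAULTS: Dict[str, object] = {"cl": 7, "CL": 80, "at": 0, "cd": 0.0, "cr": 30,
                               "to": 0.0, "ssl": "no", "path": "/",
                               "db": "admin", "domain": "Workstation"}
INT_OPTS = {"cl", "CL", "at", "cr"}
TIME_OPTS = {"cd", "to"}          # <time> values, normalised to seconds


def parse_time(value: str) -> float:
    """Ncrack <time> values are seconds unless suffixed ms, m or h."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|m|h)?", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    scale = {None: 1.0, "ms": 0.001, "m": 60.0, "h": 3600.0}[m.group(2)]
    return float(m.group(1)) * scale


def parse_opts(parts: List[str]) -> Dict[str, object]:
    """['cl=10', 'at=1', 'ssl'] -> typed values; bare 'ssl' means ssl=yes."""
    opts: Dict[str, object] = {}
    for part in parts:
        if part == "ssl":
            opts["ssl"] = "yes"
            continue
        key, _, val = part.partition("=")
        if not val:
            raise ValueError(f"option {part!r} needs a value")
        opts[key] = (int(val) if key in INT_OPTS
                     else parse_time(val) if key in TIME_OPTS else val)
    return opts


def complete_service(service: Optional[str], port: Optional[int]) -> Tuple[str, int]:
    """Fill in whichever of name/port was omitted from the default table;
    both are only needed for a service on a non-default port."""
    if service is None and port is None:
        raise ValueError("no service given; use service:// or -p")
    if service is None:
        if port not in PORTS:
            raise ValueError(f"no default service for port {port}")
        service = PORTS[port]
    return service, (SERVICES[service] if port is None else port)


def parse_host_spec(token: str):
    """Parse '[service://]target[:port][,opt=val,...]'. Octet-range targets
    also contain commas, so (assumption) a part is an option only if it is
    'ssl' or contains '='. IPv4/hostname targets only."""
    service = None
    if "://" in token:
        service, token = token.split("://", 1)
    parts = token.split(",")
    is_opt = lambda p: p == "ssl" or "=" in p
    target = ",".join(p for p in parts if not is_opt(p))
    opts = parse_opts([p for p in parts if is_opt(p)])
    host, _, port_str = target.partition(":")
    return host, service, (int(port_str) if port_str else None), opts


def parse_service_list(arg: str) -> List[Tuple[str, int]]:
    """-p argument: '22,ftp:3210,telnet' -> [(ssh,22), (ftp,3210), (telnet,23)]."""
    services = []
    for entry in arg.split(","):
        if entry.isdigit():
            services.append(complete_service(None, int(entry)))
        else:
            name, _, p = entry.partition(":")
            services.append(complete_service(name, int(p) if p else None))
    return services


def plan(argv: List[str]) -> List[Tuple[str, str, int, Dict[str, object]]]:
    """Resolve a command line into (host, service, port, effective options),
    applying per-host > per-module (-m) > global (-g) > template defaults."""
    hosts, global_svcs, module_opts, global_opts = [], [], {}, {}
    it = iter(argv)
    for tok in it:
        if tok == "-p":
            global_svcs.extend(parse_service_list(next(it)))
        elif tok == "-m":   # repeatable; a later -m for the same service wins
            name, _, optstr = next(it).partition(":")
            module_opts.setdefault(name, {}).update(parse_opts(optstr.split(",")))
        elif tok == "-g":
            global_opts.update(parse_opts(next(it).split(",")))
        elif tok.startswith("-"):
            raise ValueError(f"option {tok!r} is not modelled by this example")
        else:
            hosts.append(parse_host_spec(tok))
    result = []
    for host, service, port, host_opts in hosts:
        # A per-host service spec wins; hosts without one get the -p services.
        svcs = (global_svcs if service is None and port is None
                else [complete_service(service, port)])
        for name, prt in svcs:
            effective = dict(DEFAULTS)
            effective.update(global_opts)            # -g
            effective.update(module_opts.get(name, {}))  # -m for this service
            effective.update(host_opts)              # per-host, most specific
            result.append((host, name, prt, effective))
    return result
```

       Feeding the Example 4 command line through plan() gives cl=10, at=1
       and CL=3 for ssh on scanme.nmap.org, and CL=1 with the template cl=7
       for both FTP hosts, which is the precedence outcome the text above
       describes; compare it against the tool's own -sL output before a large
       run, since -sL is the authoritative answer.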
484
       Example 4. Service Option Hierarchy example

           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3

       The example demonstrates the hierarchy precedence. The services that
       are going to be cracked are SSH for scanme.nmap.org and FTP for hosts
       10.0.0.120, 10.0.0.20. No particular timing template has been specified
       and thus the default will be used (Normal, i.e. -T3). The per-host
       options for scanme.nmap.org define that the minimum connection limit
       (cl) is 10 and that Ncrack should attempt only 1 authentication try
       (at) per connection. These values would override any other for service
       SSH of host scanme.nmap.org if there were conflicts with other modes.
       Since a global option of -g CL=3 was defined and there is no
       higher-precedence CL value for service SSH on scanme.nmap.org in
       particular, this value will also be applied. As for the FTP targets,
       the per-module -m ftp:CL=1 defined for all FTP services will override
       the equivalent global one. All these can get quite complex if overused,
       but they are not expected to be leveraged by the average Ncrack user
       anyway. Complicated network scanning scenarios might require them,
       though. To make certain the results are the ones you expect them to be,
       don't forget to use the -sL option, which prints out details about what
       Ncrack would crack if invoked normally. You can add the debugging -d
       option if you want even more verbose output. For the above example,
       Ncrack would print the following:
512
       Example 5. Service Option Hierarchy Output example

           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d

           Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT

           ----- [ Timing Template ] -----
           cl=7, CL=80, at=0, cd=0, cr=30, to=0

           ----- [ ServicesTable ] -----
           SERVICE            cl  CL  at  cd  cr  to  ssl path db    domain
           ftp:21             N/A 1   N/A N/A N/A N/A no  null null  null
           ssh:22             N/A N/A N/A N/A N/A N/A no  null null  null
           telnet:23          N/A N/A N/A N/A N/A N/A no  null null  null
           http:80            N/A N/A N/A N/A N/A N/A no  null null  null
           pop3:110           N/A N/A N/A N/A N/A N/A no  null null  null
           imap:143           N/A N/A N/A N/A N/A N/A no  null null  null
           netbios-ssn:445    N/A N/A N/A N/A N/A N/A no  null null  null
           smb:445            N/A N/A N/A N/A N/A N/A no  null null  null
           smb:139            N/A N/A N/A N/A N/A N/A no  null null  null
           https:443          N/A N/A N/A N/A N/A N/A yes null null  null
           owa:443            N/A N/A N/A N/A N/A N/A yes null null  null
           sip:5060           N/A N/A N/A N/A N/A N/A no  null null  null
           pop3s:995          N/A N/A N/A N/A N/A N/A yes null null  null
           mssql:1433         N/A N/A N/A N/A N/A N/A no  null null  null
           mysql:3306         N/A N/A N/A N/A N/A N/A no  null null  null
           ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no  null null  null
           rdp:3389           N/A N/A N/A N/A N/A N/A no  null null  null
           psql:5432          N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5801           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5900           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5901           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:6001           N/A N/A N/A N/A N/A N/A no  null null  null
           redis:6379         N/A N/A N/A N/A N/A N/A no  null null  null
           winrm:5985         N/A N/A N/A N/A N/A N/A no  null null  Workstation
           winrm:5986         N/A N/A N/A N/A N/A N/A no  null null  Workstation
           cassandra:9160     N/A N/A N/A N/A N/A N/A no  null null  null
           cassandra:9042     N/A N/A N/A N/A N/A N/A no  null null  null
           mongodb:27017      N/A N/A N/A N/A N/A N/A no  null admin null

           ----- [ Targets ] -----
           Host: 45.33.32.156 ( scanme.nmap.org )
             ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
           Host: 10.0.0.120
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
           Host: 10.0.0.20
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation


           Ncrack done: 3 services would be scanned.
           Probes sent: 0 | timed-out: 0 | prematurely-closed: 0

           Ncrack finished.

       The ServicesTable just lists the per-module options for all available
       services. As you can see, the only defined option is in the FTP service
       for the CL. The Targets table is the most important part of this
574       output and lists all targets and associated options according to the
575       command-line invocation. No network operation takes place in this mode,
576       apart from forward DNS resolution for hostnames (like scanme.nmap.org
577       in this example).
578

TIMING AND PERFORMANCE

       The timing engine is perhaps the most important part of any serious
       network authentication cracking tool. Ncrack's timing engine offers a
       great many options for optimization and can be bent to serve
       virtually any user need. As Ncrack progresses, this subsystem is
       going to evolve into a dynamic autonomous engine that will be able to
       automatically adjust its behaviour according to the network feedback it
       gets, in order to achieve maximum performance and precision without any
       user intervention.

       Some options accept a time parameter. This is specified in seconds by
       default, though you can append ‘ms’, ‘m’, or ‘h’ to the value to
       specify milliseconds, minutes, or hours (‘s’ for seconds is redundant).
       So the cd (connection delay) arguments 900000ms, 900s, and 15m all do
       the same thing.

       cl num-minconnections; CL num-maxconnections (Adjust number of
       concurrent parallel connections)

           Connection Limit

           These options control the total number of connections that may be
           outstanding for any service at the same time. Normally, Ncrack
           tries to dynamically adjust the number of connections for each
           individual target by counting how many drops or connection failures
           happen. If a strange network condition occurs that signifies that
           something may be going wrong, like the host dropping any new
           connection attempts, then Ncrack will immediately lower the total
           number of connections hitting the service. However, the caps on the
           minimum or maximum number of connections that will take place can
           be overridden using these two options. By properly adjusting them,
           you can essentially optimize performance, if you can handle the
           tricky part of knowing or discovering your target's own limits. The
           convention here is that cl with lowercase letters refers to the
           minimum connection limit, while CL with uppercase letters refers to
           the maximum number of connections.

           The most common usage is to set cl (minimum connection limit) for
           targets that you are almost certain are going to withstand that
           many connections at any given time. This is a risky option to play
           with, as setting it too high might actually do more harm than good
           by effectively DoS-attacking the target and triggering firewall
           rules that will ban your IP address.

           On the other hand, for more stealthy missions, setting the CL
           (maximum connection limit) to a low value might be what you want.
           However, setting it too low will surely have a great impact on
           overall cracking speed. For maximum stealth, this can be combined
           with the cd (connection delay) described below.

       at num-attempts (Adjust authentication attempts per connection)

           Authentication Tries

           Using this option, you can order Ncrack to limit the authentication
           attempts it carries out per connection. Ncrack initially sends a
           reconnaissance probe that lets it calculate the maximum number of
           such authentication tries and from then on it always tries to use
           that number. Most services pose an upper limit on the number of
           authentication attempts per connection and in most cases finding
           that maximum leads to better performance.

           Setting this option to lower values can give you some stealth
           bonus, since services such as SSH tend to log failed attempts after
           more than a certain number of authentication tries per connection.
           They use that as a metric rather than counting the total number of
           authentication attempts or connections per IP address (which is
           usually done by a firewall). Consequently, a number of 1 or 2
           authentication tries might circumvent logging in some cases.

           Note that setting that option to a high value will not have any
           effect if Ncrack realizes that the server doesn't allow that many
           attempts per connection. In this case, it will just use that
           maximum number and ignore your setting.

       cd time (Adjust delay time between each new connection)

           Connection Delay

           This option essentially defines the imposed time delay between each
           new connection. Ncrack will wait the amount of time you specify in
           this option value before starting a new connection against the
           given service. The higher you set it, the slower Ncrack will
           perform, but the stealthier your attack will become.

           Ncrack by default tries to initiate new connections as fast as
           possible, given that new probes are actually allowed to be sent and
           are not restricted by parameters such as the Connection Limit,
           which can dynamically increase or decrease. Although this approach
           achieves blazing speed as long as the host remains responsive, it
           can lead to a number of disasters, such as a firewall being
           triggered, the target's or your own bandwidth being diminished and
           even the tested service suffering a Denial of Service attack. By
           carefully adjusting this option, you can potentially avoid these
           annoying situations.

       cr max-conattempts (Adjust the max number of connection retries)

           Connection Retries

           This option allows the user to specify the maximum number of
           consecutive failed connection attempts against that particular
           service. If, at any time during the cracking session, that many
           consecutive connection attempts against the service fail, Ncrack
           will stop cracking it entirely.

       to time (Adjust the maximum overall cracking time)

           Timeout

           Define how much time Ncrack is going to spend cracking the service
           before giving up, regardless of whether it has found any
           credentials so far. Any authentication token discovered until that
           time will still be stored and printed normally. Ncrack marks a
           service as finished when the iteration over the username/password
           lists ends or when it can no longer crack it for some serious
           reason. If Ncrack finishes cracking a service before the time
           specified in this option, then the option will not be taken into
           account at all.

           Sometimes, you have a limited time window to scan/crack your hosts.
           This might occur for various reasons. A common one would be that
           normal user activity mustn't be interrupted and, since Ncrack can
           become very aggressive, it might be allowed to scan the hosts only
           during certain time periods, like the night hours. Scanning during
           such hours is also likely to make an attack less detectable.

           Don't forget that Ncrack allows you to specify the time unit of
           measure by appending ‘ms’, ‘m’, or ‘h’ for milliseconds, minutes or
           hours (seconds is the default time unit). Using them in this
           particular option is really convenient, as you can specify
           something like to=8h to give Ncrack a total of 8 hours to crack
           that service. Setting up cronjobs for scheduled scans in
           combination with this option might also be a good idea.

       -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing
       template)
           While the fine-grained timing controls discussed in the previous
           section are powerful and effective, some people find them
           confusing. Moreover, choosing the appropriate values can sometimes
           take more time than the scan you are trying to optimize. So Ncrack
           offers a simpler approach, with six timing templates. You can
           specify them with the -T option and their number (0–5) or their
           name. The template names are paranoid (0), sneaky (1), polite (2),
           normal (3), aggressive (4), and insane (5). The first two are for
           IDS evasion. Polite mode slows down the scan to use less bandwidth
           and target machine resources. Normal mode is the default and so -T3
           does nothing. Aggressive mode speeds scans up by making the
           assumption that you are on a reasonably fast and reliable network.
           Finally, insane mode assumes that you are on an extraordinarily
           fast network or are willing to sacrifice some accuracy for speed.

           These templates allow the user to specify how aggressive they wish
           to be, while leaving Ncrack to pick the exact timing values. If you
           know that the network service is going to withstand a huge number
           of connections you might try using the aggressive template, -T4.
           Even then, this is mostly advised for services residing in the
           local network. Going over to insane mode (-T5) is not recommended,
           unless you absolutely know what you are doing.

           While -T0 and -T1 may be useful for avoiding IDS alerts, they
           will take an extraordinarily long time to crack even a few
           services. For such a long scan, you may prefer to set the exact
           timing values you need rather than rely on the canned -T0 and -T1
           values.

       --connection-limit numprobes (Adjust the threshold of total concurrent
       connections)
           NOT IMPLEMENTED YET.


AUTHENTICATION

       This section describes ways of specifying your own username and
       password lists as well as the available modes of iterating over them.
       Ncrack ships with a variety of username and password lists which
       reside under the directory 'lists' of the source tarball and are later
       installed under Ncrack's data directory, which usually is
       /usr/local/share/ncrack or /usr/share/ncrack. You can omit specifying
       any lists and Ncrack is going to use the default ones, which contain
       some of the most common usernames and passwords. The password list is
       frequency-sorted with the most common passwords at the beginning of
       the list so they will be tried out first. The lists have been derived
       from a combination of sorting publicly leaked password files and other
       techniques.

       -U filename (Specify username list)
           Specify your own username list by giving the path to the filename
           as argument to this option.

           Usernames for specific environments can be gathered in numerous
           ways, including harvesting email addresses from the company's
           website, looking up information in whois databases, using the SMTP
           VRFY technique at vulnerable mail servers or through social
           engineering.

       -P filename (Specify password list)
           Specify your own password list by giving the path to the filename
           as argument to this option.

           Common passwords are usually derived from leaked lists as a result
           of successful intrusions in public sites such as forums or other
           social networking places. A great deal of them have already been
           publicly disclosed and some of these have been used to assemble
           Ncrack's own lists.

       --user username_list (Specify command-line comma-separated username
       list)
           Specify your own usernames directly in the command line as a
           comma-separated list.

       --pass password_list (Specify command-line comma-separated password
       list)
           Specify your own passwords directly in the command line as a
           comma-separated list.

       --passwords-first (Reverse the way passwords are iterated)
           Ncrack by default iterates the username list for each password.
           With this option, you can reverse that. For example, given the
           username list "root, guest, admin" and the password list
           "test, 12345, q1w2e3r4", Ncrack will normally go over them like
           this: root:test, guest:test, admin:test, root:12345 etc. By
           enabling this option it will go over them like this: root:test,
           root:12345, root:q1w2e3r4, guest:test etc.

           Most network authentication cracking tools prefer by default to
           iterate the password list for each username. This is, however,
           ineffective compared to the opposite iteration in most cases. This
           holds true for the simple reason that password lists are usually
           sorted on a frequency basis, meaning that the more common a
           password is, the closer to the beginning of the password list it
           is. Thus, iterating over all usernames for the most common
           passwords first usually has more chances to get a positive result.
           With the --passwords-first iteration, very common passwords might
           not even be tried out for certain usernames if the user chooses to
           abort the session early. However, this option might prove valuable
           for cases where the attacker knows and has already verified that
           the username list contains real usernames, instead of blindly
           bruteforcing through them.

       --pairwise (Choose usernames and passwords in pairs)
           Enabling this option will make Ncrack iterate the username and
           password lists by choosing them in pairs. For example, given the
           username list "root, guest, admin" and the password list
           "test, 12345, q1w2e3r4", Ncrack will go over them like this:
           "root:test", "guest:12345", "admin:q1w2e3r4". This is particularly
           useful when inside knowledge of the infrastructure tested is
           available and special username and password lists have been made.

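       The three iteration orders described under --passwords-first and
       --pairwise, as an added Python illustration (not Ncrack's own code,
       which is C++): it reproduces the orderings with the manual's sample
       lists, reports at which attempt a known-valid pair surfaces, how the
       first attempts are spread across accounts (what a per-account failure
       counter on the defended service sees), and how many connections an
       'at' limit implies. Dropping surplus entries in pairwise mode and the
       connection arithmetic are assumptions of this example.

```python
"""Credential iteration orders documented for -U/-P, --passwords-first
and --pairwise. Added illustration, not Ncrack's own code; the
pairwise surplus handling and the per-connection arithmetic are
assumptions that simplify the real engine."""
from math import ceil
from typing import Dict, Iterator, List, Tuple

Cred = Tuple[str, str]

# Constructed sample lists, taken from the manual's own example.
USERS = ["root", "guest", "admin"]
PASSWORDS = ["test", "12345", "q1w2e3r4"]


def iterate_credentials(users: List[str], passwords: List[str],
                        mode: str = "default") -> Iterator[Cred]:
    """Yield (username, password) pairs in the order the manual describes.

    default          outer loop over passwords, inner loop over usernames,
                     so the most frequent passwords hit every account first
    passwords-first  outer loop over usernames, inner loop over passwords
    pairwise         position-by-position zip of the two lists
    """
    if mode == "default":
        for password in passwords:
            for user in users:
                yield (user, password)
    elif mode == "passwords-first":
        for user in users:
            for password in passwords:
                yield (user, password)
    elif mode == "pairwise":
        # Assumption: with lists of unequal length the surplus entries of
        # the longer list are dropped, as zip() does.
        yield from zip(users, passwords)
    else:
        raise ValueError(f"unknown iteration mode: {mode!r}")


def attempts_until_found(users: List[str], passwords: List[str],
                         mode: str, valid: Cred) -> int:
    """1-based position of a known-valid pair in the iteration, or -1 if
    the ordering never produces it (e.g. pairwise with a mismatched pair)."""
    for n, cred in enumerate(iterate_credentials(users, passwords, mode), 1):
        if cred == valid:
            return n
    return -1


def attempts_per_account(users: List[str], passwords: List[str],
                         mode: str, first_n: int) -> Dict[str, int]:
    """Distribution of the first first_n attempts over accounts. The
    default order spreads them evenly (one per account per password);
    passwords-first concentrates them on the first accounts. A defender's
    per-account failure counter observes exactly this distribution."""
    counts = {u: 0 for u in users}
    for n, (user, _) in enumerate(iterate_credentials(users, passwords, mode), 1):
        if n > first_n:
            break
        counts[user] += 1
    return counts


def connections_needed(n_attempts: int, at: int) -> int:
    """Connections required to issue n_attempts when the service allows at
    most 'at' authentication tries per connection (the 'at' option)."""
    if at < 1:
        raise ValueError("at must be >= 1")
    return ceil(n_attempts / at)


if __name__ == "__main__":
    for mode in ("default", "passwords-first", "pairwise"):
        order = ", ".join(f"{u}:{p}" for u, p in
                          iterate_credentials(USERS, PASSWORDS, mode))
        print(f"{mode:16s} {order}")
    print("connections for 9 attempts with at=2:", connections_needed(9, 2))
```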

OUTPUT

       Any security tool is only as useful as the output it generates. Complex
       tests and algorithms are of little value if they aren't presented in an
       organized and comprehensible fashion. Of course, no single format can
       please everyone. So Ncrack offers several formats, including the
       interactive mode for humans to read directly and XML for easy parsing
       by software.

       In addition to offering different output formats, Ncrack provides
       options for controlling the verbosity of output as well as debugging
       messages. Output types may be sent to standard output or to named
       files, which Ncrack can append to or clobber.

       Ncrack makes output available in three different formats. The default
       is called interactive output, and it is sent to standard output
       (stdout). There is also normal output, which is similar to interactive
       except that it displays less runtime information and warnings since it
       is expected to be analyzed after the scan completes rather than
       interactively.

       XML output is one of the most important output types, as it can be
       converted to HTML, easily parsed by programs such as Ncrack graphical
       user interfaces, or imported into databases. Currently, XML output
       hasn't been implemented.

       While interactive output is the default and has no associated
       command-line options, the other two format options use the same syntax.
       They take one argument, which is the filename that results should be
       stored in. Multiple formats may be specified, but each format may only
       be specified once. For example, you may wish to save normal output for
       your own review while saving XML of the same scan for programmatic
       analysis. You might do this with the options -oX myscan.xml -oN
       myscan.ncrack. While this chapter uses simple names like myscan.xml
       for brevity, more descriptive names are generally recommended. The
       names chosen are a matter of personal preference. One scheme is to
       use long filenames that incorporate the scan date and a word or two
       describing the scan, placed in a directory named after the company that
       is being scanned.

       While these options save results to files, Ncrack still prints
       interactive output to stdout as usual. For example, the command ncrack
       -oX myscan.xml [target] prints XML to myscan.xml and fills standard
       output with the same interactive results it would have printed if -oX
       wasn't specified at all. You can change this by passing a hyphen
       character as the argument to one of the format types. This causes
       Ncrack to deactivate interactive output, and instead print results in
       the format you specified to the standard output stream. So the command
       ncrack -oX - target will send only XML output to stdout. Serious errors
       may still be printed to the normal error stream, stderr.

       Unlike some Ncrack arguments, the space between the logfile option flag
       (such as -oX) and the filename or hyphen is mandatory.

       All of these arguments support strftime-like conversions in the
       filename. %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as
       in strftime. %T is the same as %H%M%S, %R is the same as %H%M, and %D
       is the same as %m%d%y. A % followed by any other character just yields
       that character (%% gives you a percent symbol). So -oX 'scan-%T-%D.xml'
       will use an XML file in the form of scan-144840-121307.xml.

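       An added Python illustration (not Ncrack's implementation) of the
       filename conversions just described: it expands a -oN/-oX/-oA
       specification and, because '%' followed by any character yields that
       character (so '/' and '..' can appear), adds a check that the expanded
       name stays inside the intended log directory, which a wrapper script
       building names from untrusted input would want. The treatment of a
       dangling trailing '%' and the containment check are assumptions of
       this example, not documented Ncrack behaviour.

```python
"""Expansion of the strftime-like conversions Ncrack accepts in -oN/-oX/-oA
filenames, as the manual describes them. Added illustration, not Ncrack's
own implementation; the handling of a trailing lone '%' and the directory
containment check are assumptions of this example."""
import os
from datetime import datetime

# Conversions passed to strftime unchanged.
_PLAIN = set("HMSmdyY")
# Ncrack's composite conversions, in strftime terms.
_COMPOSITE = {"T": "%H%M%S", "R": "%H%M", "D": "%m%d%y"}

# Constructed timestamp: 13 Dec 2007, 14:48:40, which reproduces the
# manual's sample name scan-144840-121307.xml for -oX 'scan-%T-%D.xml'.
SAMPLE_TIME = datetime(2007, 12, 13, 14, 48, 40)


def expand_output_filename(spec: str, now: datetime) -> str:
    """Expand a -oN/-oX/-oA filename specification at time 'now'."""
    out = []
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(spec):
            # Dangling '%' at the end: kept literally (assumption; the
            # manual does not define this case).
            out.append("%")
            break
        conv = spec[i + 1]
        if conv in _PLAIN:
            out.append(now.strftime("%" + conv))
        elif conv in _COMPOSITE:
            out.append(now.strftime(_COMPOSITE[conv]))
        else:
            # '%' followed by any other character yields that character,
            # so '%%' yields a single percent sign.
            out.append(conv)
        i += 2
    return "".join(out)


def path_stays_within(base_dir: str, name: str) -> bool:
    """True if base_dir/name resolves to a location inside base_dir.
    Since '%' + any character yields that character, a specification can
    carry '/' or '..'; a wrapper that derives log names from untrusted
    input should verify the expanded path before handing it to the tool."""
    base = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base, name))
    return os.path.commonpath([base, full]) == base


def output_path(base_dir: str, spec: str, now: datetime) -> str:
    """Expand spec under base_dir, refusing names that escape it."""
    name = expand_output_filename(spec, now)
    if not path_stays_within(base_dir, name):
        raise ValueError(f"output name {name!r} escapes {base_dir!r}")
    return os.path.join(os.path.abspath(base_dir), name)


if __name__ == "__main__":
    print(expand_output_filename("scan-%T-%D.xml", SAMPLE_TIME))
    print(output_path("/var/log/ncrack", "%Y-%m-%d_%R-ftp.ncrack", SAMPLE_TIME))
```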
       Ncrack also offers options to control scan verbosity and to append to
       output files rather than clobbering them. All of these options are
       described below.

       Ncrack Output Formats

       -oN filespec (normal output)
           Requests that normal output be directed to the given filename. As
           discussed above, this differs slightly from interactive output.

       -oX filespec (XML output)
           Requests that XML output be directed to the given filename.

       -oA basename (Output to all formats)
           As a convenience, you may specify -oA basename to store scan
           results in normal and XML formats at once. They are stored in
           basename.ncrack and basename.xml respectively. As with most
           programs, you can prefix the filenames with a directory path, such
           as ~/ncracklogs/foocorp/ on Unix or c:\hacking\sco on Windows.

       Verbosity and debugging options

       -v (Increase verbosity level)
           Increases the verbosity level, causing Ncrack to print more
           information about the scan in progress. Credentials are shown as
           they are found and more statistical information is printed at the
           end. Use it twice or more for even greater verbosity.

       -d [level] (Increase or set debugging level)
           When even verbose mode doesn't provide sufficient data for you,
           debugging is available to flood you with much more! As with the
           verbosity option (-v), debugging is enabled with a command-line
           flag (-d) and the debug level can be increased by specifying it
           multiple times. Alternatively, you can set a debug level by giving
           an argument to -d. For example, -d10 sets level ten. That is the
           highest effective level and will produce thousands of lines, unless
           your cracking session is going really slowly.

           Debugging output is useful when a bug is suspected in Ncrack, or if
           you are simply confused as to what Ncrack is doing and why. As this
           feature is mostly intended for developers, debug lines aren't
           always self-explanatory. If you don't understand a line, your only
           recourses are to ignore it, look it up in the source code, or
           request help from the development list (nmap-dev). Some lines are
           self-explanatory, but the messages become more obscure as the debug
           level is increased.

       --nsock-trace level (Set nsock trace level)
           This option is meant mostly for developers, as enabling it will
           activate the Nsock library's debugging output. Nsock is the
           underlying library for parallel socket handling. You will have to
           specify a level for this option. The valid range is 0 up to 10.
           Usually, a level of 1 or 2 is enough to get a good overview of
           the network operations happening behind the scenes. Nsock prints
           that information to stdout by default.

       --log-errors (Log errors/warnings to normal mode output file)
           Warnings and errors printed by Ncrack usually go only to the screen
           (interactive output), leaving any normal-format output files
           (usually specified with -oN) uncluttered. When you do want to see
           those messages in the normal output file you specified, add this
           option. It is useful when you aren't watching the interactive
           output or when you want to record errors while debugging a problem.
           The error and warning messages will still appear in interactive
           mode too. This won't work for most errors related to bad
           command-line arguments because Ncrack may not have initialized its
           output files yet.

           An alternative to --log-errors is redirecting interactive output
           (including the standard error stream) to a file. Most Unix shells
           make this approach easy, though it can be difficult on Windows.

       Miscellaneous output options

       --append-output (Append to rather than clobber output files)
           When you specify a filename to an output format flag such as -oX or
           -oN, that file is overwritten by default. If you prefer to keep the
           existing content of the file and append the new results, specify
           the --append-output option. All output filenames specified in that
           Ncrack execution will then be appended to rather than clobbered.
           This doesn't work well for XML (-oX) scan data as the resultant
           file generally won't parse properly until you fix it up by hand.


MISCELLANEOUS OPTIONS

       This section describes some important (and not-so-important) options
       that don't really fit anywhere else.

       --resume file (Continue previously saved session)
           Whenever the user cancels a running session (usually by pressing
           Ctrl+C), Ncrack saves the current state into a file which it can
           later use to continue from where it had stopped. This file is saved
           in the subdirectory .ncrack/ of the user's home path with a
           filename format of "restore.YY-MM-DD_hh-mm". An example would be:
           "/home/ithilgore/.ncrack/restore.2010-05-18_04-42". You can then
           continue your session by specifying this file as argument to the
           --resume option.

       -f (Quit cracking service after one found credential)
           This option will force Ncrack to quit cracking a service as soon as
           it finds a valid username/password combination for it. Assuming
           many parallel services are being cracked at the same time, this
           option is applied to each of them separately. This means that
           Ncrack will stop cracking each individual service after finding a
           pair of credentials for it, but will not quit entirely. Supplying
           the option two times, like -f -f, will, however, make Ncrack exit
           immediately as soon as it finds a valid credential for any service.

           Frequently, attackers will try cracking several services in
           parallel to maximize the chances of finding a pair of valid
           credentials. Given that a network is no stronger than its weakest
           link, this option and especially the -f -f counterpart will often
           be used to lessen chances of detection and prevent network
           resources from being wasted aimlessly.

       -6 (Enable IPv6 scanning)
           Warning: This option was just added and it is currently
           experimental, so please notify us of any problems and bugs related
           to it.

           The command syntax is the same as usual except that you also add
           the -6 option. Of course, you must use IPv6 syntax if you specify
           an address rather than a hostname. An address might look like
           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
           recommended. The output looks the same as usual, with the IPv6
           address on the “Discovered credentials” line being the only IPv6
           giveaway.

           While IPv6 hasn't exactly taken the world by storm, it gets
           significant use in some (usually Asian) countries and most modern
           operating systems support it. To use Ncrack with IPv6, both the
           source and target of your scan must be configured for IPv6. If your
           ISP (like most of them) does not allocate IPv6 addresses to you,
           free tunnel brokers are widely available and will probably work
           fine with Ncrack. A popular IPv6 tunnel broker service is at
           http://www.tunnelbroker.net. 6to4 tunnels are another popular, free
           approach.

       -sL (List Scan)
           The list scan simply lists each host and service that would be
           cracked if this option wasn't specified. No packets are sent to the
           target hosts and the only network operation that might happen is
           DNS resolution of any target hostnames. This option is really
           helpful in making sure that you have specified everything as you
           wanted. Service-specific options will also be printed, so this acts
           as a good sanity check of potentially complex command-line
           arguments such as the advanced modes of Service Option
           Specification and the equivalent Hierarchy for sessions that
           require delicate timing handling. If list scan is called along with
           the -d debug option, then additional output, like the ServicesTable
           and the current Timing Template's parameters, is also going to be
           printed.

       --datadir directoryname (Specify custom Ncrack data file location)
           Ncrack needs a file called ncrack-services to load a lookup table
           of supported services/ports. This file shouldn't be changed, unless
           you know what you are doing (e.g. extending Ncrack with additional
           modules). In addition, Ncrack is shipped with various username and
           password lists, some of which are used by default in case the user
           doesn't specify their own. All these files are normally copied
           during the installation procedure to a directory such as
           /usr/share/ncrack or /usr/local/share/ncrack. Using the --datadir
           option will force Ncrack to start searching for these files in the
           specified directory. If the files aren't found, then it will
           continue searching in the directory specified by the NCRACKDIR
           environment variable (if it is defined). Next comes the ~/.ncrack
           directory for real and effective UIDs (POSIX systems only) or the
           location of the Ncrack executable (Win32 only), and then a
           compiled-in location such as /usr/local/share/ncrack or
           /usr/share/ncrack. As a last resort, Ncrack will look in the
           current directory.

       --proxy type://proxy:port (Make connections via socks4, 4a, http)
           This will make Ncrack perform the authentication cracking session
           through the proxy host specified.

       -V; --version (Print version number)
           Prints the Ncrack version number and exits.

       -h; --help (Print help summary page)
           Prints a short help screen with the most common command flags.
           Running Ncrack without any arguments does the same thing.


RUNTIME INTERACTION

1069       During the execution of Ncrack, all key presses are captured. This
1070       allows you to interact with the program without aborting and restarting
1071       it. Certain special keys will change options, while any other keys will
1072       print out a status message telling you about the scan. The convention
1073       is that lowercase letters increase the amount of printing, and
1074       uppercase letters decrease the printing. You may also press ‘?’ for
1075       help.
1076
1077       v / V
1078           Increase / decrease the verbosity level
1079
1080       d / D
1081           Increase / decrease the debugging level
1082
1083       p / P
1084           Display found credentials
1085
1086       ?
1087           Print a runtime interaction help screen
1088
1089       Anything else
1090           Print out a status message like this:
1091
1092           Stats: 0:00:20 elapsed; 0 services completed (1 total)
1093
1094           Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17
1095           remaining)
1096

MODULES

1098       Ncrack's architecture is modular with each module corresponding to one
1099       particular service or protocol. Currently, Ncrack supports the
1100       protocols SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP,
1101       Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA. If you
1102       want to write and contribute your own Ncrack modules, be sure to read
1103       the Ncrack Developer's Guide at http://nmap.org/ncrack/devguide.html .
1104       Below we describe some key points for each of them.
1105
1106       FTP Module
1107
1108           FTP authentication is quite fast, since there is very little
1109           protocol negotiation overhead. Most FTP daemons allow 3 to 6
1110           authentication attempts but usually impose a certain delay before
1111           replying with the results of a failed attempt. Filezilla is one of
1112           the most characteristic examples of this case, where the time delay
1113           is so great that it is usually faster to open more connections
1114           against it, with each of them doing only 1 authentication per
1115           connection.
1116
1117       Telnet Module
1118
1119           Telnet daemons have largely been replaced by their safer
1120           'counterpart', SSH. However, there are many boxes, mainly routers
1121           or printers, that still rely on Telnet for remote access. Usually
1122           these are also easier to crack, since default passwords for them
1123           are publicly known. The drawback is that telnet is a rather slow
1124           protocol, so you shouldn't be expecting really high rates against
1125           it.
1126
1127       SSH Module
1128
1129           SSH is one of the most prevalent protocols in today's networks. For
1130           this reason, a special library, named opensshlib and based on code
1131           from OpenSSH, was specifically built and tailored for Ncrack's
1132           needs. Opensshlib ships with Ncrack, so SSH support comes out of
1133           the box. OpenSSL will have to be installed on Unix systems though.
1134           Windows OpenSSL dlls are included in Ncrack, so Windows users
1135           shouldn't be worrying about it at all.
1136
1137           SSH bruteforcing holds many pitfalls and challenges, and you are
1138           well advised to read a paper that was written to explain them. The
1139           latest version of the "Hacking the OpenSSH library for Ncrack"
1140           document can be found under docs/openssh_library.txt or at
1141           http://sock-raw.org/papers/openssh_library
1142
1143       HTTP(S) Module
1144
1145           The HTTP Module currently supports basic and digest authentication.
1146           Ncrack tries to use the "Keepalive" HTTP option, whenever possible,
1147           which leads to really high speeds, since that allows dozens of
1148           attempts to be carried out per connection. The HTTP module can also
1149           be called over SSL.
1150
1151       SMB Module
1152
1153           The SMB module currently works over raw TCP. NetBIOS isn't
1154           supported yet. This protocol allows for high parallelization, so
1155           users could potentially increase the number of concurrent probes
1156           against it. SMB is frequently used for file-sharing among other
1157           things and is one of the most ubiquitous protocols, being present
1158           in both Unix and Windows environments.
1159
1160       RDP Module
1161
1162           RDP (Remote Desktop Protocol) is a proprietary protocol developed
1163           by Microsoft for the purpose of providing remote terminal services
1164           by transferring graphics display information from the remote
1165           computer to the user and transporting input commands from the user
1166           to the remote computer. Fortunately, Microsoft recently decided to
1167           open the protocol's internal workings to the public and has
1168           provided official documentation, which can be found at
1169           http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx
1170
1171           RDP is one of the most complex protocols, requiring the exchange of
1172           many packets, even for just the authentication phase. For this
1173           reason, cracking it takes a lot of time and this is probably the
1174           slowest module. The connection phase is briefly described at
1175           http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx
1176           where you can also see a diagram of the various packets involved.
1177           Care must be taken against RDP servers in Windows XP versions,
1178           since they can't handle multiple connections at the same time. It
1179           is advised to use a very slow timing template or, even better, limit
1180           the maximum parallel connections using timing options such as CL
1181           (Connection Limit) or cd (connection delay) against Windows XP (and
1182           related) RDP servers. Windows Vista and above don't suffer from
1183           the same limitation.
1184
1185       VNC Module
1186
1187           The VNC protocol has known widespread usage among Unix
1188           administrators and users for remote graphical access. VNC is
1189           perhaps one of the most vulnerable protocols in terms of
1190           brute-forcing, since it often requires a password without a
1191           corresponding username for authentication. In addition, some
1192           versions of VNC impose an 8-character limit in password length. You
1193           should consider adding the --passwords-first option when cracking
1194           VNC systems to exploit the fact that the username often has no
1195           actual importance in authentication.
1196
1197       POP3(S) Module
1198
1199           POP3 support is still experimental and hasn't been thoroughly
1200           tested. You can expect it to work against common mail servers,
1201           nevertheless.
1202
1203       IMAP Module
1204
1205           The Internet Message Access Protocol (IMAP) is used by email
1206           clients to retrieve email messages from a mail server. The module
1207           sends the LOGIN command to authenticate. The LOGIN command is the
1208           simplest, fastest and most supported authentication mechanism for
1209           IMAP.
1210
1211       SIP Module
1212
1213           The Session Initiation Protocol is a text-based protocol, very
1214           similar to HTTP in its structure. The most common application of
1215           SIP is in Internet telephony for voice and video calls. Nearly all
1216           enterprises have infrastructure that supports conference calls and
1217           part of it is based on SIP, making the authentication part a
1218           significant threat vector.
1219
1220       Redis Module
1221
1222           Redis is one of the most widely used caching servers and the most
1223           popular NoSQL database. Despite its reputation, the authentication
1224           mechanism is very simple, only allowing for a password to protect
1225           remote access to the service. Due to the high performance of Redis
1226           and the fact that only 2 packets are needed for the authentication
1227           phase, Ncrack can try a lot of passwords in parallel
1228           (http://redis.io/commands/AUTH). Specifying a username list or
1229           single username will have no effect in this module, since Redis
1230           only deals with passwords.
1231
1232       PostgreSQL Module
1233
1234           PostgreSQL is often used as a backend database. The PostgreSQL
1235           module supports md5 authentication, which is the most frequent
1236           password authentication method.
1237
1238       MySQL Module
1239
1240           The MySQL module supports native authentication.
1241
1242       MSSQL Module
1243
1244           The MSSQL module supports mixed authentication.
1245
1246       MongoDB Module
1247
1248           The MongoDB module supports MongoDB-CR and SCRAM-SHA-1
1249           authentication. The pairwise and passwords-first options will be
1250           ignored for the MongoDB module, due to them being inefficient
1251           against MongoDB. The optimal way of cracking MongoDB is to take
1252           advantage of a user-enumeration vulnerability inherent in its
1253           authentication mechanism, which Ncrack exploits.
1254
1255       Cassandra Module
1256
1257           Apache Cassandra is a popular NoSQL database often left unsecured
1258           with weak credentials or no authentication.
1259
1260       OWA Module
1261
1262           Outlook Web App allows users to access a Microsoft Exchange Server
1263           mailbox from a web browser and experience Microsoft Outlook without
1264           a mail client. The module supports Basic Authentication.
1265
1266       WinRM Module
1267
1268           Windows Remote Management (WinRM) is the Microsoft implementation
1269           of WS-Management Protocol, a standard Simple Object Access Protocol
1270           (SOAP)-based, firewall-friendly protocol that allows hardware and
1271           operating systems, from different vendors, to interoperate. It is
1272           often used to administer Windows machines. The module supports
1273           Basic and Negotiate authentication.
1274
1275       DICOM Module
1276
1277           Digital Imaging and Communications in Medicine (DICOM) is a
1278           protocol used heavily in healthcare environments. Most commonly, it
1279           is used as both a file format and network protocol by Picture
1280           Archiving and Communication Systems (PACS). The client of a DICOM
1281           service is called a service class user (SCU) and the server a
1282           service class provider (SCP). DICOM is unusual in how it
1283           authenticates clients to servers; there are potentially one to
1284           three steps involved: Association, Find Service and Retrieve
1285           Images.
1286
1287           Association: This is the initial step that almost all PACS servers
1288           require. By sending an A-ASSOCIATE request with the correct called
1289           Application Entity Title (AET) the client associates with the
1290           server and then can go on to perform query / retrieve requests in
1291           the next steps. This is the mode that Ncrack currently supports by
1292           iterating through the username field. Thus, to brute-force the
1293           server's AET, you can specify a list of AETs using the -U option
1294           and a null password. Example: ncrack
1295           dicom://127.0.0.1 -U aet.txt --pass DOESNOTMATTER
1296
1297           Find Service: This step involves being able to query the PACS
1298           server for patient studies that are associated with DICOM images.
1299           This takes place after the client has performed the Association
1300           phase. A C-FIND request must be sent with the correct calling AET.
1301           Knowing the correct allowed client AET (or calling AET) is required
1302           by securely configured PACS servers. Many PACS servers by default
1303           do not require this.
1304
1305           Retrieve Images: This step allows a client to retrieve DICOM
1306           images. The most hardened PACS servers will require the client to
1307           have a specific allowed IP configured in order to send a C-MOVE /
1308           C-STORE request after the above two steps have been performed.
1309
1310       MQTT Module
1311
1312           The Message Queueing Telemetry Transport (MQTT) protocol is a
1313           publish / subscribe machine to machine protocol that allows IoT
1314           clients to publish to a broker. Each client device subscribes to a
1315           particular topic of interest and receives messages from publishers.
1316           Usually MQTT authentication is optional and when enabled can be
1317           brute-forced very easily as it only requires a single MQTT CONNECT
1318           packet to be sent for each attempted credential pair.
1319
1320       WordPress Module
1321
1322           WordPress is one of the most popular content management systems.
1323           This module attacks the web administration endpoint. By default it
1324           will try "wp-login.php" but you can change it by specifying the
1325           path. For example: ncrack
1326           wp://127.0.0.1,path=/non-default/wp-login.php
1327
1328       CVS Module
1329
1330           The Concurrent Versioning System (CVS) is a revision control system
1331           in software development. Although not as popular nowadays, there
1332           are many old, outdated CVS servers out there that might have default
1333           or weak credentials.
1334

BUGS

1336       Like its authors, Ncrack isn't perfect. But you can help make it better
1337       by sending bug reports or even writing patches. If Ncrack doesn't
1338       behave the way you expect, first upgrade to the latest version
1339       available from http://nmap.org/ncrack. If the problem persists, do some
1340       research to determine whether it has already been discovered and
1341       addressed. Try searching for the error message on our search page at
1342       http://insecure.org/search.html or at Google. Also try browsing the
1343       nmap-dev archives at http://seclists.org/ . Read this full manual page
1344       as well. If you are developing your own Ncrack module, make sure you
1345       have first read the Ncrack Developer's Guide at
1346       http://nmap.org/ncrack/devguide.html . If nothing comes of this, mail a
1347       bug report to nmap-dev@insecure.org . Please include everything you
1348       have learned about the problem, as well as what version of Ncrack you
1349       are running and what operating system version it is running on. Problem
1350       reports and Ncrack usage questions sent to nmap-dev@insecure.org are
1351       far more likely to be answered than those sent to Fyodor directly. If
1352       you subscribe to the nmap-dev list before posting, your message will
1353       bypass moderation and get through more quickly. Subscribe at
1354       http://cgi.insecure.org/mailman/listinfo/nmap-dev .
1355
1356       Code patches to fix bugs are even better than bug reports. Basic
1357       instructions for creating patch files with your changes are available
1358       at http://nmap.org/data/HACKING . Patches may be sent to nmap-dev
1359       (recommended) or to Fyodor directly.
1360

AUTHORS

1362       ithilgore (Fotios (Fotis) Chantzis) ithilgore@sock-raw.org
1363       (http://sock-raw.org)
1364
1365       Fyodor fyodor@insecure.org (http://insecure.org)
1366
1368       While it isn't distributed with Nmap, Ncrack is part of the Nmap
1369       project and falls under the same license and (non) warranty provisions,
1370       as described at http://nmap.org/book/man-legal.html.
1371
1372
1373
1374Ncrack                            08/23/2019                         NCRACK(1)