1NCRACK(1) Ncrack Reference Guide NCRACK(1)
2
6 ncrack - Network authentication cracking tool
7
9 ncrack [Options] {target specification}
10
12 Ncrack is an open source tool for network authentication cracking. It
13 was designed for high-speed parallel cracking using a dynamic engine
14 that can adapt to different network situations. Ncrack can also be
15 extensively fine-tuned for special cases, though the default parameters
16 are generic enough to cover almost every situation. It is built on a
17 modular architecture that allows for easy extension to support
18 additional protocols. Ncrack is designed for companies and security
19 professionals to audit large networks for default or weak passwords in
20 a rapid and reliable way. It can also be used to conduct fairly
21 sophisticated and intensive brute force attacks against individual
22 services.
23 Warning
25 Ncrack is a project started in the Summer of 2009. While it is
26 already useful for some purposes, it is still unfinished, beta
27 quality software. You can help out by testing it and reporting any
28 problems as described in the section called “BUGS”.
29 The output from Ncrack is a list of found credentials, if any, for each
31 of the targets specified. Ncrack can also print an interactive status
32 report of progress so far and possibly additional debugging information
33 that can help track problems, if the user selected that option.
34 A typical Ncrack scan is shown in Example 1. The only Ncrack arguments
36 used in this example are the two target IP addresses along with the the
37 corresponding ports for each of them. The two example ports 21 and 22
38 are automatically resolved to the default services listening on them:
39 ftp and ssh.
40 Example 1. A representative Ncrack scan
42 $ ncrack 10.0.0.130:21 192.168.1.2:22
45 Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST
47 Discovered credentials for ftp on 10.0.0.130 21/tcp:
49 10.0.0.130 21/tcp ftp: admin hello1
50 Discovered credentials for ssh on 192.168.1.2 22/tcp:
51 192.168.1.2 22/tcp ssh: guest 12345
52 192.168.1.2 22/tcp ssh: admin money$
53 Ncrack done: 2 services scanned in 156.03 seconds.
55 Ncrack finished.
57 The latest version of Ncrack can be obtained from
61 http://nmap.org/ncrack. The latest version of this man page is
62 available at http://nmap.org/ncrack/man.html .
63
65 This options summary is printed when Ncrack is run with no arguments.
66 It helps people remember the most common options, but is no substitute
67 for the in-depth documentation in the rest of this manual.
68 Ncrack 0.7 ( http://ncrack.org )
70 Usage: ncrack [Options] {target and service specification}
71 TARGET SPECIFICATION:
72 Can pass hostnames, IP addresses, networks, etc.
73 Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
74 -iX <inputfilename>: Input from Nmap´s -oX XML output format
75 -iN <inputfilename>: Input from Nmap´s -oN Normal output format
76 -iL <inputfilename>: Input from list of hosts/networks
77 --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
78 --excludefile <exclude_file>: Exclude list from file
79 SERVICE SPECIFICATION:
80 Can pass target specific services in <service>://target (standard) notation or
81 using -p which will be applied to all hosts in non-standard notation.
82 Service arguments can be specified to be host-specific, type of service-specific
83 (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
84 Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
85 -p <service-list>: services will be applied to all non-standard notation hosts
86 -m <service>:<options>: options will be applied to all services of this type
87 -g <options>: options will be applied to every service globally
88 Misc options:
89 ssl: enable SSL over this service
90 path <name>: used in modules like HTTP (´=´ needs escaping if used)
91 db <name>: used in modules like MongoDB to specify the database
92 domain <name>: used in modules like WinRM to specify the domain
93 TIMING AND PERFORMANCE:
94 Options which take <time> are in seconds, unless you append ´ms´
95 (miliseconds), ´m´ (minutes), or ´h´ (hours) to the value (e.g. 30m).
96 Service-specific options:
97 cl (min connection limit): minimum number of concurrent parallel connections
98 CL (max connection limit): maximum number of concurrent parallel connections
99 at (authentication tries): authentication attempts per connection
100 cd (connection delay): delay <time> between each connection initiation
101 cr (connection retries): caps number of service connection attempts
102 to (time-out): maximum cracking <time> for service, regardless of success so far
103 -T<0-5>: Set timing template (higher is faster)
104 --connection-limit <number>: threshold for total concurrent connections
105 --stealthy-linear: try credentials using only one connection against each specified host
106 until you hit the same host again. Overrides all other timing options.
107 AUTHENTICATION:
108 -U <filename>: username file
109 -P <filename>: password file
110 --user <username_list>: comma-separated username list
111 --pass <password_list>: comma-separated password list
112 --passwords-first: Iterate password list for each username. Default is opposite.
113 --pairwise: Choose usernames and passwords in pairs.
114 OUTPUT:
115 -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
116 -oA <basename>: Output in the two major formats at once
117 -v: Increase verbosity level (use twice or more for greater effect)
118 -d[level]: Set or increase debugging level (Up to 10 is meaningful)
119 --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
120 --log-errors: Log errors/warnings to the normal-format output file
121 --append-output: Append to rather than clobber specified output files
122 MISC:
123 --resume <file>: Continue previously saved session
124 --save <file>: Save restoration file with specific filename
125 -f: quit cracking service after one found credential
126 -6: Enable IPv6 cracking
127 -sL or --list: only list hosts and services
128 --datadir <dirname>: Specify custom Ncrack data file location
129 --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
130 -V: Print version number
131 -h: Print this help summary page.
132 MODULES:
133 SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
134 EXAMPLES:
135 ncrack -v --user root localhost:22
136 ncrack -v -T5 https://192.168.0.1
137 ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
138 SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES
139
141 Everything on the Ncrack command-line that isn´t an option (or an
142 option argument) is treated as a target host specification. The
143 simplest case is to specify a target IP address or a hostname. Note,
144 that you also need to specify a service to crack for the selected
145 targets. Ncrack is very flexible in host/service specification. While
146 hostnames and IP addresses can be defined with the flexibility that you
147 are probably used to from Nmap, services along with service-specific
148 options have a unique specification style that enables a combination of
149 features to be taken advantage of.
150 Sometimes you wish to crack a whole network of adjacent hosts. For
152 this, Ncrack supports CIDR-style addressing. You can append /numbits to
153 an IPv4 address or hostname and Ncrack will try to crack every IP
154 address for which the first numbits are the same as for the reference
155 IP or hostname given. For example, 192.168.10.0/24 would send probes to
156 the 256 hosts between 192.168.10.0 11000000 10101000 00001010 00000000)
157 and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111),
158 inclusive. 192.168.10.40/24 would crack exactly the same targets. Given
159 that the host scanme.nmap.org is at the IP address 64.13.134.52, the
160 specification scanme.nmap.org/16 would send probes to the 65,536 IP
161 addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed
162 value is /0, which targets the whole Internet. The largest value is
163 /32, which targets just the named host or IP address because all
164 address bits are fixed.
165 CIDR notation is short but not always flexible enough. For example, you
167 might want to send probes to 192.168.0.0/16 but skip any IPs ending
168 with .0 or .255 because they may be used as subnet network and
169 broadcast addresses. Ncrack supports this through octet range
170 addressing. Rather than specify a normal IP address, you can specify a
171 comma-separated list of numbers or ranges for each octet. For example,
172 192.168.0-255.1-254 will skip all addresses in the range that end in .0
173 or .255, and 192.168.3-5,7.1 will target the four addresses
174 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
175 a range may be omitted; the default values are 0 on the left and 255 on
176 the right. Using - by itself is the same as 0-255, but remember to use
177 0- in the first octet so the target specification doesn´t look like a
178 command-line option. Ranges need not be limited to the final octets:
179 the specifier will send probes to all IP addresses on the Internet
180 ending in 13.37 This sort of broad sampling can be useful for Internet
181 surveys and research.
182 Ncrack accepts multiple host specifications on the command line, and
184 they don´t need to be the same type. The command ncrack scanme.nmap.org
185 192.168.0.0/8 10.0.0,1,3-7.- -p22 does what you would expect.
186 While targets are usually specified on the command lines, the following
188 options are also available to control target selection:
189 -iX inputfilename (Input from Nmap´s -oX XML output format) .
191 Reads target/service specifications from an Nmap XML output file.
192 The Nmap XML file is created by scanning any hosts and specifying
193 the Nmap -oX option. Ncrack will automatically parse the IP
194 addresses and the corresponding ports and services that are open
195 and will use these targets for authentication auditing. This is a
196 really useful option, since it lets you essentially combine these
197 two tools -Nmap and Ncrack- for cracking only those services that
198 are surely open. In addition, if version detection has been enabled
199 in Nmap (-sV option), Ncrack will use those findings to recognize
200 and crack those services that are supported but are listening on
201 non-default ports. For example, if a host is having a server
202 listening on port 41414 and Nmap has identified that it is a SSH
203 service, Ncrack will use that information to crack it using the SSH
204 module. Of course, Ncrack is going to ignore open ports/services
205 that are not supported for authentication cracking by its modules.
206 -iN inputfilename (Input from Nmap´s -oN Normal output format) .
208 Reads target/service specifications from an Nmap Normal output
209 file. The Nmap Normal file is created by scanning any hosts and
210 specifying the Nmap -oN option. This works exactly like Ncrack´s
211 -iX option, the only difference being the format of the input file.
212 -iL inputfilename (Input from list) .
214 Reads target specifications from inputfilename. Passing a huge list
215 of hosts is often awkward on the command line, yet it is a common
216 desire. For example, you might want to crack a list of very
217 specific servers that have been specified for penetration testing.
218 Simply generate the list of hosts to crack and pass that filename
219 to Ncrack as an argument to the -iL option. Entries can be in any
220 of the formats accepted by Ncrack on the command line (IP address,
221 hostname, CIDR, octet ranges or Ncrack´s special host-service
222 syntax. Each entry must be separated by one or more spaces, tabs,
223 or newlines. You can specify a hyphen (-) as the filename if you
224 want Ncrack to read hosts from standard input rather than an actual
225 file. Note, however, that if hosts are specified without any
226 service, you will have to also provide services/ports for the
227 targets using the -p option.
228 --exclude host1[, host2[, ...]] (Exclude hosts/networks) .
230 Specifies a comma-separated list of targets to be excluded from the
231 scan even if they are part of the overall network range you
232 specify. The list you pass in uses normal Ncrack syntax, so it can
233 include hostnames, CIDR netblocks, octet ranges, etc. This can be
234 useful when the network you wish to scan includes untouchable
235 mission-critical servers, systems that are known to react adversely
236 to heavy load, or subnets administered by other people.
237 --excludefile exclude_file (Exclude list from file) .
239 This offers the same functionality as the --exclude option, except
240 that the excluded targets are provided in a newline, space, or tab
241 delimited exclude_file rather than on the command line.
242
244 No cracking session can be carried out without targetting a certain
245 service to attack. Service specification is one of the most flexible
246 subsystems of Ncrack and collaborates with target-specification in a
247 way that allows different option combinations to be applied. For Ncrack
248 to start running, you will have to specify at least one target host and
249 one associated service to attack. Ncrack provides ways to specify a
250 service by its default port number, by its name (as extracted from the
251 ncrack-services file) or both. Normally, you need to define both name
252 and port number only in the special case where you know that a
253 particular service is listening on a non-default port.
254 Ncrack offers two distinct ways with which services will be applied to
256 your targets: per-host service specification and global specification.
257 Per-host service specification
259 Services specified in this mode are written next to the host and
261 apply to it only. Keep in mind, however, that target-specification
262 allows wildcards/netmasks, which essentially means that applying a
263 per-host service specification format to that particular target
264 will affect all of the expanded ones as a result. The general
265 format is:
266 [service-name]://target:[port-number]
268 where target is a hostname or IP address in any of the formats
270 described in the target-specification section, [service-name] is
271 one of the common service names as defined in the ncrack-services
272 file (e.g ssh, http) and [port-number] is what it obviously means.
273 Ncrack can determine the default port numbers for each of the
274 services it supports, as well as being able to deduce the service
275 name when a default port number has been specified. Specifying both
276 has meaning only when the user has a priori knowledge of a service
277 listening on a non-default port number. This can easily be
278 determined by using version detection like the one offered by
279 Nmap´s -sV option.
280 Example 2. Per-host service specification example
282 $ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910
285 The above command will try to crack hosts: scanme.nmap.org on SSH
289 service (default port 22), 10.0.0.10 on FTP service (default port
290 21) and 192.168.1.0 - 192.168.1.255 (all of this C subnet) on SSH
291 service on non-default port 5910 which has been explicitly
292 specified. In the last case, Ncrack wouldn´t be able to determine
293 that the subnet hosts are to be scanned against the SSH service on
294 that particular port without the user explicitly asking for it,
295 because there isn´t any mapping of port-number 5910 to service SSH.
296 Global service specification
298 Services specified in this mode are applied to all hosts that
300 haven´t been associated with the per-host service specification
301 format. This is done using the -p option. While this facility may
302 be similar to that of Nmap´s, you should try not to confuse it,
303 since the functionality is of a slightly different nature. Services
304 can be specified using comma separated directives of the general
305 format:
306 -p [service1]:[port-number1],[service2]:[port-number2],...
308 As usual, you need not specify both service name and port number
310 since Ncrack knows the mappings of default-services to default-port
311 numbers. Be careful though not to include any space between each
312 service-name and/or port number, because Ncrack will think that the
313 argument after the space is a host as per the rule "everything that
314 isn´t an option is a target specification".
315 Example 3. Global service specification example
317 $ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet
320 The above command will try to crack all of the specified hosts
324 scanme.nmap.org, 10.0.0.120, 10.0.0.121, 10.0.0.122 and the C class
325 subnet of 192.168.2.0 against the following services: SSH service
326 (mapped from default port 22), FTP service on non-default port
327 3210, and TELNET service on default port 23.
328 Of course, Ncrack allows you to combine both modes of service
330 specification if you deem that as necessary. Normally, you will only
331 need to specify a couple of services but cracking a lot of hosts
332 against many different services might be a longterm project for large
333 networks that need to be consistently audited for weak passwords. If
334 you are in doubt, about which hosts and services are going to be
335 cracked with the current command, you can use the -sL option (see below
336 for explanation).
337
339 Apart from general service specification, Ncrack allows you to provide
340 a multitude of options that apply to each or a subset of your targets.
341 Options include timing and performance optimizations (which are
342 thoroughly analyzed in a seperate section), SSL enabling/disabling and
343 other module-specific parameters like the relative URL path for the
344 HTTP module. Options can be defined in a variety of ways which include:
345 per-host options, per-module options and global options. Since a
346 combination of these options may be used, there is a strict hierarchy
347 of precedence which will be discussed later.
348 Per-host Options
350 Options in this mode apply only to the host(s) they are referring
352 to and are written next to it according to the following format:
353 [service-name]://target:[port-number],opt1=optval1,opt2=optval,...
355 The format concerning the service specification which comes before
357 the options, has been explained in the previous section. optN is
358 referring to any of the option names that are available (a list
359 will follow below), while optvalN determines the value of that
360 option and depends on the nature of it. For example, most
361 timing-related options expect to receive numbers as values, while
362 the path option obviously needs a string argument.
363 Per-module Options
365 Options in this mode apply to all hosts that are associated with
367 the particular service/module. This is accomplished using the -m
368 which is defined with the format:
369 -m service-name:opt1=optval1,opt2=optval2,...
371 This option can be invoked multiple times, for as many different
373 services as you might need to define service-wide applicable
374 options. Each iteration of this option must refer to only one
375 service. However, to avoid confusion, this option had better not be
376 called more than one time for the same service, although this is
377 allowed and the last iteration will take precedence over the
378 previous ones for all redefined option values.
379 Global Options
381 Options in this mode apply to all hosts regardless of which service
383 they are associated with. This is accomplished using the -g as
384 follows:
385 -g opt1=optval1,opt2=optval2,...
387 This acts as a convenience option, where you can apply options to
389 all services globally. Everything else regarding the available
390 options and option values is the same as the previous modes.
391 List of available Service Options
393 Below follows a list of all the currently available service options.
395 You can apply them with any of the three modes described above. The
396 last six of the options are timing related and will be analyzed in
397 Section "Timing and Performance" of this manual.
398 ssl: enable SSL over this service
400 path: path-name used in modules like HTTP (´=´ needs escaping if used)
401 db: used in modules like MongoDB to specify the database
402 domain: used in modules like WinRM to specify the domain
403 cl (min connection limit): minimum number of concurrent parallel connections
404 CL (max connection limit): maximum number of concurrent parallel connections
405 at (authentication tries): authentication attempts per connection
406 cd (connection delay): delay time between each connection initiation
407 cr (connection retries): caps number of service connection attempts
408 to (time-out): maximum cracking time for service, regardless of success so far
409 ssl (Enable/Disable SSL over service)
413 By enabling SSL, Ncrack will try to open a TCP connection and then
414 negotiate a SSL session with the target. Everything will then be
415 transparently encrypted and decrypted. However, since Ncrack´s job
416 is to provide speed rather than strong crypto, the algorithms and
417 ciphers for SSL are chosen on an efficiency basis. Possible values
418 for this option are ´yes´ but just specifying ssl would be enough.
419 Thus, this is the only option that doesn´t need to be written in
420 the opt=optval format. By default, SSL is disabled for all services
421 except those that are stricly dependent on it like HTTPS.
422 path <name> (Path name for relative URLs)
424 Some services like HTTP or SVN usually require a specific path in
425 the URL. This option takes that pathname string as its value. The
426 path is always relative to the hostname or IP address, so if you
427 want to target something like http://foobar.com/login.php the path
428 must take the value path=login.php . The initial ´/´ is added if
429 you omit it. However, it is usually better if you explicitly
430 specify it at the end of pathnames that are directories. For
431 example, to crack the directory for
432 http://foobar.com/protected-dir/ , it would be better if you wrote
433 it as path=protected-dir/ . This is to avoid the (very) slight
434 probability of a false positive, because there are cases where Web
435 servers might reply with a "301 Moved Permanently" for a
436 non-successful attempt. They normally send that reply, when a
437 successful attempt is made for a requested password-protected path
438 which has omitted the ending ´/´ but the requested source is
439 actually a directory. Consequently, Ncrack regards that reply as
440 having succeeded in the authentication attempt.
441 Also be careful with the symbol ´=´, since it is used by Ncrack for
443 argument parsing and you will have to espace it if it is included
444 in the URL.
445 By default, the path-name is initialized to ´/´, but will be
447 ignored by services that do not require it.
448 db <name> (Database name)
450 Some services like MongoDB require a specific database name to
451 crack. This option allows you to specify the database.
452 By default, the db name for MongoDB is initialized to ´admin´ but
454 will be ignored by services that do not require it.
455 domain <name> (Domain name)
457 Some services like WinRM require a specific domain to crack. This
458 option allows you to specify the domain.
459 By default, the domain name for WinRM is initialized to
461 ´Workstation´ but will be ignored by services that do not require
462 it.
463 Service Option Hierarchy
465 As already noted, Ncrack allows a combination of the three different
467 modes of service option specification. In that case, there is a strict
468 hierarchy that resolves the order in which conflicting values for these
469 options take precedence over each other. The order is as follows,
470 leftmost being the highest priority and rightmost the lowest one:
471 Per-host options > Per-module options > Global options >
473 Timing-Template (for timing options only)
474 The concept of the "Timing-Template" will be explained in the Section
476 "Timing and Performance", but for now, just have in mind that its
477 values have the least prevalence over everything else and essentially
478 act as defaults for everything timing-related. Global options specified
479 with -g have the directly higher precedence, while -m per-module
480 options are immediately higher. In the top of the hierarcy reside the
481 per-host options which are essentially the most specific ones.
482 Consequently, you can see that the pattern is: the more specific the
483 higher the precedence.
484 Example 4. Service Option Hierarchy example
486 $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3
489 The example demonstrates the hierarchy precedence. The services that
493 are going to be cracked are SSH for scanme.nmap.org and FTP for hosts
494 10.0.0.120, 10.0.0.20. No particular timing-template has been specified
495 and thus the default will be used (Normal - 3). The per-host options
496 for scanme.nmap.org define that the minimum connection limit (cl) is 10
497 and that Ncrack should attempt only 1 authentication try (at) per
498 connection. These values would override any other for service SSH of
499 host scanme.nmap.org if there were conflicts with other modes. Since a
500 global option of -g CL=3 was defined and there is no other
501 higher-precedence for service SSH and scanme.nmap.org in particular,
502 this value will also be applied. As for the FTP targets, the per-module
503 -m ftp:CL=1 defined for all FTP services will override the equivalent
504 global one. All these can get quite complex if overused, but they are
505 not expected to be leveraged by the average Ncrack user anyway.
506 Complicated network scanning scenarios might require them, though. To
507 make certain the results are the ones you expect them to be, don´t
508 forget to use the -sL option that prints out details about what Ncrack
509 would crack if invoked normally. You can add the debugging -d option if
510 you want even more verbose output. For the above example, Ncrack would
511 print the following:
512 Example 5. Service Option Hierarchy Output example
514 $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d
517 Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT
519 ----- [ Timing Template ] -----
521 cl=7, CL=80, at=0, cd=0, cr=30, to=0
522 ----- [ ServicesTable ] -----
524 SERVICE cl CL at cd cr to ssl path db domain
525 ftp:21 N/A 1 N/A N/A N/A N/A no null null null
526 ssh:22 N/A N/A N/A N/A N/A N/A no null null null
527 telnet:23 N/A N/A N/A N/A N/A N/A no null null null
528 http:80 N/A N/A N/A N/A N/A N/A no null null null
529 pop3:110 N/A N/A N/A N/A N/A N/A no null null null
530 imap:143 N/A N/A N/A N/A N/A N/A no null null null
531 netbios-ssn:445 N/A N/A N/A N/A N/A N/A no null null null
532 smb:445 N/A N/A N/A N/A N/A N/A no null null null
533 smb:139 N/A N/A N/A N/A N/A N/A no null null null
534 https:443 N/A N/A N/A N/A N/A N/A yes null null null
535 owa:443 N/A N/A N/A N/A N/A N/A yes null null null
536 sip:5060 N/A N/A N/A N/A N/A N/A no null null null
537 pop3s:995 N/A N/A N/A N/A N/A N/A yes null null null
538 mssql:1433 N/A N/A N/A N/A N/A N/A no null null null
539 mysql:3306 N/A N/A N/A N/A N/A N/A no null null null
540 ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no null null null
541 rdp:3389 N/A N/A N/A N/A N/A N/A no null null null
542 psql:5432 N/A N/A N/A N/A N/A N/A no null null null
543 vnc:5801 N/A N/A N/A N/A N/A N/A no null null null
544 vnc:5900 N/A N/A N/A N/A N/A N/A no null null null
545 vnc:5901 N/A N/A N/A N/A N/A N/A no null null null
546 vnc:6001 N/A N/A N/A N/A N/A N/A no null null null
547 redis:6379 N/A N/A N/A N/A N/A N/A no null null null
548 winrm:5985 N/A N/A N/A N/A N/A N/A no null null Workstation
549 winrm:5986 N/A N/A N/A N/A N/A N/A no null null Workstation
550 cassandra:9160 N/A N/A N/A N/A N/A N/A no null null null
551 cassandra:9042 N/A N/A N/A N/A N/A N/A no null null null
552 mongodb:27017 N/A N/A N/A N/A N/A N/A no null admin null
553 ----- [ Targets ] -----
555 Host: 45.33.32.156 ( scanme.nmap.org )
556 ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
557 Host: 10.0.0.120
558 ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
559 Host: 10.0.0.20
560 ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
561 Ncrack done: 3 services would be scanned.
564 Probes sent: 0 | timed-out: 0 | prematurely-closed: 0
565 Ncrack finished.
567 The ServicesTable just lists the per-module options for all available
572 services. As you can see, the only defined option is in the FTP service
573 for the CL . The Targets table is the most important part of this
574 output and lists all targets and associated options according to the
575 command-line invocation. No network operation takes place in this mode,
576 apart from forward DNS resolution for hostnames (like scanme.nmap.org
577 in this example).
578
580 The timing engine is perhaps the most important part of any serious
581 network authentication cracking tool. Ncrack´s timing engine offers a
582 great many options for optimization and can be bended to serve
583 virtually any user need. As Ncrack is progressing, this subsystem is
584 going to evolve into a dynamic autonomous engine that will be able to
585 automatically adjust its behaviour according to the network feedback it
586 gets, in order to achieve maximum performance and precision without any
587 user intervention.
588 Some options accept a time parameter. This is specified in seconds by
590 default, though you can append ‘ms’, ‘m’, or ‘h’ to the value to
591 specify milliseconds, minutes, or hours (‘s’ for seconds is redundant).
592 So the cd (connection delay) arguments 900000ms, 900s, and 15m all do
593 the same thing.
594 cl num-minconnections; CL num-maxconnections (Adjust number of
596 concurrent parallel connections)
597 Connection Limit
599 These options control the total number of connections that may be
601 outstanding for any service at the same time. Normally, Ncrack
602 tries to dynamically adjust the number of connections for each
603 individual target by counting how many drops or connection failures
604 happen. If a strange network condition occurs, that signifies that
605 something may be going wrong, like the host dropping any new
606 connection attempts, then Ncrack will immediately lower the total
607 number of connections hitting the service. However, the caps number
608 of the minimum or maximum connections that will take place can be
609 overriden using these two options. By properly adjusting them, you
610 can essentially optimize performance, if you can handle the tricky
611 part of knowing or discovering your target´s own limits. The
612 convention here is that cl with lowercase letters is referring to
613 the minimum connection limit, while CL with uppercase letters is
614 referring to the maximum number of connections.
615 The most common usage is to set cl (minimum connection limit) for
617 targets that you are almost certain are going to withstand these
618 many connections at any given time. This is a risky option to play
619 with, as setting it too high might actually do more harm than good
620 by effectively DoS-attacking the target and triggering firewall
621 rules that will ban your IP address.
622 On the other hand, for more stealthy missions, setting the CL
624 (maximum connection limit) to a low value might be what you want.
625 However, setting it too low will surely have a great impact in
626 overall cracking speed. For maximum stealth, this can be combined
627 with the cd (connection delay) described below.
628 at num-attempts (Adjust authentication attempts per connection)
630 Authentication Tries
632 Using this option, you can order Ncrack to limit the authentication
634 attempts it carries out per connection. Ncrack initially sends a
635 reconnaisance probe that lets it calculate the maximum number of
636 such authentication tries and from thereon it always tries to use
637 that number. Most servicse pose an upper limit on the number of
638 authentication per connection and in most cases finding that
639 maximum leads to better performance.
640 Setting this option to lower values can give you some stealth
642 bonus, since services such as SSH tend to log failed attempts after
643 more than a certain number of authentication tries per connection.
644 They use that as a metric rather than counting the total number of
645 authentication attempts or connections per IP address (which is
646 usually done by a firewall). Consequently, a number of 1 or 2
647 authentication tries might circumvent logging in some cases.
648 Note that setting that option to a high value will not have any
650 effect if Ncrack realizes that the server doesn´t allow that many
651 attempts per connection. In this case, it will just use that
652 maximum number and ignore your setting.
653 cd time (Adjust delay time between each new connection)
655 Connection Delay
657 This option essentially defines the imposed time delay between each
659 new connection. Ncrack will wait the amount of time you specify in
660 this option value, before starting a new connection against the
661 given service. The higher you set it, the slower Ncrack will
662 perform, but the stealthier your attack will become.
663 Ncrack by default tries to initiate new connections as fast as
665 possible given that new probes are actually allowed to be sent and
666 are not restricted by parameters such as Connection Limit which can
667 dynamically increase or decrease. Although this approach achieves
668 blazing speed as long as the host remains responsive, it can lead
669 to a number of disasters such as a firewall being triggered, the
670 targets´ or your bandwidth to be diminished and even the tested
671 service to suffer a Denial of Service attack. By carefully
672 adjusting this option, you can potentially avoid these annoying
673 situations.
674 cr max-conattempts (Adjust the max number of connection retries)
676 Connection Retries
678 This option allows the user to specify the maximum amount of
680 consecutive failed attempts against that particular service. If at
681 any time, during the cracking session, Ncrack fails to connect
682 against that particular service, then it will stop cracking it
683 entirely.
684 to time (Adjust the maximum overall cracking time)
686 Timeout
688 Define how much time Ncrack is going to spend cracking the service,
690 before giving up regardless of whether it has found any credentials
691 so far. However, any authentication token discovered until that
692 time, will be stored and printed normally. Ncrack marks a service
693 as finished when the username/password lists iteration ends or when
694 it can no longer crack it for some serious reason. If Ncrack
695 finishes cracking a service before the time specified in this
696 option, then it will not be taken into account at all.
697 Sometimes, you have a limited time window to scan/crack your hosts.
699 This might occur for various reasons. A common one would be that
700 normal user activity mustn´t be interrupted and since Ncrack can
701 become very aggressive, it might be allowed to scan the hosts only
702 at during certain time period like the night hours. Scanning during
703 certain such hours is also likely to make an attack less
704 detectable.
705 Don´t forget that Ncrack allows you to specify the time unit of
707 measure by appending ‘ms’, ‘m’, or ‘h’ for milliseconds, minutes or
708 hours (seconds is the default time unit). Using them in this
709 particular option, is really convenient as you can specify
710 something like to=8h to give Ncrack a total of 8 hours to crack
711 that service. Setting up cronjobs for scheduled scans in
712 combination with this option, might also be a good idea.
713 -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing
715 template) .
716 While the fine-grained timing controls discussed in the previous
717 section are powerful and effective, some people find them
718 confusing. Moreover, choosing the appropriate values can sometimes
719 take more time than the scan you are trying to optimize. So Ncrack
720 offers a simpler approach, with six timing templates. You can
721 specify them with the -T option and their number (0–5) or their
722 name. The template names are paranoid (0), sneaky (1), polite (2),
723 normal (3), aggressive (4), and insane (5). The first two are for
724 IDS evasion. Polite mode slows down the scan to use less bandwidth
725 and target machine resources. Normal mode is the default and so -T3
726 does nothing. Aggressive mode speeds scans up by making the
727 assumption that you are on a reasonably fast and reliable network.
728 Finally insane mode assumes that you are on an extraordinarily fast
729 network or are willing to sacrifice some accuracy for speed.
730 These templates allow the user to specify how aggressive they wish
732 to be, while leaving Ncrack to pick the exact timing values. If you
733 know that the network service is going to withstand a huge number
734 of connections you might try using the aggressive template of -T4 .
735 Even then, this is mostly advised for services residing in the
736 local network. Going over to insane mode -T5 is not recommended,
737 unless you absolutely know what you are doing.
738 While -T0. and -T1. may be useful for avoiding IDS alerts, they
740 will take an extraordinarily long time to crack even a few
741 services. For such a long scan, you may prefer to set the exact
742 timing values you need rather than rely on the canned -T0 and -T1
743 values.
744 --connection-limit numprobes (Adjust the threshold of total concurrent
746 connections)
747 NOT IMPLEMENTED YET.
748
750 This section describes ways of specifying your own username and
751 password lists as well as the available modes of iterating over them.
752 Ncrack ships in with a variety of username and password lists which
753 reside under the directory ´lists´ of the source tarball and later
754 installed under Ncrack´s data directory which usually is
755 /usr/local/share/ncrack or /usr/share/ncrack . You can omit specifying
756 any lists and Ncrack is going to use the default ones which contain
757 some of the most common usernames and passwords. The password list is
758 frequency-sorted with the top most common passwords at the beginning of
759 the list so they will be tried out first. The lists have been derived
760 from a combination of sorting publicly leaked password files and other
761 techniques.
762 -U filename (Specify username list)
764 Specify your own username list by giving the path to the filename
765 as argument to this option.
766 Usernames for specific environments can be gathered in numerous
768 ways including harvesting for email-addresses in the company´s
769 website, looking up information in whois databases, using the SMTP
770 VRFY technique at vulnerable mail servers or through social
771 engineering.
772 -P filename (Specify password list)
774 Specify your own password list by giving the path to the filename
775 as argument to this option.
776 Common passwords are usually derived from leaked lists as a result
778 of successful intrusions in public sites such as forums or other
779 social networking places. A great deal of them have already been
780 publicly disclosed and some of these have been used to assemble
781 Ncrack´s own lists.
782 --user username_list (Specify command-line comma-separated username
784 list)
785 Specify your own usernames directly in the command-line as a
786 comma-separated list.
787 --pass password_list (Specify command-line comma-separated password
789 list)
790 Specify your own passwords directly in the command-line as a
791 comma-separated list.
792 --passwords-first (Reverse the way passwords are iterated)
794 Ncrack by default iterates the username list for each password.
795 With this option, you can reverse that. For example, given the
796 username list of -> "root, guest, admin" and the password list of
797 "test, 12345, q1w2e3r4" Ncrack will normally go over them like this
798 -> root:test, guest:test, admin:test, root:12345 etc. By enabling
799 this option it will go over them like this -> root:test,
800 root:12345, root:q1w2e3r4, guest:test etc.
801 Most network authentication cracking tools prefer by default to
803 iterate the password list for each username. This is, however,
804 ineffective compared to the opposite iteration in most cases. This
805 holds true for the simple reason that password lists are usually
806 sorted on a frequency basis, meaning that the more common a
807 password is, the closer to the beginning of the password list it
808 is. Thus, iterating over all usernames for the most common
809 passwords first has usually more chances to get a positive result.
810 With the --passwords-first iteration, very common passwords might
811 not even be tried out for certain usernames if the user chooses to
812 abort the session early. However, this option might prove valuable
813 for cases where the attacker knows and has already verified that
814 the username list contains real usernames, instead of blindly
815 bruteforcing through them.
816 --pairwise (Choose usernames and passwords in pairs)
818 Enabling this option will make Ncrack iterate the username and
819 password list by choosing them in pairs. For example, given the
820 username list of "root, guest, admin" and the password list of
821 "test, 12345, q1w2e3r4" Ncrack will go over them like this:
822 "root:test", "guest:12345", "admin:q1w2e3r4". This is particulary
823 useful when inside knowledge of the infrastructure tested is
824 available and special username and password lists have been made.
825
827 Any security tool is only as useful as the output it generates. Complex
828 tests and algorithms are of little value if they aren´t presented in an
829 organized and comprehensible fashion. Of course, no single format can
830 please everyone. So Ncrack offers several formats, including the
831 interactive mode for humans to read directly and XML for easy parsing
832 by software.
833 In addition to offering different output formats, Ncrack provides
835 options for controlling the verbosity of output as well as debugging
836 messages. Output types may be sent to standard output or to named
837 files, which Ncrack can append to or clobber.
838 Ncrack makes output available in three different formats. The default
840 is called interactive output, and it is sent to standard output
841 (stdout). There is also normal output, which is similar to interactive
842 except that it displays less runtime information and warnings since it
843 is expected to be analyzed after the scan completes rather than
844 interactively.
845 XML output is one of the most important output types, as it can be
847 converted to HTML, easily parsed by programs such as Ncrack graphical
848 user interfaces, or imported into databases. Currently, XML output
849 hasn´t been implemented.
850 While interactive output is the default and has no associated
852 command-line options, the other two format options use the same syntax.
853 They take one argument, which is the filename that results should be
854 stored in. Multiple formats may be specified, but each format may only
855 be specified once. For example, you may wish to save normal output for
856 your own review while saving XML of the same scan for programmatic
857 analysis. You might do this with the options -oX myscan.xml -oN
858 myscan.ncrack. While this chapter uses the simple names like myscan.xml
859 for brevity, more descriptive names are generally recommended. The
860 names chosen are a matter of personal preference. A scheme could be
861 using long filenames that incorporate the scan date and a word or two
862 describing the scan, placed in a directory named after the company that
863 is being scanned.
864 While these options save results to files, Ncrack still prints
866 interactive output to stdout as usual. For example, the command nmap
867 -oX myscan.xml [target] prints XML to myscan.xml and fills standard
868 output with the same interactive results it would have printed if -oX
869 wasn´t specified at all. You can change this by passing a hyphen
870 character as the argument to one of the format types. This causes
871 Ncrack to deactivate interactive output, and instead print results in
872 the format you specified to the standard output stream. So the command
873 nmap -oX - target will send only XML output to stdout. Serious errors
874 may still be printed to the normal error stream, stderr.
875 Unlike some Ncrack arguments, the space between the logfile option flag
877 (such as -oX) and the filename or hyphen is mandatory.
878 All of these arguments support strftime-like conversions in the
880 filename. %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as
881 in strftime. %T is the same as %H%M%S, %R is the same as %H%M, and %D
882 is the same as %m%d%y. A % followed by any other character just yields
883 that character (%% gives you a percent symbol). So -oX ´scan-%T-%D.xml´
884 will use an XML file in the form of scan-144840-121307.xml.
885 Ncrack also offers options to control scan verbosity and to append to
887 output files rather than clobbering them. All of these options are
888 described below.
889 Ncrack Output Formats
891 -oN filespec (normal output) .
893 Requests that normal output be directed to the given filename. As
894 discussed above, this differs slightly from interactive output.
895 -oX filespec (XML output) .
897 Requests that XML output be directed to the given filename.
898 -oA basename (Output to all formats) .
900 As a convenience, you may specify -oA basename to store scan
901 results in normal and XML formats at once. They are stored in
902 basename.ncrack, and basename.xml respectively. As with most
903 programs, you can prefix the filenames with a directory path, such
904 as ~/ncracklogs/foocorp/ on Unix or c:\hacking\sco on Windows.
905 Verbosity and debugging options
907 -v (Increase verbosity level) .
909 Increases the verbosity level, causing Ncrack to print more
910 information about the scan in progress. Credentials are shown as
911 they are found and more statistical information is printed in the
912 end. Use it twice or more for even greater verbosity.
913 -d [level] (Increase or set debugging level) .
915 When even verbose mode doesn´t provide sufficient data for you,
916 debugging is available to flood you with much more! As with the
917 verbosity option (-v), debugging is enabled with a command-line
918 flag (-d) and the debug level can be increased by specifying it
919 multiple times. Alternatively, you can set a debug level by giving
920 an argument to -d. For example, -d10 sets level ten. That is the
921 highest effective level and will produce thousands of lines, unless
922 your cracking session is going really slow.
923 Debugging output is useful when a bug is suspected in Ncrack, or if
925 you are simply confused as to what Ncrack is doing and why. As this
926 feature is mostly intended for developers, debug lines aren´t
927 always self-explanatory. If you don´t understand a line, your only
928 recourses are to ignore it, look it up in the source code, or
929 request help from the development list (nmap-dev). Some lines are
930 self explanatory, but the messages become more obscure as the debug
931 level is increased.
932 --nsock-trace level (Set nsock trace level) .
934 This option is meant mostly for developers as enabling it will
935 activate the Nsock´s library debugging output. Nsock is the
936 underlying library for parallel socket handling. You will have to
937 specify a certain level for this option. Valid range is 0 up to 10.
938 Usually, a level of 1 or 2 is enough to get a good overview of
939 network operations happening behind the scenes. Nsock prints that
940 information to stdout by default.
941 --log-errors (Log errors/warnings to normal mode output file) .
943 Warnings and errors printed by Ncrack usually go only to the screen
944 (interactive output), leaving any normal-format output files
945 (usually specified with -oN) uncluttered. When you do want to see
946 those messages in the normal output file you specified, add this
947 option. It is useful when you aren´t watching the interactive
948 output or when you want to record errors while debugging a problem.
949 The error and warning messages will still appear in interactive
950 mode too. This won´t work for most errors related to bad
951 command-line arguments because Ncrack may not have initialized its
952 output files yet.
953 An alternative to --log-errors is redirecting interactive output
955 (including the standard error stream) to a file. Most Unix shells
956 make this approach easy, though it can be difficult on Windows.
957 Miscellaneous output options
959 --append-output (Append to rather than clobber output files) .
961 When you specify a filename to an output format flag such as -oX or
962 -oN, that file is overwritten by default. If you prefer to keep the
963 existing content of the file and append the new results, specify
964 the --append-output option. All output filenames specified in that
965 Ncrack execution will then be appended to rather than clobbered.
966 This doesn´t work well for XML (-oX) scan data as the resultant
967 file generally won´t parse properly until you fix it up by hand.
968
970 This section describes some important (and not-so-important) options
971 that don´t really fit anywhere else.
972 --resume file (Continue previously saved session) .
974 Whenever the user cancels a running session (usually by pressing
975 Ctrl+C), Ncrack saves the current state into a file which it can
976 later use to continue from where it had stopped. This file is saved
977 in subdirectory .ncrack/ of the user´s home path with a filename
978 format of "restore.YY-MM-DD_hh-mm". An example would be:
979 "/home/ithilgore/.ncrack/restore.2010-05-18_04-42". You can then
980 continue your session, by specifying this file as argument to the
981 --resume option.
982 -f (Quit cracking service after one found credential) .
984 This option will force Ncrack to quit cracking a service as soon as
985 it finds a valid username/password combination for it. Assuming
986 many parallel services are being cracked at the same time, this
987 option is applied on each of them separately. This means that
988 Ncrack will stop cracking each individual service after finding a
989 pair of credentials for it, but will not quit entirely. Supplying
990 the option two times, like -f -f will, however, make Ncrack exit
991 immediately as soon as it finds a valid credential for any service.
992 Frequently, attackers will try cracking several services in
994 parallel to maximize the chances of finding a pair of valid
995 credentials. Given that a network is no stronger than its weakest
996 link, this option and especially the -f -f counterpart will often
997 be used to lessen chances of detection and prevent network
998 resources from being wasted aimlessly.
999 -6 (Enable IPv6 scanning) .
1001 Warning: This option was just added and it is currently
1002 experimental, so please notify us for any problems and bugs related
1003 to it.
1004 The command syntax is the same as usual except that you also add
1006 the -6 option. Of course, you must use IPv6 syntax if you specify
1007 an address rather than a hostname. An address might look like
1008 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
1009 recommended. The output looks the same as usual, with the IPv6
1010 address on the “Discovered credentials” line being the only IPv6
1011 give away.
1012 While IPv6 hasn´t exactly taken the world by storm, it gets
1014 significant use in some (usually Asian) countries and most modern
1015 operating systems support it. To use Ncrack with IPv6, both the
1016 source and target of your scan must be configured for IPv6. If your
1017 ISP (like most of them) does not allocate IPv6 addresses to you,
1018 free tunnel brokers are widely available and will probably work
1019 fine with Ncrack. A popular IPv6 tunnel broker service is at
1020 http://www.tunnelbroker.net. 6to4 tunnels are another popular, free
1021 approach.
1022 -sL (List Scan) .
1024 The list scan simply lists each host and service that would be
1025 cracked if this option wasn´t specified. No packets are sent to the
1026 target hosts and the only network operation that might happen is
1027 DNS-resolution of any hostnames of targets. This option is really
1028 helpful in making sure that you have specified everything as you
1029 wanted. Service-specific options will also be printed so this acts
1030 as a good sanity check of potentially complex command-line
1031 arguments such as the advanced modes of Service Option
1032 Specification and the equivalent Hierarchy for sessions that
1033 require delicate timing handling. If list scan is called along with
1034 the -d debug option, then additional output, like the ServicesTable
1035 and the current Timing-Template´s parameters, is also going to be
1036 printed.
1037 --datadir directoryname (Specify custom Ncrack data file location) .
1039 Ncrack needs a file called ncrack-services to load a lookup-table
1040 of supported services/ports. This file shouldn´t be changed, unless
1041 you know what you are doing (e.g extending Ncrack for additional
1042 modules). In addition, Ncrack is shipped with various username and
1043 password lists, some of which are used by default in case the user
1044 doesn´t specify ones of his own. All these files are normally
1045 copied during the installation procedure to a directory such as
1046 /usr/share/ncrack or /usr/local/share/ncrack . Using the --datadir
1047 option, will force Ncrack to start searching for these files in
1048 specified directory. If the files aren´t found, then it will
1049 continue searching in the directory specified by the NCRACKDIR
1050 environmental variable NCRACKDIR (if it is defined). Next comes
1051 ~/.ncrack directory for real and effective UIDs (POSIX systems
1052 only) or location of the Ncrack executable (Win32 only), and then a
1053 compiled-in location such as /usr/local/share/ncrack or
1054 /usr/share/ncrack. As a last resort, Ncrack will look in the
1055 current directory.
1056 --proxy type://proxy:port (Make connections via socks4, 4a, http) .
1058 This will make Ncrack perform the authentication cracking session
1059 through the proxy host specified.
1060 -V; --version (Print version number) .
1062 Prints the Ncrack version number and exits.
1063 -h; --help (Print help summary page) .
1065 Prints a short help screen with the most common command flags.
1066 Running Ncrack without any arguments does the same thing.
1067
1069 During the execution of Ncrack, all key presses are captured. This
1070 allows you to interact with the program without aborting and restarting
1071 it. Certain special keys will change options, while any other keys will
1072 print out a status message telling you about the scan. The convention
1073 is that lowercase letters increase the amount of printing, and
1074 uppercase letters decrease the printing. You may also press ‘?’ for
1075 help.
1076 v / V
1078 Increase / decrease the verbosity level
1079 d / D
1081 Increase / decrease the debugging Level
1082 p / P
1084 Display found credentials
1085 ?
1087 Print a runtime interaction help screen
1088 Anything else
1090 Print out a status message like this:
1091 Stats: 0:00:20 elapsed; 0 services completed (1 total)
1093 Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17
1095 remaining)
1096
1098 Ncrack´s architecture is modular with each module corresponding to one
1099 particular service or protocol. Currently, Ncrack supports the
1100 protocols SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP
1101 Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA. If you
1102 want to write and contribute your own Ncrack modules, be sure to read
1103 the Ncrack Developer´s Guide at http://nmap.org/ncrack/devguide.html
1104 Below we describe some key points for each of them.
1105 FTP Module
1107 FTP authentication is quite fast, since there is very little
1109 protocol negotiation overhead. Most FTP daemons allow 3 to 6
1110 authentication attempts but usually impose a certain delay before
1111 replying with the results of a failed attempt. Filezilla is one of
1112 the most characteristic examples of this case, where the time delay
1113 is so great, that it is usually faster to open more connections
1114 against it, with each of them doing only 1 authentication per
1115 connection.
1116 Telnet Module
1118 Telnet daemons have been largely substituded by their safer
1120 ´counterpart´ of SSH. However, there are many boxes, mainly routers
1121 or printers, that still rely on Telnet for remote access. Usually
1122 these are also easier to crack, since default passwords for them
1123 are publicly known. The drawback is that telnet is a rather slow
1124 protocol, so you shouldn´t be expecting really high rates against
1125 it.
1126 SSH Module
1128 SSH is one of the most prevalent protocols in today´s networks. For
1130 this reason, a special library, named opensshlib and based on code
1131 from OpenSSH, was specifically built and tailored for Ncrack´s
1132 needs. Opensshlib ships in with Ncrack, so SSH support comes out of
1133 the box. OpenSSL will have to be installed in Unix systems though.
1134 Windows OpenSSL dlls are included in Ncrack, so Windows users
1135 shouldn´t be worrying about it at all.
1136 SSH bruteforcing holds many pitfalls and challenges, and you are
1138 well advised to read a paper that was written to explain them. The
1139 latest version of the "Hacking the OpenSSH library for Ncrack"
1140 document can be found under docs/openssh_library.txt or at
1141 http://sock-raw.org/papers/openssh_library
1142 HTTP(S) Module
1144 The HTTP Module currently supports basic and digest authentication.
1146 Ncrack tries to use the "Keepalive" HTTP option, whenever possible,
1147 which leads to really high speeds, since that allows dozens of
1148 attempts to be carried out per connection. The HTTP module can also
1149 be called over SSL.
1150 SMB Module
1152 The SMB module currently works over raw TCP. NetBIOS isn´t
1154 supported yet. This protocol allows for high parallelization, so
1155 users could potentially increase the number of concurrent probes
1156 against it. SMB is frequently used for file-sharing among other
1157 things and is one of the most ubiquitous protocols, being present
1158 in both Unix and Windows environments.
1159 RDP Module
1161 RDP (Remote Desktop Protocol) is a proprietary protocol developed
1163 by Microsoft for the purpose of providing remote terminal services
1164 by transfering graphics display information from the remote
1165 computer to the user and transporting input commands from the user
1166 to the remote computer. Fortunately, Microsoft recently decided to
1167 open the protocol´s internal workings to the public and has
1168 provided official documentation, which can be found at
1169 http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx
1170 RDP is one of the most complex protocols, requiring the exchange of
1172 many packets, even for just the authentication phase. For this
1173 reason, cracking it takes a lot of time and this is probably the
1174 slowest module. The connection phase is briefly described at
1175 http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx
1176 where you can also see a diagram of the various packets involved.
1177 Care must be taken against RDP servers in Windows XP versions,
1178 since they can´t handle multiple connections at the same time. It
1179 is advised to use a very slow timing template or even better limit
1180 the maximum parallel connections using timing options such as CL
1181 (Connection Limit) or cd (connection delay) against Windows XP (and
1182 relevant) RDP servers. Windows Vista and above don´t suffer from
1183 the same limitation.
1184 VNC Module
1186 The VNC protocol has known widespread usage among Unix
1188 administrators and users for remote graphical access. VNC is
1189 perhaps one of the most vulnerable protocols in terms of
1190 brute-forcing, since it often requires a password without a
1191 corresponding username for authentication. In addition, some
1192 versions of VNC impose an 8-character limit in password length. You
1193 should consider adding the --passwords-first option when cracking
1194 VNC systems to exploit the fact that the username often has no
1195 actual importance in authentication.
1196 POP3(S) Module
1198 POP3 support is still experimental and hasn´t been thoroughly
1200 tested. You can expect it to work against common mail servers,
1201 nevertheless.
1202 IMAP Module
1204 The Internet Message Access Protocol (IMAP) is used by email
1206 clients to retrieve email messages from a mail server. The module
1207 sends the LOGIN command to authenticate. The LOGIN command is the
1208 simplest, fastest and most supported authentication mechanism for
1209 IMAP.
1210 SIP Module
1212 The Session Initiation Protocol is a text-based protocol, very
1214 similar to HTTP in its structure. The most common application of
1215 SIP is in Internet telephony for voice and video calls. Nearly all
1216 enterprises have infrastructure that supports conference calls and
1217 part of them are based on SIP, making the authentication part a
1218 significant threat vector.
1219 Redis Module
1221 Redis is one of the most widely used caching servers and the most
1223 popular NoSQL database. Despite its reputation, the authentication
1224 mechanism is very simple, only allowing for a password to protect
1225 remote access to the service. Due to the high performance of Redis
1226 and the fact that only 2 packets are needed for the authentication
1227 phase, Ncrack can try a lot of passwords in parallel (‐
1228 http://redis.io/commands/AUTH). Specifying a username list or
1229 single username will have no effect in this module, since Redis
1230 only deals with passwords.
1231 PostgreSQL Module
1233 PostgreSQL is often used as a backend database. The PostgreSQL
1235 module supports md5 authentication, which is the most frequent
1236 password authentication method.
1237 MySQL Module
1239 The MySQL module supports native authentication.
1241 MySQL Module
1243 The MSSQL module supports mixed authentication.
1245 MongoDB Module
1247 The MongoDB module supports MongoDB-CR and SCRAM-SHA-1
1249 authentication. The pairwise and passwords-first option will be
1250 ignored for the MongoDB module, due to them being inefficient
1251 against MongoDB. The optimal way of cracking MongoDB is to take
1252 advantage of a user-enumeration vulnerability inherent in its
1253 authentication mechanism, which Ncrack exploits.
1254 Cassandra Module
1256 Apache Cassandra is a popular NoSQL database often left unsecured
1258 with weak credentials or no authentication.
1259 OWA Module
1261 Outlook Web App allows users to access a Microsoft Exchange Server
1263 mailbox from a web browser and experience Microsoft Outlook without
1264 a mail client. The module supports Basic Authentication.
1265 WinRM Module
1267 Windows Remote Management (WinRM) is the Microsoft implementation
1269 of WS-Management Protocol, a standard Simple Object Access Protocol
1270 (SOAP)-based, firewall-friendly protocol that allows hardware and
1271 operating systems, from different vendors, to interoperate. It is
1272 often used to administer Windows machines. The module supports
1273 Basic and Negotiate authentication.
1274 DICOM Module
1276 Digital Imaging and Communications in Medicine (DICOM) is a
1278 protocol used heavily in healthcare environments. Most commonly, it
1279 is used as both a file format and network protocol by Picture
1280 Archiving and Communication Systems (PACS). The client of a DICOM
1281 service is called a service class user (SCU) and the server a
1282 service class provider (SCP). DICOM is very unique in how it
1283 authenticates clients to servers; there are potentially one to
1284 three steps involved: Association, Find Service and Retrieve
1285 Images.
1286 Association: This is the initial step that almost all PACS servers
1288 require. By sending an A-ASSOCIATE request with the correct called
1289 Application Entity Title (AET) the client associates with the
1290 server and then can go on to perform query / retrieve requests in
1291 the next steps. This is the mode that Ncrack currently supports by
1292 iterating through the username field. Thus to brute-force the
1293 server´s AET, you can specify a list of AETs using the -U option
1294 and then specifying a null password. Example: ncrack
1295 dicom://127.0.0.1 -U aet.txt --pass DOESNOTMATTER
1296 Find Service: This step involves being able to query the PACS
1298 server for patient studies that are associated with DICOM images.
1299 This takes place after the client has performed the Association
1300 phase. A C-FIND request must be sent with the correct calling AET.
1301 Knowing the correct allowed client AET (or calling AET) is required
1302 by securely configured PACS servers. Many PACS servers by default
1303 do not require this.
1304 Retrieve Images: This step allows a client to retrieve DICOM
1306 images. The most hardened PACS servers will require the client to
1307 have a specific allowed IP configured in order to send a C-MOVE /
1308 C-STORE request after the above two steps have been performed.
1309 MQTT Module
1311 The Message Queueing Telemetry Transport (MQTT) protocol is a
1313 publish / subscribe machine to machine protocol that allows IoT
1314 clients to publish to a broker. Each client device subscribes to a
1315 particular topic of interest and receives messages from publishers.
1316 Usually MQTT authentication is optional and when enabled can be
1317 brute-forced very easily as it only requires a single MQTT CONNECT
1318 packet to be sent for each attemped credential pair.
1319 Wordpress Module
1321 Wodpress is one of the most popular content management systems.
1323 This module attacks the web administration endpoint. By default it
1324 will try "wp-login.php" but you can change it by specifying the
1325 path. For example: ncrack
1326 wp://127.0.0.1,path=/non-default/wp-login.php
1327 CVS Module
1329 The Concurrent Versioning System (CVS) is a revision control system
1331 in software development. Although not as popular nowadays, there
1332 are many old, oudated CVS servers out there that might have default
1333 or weak credentials.
1334
1336 Like its authors, Ncrack isn´t perfect. But you can help make it better
1337 by sending bug reports or even writing patches. If Ncrack doesn´t
1338 behave the way you expect, first upgrade to the latest version
1339 available from http://nmap.org/ncrack. If the problem persists, do some
1340 research to determine whether it has already been discovered and
1341 addressed. Try searching for the error message on our search page at
1342 http://insecure.org/search.html or at Google. Also try browsing the
1343 nmap-dev archives at http://seclists.org/ . Read this full manual page
1344 as well. If you are developing your own Ncrack module, make sure you
1345 have first read the Ncrack Developer´s Guide at
1346 http://nmap.org/ncrack/devguide.html . If nothing comes of this, mail a
1347 bug report to nmap-dev@insecure.org . Please include everything you
1348 have learned about the problem, as well as what version of Ncrack you
1349 are running and what operating system version it is running on. Problem
1350 reports and Ncrack usage questions sent to nmap-dev@insecure.org are
1351 far more likely to be answered than those sent to Fyodor directly. If
1352 you subscribe to the nmap-dev list before posting, your message will
1353 bypass moderation and get through more quickly. Subscribe at
1354 http://cgi.insecure.org/mailman/listinfo/nmap-dev .
1355 Code patches to fix bugs are even better than bug reports. Basic
1357 instructions for creating patch files with your changes are available
1358 at http://nmap.org/data/HACKING . Patches may be sent to nmap-dev
1359 (recommended) or to Fyodor directly.
1360
1362 ithilgore (Fotios (Fotis) Chantzis) ithilgore@sock-raw.org (‐
1363 http://sock-raw.org)
1364 Fyodor fyodor@insecure.org (http://insecure.org)
1366
1368 While it isn´t distributed with Nmap, Ncrack is part of the Nmap
1369 project and falls under the same license and (non) warranty provisions,
1370 as described at http://nmap.org/book/man-legal.html.
1371Ncrack 08/23/2019 NCRACK(1)