Intro to Ncrack


What is Ncrack?

Taken from the author’s site…

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, run-time interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool and can be downloaded from the section below. Be sure to read the Ncrack man page to fully understand Ncrack usage.

Modules

Ncrack’s architecture is modular with each module corresponding to one particular service or protocol. Currently, Ncrack supports the protocols FTP, TELNET, SSH and HTTP(S) (basic authentication). Below we describe some key points for each of them.

FTP Module

FTP authentication is quite fast, since there is very little protocol negotiation overhead. Most FTP daemons allow 3 to 6 authentication attempts but usually impose a certain delay before replying with the results of a failed attempt. Filezilla is one of the most characteristic examples of this case, where the time delay is so great that it is usually faster to open more connections against it, with each of them doing only 1 authentication per connection.

TELNET Module

Telnet daemons have been largely substituted by their safer ‘counterpart’ of SSH. However, there are many boxes, mainly routers or printers, that still rely on Telnet for remote access. Usually these are also easier to crack, since default passwords for them are publicly known. The drawback is that telnet is a rather slow protocol, so you shouldn’t be expecting really high rates against it.

SSH Module

SSH is one of the most prevalent protocols in today’s networks. For this reason, a special library, named opensshlib and based on code from OpenSSH, was specifically built and tailored for Ncrack’s needs. Opensshlib ships with Ncrack, so SSH support comes out of the box. OpenSSL will have to be installed on Unix systems though. Windows OpenSSL dlls are included in Ncrack, so Windows users shouldn’t be worrying about it at all.

SSH brute-forcing holds many pitfalls and challenges, and you are well advised to read a paper that was written to explain them. The latest version of the “Hacking the OpenSSH library for Ncrack” document can be found under docs/openssh_library.txt or at http://sock-raw.org/papers/openssh_library

HTTP(S) Module

The HTTP Module currently supports basic authentication only, however additional methods will be added soon. Ncrack tries to use the “Keepalive” HTTP option, whenever possible, which leads to really high speeds, since that allows dozens of attempts to be carried out per connection. The HTTP module can also be called over SSL.

SMB Module

The SMB module currently works over raw TCP. NetBIOS isn’t supported yet. This protocol allows for high parallelization, so users could potentially increase the number of concurrent probes against it. SMB is frequently used for file-sharing among other things and is one of the most ubiquitous protocols, being present in both Unix and Windows environments.

RDP Module

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft for the purpose of providing remote terminal services by transferring graphics display information from the remote computer to the user and transporting input commands from the user to the remote computer. Fortunately, Microsoft recently decided to open the protocol’s internal workings to the public and has provided official documentation, which can be found at http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx

RDP is one of the most complex protocols, requiring the exchange of many packets, even for just the authentication phase. For this reason, cracking it takes a lot of time and this is probably the slowest module. The connection phase is briefly described at http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can also see a diagram of the various packets involved. Care must be taken against RDP servers in Windows XP versions, since they can’t handle multiple connections at the same time. It is advised to use a very slow timing template or, even better, to limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and above don’t suffer from the same limitation.

POP3(S) Module

POP3 support is still experimental and hasn’t been thoroughly tested. You can expect it to work against common mail servers, nevertheless.

Installation and Basic usage:

Once you have downloaded the latest version from the Ncrack website, the installation process is as follows:

tar -xzf ncrack-0.3ALPHA.tar.gz
cd ncrack-0.3ALPHA
./configure
make
su root
make install

Or check out the development SVN tree:

svn co --username guest --password "" svn://svn.insecure.org/ncrack

Before you start using this tool it is recommended that you first read the manual, either online or by issuing "man ncrack" from your console.

Quick Examples:

I first fired up nmap and ran it against a Lexmark network printer.

infolookup@TestSrvr:~# nmap -A 172.29.19.85

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-22 22:26 EDT
Nmap scan report for rnp92a8d6.localhost (172.29.19.85)
Host is up (0.00020s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        Lanier LP125cx/LP126cn ftpd 4.15.1
|_ftp-bounce: bounce working!
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp   open  tcpwrapped
80/tcp   open  http       Ricoh Aficio printer web image monitor (Web-Server httpd 3.0)
|_html-title: Web Image Monitor
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
139/tcp  open  tcpwrapped
514/tcp  open  login      Aficio/NRG/Ricoh printer logind
515/tcp  open  printer    lpd (error: Illegal service request)
631/tcp  open  ipp        NRG copier or Ricoh Aficio printer (Embedded Web-Server 3.0)
9100/tcp open  jetdirect?
MAC Address: 00:00:23:92:G8:F1 (Ricoh Company)
Device type: printer
Running: Ricoh embedded, Savin embedded
OS details: Ricoh Aficio 3045/3245C multifunction printer, Savin 8025e multifunction printer
Network Distance: 1 hop
Service Info: Device: printer

Now that we have our open ports, we can feed them to Ncrack to test whether we have any weak passwords. As you can see from the command below, I am using Ncrack to look for weak authentication via Telnet, FTP and HTTP. You can specify the port number, the service name, or both.

infolookup@TestSrvr:~# ncrack -v --log-errors /tmp/ncrack.txt 172.29.19.85 -p telnet,ftp:21,http

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2010-09-22 22:41 EDT

Failed to resolve given hostname/IP: . Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
http://172.29.19.85:80 finished.
Discovered credentials on ftp://172.29.19.85:21 'root' '123456'
Discovered credentials on ftp://172.29.19.85:21 'administrator' '123456'
Discovered credentials on ftp://172.29.19.85:21 'guest' '123456'
Discovered credentials on ftp://172.29.19.85:21 'info' '123456'
Discovered credentials on ftp://172.29.19.85:21 'security' '123456'
Discovered credentials on ftp://172.29.19.85:21 'support' '123456'
Discovered credentials on ftp://172.29.19.85:21 'abuse' '123456'
Discovered credentials on ftp://172.29.19.85:21 'admin' '123456'
Discovered credentials on ftp://172.29.19.85:21 'postmaster' '123456'
Discovered credentials on ftp://172.29.19.85:21 'lists' '123456'
caught SIGINT signal, cleaning up

Saved current session state at: /root/.ncrack/restore.2010-09-22_22-42

We can conclude from the above test that our FTP service was misconfigured because we left anonymous FTP login turned on. Our Nmap scan showed us this, and we were able to confirm it, since every login attempt via FTP was granted access.
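As an added example (not from the post or the Ncrack project), here is a small Python parser for the 0.3ALPHA output format shown above that turns a run into per-service findings: it separates the anonymous-FTP case, where every username tried is accepted, from genuinely weak credentials, and also picks up the resolve warning and the saved session path. The sample output, the SSH line in it, and the username list are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Ncrack 0.3ALPHA output, modelled on the run shown
# above (the IP and FTP hits come from the post; the SSH line is added here).
# One line keeps the curly quotes a blog paste tends to introduce.
SAMPLE_OUTPUT = """\
Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2010-09-22 22:41 EDT
Failed to resolve given hostname/IP: . Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
http://172.29.19.85:80 finished.
Discovered credentials on ftp://172.29.19.85:21 'root' '123456'
Discovered credentials on ftp://172.29.19.85:21 'administrator' '123456'
Discovered credentials on ftp://172.29.19.85:21 \u2018guest\u2019 \u2018123456\u2019
Discovered credentials on ssh://172.29.19.85:22 'admin' 'admin'
caught SIGINT signal, cleaning up
Saved current session state at: /root/.ncrack/restore.2010-09-22_22-42
"""

QUOTES = "'\u2018\u2019"                        # straight, left and right single quote
FIELD = f"[{QUOTES}]([^{QUOTES}]*)[{QUOTES}]"   # one quoted field, captured
CRED_RE = re.compile(rf"^Discovered credentials on (\S+) {FIELD} {FIELD}$")
WARN_RE = re.compile(r"^Failed to resolve ")
RESTORE_RE = re.compile(r"^Saved current session state at: (\S+)$")

def parse_ncrack_output(text):
    """Return (creds, warnings, restore_file); creds maps a service URL such as
    ftp://host:port to the (user, password) pairs Ncrack reported for it."""
    creds, warnings, restore_file = defaultdict(list), [], None
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if m:
            creds[m.group(1)].append((m.group(2), m.group(3)))
        elif WARN_RE.match(line):
            warnings.append(line)          # target-spec errors mean hosts were skipped
        else:
            r = RESTORE_RE.match(line)
            if r:
                restore_file = r.group(1)  # usable with: ncrack --resume <file>
    return dict(creds), warnings, restore_file

def classify(creds, tried_users):
    """Label each service: 'open-auth' when every username the run tried was
    accepted (the service checks nothing, as with anonymous FTP in the post),
    'weak-creds' when only some logins succeeded. tried_users is the username
    list the run used (supplied by the caller; constructed in this example)."""
    tried = set(tried_users)
    return {url: ("open-auth" if {u for u, _ in pairs} >= tried else "weak-creds")
            for url, pairs in creds.items()}
```

Later Ncrack releases changed the wording of the credentials line, so the regular expressions above match the 0.3ALPHA format from this post only.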

This was just a basic test; you can do much more, such as stopping and restarting a session or specifying your own username and password lists. If you don't have a good password list, visit SkullSecurity. I must end by saying that for an alpha release I am very impressed, and I can't wait to see what the future has to offer for this program.


Reference links:

http://nmap.org/ncrack/man.html
