Ncrack [RDP Bruteforce]

By Cyb3rw0rM -

ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.

Ncrack is released as a standalone tool and can be downloaded from the section below. Be sure to read the Ncrack man page to fully understand Ncrack usage. If you are a developer and want to write your own Ncrack modules, studying the Ncrack Developer’s Guide would be the first step.

Options Summary

This options summary is printed when Ncrack is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual.

Ncrack 0.5 ( http://ncrack.org )
Usage: ncrack [Options] {target and service specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iX <inputfilename>: Input from Nmap’s -oX XML output format
-iN <inputfilename>: Input from Nmap’s -oN Normal output format
-iL <inputfilename>: Input from list of hosts/networks
–exclude <host1[,host2][,host3],…>: Exclude hosts/networks
–excludefile <exclude_file>: Exclude list from file
SERVICE SPECIFICATION:
Can pass target specific services in <service>://target (standard) notation or
using -p which will be applied to all hosts in non-standard notation.
Service arguments can be specified to be host-specific, type of service-specific
(-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
-p <service-list>: services will be applied to all non-standard notation hosts
-m <service>:<options>: options will be applied to all services of this type
-g <options>: options will be applied to every service globally
Misc options:
ssl: enable SSL over this service
path <name>: used in modules like HTTP (‘=’ needs escaping if used)
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, unless you append ‘ms’
(miliseconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).
Service-specific options:
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay <time> between each connection initiation
cr (connection retries): caps number of service connection attempts
to (time-out): maximum cracking <time> for service, regardless of success so far
-T<0-5>: Set timing template (higher is faster)
–connection-limit <number>: threshold for total concurrent connections
AUTHENTICATION:
-U <filename>: username file
-P <filename>: password file
–user <username_list>: comma-separated username list
–pass <password_list>: comma-separated password list
–passwords-first: Iterate password list for each username. Default is opposite.
–pairwise: Choose usernames and passwords in pairs.
OUTPUT:
-oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
-oA <basename>: Output in the two major formats at once
-v: Increase verbosity level (use twice or more for greater effect)
-d[level]: Set or increase debugging level (Up to 10 is meaningful)
–nsock-trace <level>: Set nsock trace level (Valid range: 0 – 10)
–log-errors: Log errors/warnings to the normal-format output file
–append-output: Append to rather than clobber specified output files
MISC:
–resume <file>: Continue previously saved session
–save <file>: Save restoration file with specific filename
-f: quit cracking service after one found credential
-6: Enable IPv6 cracking
-sL or –list: only list hosts and services
–datadir <dirname>: Specify custom Ncrack data file location
–proxy <type://proxy:port>: Make connections via socks4, 4a, http.
-V: Print version number
-h: Print this help summary page.
MODULES:
FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, MySQL
EXAMPLES:
ncrack -v –user root localhost:22
ncrack -v -T5 https://192.168.0.1
ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

Modules

Ncrack’s architecture is modular with each module corresponding to one particular service or protocol. Currently, Ncrack supports the protocols FTP, Telnet, SSH, RDP, VNC, HTTP(S), POP3(S), SIP, Redis and PostgreSQL. If you want to write and contribute your own Ncrack modules, be sure to read the Ncrack Developer’s Guide at http://nmap.org/ncrack/devguide.html Below we describe some key points for each of them.

FTP Module

FTP authentication is quite fast, since there is very little protocol negotiation overhead. Most FTP daemons allow 3 to 6 authentication attempts but usually impose a certain delay before replying with the results of a failed attempt. Filezilla is one of the most characteristic examples of this case, where the time delay is so great, that it is usually faster to open more connections against it, with each of them doing only 1 authentication per connection.

Telnet Module

Telnet daemons have been largely substituded by their safer ‘counterpart’ of SSH. However, there are many boxes, mainly routers or printers, that still rely on Telnet for remote access. Usually these are also easier to crack, since default passwords for them are publicly known. The drawback is that telnet is a rather slow protocol, so you shouldn’t be expecting really high rates against it.

SSH Module

SSH is one of the most prevalent protocols in today’s networks. For this reason, a special library, named opensshlib and based on code from OpenSSH, was specifically built and tailored for Ncrack’s needs. Opensshlib ships in with Ncrack, so SSH support comes out of the box. OpenSSL will have to be installed in Unix systems though. Windows OpenSSL dlls are included in Ncrack, so Windows users shouldn’t be worrying about it at all.

SSH bruteforcing holds many pitfalls and challenges, and you are well advised to read a paper that was written to explain them. The latest version of the “Hacking the OpenSSH library for Ncrack” document can be found under docs/openssh_library.txt or at http://sock-raw.org/papers/openssh_library

HTTP(S) Module

The HTTP Module currently supports basic and digest authentication. Ncrack tries to use the “Keepalive” HTTP option, whenever possible, which leads to really high speeds, since that allows dozens of attempts to be carried out per connection. The HTTP module can also be called over SSL.

SMB Module

The SMB module currently works over raw TCP. NetBIOS isn’t supported yet. This protocol allows for high parallelization, so users could potentially increase the number of concurrent probes against it. SMB is frequently used for file-sharing among other things and is one of the most ubiquitous protocols, being present in both Unix and Windows environments.

RDP Module

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft for the purpose of providing remote terminal services by transfering graphics display information from the remote computer to the user and transporting input commands from the user to the remote computer. Fortunately, Microsoft recently decided to open the protocol’s internal workings to the public and has provided official documentation, which can be found at  http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx

RDP is one of the most complex protocols, requiring the exchange of many packets, even for just the authentication phase. For this reason, cracking it takes a lot of time and this is probably the slowest module. The connection phase is briefly described at http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can also see a diagram of the various packets involved. Care must be taken against RDP servers in Windows XP versions, since they can’t handle multiple connections at the same time. It is advised to use a very slow timing template or even better limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and above don’t suffer from the same limitation.

VNC Module

The VNC protocol has known widespread usage among Unix administrators and users for remote graphical access. VNC is perhaps one of the most vulnerable protocols in terms of brute-forcing, since it often requires a password without a corresponding username for authentication. In addition, some versions of VNC impose an 8-character limit in password length. You should consider adding the --passwords-first option when cracking VNC systems to exploit the fact that the username often has no actual importance in authentication.

POP3(S) Module

POP3 support is still experimental and hasn’t been thoroughly tested. You can expect it to work against common mail servers, nevertheless.

SIP Module

The Session Initiation Protocol is a text-based protocol, very similar to HTTP in its structure. The most common application of SIP is in Internet telephony for voice and video calls. Nearly all enterprises have infrastructure that supports conference calls and part of them are based on SIP, making the authentication part a significant threat vector.

Redis Module

Redis is one of the most widely used caching servers and the most popular NoSQL database. Despite its reputation, the authentication mechanism is very simple, only allowing for a password to protect remote access to the service. Due to the high performance of Redis and the fact that only 2 packets are needed for the authentication phase, Ncrack can try a lot of passwords in parallel ( http://redis.io/commands/AUTH). Specifying a username list or single username will have no effect in this module, since Redis only deals with passwords.

PostgreSQL Module

PostgreSQL is often used as a backend database. The PostgreSQL module supports md5 authentication, which is the most frequent password authentication method.

MySQL Module

The MySQL module supports native authentication.

DOWNLOADING Ncrack

Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and a universal source code tarball that can be compiled on every system. You can also download the latest version straight from the SVN repository. Older versions are available from the dist directory. For the more security-paranoid (smart) users, GPG detached signatures and SHA-1 hashes for each release are available in the sigs directory (verification is similar to the Nmap verification instructions).

Specific details and instructions are available for the source code distribution, Windows binaries, and Mac OS X binaries, and Current development source.

VIDEO TUTORIAL: