--- [ Nmap/Ncrack ] ---

 OUTDATED! 

Target/Service-specification
------------------------------

Hosts will usually be specified in the following format:
<service>://<IP or hostname>:<optional non-default port>?arg1=arg1val,arg2=arg2val

e.g. ssh://10.0.0.10:3000?cl=50,al=20

This will crack host 10.0.0.10 for ssh on port 3000 and will additionally pass
the values 50 and 20 to the options cl (connection limit) and al (authentication
limit), for that particular service on that particular host only.

Both the non-default port and the arguments are optional. If no port is
specified, the service's default is used (22 for ssh in the example). If no
arguments are specified, default values are applied. More on the arguments
below.

So an example specification would be the following:

$ ./ncrack ssh://10.0.0.10 http://10.0.0.10 http://scanme.nmap.org \
ftp://scanme.nmap.org?al=10 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 16:18 EEST


=== Targets ===
Host: 10.0.0.10
  ssh:22 cl=40, al=5, cd=1000, mr=10
  http:80 cl=40, al=5, cd=1000, mr=10
Host: 64.13.134.52 ( scanme.nmap.org )
  http:80 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=10, cd=1000, mr=10

Ncrack finished.


Remember that -sL, like in Nmap, only prints the hosts that would be cracked and
then exits. As you can see, we specified al=10 for host scanme.nmap.org for the
ftp service, so the default value of 5 was overridden.


Ncrack also experimentally supports Nmap's target/service specification, where
you specify hosts as IPs/hostnames and services with -p <port/servicename>.

For example:

./ncrack -p ssh,ftp -sL 10.0.0.10 scanme.nmap.org

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 16:55 EEST


=== Targets ===
Host: 10.0.0.10
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10
Host: 64.13.134.52 ( scanme.nmap.org )
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10

Ncrack finished.

Notice that -p options apply to every host that is in plain IP/hostname notation.


You can also mix the two styles, but note that -p will only apply to hosts
whose service has not been explicitly specified in URL-like notation. So:

./ncrack 10.0.0.10 scanme.nmap.org smtp://www.google.com http://www.google.com \
-p ssh,ftp -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 16:58 EEST

Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.103.
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.103.
=== Targets ===
Host: 10.0.0.10
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10
Host: 64.13.134.52 ( scanme.nmap.org )
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10
Host: 74.125.39.103 ( www.google.com )
  smtp:25 cl=40, al=5, cd=1000, mr=10
  http:80 cl=40, al=5, cd=1000, mr=10

Ncrack finished.


Now let's explain the service/module option hierarchy.


Service Options
----------------

Each service can take a number of options which can be divided into 2
categories: generic and service-specific.

Generic options are all the timing options plus a few others:
cl (connection limit)
al (authentication limit)
cd (connection delay)
mr (maximum retries)
ssl (use ssl or not)
... (possibly more to be added)

Service-specific options are those that pertain only to a specific service.
For example, for http you might have to specify which URL path you want to
try cracking against, which applies only to http:

path=private.html


-- Timing template

Ncrack provides a fairly flexible interface for providing service options. First
of all, you all know Nmap's -T option, which basically acts as a generic timing
template ranging from a very slow (Sneaky) mode to a very aggressive (Insane)
mode. Ncrack uses the same technique to initialize all timing options that are
not explicitly specified (default template = 3 = Normal). The timing options
from -T are the lowest in the option hierarchy.

-- g option

The user can specify global options with -g <options>.
For example: -g al=30,cl=20
These override the timing template options and are applied to every service
for every host. -g is one step higher than -T in the hierarchy.

-- m option

Service-specific options can be applied to a particular service on every host
by using -m <service_name>:<service_options>
For example:  -m ssh:cl=30,al=10

These options override any previous ones in the hierarchy (-g and -T) and are
applied to every host that has this particular service.

-- host options

These options are the highest in the hierarchy and override any other. They are
the ones mentioned above in the target specification and apply to the service of
that particular host only. For example:
ssh://10.0.0.10?al=30

Now let's take a look at an example:


./ncrack ssh://10.0.0.10?cl=100,al=30 http://scanme.nmap.org \
http://www.google.com  -m http:cl=150  -g mr=40 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 20:44 EEST

Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.106.
=== Targets ===
Host: 10.0.0.10
  ssh:22 cl=100, al=30, cd=1000, mr=40
Host: 64.13.134.52 ( scanme.nmap.org )
  http:80 cl=150, al=5, cd=1000, mr=40
Host: 74.125.39.106 ( www.google.com )
  http:80 cl=150, al=5, cd=1000, mr=40

Ncrack finished.


The same example with the most aggressive template:

./ncrack ssh://10.0.0.10?cl=100,al=30 http://scanme.nmap.org \
http://www.google.com  -m http:cl=150  -g mr=40 -sL -T5

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 20:46 EEST

Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.106.
=== Targets ===
Host: 10.0.0.10
  ssh:22 cl=100, al=30, cd=0, mr=40
Host: 64.13.134.52 ( scanme.nmap.org )
  http:80 cl=150, al=10, cd=0, mr=40
Host: 74.125.39.106 ( www.google.com )
  http:80 cl=150, al=10, cd=0, mr=40

Ncrack finished.


As you see, the template only influences the options that nothing higher in the
hierarchy has set: the connection delay (cd) drops to 0, and al rises to 10 for
the two http hosts, where no -g, -m or host option overrode the default. cl, mr
and the ssh host's al keep their explicitly specified values.
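To make the target specification and the option hierarchy concrete, here is a small Python model (an added example, not Ncrack's own code) that parses the URL-like target syntax, expands plain hosts with -p, and resolves each target's options as -T < -g < -m < host options, reproducing the -sL outputs shown on this page. The function names (parse_spec, effective_options, plan) are mine, and since the page never shows the T5 values for cl and mr, those two are assumed.

```python
from urllib.parse import urlsplit

# Default ports as shown in the page's -sL output.
DEFAULT_PORT = {"ssh": 22, "http": 80, "ftp": 21, "smtp": 25}

# Timing templates: T2 and T3 values come from the page's output; for T5 the page shows
# only al=10 and cd=0, so cl and mr are ASSUMED here (copied from T3).
TIMING = {
    2: {"cl": 3, "al": 5, "cd": 5000, "mr": 1},
    3: {"cl": 40, "al": 5, "cd": 1000, "mr": 10},
    5: {"cl": 40, "al": 10, "cd": 0, "mr": 10},
}

def parse_kv(text):
    """Parse 'cl=50,al=20' into {'cl': 50, 'al': 20}; non-numeric values (path=...) stay strings."""
    opts = {}
    for item in filter(None, text.split(",")):
        key, _, value = item.partition("=")
        opts[key] = int(value) if value.isdigit() else value
    return opts

def parse_spec(spec, p_services):
    """Expand one target into (host, service, port, host_opts) tuples: a URL-like spec gives
    one tuple, a plain IP/hostname gives one per -p service."""
    if "://" not in spec:
        return [(spec, svc, DEFAULT_PORT[svc], {}) for svc in p_services]
    u = urlsplit(spec)
    return [(u.hostname, u.scheme, u.port or DEFAULT_PORT[u.scheme], parse_kv(u.query))]

def effective_options(service, host_opts, g_opts, m_opts, template):
    """Apply the hierarchy from lowest to highest: -T < -g < -m <service> < host ?opts."""
    opts = dict(TIMING[template])
    opts.update(g_opts)
    opts.update(m_opts.get(service, {}))
    opts.update(host_opts)
    return opts

def plan(specs, p_services=(), g="", m=(), template=3):
    """Emulate 'ncrack <specs> -p ... -g ... -m ... -T<n> -sL' as {(host, service, port): options}."""
    g_opts = parse_kv(g)
    m_opts = {}
    for item in m:  # each -m argument looks like 'http:cl=150'
        svc, _, kv = item.partition(":")
        m_opts[svc] = parse_kv(kv)
    targets = {}
    for spec in specs:
        for host, svc, port, host_opts in parse_spec(spec, p_services):
            targets[(host, svc, port)] = effective_options(svc, host_opts, g_opts, m_opts, template)
    return targets
```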

Finally, Ncrack also supports Nmap's advanced host specification (address
ranges, netmasks etc.), so you can do things like this:

./ncrack ssh://10.0.0.0-5 -T2 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 20:48 EEST


=== Targets ===
Host: 10.0.0.0
  ssh:22 cl=3, al=5, cd=5000, mr=1
Host: 10.0.0.1
  ssh:22 cl=3, al=5, cd=5000, mr=1
Host: 10.0.0.2
  ssh:22 cl=3, al=5, cd=5000, mr=1
Host: 10.0.0.3
  ssh:22 cl=3, al=5, cd=5000, mr=1
Host: 10.0.0.4
  ssh:22 cl=3, al=5, cd=5000, mr=1
Host: 10.0.0.5
  ssh:22 cl=3, al=5, cd=5000, mr=1

Ncrack finished.