--- [ Nmap/Ncrack ] ---

Nmap

ServiceScan

Nsock

Ncrack

Initial Draft

Core Engine

Command Line

Status Reports 2009

Status Reports 2010

GSoC/Ncrack presentation

Ncrack Developer's Guide

Network Exploitation with Ncrack

Network Exploitation with Ncrack video at AthCon2011

GSoC 2010 Status Reports



---Status Report #1 of 16---


For those of you who don't already know me, I am ithilgore who originally
developed Ncrack in GSoC 2009. Of course, Ncrack wouldn't have gotten so
far without your help, ideas and suggestions and I certainly I hope this
year will prove at least as and hopefully more fruitful than the last one.

For the time being, I am very busy preparing a paper and presentation on
"Abusing Network Protocols" for a security conference, so I haven't started
any hardcore coding as of yet. Nevertheless, some work was still done:


Accomplishments:

* Added experimental pop3(s) support. I committed a modified version of
  Bal√°zs Bucsay's initial patch.

* Fixed bug that caused Ncrack not to recognize all verbose-option
  formats. Now you can give -vv or -vvv etc as well as -v and it
  will work as expected.
.
* Fixed compilation bug that was caused by stricter gcc policies on C++
  constructors.

* Restudied some of the opensshlib code.


Priorities:

  * Schedule a meeting with Fyodor.
  * Start working on top issues in TODO list.



---Status Report #2 of 16---

Accomplishments:

* Had a meeting with Fyodor and discussed about new Ncrack tasks.

* Updated -iN parser (Ncrack's option for getting targets through Nmap's
  plaintext/normal output) for the latest Nmap -oN format, since it had
  recently undergone some changes.

* Integrated Nmap's password lists.

* Fixed some minor bugs.



Priorities:

* Work on Ncrack memory leaks.
* Start working on newer version of opensshlib.



---Status Report #3 of 16---

Accomplishments

* Had a meeting with Fyodor, the end of which bore a revamped TODO file
with higher priorities for a new 0.2ALPHA release.

* Ncrack now has the capability of interactively printing the credentials
found so far whenever the user presses the 'p' key. It will print the
username/password pairs in a way similar to the one it uses to print the
results when it finishes cracking. For example:

Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2010-05-18 05:09 CEST
Stats: 0:00:04 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 1; About 0.00% done
(press 'p' to list discovered credentials)
Discovered credentials for ssh on 127.0.0.1 22/tcp:
127.0.0.1 22/tcp ssh: testuser 123456

The user above first pressed space (or any other non-assigned key) and the
current stats were printed, along with the line mentioning that he can
press 'p' since credentials were found. If no credentials had been found so
far then that line wouldn't have been printed. Then he pressed 'p'. In
addition, pressing 'p' when no credentials have been found, prints nothing.
Also, when -v (verbose) mode has been specified, Ncrack prints any
credentials found at the time they are discovered.

* Updated manual pages to document the latest version of Ncrack. Entries
for --user, --pass and --resume options as well as a brief mention of the
experimental POP3 support were added.

* Fixed configure-script issue where it was called twice for each of the
libraries on which Ncrack relies. The fix has really sped up installation
speed.

* In verbose mode, Ncrack now tells you when a service has completed
(either with a failure or normally).

* Added some real-life examples at the end of -h output, the way Nmap does it.

* Added the printing of a the list of modules supported by Ncrack for -h
and -V output.

* Fixed bug with -v parsing.

* Fixed one memory leak and improved telnet module to use the new I/O
subsystem.


Priorites

* Continue tackling with the rest of the TODO entries needed for the Ncrack
0.2ALPHA release.



---Status Report #4 of 16---

Accomplishments

* Fixed several memory leaks related to the ssh module.

* Began tackling with the problem of sharing the nsock and nbase libraries
between Ncrack and Nmap. I have found a few solutions but they are hacks
with the configure script. Hopefully I can implement more 'official' ways
soon enough.

* Updated Ncrack license terms for 2010 (script run by Fyodor).


Priorities

* Fix remaining memory leaks.
* Do some Windows testing for latest Ncrack version.
* Probably ask at the gnu autoconf mailing list for solutions on the above
mentioned problem.
* Complete rest of TODO items for 0.2ALPHA release (basically all that is
left are the above 3 problems and one other easy to add feature)



---Status Report #5 of 16---

Report delayed due to attending the ph-neutral conference and because of a
lot of traveling in between.


Accomplishments:

* Finished with openssh module related memory leaks.
* Decided, after meeting with Fyodor, to do a valgrind memory leak and bug
audit for all the modules.
* Found with Fyodor some quick and easy solution for the nsock sharing problem.

Priorities

* Deal with the rest of TODO items for next Ncrack release.


---Status Report #6 of 16---

Hello all,
after attending two security conferences, PH-Neutral and Athcon (speaking
on abusing network protocols - another separate email discussing this work
on a new (zombie/idle) stealthy portscanning technique abusing XMPP is
imminent) and now having settled back home, time has come for some
productive coding.


Accomplishments

* Made changes to Nsock library so that Nmap and Ncrack can share Nsock as
a common external svn object.

* Discussed changes with David and Fyodor and decided for some more elegant
solutions.

* Started valgrind testing of several modules.

* Did some Windows testing.



Priorities

* Finish Nsock changes for Windows.
* Make next Ncrack release.
* Schedule next meeting with Fyodor.


---Status Report #7 of 16---


This week's highlight was the release of Ncrack 0.2ALPHA which has already
been announced at http://seclists.org/nmap-dev/2010/q2/827


Accomplishments:

* Completed testing of modules with valgrind.

* Fixed some memory leaks.

* Improved HTTP module.

* Fixed a timeout-related error which was due to the way Nsock caches
  its time values to avoid too many gettimeofday() system calls,
  leading to Ncrack thinking that negative time had elapsed in some
  cases.

* Fixed bug which caused an endless loop before Ncrack could exit
  properly.

* Made Nsock configuration (NoPcap) for Windows, so that Ncrack and Nmap
  can share Nsock.

* Wrote CHANGELOG file.

* Created source-code tarball, Windows setup-executable and a dmg
  installer (made by David) for Ncrack 0.2ALPHA release.

* Updated Ncrack website.

* Created a first version of Ncrack website logo.

* Released Ncrack 0.2ALPHA.

* Got some feedback on username/password file-format improvements.



Priorities

* Discuss with Fyodor on next TODO things.
* Start improving the Ncrack engine.
* Start coding additional protocol modules.


---Status Report #8 of 16---


Accomplishments:

* Added several new ideas to the TODO list and discussed them with Fyodor.

* Added support for '-f' option, which forces Ncrack to quit cracking a
  service after it finds one credential for it.

* Added support for blank-password testing. Ncrack will now test a blank
  entry whenever it sees an empty line in any of the wordlists. Also added
  single quotes at the begginning and end of usernames/passwords whenever
  they are printed on screen.

* Researched SMB protocol, read Ron's scripts and started coding SMB
  module. I hope it will be ready by next week and then we can do some
  benchmarks and see the difference between NSE's performance and
  Ncrack's.

* Improved Ncrack logo font.


Priorities:

* Write SMB module.
* Start username-gathering project.



---Status Report #9 of 16---

Accomplishments

* Almost finished coding the SMB module. The smb.lua library and
  smb-brute.nse (both written by Ron) have been a great help, acting as a
  guideline for tackling with SMB's overall weird behavior.

* Added some crypto functions (NTLM, LM) that were needed for the SMB
  module and might potentially be used for other MS services (like rdp).
  The code was based on Ron's Nbtool.
  (http://www.skullsecurity.org/wiki/index.php/Nbtool)

* Fixed a nasty bug related to the save/resume process.

* Implemented feature which allows the user to supply a blank password to
  the command-line (--pass "") and made relevant modifications so that the
  .restore file, which is saved by Ncrack at the user's home directory for
  future use with the --resume option, can be parsed correctly.

* Ncrack now supports the double -f (-f -f) option. As I had described
  last week, giving the -f option to Ncrack will make it stop cracking a
  service as soon as it finds a valid username/password combination for
  it. With the -f -f option, Ncrack will stop cracking all services and
  quit immediately, as soon as it finds a valid credential for *any* of
  the services.

* Shared some thoughts on SMB cracking with nmap-dev
  (http://seclists.org/nmap-dev/2010/q2/942)


Priorities

* Finish coding the SMB module.
* Discuss with Fyodor and nmap-dev about user-enumeration possibilities.
* Make improvements on SMB module according to Ron's tricks.
* If time allows, start coding the next module (rdp or http form-auth)


---Status Report #10 of 16---

Accomplishments:

* Finished the SMB module.
I achieved an incredible rate of ~5000 passwords/sec against a Windows XP
SP 3 box and successfully cracked my test account in almost 3 seconds
trying the whole default.pwd list for one username!
The module will be extended in the near future to support more
authentication mechanisms (now default is NTLMv1) and NetBIOS but we
decided with Fyodor that right now there are higher priorities that need to
be addressed.

* Found a large source of usernames to be potentially included in the new
username list that is being compiled. We are talking about 4 million here.

* Started doing research on the new RDP module. Right now, as far as I
know, the only (public) tool close to a real RDP bruteforcer is a patch by
jmk of foofus for the rdesktop application
(http://www.foofus.net/~jmk/rdesktop.html) which was based on patches made
by Nmap contributor/developer Patrik Karlsson
(http://www.cqure.net/wp/rdesktop-patches/). There is also a closed source
Windows-only rdp-only program called tsgrinder.
Microsoft has already opened the specifications of the Remote Desktop
Protocol and extensive documentation can be found in their MSDN library
(http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx).
Although RDP is a fairly complex protocol, the rdesktop source code has
proven really valuable in dissecting it.


Priorities:

* Start compiling username list.
* Continue research on RDP and start coding the module.


---Status Report #11 of 16---


The focus of this week was the dissection of the Remote Desktop Protocol
and the creation of the RDP module for Ncrack. RDP has proven to be quite
complex and requires a lot of work even with the help of the rdesktop
source code as a general guideline. As you can see in Microsoft's official
specs http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx
there are quite a lot of packets involved in RDP negotiation. In addition,
it seems there are many fields in the packet headers and PDUs that are
quite ambiguous with regard to their actual importance and meaning. There
is also a newer version of RDP (version 5) which has some differences with
the older version 4. Unfortunately, a wireshark RDP dissector doesn't exist
yet: http://wiki.wireshark.org/RDP



Accomplishments:

* Coded and tested a large part of the RDP module.

* Studied a thesis on reverse-engineering RDP:
  http://efod.se/media/thesis.pdf

* Found a copy of rdpproxy, which is a tool for conducting a MITM attack
  against an RDP session. This will prove very valuable in watching the
  decrypted network data exchanged even after the encryption phase.


Priorities:

* Continue working on RDP module.


---Status Report #12 of 16---


Development for the RDP module is continuing and I hope to have at last
finished it by the end of this week.

Accomplishments

* Added a lot of code for crypto functions. The Remote Desktop Protocol
  uses by default strong encryption which is based on the RSA algorithm
  for public key cryptography and then on RC4 for the symmetric encryption
  part (session keys). Of course, these functions depend on OpenSSL, which
  as you can see gradually becomes a dependency for more and more modules:
  OpenSSH, SMB and now RDP

* Completed the RDP MCS connection phase, which involves the exchange and
  parsing of a lot of packets.

* Studied more of the rdesktop source code.


Priorities

* Try to finish the RDP module as fast as possible to move on to other
  tasks.



---Status Report #13 of 16---

Accomplishments

* Almost finished with the RDP module. It's more than 2600 lines of code
  at the moment (mostly pure code; comments are to be added soon).
  Only some minor coding is needed for the first cracking attempts to take
  place.

* Tested the available rdesktop brute forcing patches and came across some
  problems, which will be nullified, however, in Ncrack's RDP module.

* Made a new Ncrack logo for the website. This one is based on an SVG
  file. You can find it here: http://nmap.org/ncrack/images/ncrack_logo.png
  or just visit Ncrack's site: http://nmap.org/ncrack


Priorities

* Post the first RDP cracking results.
* Gather more usernames for Ncrack's lists.
* Consider adding NetBIOS support to SMB module.



---Status Report #14 of 16---

Accomplishments

* Took the week off

Priorities
(Same as last week's)
* Post the first RDP cracking results.
* Gather more usernames for Ncrack's lists.
* Consider adding NetBIOS support to SMB module.


---Status Report #15 of 16---


As I promised, the first RDP cracking attempt was successful! There are
still some final touches needed, but it is a fact that the RDP module can
now recognize a successful attempt from a failed one, at least against the
latest version of Windows XP (the only box I managed to test as of yet).
I still need to add iteration, which is now pretty easy (the tests were
made using a single pair of username/password each time). Most of the
annoying bugs, that halted further progress, were exterminated after some
thorough debugging took place during the last week.

Now let me give you a brief analysis of the bug squashing that almost
followed the Ninety-ninety rule [1] (a phenomenon which seems to be pretty
frequent in software development):

One of the most frustrating bugs and perhaps the most difficult to spot was
the resetting of our connection by the MS RDP server whenever a certain
flag that concerned bitmap compression (something we don't even care about)
in a certain packet was 0 instead of 1!
The solution was simple (flip that bit) but finding the bug was most of the
work: since no wireshark RDP dissector exists [2] ("The RDP dissector does
not yet exist. The TCP dissector decodes the headers and the rest is just
so much data."), I had to manually check and compare the raw hex data (byte
by byte) of a session of rdesktop with a session of Ncrack and note the
differences. Finally, the culprit bit was found and the problem was solved.

Another problem that needed careful attention and a lot of code rewriting
concerned the proper parsing of the RDP packets. Some background is first
needed: an RDP packet consists of the following layers:

-------TCP data-----
ISO header
MCS header
SEC header
RDP header
RDP sub_packet1
RDP sub_packet2
...
RDP sub_packetN
--------------------

As you can see, there are 4 different headers and an RDP packet may contain
more than 1 RDP sub_packets (which contain the actual RDP data). Apart from
the logic that is essential in looping through the potentially multiple RDP
sub_packets embedded in an RDP packet, there is also another corner-case:
The RDP server can send partial TCP segments (usually because many packets
are of over 4k length) that contain for example one full RDP packet (that
may contain one or more RDP sub_packets) and another which is a partial
one. This means that the TCP data contain more than one RDP packets, but
the last one will not be complete (more TCP segments will need to arrive
from the network to get the rest of the data for it).
The problem is that there is no way to tell Nsock to get an exact amount of
bytes from its buffers (this hasn't been implemented yet although a
proposal has been made for an abstraction layer by Venkat in last year's
GSoC: http://seclists.org/nmap-dev/2009/q3/600 .) This means that whenever
you issue a read call to Nsock, it will usually return the whole TCP data
which Ncrack will then have to manually buffer and parse in a logic that
can separate the RDP packets from each other, the RDP sub_packets from each
other, and leave the partial RDP packets unread until the rest of the TCP
data have arrived. The whole thing is getting even nastier because of
Ncrack's unavoidable event-driven programming (due to the use of Nsock for
socket handling).
Part of the solution was to extend the Buf class (which is based on
OpenSSH's buffer subsystem and which Ncrack uses for internal buffering)
for additional functionality where you can move the internal data pointer
as you move on reading the TCP data from the incoming data buffer, without
necessarily copying them anywhere. Of course, the whole solution was much
more complex but we would have to delve into too many details to document
it here.

Another problem with RDP is that there are no status codes. For example,
there is no 200 OK status code like in HTTP or in FTP, where you can parse
a certain number and then associate it with the equivalent RFC-specified
status. Hence, the only way to know if you have authenticated correctly is
by manually parsing the text messages that the RDP server returns in one of
the countless packets it spews at you after you complete the RDP handshake
phase (which as I have previously mentioned involves the the exchange of a
great *many* packets [3]). Most of the data that the RDP server sends
afterward, inevitably has to do with the graphical interface (polylines,
polygons, rectangles etc) which Ncrack has to ignore but will nevertheless
still have to parse up to a point since the text messages may be part of an
RDP sub_packet (along with all the above GUI-related data). This creates
the necessity for a tiny RDP fingerprinting system which can detect the
different text messages that each Windows version returns upon a successful
or failed authentication attempt. This is the reason why the current
version of the RDP module will only work against Windows XP and Win2.3k (I
haven't fingerprinted Vista or Win7 etc yet).



Accomplishments

* Conducted thorough debugging and fixed many bugs spread all over
  the RDP module code.

* Found and resolved issue where the connection was reset whenever a
  certain bitmpap-caching related flag was off instead of on.

* Solved the problem of parsing multiple RDP sub_packets.

* Resolved the issue of parsing partial RDP packets by
  working around the Nsock inefficiency on buffer abstraction.

* Added fingerprints for Windows XP and Windows 2003 Server.

* Added a lot of code for parsing 'orders' (the GUI-data which are ignored
  and the text messages which need to be checked extensively for
  authentication-related information)

* Added several comments to some important functions. More to be added
  soon.

* Set up some virtual machines with Windows Vista and Windows7 for adding
  more fingerprints.

* Worked on the username gathering project.


Priorities

* RDP code cleanup, final comments, more fingerprints and iteration logic.
* Continue working on username gathering project.



---Status Report #16 of 16---


This week was spent finalizing the RDP module: fixing some remnant bugs,
adding iteration logic (which of course spawned a couple more bugs),
general testing and finally finding generic fingerprints for the RDP
service in Windows Vista and above.

Let me remind you from my last Status Report that there are no special
status codes in RDP to signify that you failed to authenticate. In
addition, as I discovered, Microsoft changed the way the RDP service tells
you that for Windows Vista editions and above. Previously (Windows XP etc),
you would only need to parse a text message which was embedded in some
certain packets and then check that message against certain patterns.
However, the latest Windows versions don't send any kind of such text
strings, rather they show you the message in a completely "graphical" way.
By this I mean that whenever Windows RDP shows you that your password was
wrong or any relevant message, this isn't a string but a collection of
graphical data that when combined, show you the visual representation of
the text message.

As a result, this required different methods of fingerprinting.
The good news is that I managed to find a certain fingerprint that seems to
be working against all Windows Vista, Windows 7, Windows Server 2008
editions. This required some deep RDP packet inspection and parsing, since
other patterns like for example checking for the length of some packets or
the sequence of them wasn't good enough: these things tended to change the
whole time and they would vary depending on network conditions etc.


Accomplishments

* Added iteration logic to RDP module.

* Fixed several bugs.

* Found generic fingerprint for all Windows Vista, Windows 7 and Windows
  Server 2008 versions.

* Finalized module by removing debugging output, which previously
  appeared by default.

* Updated the manual page by adding sections with brief documentation on
  the SMB and RDP modules.

* Updated the TODO file with some ideas on potentially extending and
  making the RDP module faster.


Priorities

* Write call-for-testers RDP email.
* Make new Ncack release.
* Finish username gathering project.
* Complete GSoC paperwork and code submission.