
ncrack

A common tool for brute-forcing network services, developed by the same project as nmap, is ncrack.

Ncrack is a high-speed network authentication cracking tool designed for easy extension and large-scale scanning.

Notice that common flags include:

* -u/-U, to specify a single user / a list of users in a file
* --pass/-P, to specify a single password / a list of passwords in a file
* -iL, to specify a list of hosts
* -iX, to specify as input the nmap output XML file
* -f, stop after the first valid credentials are found

Let's see some examples of the usage of ncrack:

ncrack -V
# this will show the ncrack version and supported modes
ncrack -f ftp://192.168.0.105
# this will start an ftp bruteforce
# -f, stop after having found the first successful login credentials
ncrack -u administrator -P 500-worst-passwords.txt -p 3389 10.212.50.21
# in this case we will try to bruteforce RDP on port 3389

We can also specify a different port for a specific service, for example:

ncrack ssh://192.168.1.1:5910
# here we try to bruteforce ssh on port 5910

We can also specify services in another form:

ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet
ncrack -u test -P 500-worst-passwords.txt -T 5 -p 21 10.10.10.10
# -T sets how aggressive the brute force is, as with nmap:
# the value goes from 0 (paranoid) to 5 (insane)

Or if we already know the password but don't know the user we may try:

ncrack -U users.txt --pass admin123 10.10.10.10:21
ncrack -vv -U users.txt -P rockyou.txt 192.168.56.10:3389,CL=1
# CL=1 means that the maximum number of connections will be limited to 1
# -vv will be very verbose
# -U allows us to specify a list of users taken from a file
# -P selects the list of passwords

We can also specify a list of hosts as with nmap:

ncrack -vv -U users.txt -P passwords.txt -iL host.txt -oA output_ncrack

We can also restore an interrupted session by doing:

ncrack --resume /root/.ncrack/restore.<datetime>

Another handy feature of ncrack is its ability to parse nmap's XML output and try to brute-force every service it found. Let's see how:

ncrack -U users.txt -P passwords.txt -iX nmap.xml
# -iX takes as input the XML file produced by nmap
# -U is used here because users.txt is a file of users, not a single user
# notice that if nmap identifies an SSH service running on port 4142
# then ncrack will automatically and correctly try to brute-force SSH on that
# port

Ncrack also allows the fine-tuning of the brute-force attack with the following options:

* cl (min connection limit): minimum number of concurrent parallel connections
* CL (max connection limit): maximum number of concurrent parallel connections
* at (authentication tries): authentication attempts per connection
* cd (connection delay): delay

An example using some of these options may be:

ncrack 193.168.0.105 -m ftp:cl=10,CL=30,at=5,cd=2ms,cr=10,to=2ms -sL -d

The maximum number of concurrent connections can also be set globally with --connection-limit <number>, so an example may be:

ncrack 193.168.0.105 -p 22 --connection-limit 10

We can specify targets with different formats:

ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910
# here we try to bruteforce scanme.nmap.org on port 22
# but also ftp on host 10.0.0.10
# and also ssh for all 192.168.1.0/24 hosts on port 5910

Another example may be:

ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet
# in this case we are telling ncrack to try all the addresses on port 22
# (defaults to SSH), port 3210 for FTP and the default port of telnet (which is 23)
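To make the target and -p grammar used in the commands above concrete, here is a small Python parser (an added example, not code from ncrack or this page) that resolves each spec to host, service, port and per-target options, and applies the rule that hosts given without a service take every -p entry while service://host targets keep their own. The port/service table is a constructed subset of the well-known defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed subset of well-known defaults; ncrack ships a fuller services table.
PORT_TO_SERVICE = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp"}
SERVICE_TO_PORT = {svc: port for port, svc in PORT_TO_SERVICE.items()}

@dataclass
class Target:
    host: str                     # hostname, IP, wildcard, range or CIDR, kept verbatim
    service: Optional[str]        # None when it has to come from the -p list
    port: Optional[int]
    options: Dict[str, str] = field(default_factory=dict)  # per-target tuning, e.g. {"CL": "1"}

def parse_target(spec: str) -> Target:
    """Parse one target argument: [service://]host[:port][,opt=val,...]."""
    head, *opts = spec.split(",")
    options = dict(o.split("=", 1) for o in opts)
    service = None
    if "://" in head:
        service, head = head.split("://", 1)
    host, sep, port_str = head.rpartition(":")
    port: Optional[int] = int(port_str) if sep and port_str.isdigit() else None
    if port is None:
        host = head
    if service is None and port is not None:   # host:22 -> ssh, by well-known port
        service = PORT_TO_SERVICE.get(port)
    if port is None and service is not None:   # ftp://host -> ftp on its default port
        port = SERVICE_TO_PORT.get(service)
    return Target(host, service, port, options)

def parse_port_list(spec: str) -> List[tuple]:
    """Parse a -p argument; entries are <port>, <service> or <service>:<port>."""
    entries = []
    for item in spec.split(","):
        svc, _, port = item.partition(":")
        if svc.isdigit():                      # bare port -> service by well-known port
            svc, port = PORT_TO_SERVICE.get(int(svc)), svc
        entries.append((svc, int(port) if port else SERVICE_TO_PORT.get(svc)))
    return entries

def expand(target_specs: List[str], port_spec: Optional[str] = None) -> List[Target]:
    """Hosts given without a service take every -p entry; explicit targets keep theirs."""
    ports = parse_port_list(port_spec) if port_spec else []
    out: List[Target] = []
    for t in map(parse_target, target_specs):
        pairs = ports if t.service is None and ports else [(t.service, t.port)]
        out.extend(Target(t.host, s, p, dict(t.options)) for s, p in pairs)
    return out
```

A bare port that is not in the table (for example host:4142) yields a service of None, which is exactly the case the -iX example above resolves by reading the service name from nmap's XML instead.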

Notice that ncrack can also use a proxy when bruteforcing.