Nmap Development mailing list archives
Ncrack command-line reloaded
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 27 May 2009 20:51:56 +0300
After a lot of brainstorming with Fyodor, we decided on Ncrack's UI final format. It differs quite a bit from the previous version, so I am going to demonstrate its various capabilities in this mail.

Target/Service-specification
------------------------------

Hosts will usually be specified in the following format:

<service>://<IP or hostname>:<optional non-default port>?arg1=arg1val,arg2=arg2val

e.g. ssh://10.0.0.10:3000?cl=50,al=20

This will crack host 10.0.0.10 for ssh on port 3000 and will additionally pass values 50 and 20 to options cl (connection limit) and al (authentication limit) for that particular host for that particular service.

Both the non-default port and the arguments are optional. In case a port is not specified, then a default will be applied (22 for ssh in the example). In case no arguments are specified, then default ones will be applied. More on the arguments below.

So an example specification would be the following:

$ ./ncrack ssh://10.0.0.10 http://10.0.0.10 http://scanme.nmap.org \
ftp://scanme.nmap.org?al=10 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 16:18 EEST

=== Targets ===

Host: 10.0.0.10
  ssh:22 cl=40, al=5, cd=1000, mr=10
  http:80 cl=40, al=5, cd=1000, mr=10

Host: 64.13.134.52 ( scanme.nmap.org )
  http:80 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=10, cd=1000, mr=10

Ncrack finished.

Remember that -sL, like in Nmap, only prints the hosts that would be cracked and exits. As you can see, we specified al=10 for host scanme.nmap.org for service ftp, so the default value of 5 was overridden.

Ncrack also experimentally supports Nmap's target/service specification, where you can specify hosts as IPs/hostnames and services with -p <port/servicename>

For example:

./ncrack -p ssh,ftp -sL 10.0.0.10 scanme.nmap.org

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 16:55 EEST

=== Targets ===

Host: 10.0.0.10
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10

Host: 64.13.134.52 ( scanme.nmap.org )
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10

Ncrack finished.

Notice that -p options apply to every host that is in plain IP/hostname notation. You can also mix the two styles, but note that -p will only apply to hosts that don't have their service explicitly specified in url-like notation. So:

./ncrack 10.0.0.10 scanme.nmap.org smtp://www.google.com http://www.google.com -p ssh,ftp -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 16:58 EEST
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.103.
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.103.

=== Targets ===

Host: 10.0.0.10
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10

Host: 64.13.134.52 ( scanme.nmap.org )
  ssh:22 cl=40, al=5, cd=1000, mr=10
  ftp:21 cl=40, al=5, cd=1000, mr=10

Host: 74.125.39.103 ( www.google.com )
  smtp:25 cl=40, al=5, cd=1000, mr=10
  http:80 cl=40, al=5, cd=1000, mr=10

Ncrack finished.

Now let's go into explaining the services/module option hierarchy.

Service Options
----------------

Each service can take a number of options which can be divided into 2 categories: generic and service-specific.

Generic options are all the timing options plus some others:

cl (connection limit)
al (authentication limit)
cd (connection delay)
mr (maximum retries)
ssl (use ssl or not)
... (possibly more to be added)

Service-specific are all those options that pertain only to a specific service. For example, for http you might have to specify which url path you will want to try cracking against. So that would apply only for http, as for example:

path=private.html

-- Timing template

Ncrack provides a quite flexible interface for providing service options. First of all, you all know Nmap's -T option, which basically acts as a generic timing template ranging from a very slow (Sneaky) mode to a very aggressive (Insane) mode. Ncrack uses the same technique to initialize all timing options in case they are not explicitly specified (default template = 3 = Normal). The timing options from -T are the lowest in the option hierarchy.

-- g option

The user will be able to specify global options by using -g <options>. For example:

-g al=30,cl=20

These will override the timing template options and will be applied to every service option for every host. -g is one step higher than -T in the hierarchy.

-- m option

Service-specific options can be applied for every particular service for every host by using -m <service_name>:<service_options>

For example:

-m ssh:cl=30,al=10

These options will override any previous in the hierarchy (-g and -T) and will be applied to every host that has chosen this particular service.

-- host options

These options are the highest in the hierarchy and override any other. They are the ones mentioned above in target-specification and apply for the service of that particular host only. For example:

ssh://10.0.0.10?al=30

Now let's take a look into an example:

./ncrack ssh://10.0.0.10?cl=100,al=30 http://scanme.nmap.org http://www.google.com -m http:cl=150 -g mr=40 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 20:44 EEST
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.106.

=== Targets ===

Host: 10.0.0.10
  ssh:22 cl=100, al=30, cd=1000, mr=40

Host: 64.13.134.52 ( scanme.nmap.org )
  http:80 cl=150, al=5, cd=1000, mr=40

Host: 74.125.39.106 ( www.google.com )
  http:80 cl=150, al=5, cd=1000, mr=40

Ncrack finished.

The same example with the most aggressive template:

./ncrack ssh://10.0.0.10?cl=100,al=30 http://scanme.nmap.org http://www.google.com -m http:cl=150 -g mr=40 -sL -T5

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 20:46 EEST
Warning: Hostname www.google.com resolves to 6 IPs. Using 74.125.39.106.

=== Targets ===

Host: 10.0.0.10
  ssh:22 cl=100, al=30, cd=0, mr=40

Host: 64.13.134.52 ( scanme.nmap.org )
  http:80 cl=150, al=10, cd=0, mr=40

Host: 74.125.39.106 ( www.google.com )
  http:80 cl=150, al=10, cd=0, mr=40

Ncrack finished.

As you see, only the connection delay (cd) is influenced, since it is the only option that doesn't get overridden by the rest of the hierarchy.

Finally, Ncrack also supports Nmap's advanced host specification (address ranges, netmasks etc.) and you can do things like this:

./ncrack ssh://10.0.0.0-5 -T2 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-27 20:48 EEST

=== Targets ===

Host: 10.0.0.0
  ssh:22 cl=3, al=5, cd=5000, mr=1

Host: 10.0.0.1
  ssh:22 cl=3, al=5, cd=5000, mr=1

Host: 10.0.0.2
  ssh:22 cl=3, al=5, cd=5000, mr=1

Host: 10.0.0.3
  ssh:22 cl=3, al=5, cd=5000, mr=1

Host: 10.0.0.4
  ssh:22 cl=3, al=5, cd=5000, mr=1

Host: 10.0.0.5
  ssh:22 cl=3, al=5, cd=5000, mr=1

Ncrack finished.

That's it for now. A second mail will probably follow later for more clarifications. Feel free to comment/ask and give feedback for anything.

Cheers,
ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
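To make the precedence rules in the mail concrete, here is a small Python model of the url-like target spec and the -T < -g < -m < host-option hierarchy, reproducing the values the -sL listings above show. This is an added example, not Ncrack's own code; the function names, DEFAULT_PORTS, and TEMPLATES (only T2 and T3 are fully visible in the mail, so only those are encoded) are assumptions, and hostnames are not resolved.

```python
"""Model of Ncrack's target spec and option hierarchy (added example, not Ncrack code)."""
import re
from urllib.parse import urlsplit

# Default ports as shown in the mail's -sL output (assumption: nothing beyond these)
DEFAULT_PORTS = {"ssh": 22, "http": 80, "ftp": 21, "smtp": 25}
# Timing templates: values copied from the -T2 and default (-T3) listings in the mail
TEMPLATES = {2: {"cl": 3, "al": 5, "cd": 5000, "mr": 1},
             3: {"cl": 40, "al": 5, "cd": 1000, "mr": 10}}

def parse_opts(text):
    """'cl=50,al=20' -> {'cl': 50, 'al': 20}; non-numeric values (e.g. path=) stay strings."""
    opts = {}
    for item in filter(None, text.split(",")):
        key, _, val = item.partition("=")
        opts[key] = int(val) if val.isdigit() else val
    return opts

def expand_hosts(host):
    """Nmap-style last-octet range, e.g. 10.0.0.0-5 -> six addresses; else the host itself."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", host)
    if not m:
        return [host]
    return [f"{m[1]}{i}" for i in range(int(m[2]), int(m[3]) + 1)]

def parse_target(spec):
    """service://host[:port]?k=v,... -> (service, [hosts], port, host-level opts)."""
    u = urlsplit(spec)
    port = u.port if u.port else DEFAULT_PORTS[u.scheme]
    return u.scheme, expand_hosts(u.hostname), port, parse_opts(u.query)

def resolve(targets, p_services=(), g="", m=(), t=3):
    """Return [(host, service, port, opts)] with opts merged lowest to highest:
    -T template, then -g globals, then -m per-service, then the host's own ?args."""
    module = {}
    for entry in m:  # each entry looks like "http:cl=150"
        svc, _, opts = entry.partition(":")
        module[svc] = parse_opts(opts)
    out = []
    for spec in targets:
        if "://" in spec:
            svcs = [parse_target(spec)]
        else:  # plain IP/hostname: -p services apply, with no host-level opts
            svcs = [(s, expand_hosts(spec), DEFAULT_PORTS[s], {}) for s in p_services]
        for svc, hosts, port, host_opts in svcs:
            opts = {**TEMPLATES[t], **parse_opts(g), **module.get(svc, {}), **host_opts}
            out.extend((h, svc, port, opts) for h in hosts)
    return out
```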