Nmap Development mailing list archives

Re: Ncrack: -iX, -iN input from Nmap


From: David Fifield <david () bamsoftware com>
Date: Wed, 26 Aug 2009 11:40:38 -0600

On Wed, Aug 26, 2009 at 06:11:02PM +0300, ithilgore wrote:
> I just finished implementing two new options for Ncrack: -iX and -iN.
> These options let the user specify the attacked targets/services using
> Nmap's XML and Normal output files correspondingly. Ncrack is going
> to parse Nmap's output file and will see which ports are open and to which
> hostnames/IP-addresses these ports correspond so that
> it uses these as its targets. In addition, if Nmap's version detection
> is enabled, Ncrack is also going to use this additional info to crack
> services that listen on non-default ports. For example, there might
> be an SSH service listening on a port other than 22, which Nmap's version
> detection is probably going to detect. That information is stored in Nmap's output
> files and is consequently used by Ncrack to deduce which module to use for
> those non-default-port services. If a service is not supported by Ncrack's modules,
> it is going to be ignored.
>
> I have tested both options against a variety of files, however more testing
> is going to be needed, especially with the -iN option since Nmap's -oN format
> is more loose than the XML one.

There seems to be something wrong with extraports handling in -iX.
Ncrack finds the ssh service with

# nmap localhost
<ports><extraports state="closed" count="997">
<extrareasons reason="resets" count="997"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" 
method="table" conf="3" /></port>
<port protocol="tcp" portid="631"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ipp" 
method="table" conf="3" /></port>
<port protocol="tcp" portid="6000"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="X11" 
method="table" conf="3" /></port>
</ports>

But it doesn't work with

# nmap -p 22 localhost
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" 
method="table" conf="3" /></port>
</ports>
No services specified!
QUITTING!

Opening an XML file in Zenmap and saving it again changes the file
format enough that it's not recognized.

$ ncrack -iX zenmap.xml -v -v localhost
-iX file doesn't seem to be in Nmap's XML output format option -oX <filename>!

QUITTING!

A lightweight XML parser would be better than pattern matching, but I
can sympathize with the difficulty there. The fact that we couldn't find
a small C or C++ XML library with a suitable license is one of the
reasons Ndiff is written in Python.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
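As an added illustration of the approach David suggests (a real XML parser instead of pattern matching), here is example code that is not Ncrack's own -iX implementation. It reads an Nmap -oX document with Python's xml.etree, pulls out every open TCP port together with its host address and service name, and keeps only services for which a module exists. Because it addresses `<port>` elements directly, the presence or absence of `<extraports>` cannot change the result, and re-indentation or attribute reordering by Zenmap does not matter either. The sample documents are constructed from the two scans quoted above plus one with version detection on a non-default port; the SUPPORTED_SERVICES set is an assumption, not Ncrack's real module list.

```python
import xml.etree.ElementTree as ET

# Assumed for the example: services a cracker module would handle.
# Ncrack's actual module list is not given in the thread.
SUPPORTED_SERVICES = frozenset({"ssh", "ftp", "telnet"})


def _host_address(host):
    """Prefer the IPv4/IPv6 address; fall back to the first hostname."""
    for addrtype in ("ipv4", "ipv6"):
        addr = host.find(f"address[@addrtype='{addrtype}']")
        if addr is not None:
            return addr.get("addr")
    hostname = host.find("hostnames/hostname")
    return hostname.get("name") if hostname is not None else None


def parse_open_services(xml_text):
    """Return [(address, port, service_name), ...] for every open TCP port.

    <extraports> is never looked at: we walk ports/port under each host,
    so a file with or without that element yields the same list.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML (-oX) document")
    results = []
    for host in root.iter("host"):
        addr = _host_address(host)
        for port in host.iterfind("ports/port"):
            if port.get("protocol") != "tcp":
                continue
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else None
            results.append((addr, int(port.get("portid")), name))
    return results


def select_targets(xml_text, supported=SUPPORTED_SERVICES):
    """Keep only services a module exists for. The service name decides,
    not the port number, so ssh found on a non-default port is kept."""
    return [t for t in parse_open_services(xml_text) if t[2] in supported]


# Constructed sample 1: the "nmap localhost" scan from the thread (has extraports).
SAMPLE_FULL = """<nmaprun scanner="nmap" args="nmap localhost">
<host><address addr="127.0.0.1" addrtype="ipv4"/>
<hostnames><hostname name="localhost" type="user"/></hostnames>
<ports><extraports state="closed" count="997">
<extrareasons reason="resets" count="997"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="631"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ipp" method="table" conf="3"/></port>
<port protocol="tcp" portid="6000"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="X11" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

# Constructed sample 2: the "nmap -p 22 localhost" scan (no extraports),
# re-indented with attributes reordered the way a re-save might do it.
SAMPLE_SINGLE = """<nmaprun args="nmap -p 22 localhost" scanner="nmap">
  <host>
    <address addrtype="ipv4" addr="127.0.0.1"/>
    <ports>
      <port portid="22" protocol="tcp">
        <state reason="syn-ack" state="open" reason_ttl="64"/>
        <service conf="3" method="table" name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample 3: version detection identifies ssh on port 2222;
# a filtered port, a UDP port and an unsupported service are all skipped.
SAMPLE_VERSION = """<nmaprun scanner="nmap" args="nmap -sV 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="filtered" reason="no-response"/><service name="ftp" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="probed" conf="10"/></port>
<port protocol="tcp" portid="2222"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    for label, doc in (("full", SAMPLE_FULL), ("single", SAMPLE_SINGLE), ("version", SAMPLE_VERSION)):
        print(label, "open:", parse_open_services(doc))
        print(label, "targets:", select_targets(doc))
```

Checking the root tag gives a clearer rejection message than a pattern-match failure, and `ET.fromstring` raises `ParseError` on files that are not XML at all. If the input files can come from an untrusted source, the same code can be run through the defusedxml package's drop-in replacement to avoid entity-expansion problems.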