Nmap Development mailing list archives

Thoughts on SMB cracking


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Thu, 24 Jun 2010 15:57:31 +0300

Hello nmap-dev.

As of late, I am experimenting with the SMB protocol with the purpose of
creating a high-speed SMB module for Ncrack.

After studying Ron's smb scripts and relevant documentation/papers, I
considered using a technique similar to smb-enum to get users from an SMB
service if possible. Then Ncrack can add those users to its username lists
and try them first. One question that arises from this is which would be
the most efficient way of trying them? Normally Ncrack tries all the
passwords from the passlist for each of the usernames. If Ncrack adds
those newly found usernames, it should probably try this new group for all
the most common passwords and then try the less "intelligent bruteforcing".
For example, say you have:

username list:
---------------
user1
user2
user3


password list:
---------------
123456
test
password1


Normally Ncrack tries them like this:
user1 123456
user2 123456
user3 123456
user1 test
...


Of course, you can activate the --passwords-first option, so that Ncrack
will try and crack them in the opposite way:

user1 123456
user1 test
user1 password1
user2 123456
...


Now, if Ncrack finds that usernames "Bob" and "Alice" exist for an SMB
service (using an enumeration technique like SAMR or LSA bruteforcing),
then it should instead try to crack them in this order:

New username list:
------------------
Bob
Alice
user1
user2
user3

Cracking:
---------
Bob   123456
Alice 123456
Bob   test
Alice test
Bob   password1
Alice password1
user1 123456
user2 123456
user3 123456
user1 test

which essentially means that you virtually split the username list into two
groups, the user-enumerated one and the normal username list (coming from a
file or the command-line), and you try to authenticate the former group first.

Probably, there should be an option however to override this functionality
in case the user just wants to crack a specific username/password list of
his own choosing first. In addition, he could also probably be able to
disable the enum-phase in this case (to save the extra time needed for it).
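To make the two orderings and the "enumerated group first" split concrete, here is an added Python sketch of the scheduling logic described above. It is not Ncrack code; the function names, the `enum_first` override flag and the rule that a username present in both groups is tried only once are my assumptions.

```python
from itertools import chain
from typing import Iterator, List, Tuple

Cred = Tuple[str, str]


def attempt_order(users: List[str], passwords: List[str],
                  passwords_first: bool = False) -> Iterator[Cred]:
    """Order a single username group.

    Default: every username for the first password, then every username for
    the next one (user1 123456, user2 123456, user3 123456, user1 test, ...).
    passwords_first: every password for user1, then every password for user2,
    mirroring the --passwords-first option.
    """
    if passwords_first:
        return ((u, p) for u in users for p in passwords)
    return ((u, p) for p in passwords for u in users)


def schedule(enumerated: List[str], listed: List[str], passwords: List[str],
             passwords_first: bool = False, enum_first: bool = True) -> Iterator[Cred]:
    """Combine the enumerated group and the file/command-line group.

    Each group keeps its own ordering and the first group is exhausted before
    the second one starts.  enum_first=False is the hypothetical override from
    the post: the user's own list goes first.  Disabling the enum phase is the
    same as passing an empty enumerated list.  A username found in both groups
    is tried only once (assumption, not stated in the post).
    """
    first, second = (enumerated, listed) if enum_first else (listed, enumerated)
    seen = set(first)
    second = [u for u in second if u not in seen]
    return chain(attempt_order(first, passwords, passwords_first),
                 attempt_order(second, passwords, passwords_first))


if __name__ == "__main__":
    # Constructed input taken from the post: Bob/Alice enumerated, user1..3 listed.
    for cred in schedule(["Bob", "Alice"], ["user1", "user2", "user3"],
                         ["123456", "test", "password1"]):
        print(*cred)
```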

So what are your thoughts on it? I am expecting Ron or other SMB experts to
have a strong say on this.

Regards,
ithilgore


-- 
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
