Nmap Development mailing list archives
Re: Ncrack 0.2 Alpha - SSH behaviour
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Tue, 31 Aug 2010 19:33:28 +0300
On 08/31/2010 07:00 PM, Mike Westmacott wrote:
Hi Robin, As I understand it nmap will attempt to determine what the maximum number of concurrent connections is when it starts up, and will throttle back connections if it starts to see them being closed (according to debug). My issue here is that I have two large files (I'm not saying it's down to size though!) - both which contain the correct password for the user - and one of them will correctly identify the password, the other will not. I have run the tests with the same level of parallelism and connection delay. In my test scenario I was running 360000 passwords against 1 user in about 25 minutes (De-ICE VM is local to test machine). My 'good' file reported all instances of the correct password logged in successfully, my 'bad' one reported no successful logins - and in fact marked the logins as failed. Having said that after a while of testing my DeIce VM started to disconnect virtually all SSH logins early so it needed a reboot! Best regards, Mike
Hello Mike. The Ncrack engine is built that way so that it initially increases the number of parallel connections and then as it reaches the maximum capacity of the server (as determined by closed connections or timeouts), it will slowly decrease them before finally stabilizing. Ncrack also uses a username/password pool where it places credentials that weren't tested successfully (because the connection was prematurely closed or whatever other reason), so that all combinations are tested. It would be helpful if you could provide the tar with the info you mentioned, to debug the SSH issue.
Mike Westmacott | Security Consultant Information Risk Management Plc -----Original Message----- From: Robin Wood [mailto:robin () digininja org] Sent: 31 August 2010 12:58 To: Mike Westmacott Cc: nmap-dev () insecure org Subject: Re: Ncrack 0.2 Alpha - SSH behaviour On 31 August 2010 12:49, Mike Westmacott <mike.westmacott () irmplc com> wrote:Hi, I've been testing ncrack 0.2 and have found some behavior where for some wordlists it will report that a password failed even though it is the correct one yet on others it will be ok. This may be related to the overall size of the wordlist and also to the parallelicty in effect. I was testing against DeICE 1.100 with a username/password that is found as part of the testing against that VM (I will avoid divulging this info on the list!). I was using a 3.3mb wordlist which also contains some symbolic and alphanumeric passwords. If I extract all words that begin with the same letter as the password then I get a match. If I concat that file together to make it >3.3mb it still works. If I put the password at various intervals throughout the original password file it doesn't match (indeed it writes the login failed) - even when it's the first password. By removing parallelism the problem went away. I was only ever testing against 1 explicit user. I can put together a tar of options, results, debug output and the dictionary files - please let me know if you would like to see the results. Overall though I was hugely impressed by the speed although found tweaking the retry delay was essential to getting it working ok (or maybe I was being confused by the problem I have just described - not sure :)I've not tried ncrack but I am working on an ssh bruteforcer of my own and I've found a problem when testing against openssh, there is a MaxStartups value that governs the "maximum number of concurrent unauthenticated connections" check man sshd_config for more info. I don't know if it was designed to protect against brute force attacks but it does it because if you fire loads of passwords at once then you trigger this limit and all new connections are rejected. The default is 10 connections so when I go parallel I hit this limit fairly quickly, if I go single threaded and put a slight pause in between attempts then I can go through large lists. This may be completely down the wrong track but it worth looking at if it hasn't already been. Robin
Thanks, ithilgore -- http://sock-raw.org http://twitter.com/ithilgore _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Ncrack 0.2 Alpha - SSH behaviour Mike Westmacott (Aug 31)
- Re: Ncrack 0.2 Alpha - SSH behaviour Robin Wood (Aug 31)
- RE: Ncrack 0.2 Alpha - SSH behaviour Mike Westmacott (Aug 31)
- Re: Ncrack 0.2 Alpha - SSH behaviour Robin Wood (Aug 31)
- Re: Ncrack 0.2 Alpha - SSH behaviour ithilgore (Aug 31)
- RE: Ncrack 0.2 Alpha - SSH behaviour Mike Westmacott (Aug 31)
- Re: Ncrack 0.2 Alpha - SSH behaviour Robin Wood (Aug 31)