Nmap Development mailing list archives

Re: Ncrack RDP test


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Fri, 03 Sep 2010 23:55:57 +0300

On 09/03/2010 03:56 PM, not () null net wrote:
Hello everyone.
Today I decided to try out the new RDP module.
Ncrack was compiled from the latest SVN revision.
The first two tests were conducted against Windows 2003 and Windows XP with RDP enabled.
I used Windows XP SP3 to do this.
ncrack --user admin --pass password -p rdp -d10 -T5 -g CL=1,cd=5s,to=10s xxx.xxx.xxx.xxx
In both cases I received this:

rdp://xxx.xxx.xxx.xxx:3389 Initiating new Connection
rdp://xxx.xxx.xxx.xxx:3389 pushed to list WAIT
username: administrator pass: password
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 34
SEC LICENSE
rdp packet NULL!
LOOP NOTH NULL DATA
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 327
 Sec length: 300
   RDP length: 300
PDU DEMAND ACTIVE
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 48
 Sec length: 22
   RDP length: 22
PDU DATA
-- DATA PDU SYNC
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 52
 Sec length: 26
   RDP length: 26
PDU DATA
-- DATA PDU CONTROL
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 52
 Sec length: 26
   RDP length: 26
PDU DATA
-- DATA PDU CONTROL
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 52
 Sec length: 26
   RDP length: 26
PDU DATA
PDU data unimplemented 40
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 1932
 Sec length: 1905
   RDP length: 22
PDU DATA
-- DATA PDU UPDATE
------------------ RDP LOOP -----------------
NEXT PACKET
   RDP length: 794
PDU DATA
-- DATA PDU UPDATE
------------------ RDP LOOP -----------------
NEXT PACKET
   RDP length: 1089
PDU DATA
-- DATA PDU UPDATE
-----> UPDATE ORDERs
ORDER MEMBLT
MEMBLT(op=0xcc,x=0,y=0,cx=16,cy=1,id=0,idx=0)
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 4141
 Sec length: 4114
   RDP length: 794
PDU DATA
-- DATA PDU UPDATE
------------------ RDP LOOP -----------------
NEXT PACKET
   RDP length: 35
PDU DATA
-- DATA PDU UPDATE
-----> UPDATE ORDERs
ORDER MEMBLT
MEMBLT(op=0xcc,x=0,y=0,cx=16,cy=1,id=0,idx=0)
ORDER RECT
ORDER RECT
------------------ RDP LOOP -----------------
NEXT PACKET
   RDP length: 49
PDU DATA
-- DATA PDU UPDATE
------------------ RDP LOOP -----------------
NEXT PACKET
   RDP length: 3236
PDU DATA
-- DATA PDU POINTER
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 50
 Sec length: 24
   RDP length: 24
PDU DATA
-- DATA PDU POINTER
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 50
 Sec length: 24
   RDP length: 24
PDU DATA
-- DATA PDU POINTER
RDP LOOP STATE
 --------------------------------------- FUNCTION LOOP
-------------------------
--------
------------------ RDP LOOP -----------------
TCP length: 54
 Sec length: 28
   RDP length: 28
PDU DATA
-- DATA PDU UPDATE
-----> UPDATE ORDERs
ORDER RECT
ORDER RECT
rdp://xxx.xxx.xxx.xxx:3389 popped from list WAIT
... (some time).................

and after that, a fatal program error.

My friend also could not get a normal result on Windows 2003.
His OS is Windows XP SP2, and he got the same error as I did.

With respect,
ROleg

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
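Added example (not from the thread or from Ncrack): a small Python summarizer for the -d10 RDP debug output pasted above. It runs over a constructed excerpt of that log, counts the PDU types the module saw, records the largest TCP/Sec/RDP lengths, and flags the "rdp packet NULL!" and "PDU data unimplemented" lines, so a report like this can be reduced to the state the session reached before the crash.

```python
import re
from collections import Counter

# Constructed excerpt of the Ncrack -d10 RDP debug output quoted in the thread.
SAMPLE_LOG = """\
rdp://xxx.xxx.xxx.xxx:3389 Initiating new Connection
rdp://xxx.xxx.xxx.xxx:3389 pushed to list WAIT
------------------ RDP LOOP -----------------
TCP length: 34
SEC LICENSE
rdp packet NULL!
------------------ RDP LOOP -----------------
TCP length: 327
 Sec length: 300
   RDP length: 300
PDU DEMAND ACTIVE
------------------ RDP LOOP -----------------
TCP length: 52
 Sec length: 26
   RDP length: 26
PDU DATA
PDU data unimplemented 40
------------------ RDP LOOP -----------------
TCP length: 1932
 Sec length: 1905
   RDP length: 22
PDU DATA
-- DATA PDU UPDATE
NEXT PACKET
   RDP length: 794
PDU DATA
-- DATA PDU UPDATE
rdp://xxx.xxx.xxx.xxx:3389 popped from list WAIT
"""

# "PDU DEMAND ACTIVE", "PDU DATA", "-- DATA PDU UPDATE", "PDU data unimplemented 40"
PDU_RE = re.compile(r"^(?:-- DATA )?PDU (.+)$")
LEN_RE = re.compile(r"^\s*(TCP|Sec|RDP) length: (\d+)$")

def summarize(log):
    """Return PDU counts, flagged anomaly lines, max lengths per layer, and whether the target left WAIT."""
    pdus, anomalies, popped = Counter(), [], False
    max_len = {"TCP": 0, "Sec": 0, "RDP": 0}
    for n, line in enumerate(log.splitlines(), 1):
        m = LEN_RE.match(line)
        if m:
            max_len[m.group(1)] = max(max_len[m.group(1)], int(m.group(2)))
            continue
        m = PDU_RE.match(line)
        if m:
            name = m.group(1)
            if name.startswith("data unimplemented"):
                anomalies.append((n, line))      # PDU type the module does not handle yet
            elif name != "DATA":                  # generic "PDU DATA" is followed by "-- DATA PDU <type>"
                pdus[name] += 1
            continue
        if "NULL" in line:
            anomalies.append((n, line))          # e.g. "rdp packet NULL!" during SEC LICENSE
        if "popped from list WAIT" in line:
            popped = True
    return {"pdus": dict(pdus), "anomalies": anomalies, "max_len": max_len, "popped": popped}
```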


You ran Ncrack giving it only 10 seconds, with to=10s, to crack the
service. Note that this option doesn't have anything to do with how long
Ncrack waits before it stops cracking a service that appears to be
unresponsive; rather, it's the *total* time Ncrack devotes to that
particular service.

Are the same results reproduced without specifying this option?
Does it work normally against Windows 2003 Server?


-- 
http://sock-raw.org
http://twitter.com/ithilgore