Nmap Development mailing list archives
Re: Ncrack revived
From: Fotis Hantzis <ithilgore.ryu.l () gmail com>
Date: Thu, 5 Nov 2015 09:43:12 +0200
Thanks for the feedback! d33tah, do you think Travis CI is really worth the trouble? As far as I know, it's quite complicated to successfully set up. Dan, the interoperability between Nmap and Ncrack is a sought after goal, as already demonstrated by Ncrack's automatic service recognition (-iX, -iN). I think your idea about automatically feeding Ncrack new targets as they get discovered by Nmap, would be ideal if the network resources were segregated. So it would be even better if Ncrack was initiated through a different network segment (this could also be a cloud service). As for how this could be implemented, it would require some changes to Ncrack's architecture. Ncrack utilizes the nsock library (also used by Nmap for service detection [-sV]) which uses an asynchronous/non-blocking model. It would be better if we kept a total of one running process (not use any fork/pthread) and leverage another non-blocking socket to accomplish the communication between Ncrack and Nmap. The implementation of the pipeline would require some changes in Ncrack's core engine but that won't really be a problem. Since it's a task that would require a robust architecture - e.g properly authenticating Nmap requests to Ncrack (this could easily be abused otherwise since it won't necessarily be IPC) I would also like to hear the opinion of Fyodor on this one. It is overall a quite promising and exciting feature. Ithilgore On Wed, Nov 4, 2015 at 3:49 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
Ithilgore, This is exciting news! For me, Ncrack's primary use has been as an SSH brute-forcer, since NSE doesn't have that capability. I think it's greatest strength going forward as part of the Nmap Project will be its single-purpose design: NSE may support more protocols, but it has these primary weaknesses: 1. A brute-force NSE script stops a network scan until it completes. This means that Nmap's primary purpose is hindered in some way. 2. A brute NSE script can only handle as many hosts at a time as the current hostgroup size. At the moment, NSE parallelization isn't the most intelligent and probably under-utilizes the network. I think Ncrack could be improved by deliberately addressing these deficiencies in NSE. One option would be an RPC listener of some sort for a running Ncrack process to accept new targets. This would let us make a NSE script to pass along targets as discovered, letting the Nmap scan continue while Ncrack handles the brute-forcing, maybe even on a different computer. I'm not familiar enough with Ncrack's architecture to know whether it would easily support a pipelined approach (different targets starting at different times) but it would at least have a better chance of batching in an appropriate size group. Dan On Wed, Nov 4, 2015 at 2:10 AM, Fotis Hantzis <ithilgore.ryu.l () gmail com> wrote:Hello nmap-dev, it's been a while since I last updated Ncrack but I have been actively working on it for quite some time now. I already updated the SSH module by porting the latest openssh code (7.1) to the internal Ncrack ssh library (currently only on svn). Now it is working against all latest ssh servers. The analysis of how this was originally accomplished back when I originally built the first version of the Ncrack SSH module is here for anyone interested: http://sock-raw.org/papers/openssh_library I am aware that currently many people are using NSE for some of your brute-forcing tasks, but Ncrack still remains a highly specialized tool for this purpose, with a lot of useful features. Some of its main advantages are: * Intelligent core networking engine: Ncrack knows when to back off to avoid DoS-ing a service and when to increase its network connections by constantly trying to find a golden ration between efficiency (speed) and reliability. For example other competitors led to the shutdown of the FTP service while Ncrack managed to maintain a balance and find the credentials correctly: https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/ * Service recognition through Nmap: Ncrack can automatically get input from the normal (-oN) or XML (-oX) Nmap output, recognize which ports are open and brute-force the equivalent services that its modules support. * Fine-grained timing control: Ncrack provides a variety of timing options with which you can optimize your brute-force scans. Alongside the generic timing templates (T0 - T5), you can specify the upper and lower limit of network connections per service, the total number of connections, the authentication tries per connection, the delay between each connection initiation and others which give the penetration tester total control of a brute-force attack allowing him to be flexible both in terms of stealth and performance. Other features include: * Stop current session and restore it later. * Built-in lists of most frequently used usernames and passwords. * Various modes of username/password list iteration (username first, password first, pairwise) It would be great if nmap-dev voiced their opinion on which new features they would like to see in Ncrack: - Which new protocols should Ncrack support? (prioritization list) - What new features would be most helpful for the pentester? - Any other ideas for improvement For anyone that would like to help improve Ncrack by building more protocol modules, I have written an extensive guide on how this can easily be accomplished: https://nmap.org/ncrack/devguide.html Cheers, Ithilgore (Fotis Hantzis) -- http://sock-raw.org _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Ncrack revived Fotis Hantzis (Nov 04)
- Re: Ncrack revived Jacek Wielemborek (Nov 04)
- Re: Ncrack revived Daniel Miller (Nov 04)
- Re: Ncrack revived Fotis Hantzis (Nov 04)
- Re: Ncrack revived Jacek Wielemborek (Nov 05)
- Re: Ncrack revived Fotis Hantzis (Nov 04)