Nmap Development mailing list archives
Re: [Call for Testers] Ncrack RDP module
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Thu, 19 Aug 2010 22:10:34 +0200
On 08/19/10 18:56, Thomas Buchanan wrote:
> -----Original Message-----
> From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of ithilgore
> Sent: Monday, August 16, 2010 10:12 PM
> To: nmap-dev
> Subject: [Call for Testers] Ncrack RDP module
>
> Hello nmap-dev,
>
> As you already know, I was lately working on an Ncrack module meant to crack Microsoft's Remote Desktop Protocol. This was a lot of work given the complexity of it, but finally it is here! You can grab a copy of it along with the latest version of Ncrack from the SVN repository:
>
> $ svn co --username guest --password "" svn://svn.insecure.org/ncrack
>
> Note that because of the large number of packets involved, even for the connection/authentication phase, this module is very slow. I have some ideas to make it faster in the near future but this will probably take a while.
>
> As I mention in the man page, care must be taken against RDP servers in Windows XP versions, since they can't handle multiple connections at the same time. It is advised to use a very slow timing template or, even better, limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and above don't suffer from the same limitation. An example (against Windows XP) would be:
>
> $ ncrack 192.168.1.2:3389,CL=1,cd=5s
>
> The above command will limit Ncrack to 1 concurrent connection and a delay of 5 seconds between each connection probe.
>
> I have tested the module successfully against Windows XP, Vista, 7, Server 2008. Let me know if you find any problems. I would appreciate any feedback on it.
>
> Cheers,
> ithilgore
>
> --
> http://sock-raw.org
> http://twitter.com/ithilgore
>
> ithilgore,
>
> I was excited to see your call for testing on the RDP module for ncrack. It looks like it will be an excellent addition to a security tester's toolkit, filling what for me has been a noticeable hole in the past.
> After updating my svn checkout this morning, I was able to successfully compile and build ncrack with no problems on my CentOS 5.5 development system. I created a test account on a Windows XP SP2 laptop, enabled the RDP service, and used your suggested command line with a custom password list which included three incorrect passwords and one password which was valid for the test account. Here are the results:
>
> $ ./ncrack -v --user 'COMPUTER\test' -P /home/tbuchanan/tmp/custom.list 192.168.128.136:3389,CL=1,cd=5s
>
> Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:14 CDT
> Account credentials are NOT valid.
> Account credentials are NOT valid.
> Account credentials are NOT valid.
> Account credentials are valid, however, the account is denied interactive logon.
> Discovered credentials on rdp://192.168.128.136:3389 'COMPUTER\test' 'Password1'
> rdp://192.168.128.136:3389 finished.
>
> Discovered credentials for rdp on 192.168.128.136 3389/tcp:
> 192.168.128.136 3389/tcp rdp: 'COMPUTER\test' 'Password1'
>
> Ncrack done: 1 service scanned in 20.01 seconds.
> Probes sent: 4 | timed-out: 0 | prematurely-closed: 0
>
> Ncrack finished.
>
> As you can see, it worked great, even detecting the fact that I hadn't granted that test user access to logon remotely.
>
> I then tried the same steps on a Windows 7 Ultimate system. Unfortunately, it didn't go quite as smoothly. One thing I noticed is that it didn't print the Account credentials lines that were printed during the test of the Windows XP system.
That's normal because the heuristics for Windows Vista and above are different and no such messages are printed anyway.
> $ ./ncrack -v --user 'Test' -P /home/tbuchanan/tmp/custom.list 192.168.128.176:3389,CL=1,cd=5s
>
> Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:19 CDT
> rdp://192.168.128.176:3389 finished.
>
> Ncrack done: 1 service scanned in 35.00 seconds.
> Probes sent: 4 | timed-out: 0 | prematurely-closed: 0
>
> Ncrack finished.
>
> I increased the verbosity and debug level, and still didn't see any successful login attempts:
>
> $ ./ncrack -vv -d --user 'Test' -P /home/tbuchanan/tmp/custom.list 192.168.128.176:3389,CL=1,cd=5s
>
> Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:25 CDT
> rdp://192.168.128.176:3389 Attempts: total 1 completed 1 supported 1 --- rate 0.97
> rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
> rdp://192.168.128.176:3389 Increasing connection limit to: 1
> rdp://192.168.128.176:3389 Attempts: total 2 completed 2 supported 1 --- rate 0.20
> rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
> rdp://192.168.128.176:3389 Increasing connection limit to: 1
> rdp://192.168.128.176:3389 Attempts: total 3 completed 3 supported 1 --- rate 0.20
> rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
> rdp://192.168.128.176:3389 Increasing connection limit to: 1
> rdp://192.168.128.176:3389 Attempts: total 4 completed 4 supported 1 --- rate 0.20
> rdp://192.168.128.176:3389 finished.
>
> Ncrack done: 1 service scanned in 20.00 seconds.
> Probes sent: 4 | timed-out: 0 | prematurely-closed: 0
>
> Ncrack finished.
That's strange. The heuristics for Windows 7 only affect the failure part, since the successful authentication packet is a generic one (it's the same for all Windows versions). Can you rerun Ncrack with -d10 and give me the output? You can redirect both stderr and stdout with &> outfile. I have to warn you that it is going to produce a lot of output, but that's the only helpful way for me to see what's going on behind the scenes. The network traffic data would be a valuable asset too.
> I used the Remote Desktop Connection client on a Windows XP system to verify that I had the correct password in the list I had put together. I then tried different variations of including the computer name as part of the username, for example user="computer\Test", but was still unable to get a successful attempt.
>
> I'd be happy to provide some network traffic captures if needed to help diagnose what might be going on.
>
> Thanks again for all your efforts on the ncrack tool; it looks like it's really shaping up very nicely.
>
> Thomas
Thanks,
ithilgore

--
http://sock-raw.org
http://twitter.com/ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
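A small parser for the -v output format quoted in the thread above, added here as an example; it is not part of Ncrack and was not posted by either participant. It assumes the line formats exactly as they appear in the posted runs (the per-service "host port/proto service: 'user' 'pass'" summary line, the "... finished." line, and the "Ncrack done" and "Probes sent" lines, plus the two per-attempt verdict lines that the XP heuristics print). The two sample outputs are constructed from the Windows XP and Windows 7 runs in Thomas's message, and the review_run helper turns ithilgore's remark that Vista-and-later targets print no per-attempt verdicts into a check a tester can apply before concluding that a silent run found nothing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples, copied from the two runs quoted in the thread.
SAMPLE_XP = r"""Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:14 CDT
Account credentials are NOT valid.
Account credentials are NOT valid.
Account credentials are NOT valid.
Account credentials are valid, however, the account is denied interactive logon.
Discovered credentials on rdp://192.168.128.136:3389 'COMPUTER\test' 'Password1'
rdp://192.168.128.136:3389 finished.

Discovered credentials for rdp on 192.168.128.136 3389/tcp:
192.168.128.136 3389/tcp rdp: 'COMPUTER\test' 'Password1'

Ncrack done: 1 service scanned in 20.01 seconds.
Probes sent: 4 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.
"""

SAMPLE_WIN7 = r"""Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:19 CDT
rdp://192.168.128.176:3389 finished.

Ncrack done: 1 service scanned in 35.00 seconds.
Probes sent: 4 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.
"""


@dataclass
class Credential:
    host: str
    port: int
    proto: str
    service: str
    user: str
    password: str


@dataclass
class NcrackRun:
    credentials: List[Credential] = field(default_factory=list)
    finished_targets: List[str] = field(default_factory=list)
    invalid_attempts: int = 0          # "NOT valid" verdict lines (XP heuristics only)
    denied_interactive_logon: int = 0  # password right, but no remote-logon right
    services_scanned: Optional[int] = None
    elapsed_seconds: Optional[float] = None
    probes_sent: Optional[int] = None
    timed_out: Optional[int] = None
    prematurely_closed: Optional[int] = None


# Patterns matching the -v output lines quoted in the thread (assumed stable).
_CRED_RE = re.compile(r"^(\S+) (\d+)/(tcp|udp) (\w+): '(.*?)' '(.*)'$")
_FINISHED_RE = re.compile(r"^(\w+://\S+) finished\.$")
_DONE_RE = re.compile(r"^Ncrack done: (\d+) services? scanned in ([\d.]+) seconds\.$")
_PROBES_RE = re.compile(r"^Probes sent: (\d+) \| timed-out: (\d+) \| prematurely-closed: (\d+)$")
_INVALID_LINE = "Account credentials are NOT valid."
_DENIED_LINE = "Account credentials are valid, however, the account is denied interactive logon."


def parse_ncrack_output(text: str) -> NcrackRun:
    """Turn one Ncrack -v run into a structured record."""
    run = NcrackRun()
    for raw in text.splitlines():
        line = raw.strip()
        if line == _INVALID_LINE:
            run.invalid_attempts += 1
        elif line == _DENIED_LINE:
            run.denied_interactive_logon += 1
        elif (m := _CRED_RE.match(line)):
            host, port, proto, service, user, password = m.groups()
            run.credentials.append(Credential(host, int(port), proto, service, user, password))
        elif (m := _FINISHED_RE.match(line)):
            run.finished_targets.append(m.group(1))
        elif (m := _DONE_RE.match(line)):
            run.services_scanned = int(m.group(1))
            run.elapsed_seconds = float(m.group(2))
        elif (m := _PROBES_RE.match(line)):
            run.probes_sent, run.timed_out, run.prematurely_closed = map(int, m.groups())
    return run


def review_run(run: NcrackRun) -> List[str]:
    """Observations a tester would want to record alongside the raw output."""
    notes = []
    for c in run.credentials:
        notes.append(f"{c.service} on {c.host}:{c.port}: valid password found for '{c.user}'")
    if run.denied_interactive_logon:
        notes.append("a valid password was accepted for an account that is denied "
                     "interactive logon (the account exists but cannot use RDP)")
    if run.probes_sent and not run.credentials and run.invalid_attempts == 0:
        # Per the thread: Vista and later print no per-attempt verdicts, so silence
        # alone does not show the module understood the server's replies.
        notes.append("probes were sent but no per-attempt verdicts were printed; expected "
                     "against Windows Vista and later, so confirm with -d10 output")
    if run.timed_out or run.prematurely_closed:
        notes.append("some probes timed out or were closed early; against XP-era servers "
                     "reduce concurrency with CL=1 and a cd delay")
    return notes


if __name__ == "__main__":
    for label, sample in (("XP", SAMPLE_XP), ("Win7", SAMPLE_WIN7)):
        run = parse_ncrack_output(sample)
        print(label, run.probes_sent, "probes,", len(run.credentials), "credential(s)")
        for note in review_run(run):
            print("  -", note)
```

Feeding the parser a redirected run (ncrack ... &> outfile, as ithilgore suggests) gives a record that can be compared across targets, which is exactly the XP-versus-7 comparison Thomas made by eye.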
Current thread:
- [Call for Testers] Ncrack RDP module ithilgore (Aug 16)
- RE: [Call for Testers] Ncrack RDP module Thomas Buchanan (Aug 19)
- Re: [Call for Testers] Ncrack RDP module ithilgore (Aug 19)
- Re: [Call for Testers] Ncrack RDP module Thomas Buchanan (Aug 19)
- Re: [Call for Testers] Ncrack RDP module ithilgore (Aug 23)
- Re: [Call for Testers] Ncrack RDP module ithilgore (Aug 24)
- Re: [Call for Testers] Ncrack RDP module Thomas Buchanan (Aug 24)
- Re: [Call for Testers] Ncrack RDP module ithilgore (Aug 25)
- Re: [Call for Testers] Ncrack RDP module ithilgore (Aug 19)
- RE: [Call for Testers] Ncrack RDP module Thomas Buchanan (Aug 19)
- Re: [Call for Testers] Ncrack RDP module ithilgore (Aug 23)