Re: [Call for Testers] Ncrack RDP module

[Thomas Buchanan <tbuchanan () thecompassgrp net>]

ithilgore wrote:
> On 08/19/10 18:56, Thomas Buchanan wrote:
>  > I increased the verbosity and debug level, and still didn't see any
>  > successful login attempts:
>  >
>  > $ ./ncrack -vv -d --user 'Test' -P /home/tbuchanan/tmp/custom.list
>  > 192.168.128.176:3389,CL=1,cd=5s
>  >
>  > Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:25 CDT
>  >
>  > rdp://192.168.128.176:3389 Attempts: total 1 completed 1 supported 1 ---
>  > rate 0.97
>  > rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
>  > rdp://192.168.128.176:3389 Increasing connection limit to: 1
>  > rdp://192.168.128.176:3389 Attempts: total 2 completed 2 supported 1 ---
>  > rate 0.20
>  > rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
>  > rdp://192.168.128.176:3389 Increasing connection limit to: 1
>  > rdp://192.168.128.176:3389 Attempts: total 3 completed 3 supported 1 ---
>  > rate 0.20
>  > rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
>  > rdp://192.168.128.176:3389 Increasing connection limit to: 1
>  > rdp://192.168.128.176:3389 Attempts: total 4 completed 4 supported 1 ---
>  > rate 0.20
>  > rdp://192.168.128.176:3389 finished.
>  >
>  >
>  > Ncrack done: 1 service scanned in 20.00 seconds.
>  > Probes sent: 4 | timed-out: 0 | prematurely-closed: 0
>  >
>  > Ncrack finished.
>
> That's strange. The heuristics for Windows 7 only affect the failure part,
> since the successful authentication packet is a generic one (it's the same
> for all Windows versions).
>
> Can you rerun Ncrack with -d10 and give me the output? You can redirect
> both stderr and stdout with &> outfile. I have to warn you that it is going
> to produce a lot of output, but that's the only helpful way for me to see
> what's going on behind the scenes.
>
> The network traffic data would be a valuable asset too.
>
>  >
>  > I used the Remote Desktop Connection client on a Windows XP system to
>  > verify that I had the correct password in the list I had put together.
>  > I then tried different variations of including the computer name as part
>  > of the username, for example user="computer\Test", but was still unable
>  > to get a successful attempt.
>  >
>  > I'd be happy to provide some network traffic captures if needed to help
>  > diagnose what might be going on.
>  >
>  > Thanks again for all your efforts on the ncrack tool, looks like it's
>  > really shaping up very nicely.
>  >
>  > Thomas
>
> Thanks,
> ithilgore
>
> --
> http://sock-raw.org
> http://twitter.com/ithilgore

I tested this a little more, and it seems that when I tried it before I 
was actively logged into the Windows 7 system.  When I logged off and 
tried again, ncrack successfully detected the correct username and 
password combination.  Apparently when someone is logged in, Windows 7 
RDP presents a screen that allows you to choose whether or not to 
forcibly disconnect that active session.  I'll send you the debug log 
files off list so you can review them.

Thanks,

Thomas
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/