Nmap Development mailing list archives

RE: [Call for Testers] Ncrack RDP module


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 20 Aug 2010 08:03:52 +0100

Hi ithilgore,

I had to make a couple of tweaks (see attached) to get this to compile on
Windows. I also had to create a LICENSE file for Ncrack.nsi (I copied an
existing one for Nmap to make NSIS happy).

I've tested against 2008R2 and Windows 7 and it seems to work fine when the
option "Allow connections from computers running any version of Remote
Desktop (less secure)" is selected, but it didn't appear to cope particularly
well when "Allow connections only from computers running Remote Desktop with
Network Level Authentication (more secure)" is selected. It seems (from
Wireshark) that the host sees the less secure request, responds with an [ACK],
then responds with [RST, ACK]. Ncrack seems to constantly retry without getting
anywhere:

rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00

Presumably it'd keep going until it reaches a timeout, assuming one has been
set. Is there a more elegant way of dealing with systems that are configured
to support NLA, or do we have to put up with this limitation until Ncrack
can support NLA?

I'll see if I can test against a 2003 host at some point; I'm especially
interested in seeing how well it copes when the host is configured to use
SSL rather than RDP, as I imagine it might fail in a similar way.

It's fantastic to see Ncrack support RDP; it seems to be a lot more reliable
and easier to use than some of the old tools I've played with in the past
(tsgrind, tscrack). I must admit there's a part of me that'll be quite
concerned when NLA support is in place.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of ithilgore
Sent: 17 August 2010 04:12
To: nmap-dev
Subject: [Call for Testers] Ncrack RDP module

Hello nmap-dev,

As you already know, I have lately been working on an Ncrack module meant to
crack Microsoft's Remote Desktop Protocol. This was a lot of work given the
complexity of it, but finally it is here! You can grab a copy of it along
with the latest version of Ncrack from the SVN repository:

$ svn co --username guest --password "" svn://svn.insecure.org/ncrack

Note that, because of the large number of packets involved, even for the
connection/authentication phase, this module is very slow. I have some
ideas to make it faster in the near future, but this will probably take a
while.

As I mention in the man page, care must be taken against RDP servers on
Windows XP versions, since they can't handle multiple connections at the
same time. It is advised to use a very slow timing template or, even better,
to limit the maximum parallel connections using timing options such as CL
(Connection Limit) or cd (connection delay) against Windows XP (and
related) RDP servers. Windows Vista and above don't suffer from the same
limitation. An example (against Windows XP) would be:

$ ncrack 192.168.1.2:3389,CL=1,cd=5s

The above command will limit Ncrack to 1 concurrent connection and a delay
of 5 seconds between each connection probe.

I have tested the module successfully against Windows XP, Vista, 7, Server
2008.

Let me know if you find any problems. I would appreciate any feedback on it.

Cheers,
ithilgore


-- 
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: ncrack_win32_tweaks.diff