Nmap Development mailing list archives

Re: [Call for Testers] Ncrack RDP module


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Mon, 23 Aug 2010 21:19:35 +0200

On 08/19/10 21:51, Thomas Buchanan wrote:
ithilgore wrote:
On 08/19/10 18:56, Thomas Buchanan wrote:
 > I increased the verbosity and debug level, and still didn't see any
 > successful login attempts:
 >
 > $ ./ncrack -vv -d --user 'Test' -P /home/tbuchanan/tmp/custom.list
 > 192.168.128.176:3389,CL=1,cd=5s
 >
 > Starting Ncrack 0.2ALPHA ( http://ncrack.org ) at 2010-08-19 11:25 CDT
 >
 > rdp://192.168.128.176:3389 Attempts: total 1 completed 1 supported 1 ---
 > rate 0.97
 > rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
 > rdp://192.168.128.176:3389 Increasing connection limit to: 1
 > rdp://192.168.128.176:3389 Attempts: total 2 completed 2 supported 1 ---
 > rate 0.20
 > rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
 > rdp://192.168.128.176:3389 Increasing connection limit to: 1
 > rdp://192.168.128.176:3389 Attempts: total 3 completed 3 supported 1 ---
 > rate 0.20
 > rdp://192.168.128.176:3389 last: 0.00 current 0.00 parallelism 1
 > rdp://192.168.128.176:3389 Increasing connection limit to: 1
 > rdp://192.168.128.176:3389 Attempts: total 4 completed 4 supported 1 ---
 > rate 0.20
 > rdp://192.168.128.176:3389 finished.
 >
 >
 > Ncrack done: 1 service scanned in 20.00 seconds.
 > Probes sent: 4 | timed-out: 0 | prematurely-closed: 0
 >
 > Ncrack finished.

That's strange. The heuristics for Windows 7 only affect the failure part,
since the successful authentication packet is a generic one (it's the same
for all Windows versions).

Can you rerun Ncrack with -d10 and give me the output? You can redirect
both stderr and stdout with &> outfile. I have to warn you that it is going
to produce a lot of output, but that's the only helpful way for me to see
what's going on behind the scenes.

The network traffic data would be a valuable asset too.

 >
 > I used the Remote Desktop Connection client on a Windows XP system to
 > verify that I had the correct password in the list I had put together.
 > I then tried different variations of including the computer name as part
 > of the username, for example user="computer\Test", but was still unable
 > to get a successful attempt.
 >
 > I'd be happy to provide some network traffic captures if needed to help
 > diagnose what might be going on.
 >
 > Thanks again for all your efforts on the ncrack tool, looks like it's
 > really shaping up very nicely.
 >
 > Thomas

Thanks,
ithilgore

-- 
http://sock-raw.org
http://twitter.com/ithilgore


I tested this a little more, and it seems that when I tried it before I was
actively logged into the Windows 7 system.  When I logged off and tried
again, ncrack successfully detected the correct username and password
combination.  Apparently when someone is logged in, Windows 7 RDP presents
a screen that allows you to choose whether or not to forcibly disconnect
that active session.  I'll send you the debug log files off list so you can
review them.

Thanks,

Thomas

OK I checked this against both Windows Vista Business SP 2 and Windows 7
Professional and whenever I already have an active remote desktop session
OR I am locally logged in and I start off a new remote desktop session
giving the right credentials, then the previous session immediately shuts
down and I can log in normally with the new one. I am *not* presented with
a screen in which I get to choose whether or not I want to forcibly
disconnect the currently active session.

You said that you tried this in Windows 7 Ultimate (which I unfortunately
can't test right now), so it might be that this screen pertains only to
that Windows version.

I might be able to get another unique fingerprint to detect that special
case, but first tell me if there were some other special configurations in
relation to the remote desktop server in your Windows 7 Ultimate box. This
might be a local group policy configuration perhaps. Was it a new and clean
Windows installation? If it was, then we can be almost certain that it is
the *Ultimate* version that does this kind of thing and not some other
configuration option.

Thanks,
ithilgore


-- 
http://sock-raw.org
http://twitter.com/ithilgore
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/