Nmap Development mailing list archives

Re: [Call for Testers] Ncrack RDP module


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Mon, 23 Aug 2010 21:25:08 +0200

On 08/20/10 09:03, Rob Nicholls wrote:
> Hi ithilgore,
>
> I had to make a couple of tweaks (see attached) to get this to compile on
> Windows. I also had to create a LICENSE file for Ncrack.nsi (I copied an
> existing one for Nmap to make NSIS happy).
>
> I've tested against 2008R2 and Windows 7 and it seems to work fine when the
> option "Allow connections from computers running any version of Remote
> Desktop (less secure)" is selected, but it didn't appear to cope particularly
> well when "Allow connections only from computers running Remote Desktop with
> Network Level Authentication (more secure)" is selected. It seems (from
> Wireshark) that the host sees the less secure request, responds with an
> [ACK], then responds with [RST, ACK]. Ncrack seems to constantly retry
> without getting anywhere:

> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00
> rdp://192.168.1.11:3389 Attempts: total 0 completed 0 supported 0 --- rate 0.00

> Presumably it'd keep going until it reaches a timeout, assuming one has been
> set. Is there a more elegant way of dealing with systems that are configured
> to support NLA, or do we have to put up with this limitation until Ncrack
> can support NLA?

I will have to implement the connection retry (cr) timing option in the
Ncrack engine, so one can place a limit on the number of retries that
Ncrack does against a server that continually times out. This isn't really
hard to code, so I might as well put this task as one of the top priorities
in the TODO list.


> I'll see if I can test against a 2003 host at some point, I'm especially
> interested in seeing how well it copes when the host is configured to use
> SSL rather than RDP, as I imagine it might fail in a similar way.

Please let me know about any such special cases so that I might fix any
problem that might arise.


> It's fantastic to see Ncrack support RDP, it seems to be a lot more reliable
> and easier to use than some of the old tools I've played with in the past
> (tsgrind, tscrack). I must admit there's a part of me that'll be quite
> concerned when NLA support is in place.
>
> Rob


As far as I have read about NLA, it requires much additional work to be
done, but I will implement it in the near future, rest assured.

Cheers,
ithilgore
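
An added example, not Ncrack code and not part of the thread, showing the RDP connection-negotiation exchange (MS-RDPBCGR X.224 Connection Request/Confirm with RDP_NEG_REQ, RDP_NEG_RSP and RDP_NEG_FAILURE) that decides whether a client using standard RDP security gets past the first round trip. It assumes the module's "less secure request" corresponds to asking for PROTOCOL_RDP; the server replies are constructed bytes, so it runs offline. An administrator can use the same decoding to confirm a host enforces NLA: such a host either answers a negotiating client with HYBRID_REQUIRED_BY_SERVER or, for a client that sends no negotiation request at all, simply closes the connection.

```python
import struct

# Values from MS-RDPBCGR: negotiation structure types, protocol flags and failure codes.
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # HYBRID = CredSSP, i.e. NLA
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def tpkt_x224(code, body):
    """Wrap an X.224 TPDU (code 0xE0 = CR, 0xD0 = CC) plus an optional RDP_NEG_* body in a TPKT."""
    # X.224: LI (length of the rest), TPDU code, DST-REF, SRC-REF, class 0, then body
    x224 = struct.pack(">BBHHB", 6 + len(body), code, 0, 0, 0) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def build_connection_request(requested_protocols):
    """Client hello; PROTOCOL_RDP asks for standard (legacy) RDP security only."""
    return tpkt_x224(0xE0, struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols))

def build_connection_confirm(neg_type=None, value=0):
    """Constructed server replies for this example: no body, RDP_NEG_RSP or RDP_NEG_FAILURE."""
    body = b"" if neg_type is None else struct.pack("<BBHI", neg_type, 0, 8, value)
    return tpkt_x224(0xD0, body)

def parse_connection_confirm(data):
    """Decode a Connection Confirm into ('legacy' | 'selected' | 'failure', detail)."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a well-formed TPKT PDU")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]
    if not body:                      # server that does not negotiate: standard RDP security only
        return ("legacy", PROTOCOL_RDP)
    ntype, _flags, nlen, value = struct.unpack("<BBHI", body[:8])
    if nlen != 8:
        raise ValueError("bad RDP_NEG_* length")
    if ntype == TYPE_RDP_NEG_RSP:
        return ("selected", value)
    if ntype == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, "UNKNOWN_0x%x" % value))
    raise ValueError("unexpected negotiation structure type 0x%02x" % ntype)

def legacy_client_rejected(confirm):
    """True when the server's answer means a standard-security client cannot proceed."""
    return parse_connection_confirm(confirm)[0] == "failure"

if __name__ == "__main__":
    print(build_connection_request(PROTOCOL_RDP).hex())
    print(parse_connection_confirm(build_connection_confirm(TYPE_RDP_NEG_FAILURE, 5)))
```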


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
