Re: Ncrack revived

[Daniel Miller <bonsaiviking () gmail com>]

Ithilgore,

This is exciting news! For me, Ncrack's primary use has been as an SSH
brute-forcer, since NSE doesn't have that capability. I think it's greatest
strength going forward as part of the Nmap Project will be its
single-purpose design: NSE may support more protocols, but it has these
primary weaknesses:

1. A brute-force NSE script stops a network scan until it completes. This
means that Nmap's primary purpose is hindered in some way.

2. A brute NSE script can only handle as many hosts at a time as the
current hostgroup size. At the moment, NSE parallelization isn't the most
intelligent and probably under-utilizes the network.

I think Ncrack could be improved by deliberately addressing these
deficiencies in NSE. One option would be an RPC listener of some sort for a
running Ncrack process to accept new targets. This would let us make a NSE
script to pass along targets as discovered, letting the Nmap scan continue
while Ncrack handles the brute-forcing, maybe even on a different computer.
I'm not familiar enough with Ncrack's architecture to know whether it would
easily support a pipelined approach (different targets starting at
different times) but it would at least have a better chance of batching in
an appropriate size group.

Dan

On Wed, Nov 4, 2015 at 2:10 AM, Fotis Hantzis <ithilgore.ryu.l () gmail com>
wrote:

> Hello nmap-dev,
> it's been a while since I last updated Ncrack but I have been actively
> working on it for quite some time now. I already updated the SSH module by
> porting the latest openssh code (7.1) to the internal Ncrack ssh library
> (currently only on svn). Now it is working against all latest ssh servers.
> The analysis of how this was originally accomplished back when I
> originally built the first version of the Ncrack SSH module is here for
> anyone interested:
> http://sock-raw.org/papers/openssh_library
>
> I am aware that currently many people are using NSE for some of your
> brute-forcing tasks, but Ncrack still remains a highly specialized tool for
> this purpose, with a lot of useful features. Some of its main advantages
> are:
>
> * Intelligent core networking engine:
>
> Ncrack knows when to back off to avoid DoS-ing a service and when to
> increase its network connections by constantly trying to find a golden
> ration between efficiency (speed) and reliability.
> For example other competitors led to the shutdown of the FTP service while
> Ncrack managed to maintain a balance and find the credentials correctly:
> https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
>
> * Service recognition through Nmap:
>
> Ncrack can automatically get input from the normal (-oN) or XML (-oX) Nmap
> output, recognize which ports are open and brute-force the equivalent
> services that its modules support.
>
> *  Fine-grained timing control:
>
> Ncrack provides a variety of timing options with which you can optimize
> your brute-force scans. Alongside the generic timing templates (T0 - T5),
> you can specify the upper and lower limit of network connections per
> service, the total number of connections, the authentication tries per
> connection, the delay between each connection initiation and others which
> give the penetration tester total control of a brute-force attack allowing
> him to be flexible both in terms of stealth and performance.
>
> Other features include:
> * Stop current session and restore it later.
> * Built-in lists of most frequently used usernames and passwords.
> * Various modes of username/password list iteration (username first,
> password first, pairwise)
>
> It would be great if nmap-dev voiced their opinion on which new features
> they would like to see in Ncrack:
>
> - Which new protocols should Ncrack support? (prioritization list)
> - What new features would be most helpful for the pentester?
> - Any other ideas for improvement
>
> For anyone that would like to help improve Ncrack by building more
> protocol modules, I have written an extensive guide on how this can easily
> be accomplished: https://nmap.org/ncrack/devguide.html
>
> Cheers,
> Ithilgore
> (Fotis Hantzis)
>
> --
> http://sock-raw.org
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/