lunar (1) ncrack.1.gz

Provided by: ncrack_0.7+debian-3build1_amd64 bug

NAME

       ncrack - Network authentication cracking tool

SYNOPSIS

       ncrack [Options] {target specification}

DESCRIPTION

       Ncrack is an open source tool for network authentication cracking. It was designed for
       high-speed parallel cracking using a dynamic engine that can adapt to different network
       situations. Ncrack can also be extensively fine-tuned for special cases, though the
       default parameters are generic enough to cover almost every situation. It is built on a
       modular architecture that allows for easy extension to support additional protocols.
       Ncrack is designed for companies and security professionals to audit large networks for
       default or weak passwords in a rapid and reliable way. It can also be used to conduct
       fairly sophisticated and intensive brute force attacks against individual services.

           Warning
           Ncrack is a project started in the Summer of 2009. While it is already useful for some
           purposes, it is still unfinished, beta quality software. You can help out by testing
           it and reporting any problems as described in the section called “BUGS”.

       The output from Ncrack is a list of found credentials, if any, for each of the targets
       specified. Ncrack can also print an interactive status report of progress so far and
       possibly additional debugging information that can help track problems, if the user
       selected that option.

       A typical Ncrack scan is shown in Example 1. The only Ncrack arguments used in this
       example are the two target IP addresses along with the the corresponding ports for each of
       them. The two example ports 21 and 22 are automatically resolved to the default services
       listening on them: ftp and ssh.

       Example 1. A representative Ncrack scan

           $ ncrack 10.0.0.130:21 192.168.1.2:22

           Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST

           Discovered credentials for ftp on 10.0.0.130 21/tcp:
           10.0.0.130 21/tcp ftp: admin hello1
           Discovered credentials for ssh on 192.168.1.2 22/tcp:
           192.168.1.2 22/tcp ssh: guest 12345
           192.168.1.2 22/tcp ssh: admin money$

           Ncrack done: 2 services scanned in 156.03 seconds.

           Ncrack finished.

       The latest version of Ncrack can be obtained from http://nmap.org/ncrack. The latest
       version of this man page is available at http://nmap.org/ncrack/man.html .

OPTIONS SUMMARY

       This options summary is printed when Ncrack is run with no arguments. It helps people
       remember the most common options, but is no substitute for the in-depth documentation in
       the rest of this manual.

           Ncrack 0.7 ( http://ncrack.org )
           Usage: ncrack [Options] {target and service specification}
           TARGET SPECIFICATION:
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
             -iX <inputfilename>: Input from Nmap´s -oX XML output format
             -iN <inputfilename>: Input from Nmap´s -oN Normal output format
             -iL <inputfilename>: Input from list of hosts/networks
             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
             --excludefile <exclude_file>: Exclude list from file
           SERVICE SPECIFICATION:
             Can pass target specific services in <service>://target (standard) notation or
             using -p which will be applied to all hosts in non-standard notation.
             Service arguments can be specified to be host-specific, type of service-specific
             (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
             Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
             -p <service-list>: services will be applied to all non-standard notation hosts
             -m <service>:<options>: options will be applied to all services of this type
             -g <options>: options will be applied to every service globally
             Misc options:
               ssl: enable SSL over this service
               path <name>: used in modules like HTTP (´=´ needs escaping if used)
               db <name>: used in modules like MongoDB to specify the database
               domain <name>: used in modules like WinRM to specify the domain
           TIMING AND PERFORMANCE:
             Options which take <time> are in seconds, unless you append ´ms´
             (milliseconds), ´m´ (minutes), or ´h´ (hours) to the value (e.g. 30m).
             Service-specific options:
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay <time> between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking <time> for service, regardless of success so far
             -T<0-5>: Set timing template (higher is faster)
             --connection-limit <number>: threshold for total concurrent connections
             --stealthy-linear: try credentials using only one connection against each specified host
               until you hit the same host again. Overrides all other timing options.
           AUTHENTICATION:
             -U <filename>: username file
             -P <filename>: password file
             --user <username_list>: comma-separated username list
             --pass <password_list>: comma-separated password list
             --passwords-first: Iterate password list for each username. Default is opposite.
             --pairwise: Choose usernames and passwords in pairs.
           OUTPUT:
             -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
             -oA <basename>: Output in the two major formats at once
             -v: Increase verbosity level (use twice or more for greater effect)
             -d[level]: Set or increase debugging level (Up to 10 is meaningful)
             --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
             --log-errors: Log errors/warnings to the normal-format output file
             --append-output: Append to rather than clobber specified output files
           MISC:
             --resume <file>: Continue previously saved session
             --save <file>: Save restoration file with specific filename
             -f: quit cracking service after one found credential
             -6: Enable IPv6 cracking
             -sL or --list: only list hosts and services
             --datadir <dirname>: Specify custom Ncrack data file location
             --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
             -V: Print version number
             -h: Print this help summary page.
           MODULES:
             SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
           EXAMPLES:
             ncrack -v --user root localhost:22
             ncrack -v -T5 https://192.168.0.1
             ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
           SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

TARGET SPECIFICATION

       Everything on the Ncrack command-line that isn´t an option (or an option argument) is
       treated as a target host specification. The simplest case is to specify a target IP
       address or a hostname. Note, that you also need to specify a service to crack for the
       selected targets. Ncrack is very flexible in host/service specification. While hostnames
       and IP addresses can be defined with the flexibility that you are probably used to from
       Nmap, services along with service-specific options have a unique specification style that
       enables a combination of features to be taken advantage of.

       Sometimes you wish to crack a whole network of adjacent hosts. For this, Ncrack supports
       CIDR-style addressing. You can append /numbits to an IPv4 address or hostname and Ncrack
       will try to crack every IP address for which the first numbits are the same as for the
       reference IP or hostname given. For example, 192.168.10.0/24 would send probes to the 256
       hosts between 192.168.10.0 11000000 10101000 00001010 00000000) and 192.168.10.255
       (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would crack
       exactly the same targets. Given that the host scanme.nmap.org is at the IP address
       64.13.134.52, the specification scanme.nmap.org/16 would send probes to the 65,536 IP
       addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which
       targets the whole Internet. The largest value is /32, which targets just the named host or
       IP address because all address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you might want to send
       probes to 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used
       as subnet network and broadcast addresses. Ncrack supports this through octet range
       addressing. Rather than specify a normal IP address, you can specify a comma-separated
       list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all
       addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will target the four
       addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range
       may be omitted; the default values are 0 on the left and 255 on the right. Using - by
       itself is the same as 0-255, but remember to use 0- in the first octet so the target
       specification doesn´t look like a command-line option. Ranges need not be limited to the
       final octets: the specifier will send probes to all IP addresses on the Internet ending in
       13.37 This sort of broad sampling can be useful for Internet surveys and research.

       Ncrack accepts multiple host specifications on the command line, and they don´t need to be
       the same type. The command ncrack scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- -p22 does
       what you would expect.

       While targets are usually specified on the command lines, the following options are also
       available to control target selection:

       -iX inputfilename (Input from Nmap´s -oX XML output format) .
           Reads target/service specifications from an Nmap XML output file. The Nmap XML file is
           created by scanning any hosts and specifying the Nmap -oX option. Ncrack will
           automatically parse the IP addresses and the corresponding ports and services that are
           open and will use these targets for authentication auditing. This is a really useful
           option, since it lets you essentially combine these two tools -Nmap and Ncrack- for
           cracking only those services that are surely open. In addition, if version detection
           has been enabled in Nmap (-sV option), Ncrack will use those findings to recognize and
           crack those services that are supported but are listening on non-default ports. For
           example, if a host is having a server listening on port 41414 and Nmap has identified
           that it is a SSH service, Ncrack will use that information to crack it using the SSH
           module. Of course, Ncrack is going to ignore open ports/services that are not
           supported for authentication cracking by its modules.

       -iN inputfilename (Input from Nmap´s -oN Normal output format) .
           Reads target/service specifications from an Nmap Normal output file. The Nmap Normal
           file is created by scanning any hosts and specifying the Nmap -oN option. This works
           exactly like Ncrack´s -iX option, the only difference being the format of the input
           file.

       -iL inputfilename (Input from list) .
           Reads target specifications from inputfilename. Passing a huge list of hosts is often
           awkward on the command line, yet it is a common desire. For example, you might want to
           crack a list of very specific servers that have been specified for penetration
           testing. Simply generate the list of hosts to crack and pass that filename to Ncrack
           as an argument to the -iL option. Entries can be in any of the formats accepted by
           Ncrack on the command line (IP address, hostname, CIDR, octet ranges or Ncrack´s
           special host-service syntax. Each entry must be separated by one or more spaces, tabs,
           or newlines. You can specify a hyphen (-) as the filename if you want Ncrack to read
           hosts from standard input rather than an actual file. Note, however, that if hosts are
           specified without any service, you will have to also provide services/ports for the
           targets using the -p option.

       --exclude host1[, host2[, ...]] (Exclude hosts/networks) .
           Specifies a comma-separated list of targets to be excluded from the scan even if they
           are part of the overall network range you specify. The list you pass in uses normal
           Ncrack syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This
           can be useful when the network you wish to scan includes untouchable mission-critical
           servers, systems that are known to react adversely to heavy load, or subnets
           administered by other people.

       --excludefile exclude_file  (Exclude list from file) .
           This offers the same functionality as the --exclude option, except that the excluded
           targets are provided in a newline, space, or tab delimited exclude_file rather than on
           the command line.

SERVICE SPECIFICATION

       No cracking session can be carried out without targeting a certain service to attack.
       Service specification is one of the most flexible subsystems of Ncrack and collaborates
       with target-specification in a way that allows different option combinations to be
       applied. For Ncrack to start running, you will have to specify at least one target host
       and one associated service to attack. Ncrack provides ways to specify a service by its
       default port number, by its name (as extracted from the ncrack-services file) or both.
       Normally, you need to define both name and port number only in the special case where you
       know that a particular service is listening on a non-default port.

       Ncrack offers two distinct ways with which services will be applied to your targets:
       per-host service specification and global specification.

       Per-host service specification

           Services specified in this mode are written next to the host and apply to it only.
           Keep in mind, however, that target-specification allows wildcards/netmasks, which
           essentially means that applying a per-host service specification format to that
           particular target will affect all of the expanded ones as a result. The general format
           is:

            [service-name]://target:[port-number]

           where target is a hostname or IP address in any of the formats described in the
           target-specification section, [service-name] is one of the common service names as
           defined in the ncrack-services file (e.g ssh, http) and [port-number] is what it
           obviously means. Ncrack can determine the default port numbers for each of the
           services it supports, as well as being able to deduce the service name when a default
           port number has been specified. Specifying both has meaning only when the user has a
           priori knowledge of a service listening on a non-default port number. This can easily
           be determined by using version detection like the one offered by Nmap´s -sV option.

           Example 2. Per-host service specification example

               $ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910

           The above command will try to crack hosts: scanme.nmap.org on SSH service (default
           port 22), 10.0.0.10 on FTP service (default port 21) and 192.168.1.0 - 192.168.1.255
           (all of this C subnet) on SSH service on non-default port 5910 which has been
           explicitly specified. In the last case, Ncrack wouldn´t be able to determine that the
           subnet hosts are to be scanned against the SSH service on that particular port without
           the user explicitly asking for it, because there isn´t any mapping of port-number 5910
           to service SSH.

       Global service specification

           Services specified in this mode are applied to all hosts that haven´t been associated
           with the per-host service specification format. This is done using the -p option.
           While this facility may be similar to that of Nmap´s, you should try not to confuse
           it, since the functionality is of a slightly different nature. Services can be
           specified using comma separated directives of the general format:

            -p [service1]:[port-number1],[service2]:[port-number2],...

           As usual, you need not specify both service name and port number since Ncrack knows
           the mappings of default-services to default-port numbers. Be careful though not to
           include any space between each service-name and/or port number, because Ncrack will
           think that the argument after the space is a host as per the rule "everything that
           isn´t an option is a target specification".

           Example 3. Global service specification example

               $ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet

           The above command will try to crack all of the specified hosts scanme.nmap.org,
           10.0.0.120, 10.0.0.121, 10.0.0.122 and the C class subnet of 192.168.2.0 against the
           following services: SSH service (mapped from default port 22), FTP service on
           non-default port 3210, and TELNET service on default port 23.

       Of course, Ncrack allows you to combine both modes of service specification if you deem
       that as necessary. Normally, you will only need to specify a couple of services but
       cracking a lot of hosts against many different services might be a longterm project for
       large networks that need to be consistently audited for weak passwords. If you are in
       doubt, about which hosts and services are going to be cracked with the current command,
       you can use the -sL option (see below for explanation).

SERVICE OPTIONS

       Apart from general service specification, Ncrack allows you to provide a multitude of
       options that apply to each or a subset of your targets. Options include timing and
       performance optimizations (which are thoroughly analyzed in a separate section), SSL
       enabling/disabling and other module-specific parameters like the relative URL path for the
       HTTP module. Options can be defined in a variety of ways which include: per-host options,
       per-module options and global options. Since a combination of these options may be used,
       there is a strict hierarchy of precedence which will be discussed later.

       Per-host Options

           Options in this mode apply only to the host(s) they are referring to and are written
           next to it according to the following format:

            [service-name]://target:[port-number],opt1=optval1,opt2=optval,...

           The format concerning the service specification which comes before the options, has
           been explained in the previous section.  optN is referring to any of the option names
           that are available (a list will follow below), while optvalN determines the value of
           that option and depends on the nature of it. For example, most timing-related options
           expect to receive numbers as values, while the path option obviously needs a string
           argument.

       Per-module Options

           Options in this mode apply to all hosts that are associated with the particular
           service/module. This is accomplished using the -m which is defined with the format:

            -m service-name:opt1=optval1,opt2=optval2,...

           This option can be invoked multiple times, for as many different services as you might
           need to define service-wide applicable options. Each iteration of this option must
           refer to only one service. However, to avoid confusion, this option had better not be
           called more than one time for the same service, although this is allowed and the last
           iteration will take precedence over the previous ones for all redefined option values.

       Global Options

           Options in this mode apply to all hosts regardless of which service they are
           associated with. This is accomplished using the -g as follows:

            -g opt1=optval1,opt2=optval2,...

           This acts as a convenience option, where you can apply options to all services
           globally. Everything else regarding the available options and option values is the
           same as the previous modes.

       List of available Service Options

       Below follows a list of all the currently available service options. You can apply them
       with any of the three modes described above. The last six of the options are timing
       related and will be analyzed in Section "Timing and Performance" of this manual.

               ssl: enable SSL over this service
               path: path-name used in modules like HTTP (´=´ needs escaping if used)
               db: used in modules like MongoDB to specify the database
               domain: used in modules like WinRM to specify the domain
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay time between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking time for service, regardless of success so far

       ssl (Enable/Disable SSL over service)
           By enabling SSL, Ncrack will try to open a TCP connection and then negotiate a SSL
           session with the target. Everything will then be transparently encrypted and
           decrypted. However, since Ncrack´s job is to provide speed rather than strong crypto,
           the algorithms and ciphers for SSL are chosen on an efficiency basis. Possible values
           for this option are ´yes´ but just specifying ssl would be enough. Thus, this is the
           only option that doesn´t need to be written in the opt=optval format. By default, SSL
           is disabled for all services except those that are stricly dependent on it like HTTPS.

       path <name> (Path name for relative URLs)
           Some services like HTTP or SVN usually require a specific path in the URL. This option
           takes that pathname string as its value. The path is always relative to the hostname
           or IP address, so if you want to target something like http://foobar.com/login.php the
           path must take the value path=login.php . The initial ´/´ is added if you omit it.
           However, it is usually better if you explicitly specify it at the end of pathnames
           that are directories. For example, to crack the directory for
           http://foobar.com/protected-dir/ , it would be better if you wrote it as
           path=protected-dir/ . This is to avoid the (very) slight probability of a false
           positive, because there are cases where Web servers might reply with a "301 Moved
           Permanently" for a non-successful attempt. They normally send that reply, when a
           successful attempt is made for a requested password-protected path which has omitted
           the ending ´/´ but the requested source is actually a directory. Consequently, Ncrack
           regards that reply as having succeeded in the authentication attempt.

           Also be careful with the symbol ´=´, since it is used by Ncrack for argument parsing
           and you will have to espace it if it is included in the URL.

           By default, the path-name is initialized to ´/´, but will be ignored by services that
           do not require it.

       db <name> (Database name)
           Some services like MongoDB require a specific database name to crack. This option
           allows you to specify the database.

           By default, the db name for MongoDB is initialized to ´admin´ but will be ignored by
           services that do not require it.

       domain <name> (Domain name)
           Some services like WinRM require a specific domain to crack. This option allows you to
           specify the domain.

           By default, the domain name for WinRM is initialized to ´Workstation´ but will be
           ignored by services that do not require it.

       Service Option Hierarchy

       As already noted, Ncrack allows a combination of the three different modes of service
       option specification. In that case, there is a strict hierarchy that resolves the order in
       which conflicting values for these options take precedence over each other. The order is
       as follows, leftmost being the highest priority and rightmost the lowest one:

       Per-host options > Per-module options > Global options > Timing-Template (for timing
       options only)

       The concept of the "Timing-Template" will be explained in the Section "Timing and
       Performance", but for now, just have in mind that its values have the least prevalence
       over everything else and essentially act as defaults for everything timing-related. Global
       options specified with -g have the directly higher precedence, while -m per-module options
       are immediately higher. In the top of the hierarcy reside the per-host options which are
       essentially the most specific ones. Consequently, you can see that the pattern is: the
       more specific the higher the precedence.

       Example 4. Service Option Hierarchy example

           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3

       The example demonstrates the hierarchy precedence. The services that are going to be
       cracked are SSH for scanme.nmap.org and FTP for hosts 10.0.0.120, 10.0.0.20. No particular
       timing-template has been specified and thus the default will be used (Normal - 3). The
       per-host options for scanme.nmap.org define that the minimum connection limit (cl) is 10
       and that Ncrack should attempt only 1 authentication try (at) per connection. These values
       would override any other for service SSH of host scanme.nmap.org if there were conflicts
       with other modes. Since a global option of -g CL=3 was defined and there is no other
       higher-precedence for service SSH and scanme.nmap.org in particular, this value will also
       be applied. As for the FTP targets, the per-module -m ftp:CL=1 defined for all FTP
       services will override the equivalent global one. All these can get quite complex if
       overused, but they are not expected to be leveraged by the average Ncrack user anyway.
       Complicated network scanning scenarios might require them, though. To make certain the
       results are the ones you expect them to be, don´t forget to use the -sL option that prints
       out details about what Ncrack would crack if invoked normally. You can add the debugging
       -d option if you want even more verbose output. For the above example, Ncrack would print
       the following:

       Example 5. Service Option Hierarchy Output example

           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d

           Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT

           ----- [ Timing Template ] -----
           cl=7, CL=80, at=0, cd=0, cr=30, to=0

           ----- [ ServicesTable ] -----
           SERVICE            cl  CL  at  cd  cr  to  ssl path db    domain
           ftp:21             N/A 1   N/A N/A N/A N/A no  null null  null
           ssh:22             N/A N/A N/A N/A N/A N/A no  null null  null
           telnet:23          N/A N/A N/A N/A N/A N/A no  null null  null
           http:80            N/A N/A N/A N/A N/A N/A no  null null  null
           pop3:110           N/A N/A N/A N/A N/A N/A no  null null  null
           imap:143           N/A N/A N/A N/A N/A N/A no  null null  null
           netbios-ssn:445    N/A N/A N/A N/A N/A N/A no  null null  null
           smb:445            N/A N/A N/A N/A N/A N/A no  null null  null
           smb:139            N/A N/A N/A N/A N/A N/A no  null null  null
           https:443          N/A N/A N/A N/A N/A N/A yes null null  null
           owa:443            N/A N/A N/A N/A N/A N/A yes null null  null
           sip:5060           N/A N/A N/A N/A N/A N/A no  null null  null
           pop3s:995          N/A N/A N/A N/A N/A N/A yes null null  null
           mssql:1433         N/A N/A N/A N/A N/A N/A no  null null  null
           mysql:3306         N/A N/A N/A N/A N/A N/A no  null null  null
           ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no  null null  null
           rdp:3389           N/A N/A N/A N/A N/A N/A no  null null  null
           psql:5432          N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5801           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5900           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5901           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:6001           N/A N/A N/A N/A N/A N/A no  null null  null
           redis:6379         N/A N/A N/A N/A N/A N/A no  null null  null
           winrm:5985         N/A N/A N/A N/A N/A N/A no  null null  Workstation
           winrm:5986         N/A N/A N/A N/A N/A N/A no  null null  Workstation
           cassandra:9160     N/A N/A N/A N/A N/A N/A no  null null  null
           cassandra:9042     N/A N/A N/A N/A N/A N/A no  null null  null
           mongodb:27017      N/A N/A N/A N/A N/A N/A no  null admin null

           ----- [ Targets ] -----
           Host: 45.33.32.156 ( scanme.nmap.org )
             ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
           Host: 10.0.0.120
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
           Host: 10.0.0.20
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation

           Ncrack done: 3 services would be scanned.
           Probes sent: 0 | timed-out: 0 | prematurely-closed: 0

           Ncrack finished.

       The ServicesTable just lists the per-module options for all available services. As you can
       see, the only defined option is in the FTP service for the CL . The Targets table is the
       most important part of this output and lists all targets and associated options according
       to the command-line invocation. No network operation takes place in this mode, apart from
       forward DNS resolution for hostnames (like scanme.nmap.org in this example).

TIMING AND PERFORMANCE

       The timing engine is perhaps the most important part of any serious network authentication
       cracking tool. Ncrack´s timing engine offers a great many options for optimization and can
       be bended to serve virtually any user need. As Ncrack is progressing, this subsystem is
       going to evolve into a dynamic autonomous engine that will be able to automatically adjust
       its behaviour according to the network feedback it gets, in order to achieve maximum
       performance and precision without any user intervention.

       Some options accept a time parameter. This is specified in seconds by default, though you
       can append ‘ms’, ‘m’, or ‘h’ to the value to specify milliseconds, minutes, or hours (‘s’
       for seconds is redundant). So the cd (connection delay) arguments 900000ms, 900s, and 15m
       all do the same thing.

       cl num-minconnections; CL num-maxconnections (Adjust number of concurrent parallel
       connections)

           Connection Limit

           These options control the total number of connections that may be outstanding for any
           service at the same time. Normally, Ncrack tries to dynamically adjust the number of
           connections for each individual target by counting how many drops or connection
           failures happen. If a strange network condition occurs, that signifies that something
           may be going wrong, like the host dropping any new connection attempts, then Ncrack
           will immediately lower the total number of connections hitting the service. However,
           the caps number of the minimum or maximum connections that will take place can be
           overridden using these two options. By properly adjusting them, you can essentially
           optimize performance, if you can handle the tricky part of knowing or discovering your
           target´s own limits. The convention here is that cl with lowercase letters is
           referring to the minimum connection limit, while CL with uppercase letters is
           referring to the maximum number of connections.

           The most common usage is to set cl (minimum connection limit) for targets that you are
           almost certain are going to withstand these many connections at any given time. This
           is a risky option to play with, as setting it too high might actually do more harm
           than good by effectively DoS-attacking the target and triggering firewall rules that
           will ban your IP address.

           On the other hand, for more stealthy missions, setting the CL (maximum connection
           limit) to a low value might be what you want. However, setting it too low will surely
           have a great impact in overall cracking speed. For maximum stealth, this can be
           combined with the cd (connection delay) described below.

       at num-attempts (Adjust authentication attempts per connection)

           Authentication Tries

           Using this option, you can order Ncrack to limit the authentication attempts it
           carries out per connection. Ncrack initially sends a reconnaisance probe that lets it
           calculate the maximum number of such authentication tries and from thereon it always
           tries to use that number. Most servicse pose an upper limit on the number of
           authentication per connection and in most cases finding that maximum leads to better
           performance.

           Setting this option to lower values can give you some stealth bonus, since services
           such as SSH tend to log failed attempts after more than a certain number of
           authentication tries per connection. They use that as a metric rather than counting
           the total number of authentication attempts or connections per IP address (which is
           usually done by a firewall). Consequently, a number of 1 or 2 authentication tries
           might circumvent logging in some cases.

           Note that setting that option to a high value will not have any effect if Ncrack
           realizes that the server doesn´t allow that many attempts per connection. In this
           case, it will just use that maximum number and ignore your setting.

       cd time (Adjust delay time between each new connection)

           Connection Delay

           This option essentially defines the imposed time delay between each new connection.
           Ncrack will wait the amount of time you specify in this option value, before starting
           a new connection against the given service. The higher you set it, the slower Ncrack
           will perform, but the stealthier your attack will become.

           Ncrack by default tries to initiate new connections as fast as possible given that new
           probes are actually allowed to be sent and are not restricted by parameters such as
           Connection Limit which can dynamically increase or decrease. Although this approach
           achieves blazing speed as long as the host remains responsive, it can lead to a number
           of disasters such as a firewall being triggered, the targets´ or your bandwidth to be
           diminished and even the tested service to suffer a Denial of Service attack. By
           carefully adjusting this option, you can potentially avoid these annoying situations.

       cr max-conattempts (Adjust the max number of connection retries)

           Connection Retries

           This option allows the user to specify the maximum amount of consecutive failed
           attempts against that particular service. If at any time, during the cracking session,
           Ncrack fails to connect against that particular service, then it will stop cracking it
           entirely.

       to time (Adjust the maximum overall cracking time)

           Timeout

           Define how much time Ncrack is going to spend cracking the service, before giving up
           regardless of whether it has found any credentials so far. However, any authentication
           token discovered until that time, will be stored and printed normally. Ncrack marks a
           service as finished when the username/password lists iteration ends or when it can no
           longer crack it for some serious reason. If Ncrack finishes cracking a service before
           the time specified in this option, then it will not be taken into account at all.

           Sometimes, you have a limited time window to scan/crack your hosts. This might occur
           for various reasons. A common one would be that normal user activity mustn´t be
           interrupted and since Ncrack can become very aggressive, it might be allowed to scan
           the hosts only at during certain time period like the night hours. Scanning during
           certain such hours is also likely to make an attack less detectable.

           Don´t forget that Ncrack allows you to specify the time unit of measure by appending
           ‘ms’, ‘m’, or ‘h’ for milliseconds, minutes or hours (seconds is the default time
           unit). Using them in this particular option, is really convenient as you can specify
           something like to=8h to give Ncrack a total of 8 hours to crack that service. Setting
           up cronjobs for scheduled scans in combination with this option, might also be a good
           idea.

       -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template) .
           While the fine-grained timing controls discussed in the previous section are powerful
           and effective, some people find them confusing. Moreover, choosing the appropriate
           values can sometimes take more time than the scan you are trying to optimize. So
           Ncrack offers a simpler approach, with six timing templates. You can specify them with
           the -T option and their number (0–5) or their name. The template names are
           paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The
           first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth
           and target machine resources. Normal mode is the default and so -T3 does nothing.
           Aggressive mode speeds scans up by making the assumption that you are on a reasonably
           fast and reliable network. Finally insane mode assumes that you are on an
           extraordinarily fast network or are willing to sacrifice some accuracy for speed.

           These templates allow the user to specify how aggressive they wish to be, while
           leaving Ncrack to pick the exact timing values. If you know that the network service
           is going to withstand a huge number of connections you might try using the aggressive
           template of -T4 . Even then, this is mostly advised for services residing in the local
           network. Going over to insane mode -T5 is not recommended, unless you absolutely know
           what you are doing.

           While -T0.  and -T1.  may be useful for avoiding IDS alerts, they will take an
           extraordinarily long time to crack even a few services. For such a long scan, you may
           prefer to set the exact timing values you need rather than rely on the canned -T0 and
           -T1 values.

       --connection-limit numprobes (Adjust the threshold of total concurrent connections)
           NOT IMPLEMENTED YET.

AUTHENTICATION

       This section describes ways of specifying your own username and password lists as well as
       the available modes of iterating over them. Ncrack ships in with a variety of username and
       password lists which reside under the directory ´lists´ of the source tarball and later
       installed under Ncrack´s data directory which usually is /usr/local/share/ncrack or
       /usr/share/ncrack . You can omit specifying any lists and Ncrack is going to use the
       default ones which contain some of the most common usernames and passwords. The password
       list is frequency-sorted with the top most common passwords at the beginning of the list
       so they will be tried out first. The lists have been derived from a combination of sorting
       publicly leaked password files and other techniques.

       -U filename (Specify username list)
           Specify your own username list by giving the path to the filename as argument to this
           option.

           Usernames for specific environments can be gathered in numerous ways including
           harvesting for email-addresses in the company´s website, looking up information in
           whois databases, using the SMTP VRFY technique at vulnerable mail servers or through
           social engineering.

       -P filename (Specify password list)
           Specify your own password list by giving the path to the filename as argument to this
           option.

           Common passwords are usually derived from leaked lists as a result of successful
           intrusions in public sites such as forums or other social networking places. A great
           deal of them have already been publicly disclosed and some of these have been used to
           assemble Ncrack´s own lists.

       --user username_list (Specify command-line comma-separated username list)
           Specify your own usernames directly in the command-line as a comma-separated list.

       --pass password_list (Specify command-line comma-separated password list)
           Specify your own passwords directly in the command-line as a comma-separated list.

       --passwords-first (Reverse the way passwords are iterated)
           Ncrack by default iterates the username list for each password. With this option, you
           can reverse that. For example, given the username list of -> "root, guest, admin" and
           the password list of "test, 12345, q1w2e3r4" Ncrack will normally go over them like
           this -> root:test, guest:test, admin:test, root:12345 etc. By enabling this option it
           will go over them like this -> root:test, root:12345, root:q1w2e3r4, guest:test etc.

           Most network authentication cracking tools prefer by default to iterate the password
           list for each username. This is, however, ineffective compared to the opposite
           iteration in most cases. This holds true for the simple reason that password lists are
           usually sorted on a frequency basis, meaning that the more common a password is, the
           closer to the beginning of the password list it is. Thus, iterating over all usernames
           for the most common passwords first has usually more chances to get a positive result.
           With the --passwords-first iteration, very common passwords might not even be tried
           out for certain usernames if the user chooses to abort the session early. However,
           this option might prove valuable for cases where the attacker knows and has already
           verified that the username list contains real usernames, instead of blindly
           bruteforcing through them.

       --pairwise (Choose usernames and passwords in pairs)
           Enabling this option will make Ncrack iterate the username and password list by
           choosing them in pairs. For example, given the username list of "root, guest, admin"
           and the password list of "test, 12345, q1w2e3r4" Ncrack will go over them like this:
           "root:test", "guest:12345", "admin:q1w2e3r4". This is particularly useful when inside
           knowledge of the infrastructure tested is available and special username and password
           lists have been made.

OUTPUT

       Any security tool is only as useful as the output it generates. Complex tests and
       algorithms are of little value if they aren´t presented in an organized and comprehensible
       fashion. Of course, no single format can please everyone. So Ncrack offers several
       formats, including the interactive mode for humans to read directly and XML for easy
       parsing by software.

       In addition to offering different output formats, Ncrack provides options for controlling
       the verbosity of output as well as debugging messages. Output types may be sent to
       standard output or to named files, which Ncrack can append to or clobber.

       Ncrack makes output available in three different formats. The default is called
       interactive output, and it is sent to standard output (stdout). There is also normal
       output, which is similar to interactive except that it displays less runtime information
       and warnings since it is expected to be analyzed after the scan completes rather than
       interactively.

       XML output is one of the most important output types, as it can be converted to HTML,
       easily parsed by programs such as Ncrack graphical user interfaces, or imported into
       databases. Currently, XML output hasn´t been implemented.

       While interactive output is the default and has no associated command-line options, the
       other two format options use the same syntax. They take one argument, which is the
       filename that results should be stored in. Multiple formats may be specified, but each
       format may only be specified once. For example, you may wish to save normal output for
       your own review while saving XML of the same scan for programmatic analysis. You might do
       this with the options -oX myscan.xml -oN myscan.ncrack. While this chapter uses the simple
       names like myscan.xml for brevity, more descriptive names are generally recommended. The
       names chosen are a matter of personal preference. A scheme could be using long filenames
       that incorporate the scan date and a word or two describing the scan, placed in a
       directory named after the company that is being scanned.

       While these options save results to files, Ncrack still prints interactive output to
       stdout as usual. For example, the command nmap -oX myscan.xml [target] prints XML to
       myscan.xml and fills standard output with the same interactive results it would have
       printed if -oX wasn´t specified at all. You can change this by passing a hyphen character
       as the argument to one of the format types. This causes Ncrack to deactivate interactive
       output, and instead print results in the format you specified to the standard output
       stream. So the command nmap -oX - target will send only XML output to stdout. Serious
       errors may still be printed to the normal error stream, stderr.

       Unlike some Ncrack arguments, the space between the logfile option flag (such as -oX) and
       the filename or hyphen is mandatory.

       All of these arguments support strftime-like conversions in the filename.  %H, %M, %S, %m,
       %d, %y, and %Y are all exactly the same as in strftime.  %T is the same as %H%M%S, %R is
       the same as %H%M, and %D is the same as %m%d%y. A % followed by any other character just
       yields that character (%% gives you a percent symbol). So -oX ´scan-%T-%D.xml´ will use an
       XML file in the form of scan-144840-121307.xml.

       Ncrack also offers options to control scan verbosity and to append to output files rather
       than clobbering them. All of these options are described below.

       Ncrack Output Formats

       -oN filespec (normal output) .
           Requests that normal output be directed to the given filename. As discussed above,
           this differs slightly from interactive output.

       -oX filespec (XML output) .
           Requests that XML output be directed to the given filename.

       -oA basename (Output to all formats) .
           As a convenience, you may specify -oA basename to store scan results in normal and XML
           formats at once. They are stored in basename.ncrack, and basename.xml respectively. As
           with most programs, you can prefix the filenames with a directory path, such as
           ~/ncracklogs/foocorp/ on Unix or c:\hacking\sco on Windows.

       Verbosity and debugging options

       -v (Increase verbosity level) .
           Increases the verbosity level, causing Ncrack to print more information about the scan
           in progress. Credentials are shown as they are found and more statistical information
           is printed in the end. Use it twice or more for even greater verbosity.

       -d [level] (Increase or set debugging level) .
           When even verbose mode doesn´t provide sufficient data for you, debugging is available
           to flood you with much more! As with the verbosity option (-v), debugging is enabled
           with a command-line flag (-d) and the debug level can be increased by specifying it
           multiple times. Alternatively, you can set a debug level by giving an argument to -d.
           For example, -d10 sets level ten. That is the highest effective level and will produce
           thousands of lines, unless your cracking session is going really slow.

           Debugging output is useful when a bug is suspected in Ncrack, or if you are simply
           confused as to what Ncrack is doing and why. As this feature is mostly intended for
           developers, debug lines aren´t always self-explanatory. If you don´t understand a
           line, your only recourses are to ignore it, look it up in the source code, or request
           help from the development list (nmap-dev). Some lines are self explanatory, but the
           messages become more obscure as the debug level is increased.

       --nsock-trace level (Set nsock trace level) .
           This option is meant mostly for developers as enabling it will activate the Nsock´s
           library debugging output. Nsock is the underlying library for parallel socket
           handling. You will have to specify a certain level for this option. Valid range is 0
           up to 10. Usually, a level of 1 or 2 is enough to get a good overview of network
           operations happening behind the scenes. Nsock prints that information to stdout by
           default.

       --log-errors (Log errors/warnings to normal mode output file) .
           Warnings and errors printed by Ncrack usually go only to the screen (interactive
           output), leaving any normal-format output files (usually specified with -oN)
           uncluttered. When you do want to see those messages in the normal output file you
           specified, add this option. It is useful when you aren´t watching the interactive
           output or when you want to record errors while debugging a problem. The error and
           warning messages will still appear in interactive mode too. This won´t work for most
           errors related to bad command-line arguments because Ncrack may not have initialized
           its output files yet.

           An alternative to --log-errors is redirecting interactive output (including the
           standard error stream) to a file. Most Unix shells make this approach easy, though it
           can be difficult on Windows.

       Miscellaneous output options

       --append-output (Append to rather than clobber output files) .
           When you specify a filename to an output format flag such as -oX or -oN, that file is
           overwritten by default. If you prefer to keep the existing content of the file and
           append the new results, specify the --append-output option. All output filenames
           specified in that Ncrack execution will then be appended to rather than clobbered.
           This doesn´t work well for XML (-oX) scan data as the resultant file generally won´t
           parse properly until you fix it up by hand.

MISCELLANEOUS OPTIONS

       This section describes some important (and not-so-important) options that don´t really fit
       anywhere else.

       --resume file (Continue previously saved session) .
           Whenever the user cancels a running session (usually by pressing Ctrl+C), Ncrack saves
           the current state into a file which it can later use to continue from where it had
           stopped. This file is saved in subdirectory .ncrack/ of the user´s home path with a
           filename format of "restore.YY-MM-DD_hh-mm". An example would be:
           "/home/ithilgore/.ncrack/restore.2010-05-18_04-42". You can then continue your
           session, by specifying this file as argument to the --resume option.

       -f  (Quit cracking service after one found credential) .
           This option will force Ncrack to quit cracking a service as soon as it finds a valid
           username/password combination for it. Assuming many parallel services are being
           cracked at the same time, this option is applied on each of them separately. This
           means that Ncrack will stop cracking each individual service after finding a pair of
           credentials for it, but will not quit entirely. Supplying the option two times, like
           -f -f will, however, make Ncrack exit immediately as soon as it finds a valid
           credential for any service.

           Frequently, attackers will try cracking several services in parallel to maximize the
           chances of finding a pair of valid credentials. Given that a network is no stronger
           than its weakest link, this option and especially the -f -f counterpart will often be
           used to lessen chances of detection and prevent network resources from being wasted
           aimlessly.

       -6 (Enable IPv6 scanning) .
           Warning: This option was just added and it is currently experimental, so please notify
           us for any problems and bugs related to it.

           The command syntax is the same as usual except that you also add the -6 option. Of
           course, you must use IPv6 syntax if you specify an address rather than a hostname. An
           address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
           recommended. The output looks the same as usual, with the IPv6 address on the
           “Discovered credentials” line being the only IPv6 give away.

           While IPv6 hasn´t exactly taken the world by storm, it gets significant use in some
           (usually Asian) countries and most modern operating systems support it. To use Ncrack
           with IPv6, both the source and target of your scan must be configured for IPv6. If
           your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel
           brokers are widely available and will probably work fine with Ncrack. A popular IPv6
           tunnel broker service is at http://www.tunnelbroker.net. 6to4 tunnels are another
           popular, free approach.

       -sL (List Scan) .
           The list scan simply lists each host and service that would be cracked if this option
           wasn´t specified. No packets are sent to the target hosts and the only network
           operation that might happen is DNS-resolution of any hostnames of targets. This option
           is really helpful in making sure that you have specified everything as you wanted.
           Service-specific options will also be printed so this acts as a good sanity check of
           potentially complex command-line arguments such as the advanced modes of Service
           Option Specification and the equivalent Hierarchy for sessions that require delicate
           timing handling. If list scan is called along with the -d debug option, then
           additional output, like the ServicesTable and the current Timing-Template´s
           parameters, is also going to be printed.

       --datadir directoryname (Specify custom Ncrack data file location) .
           Ncrack needs a file called ncrack-services to load a lookup-table of supported
           services/ports. This file shouldn´t be changed, unless you know what you are doing
           (e.g extending Ncrack for additional modules). In addition, Ncrack is shipped with
           various username and password lists, some of which are used by default in case the
           user doesn´t specify ones of his own. All these files are normally copied during the
           installation procedure to a directory such as /usr/share/ncrack or
           /usr/local/share/ncrack . Using the --datadir option, will force Ncrack to start
           searching for these files in specified directory. If the files aren´t found, then it
           will continue searching in the directory specified by the NCRACKDIR environmental
           variable NCRACKDIR (if it is defined). Next comes ~/.ncrack directory for real and
           effective UIDs (POSIX systems only) or location of the Ncrack executable (Win32 only),
           and then a compiled-in location such as /usr/local/share/ncrack or /usr/share/ncrack.
           As a last resort, Ncrack will look in the current directory.

       --proxy type://proxy:port (Make connections via socks4, 4a, http) .
           This will make Ncrack perform the authentication cracking session through the proxy
           host specified.

       -V; --version (Print version number) .
           Prints the Ncrack version number and exits.

       -h; --help (Print help summary page) .
           Prints a short help screen with the most common command flags. Running Ncrack without
           any arguments does the same thing.

RUNTIME INTERACTION

       During the execution of Ncrack, all key presses are captured. This allows you to interact
       with the program without aborting and restarting it. Certain special keys will change
       options, while any other keys will print out a status message telling you about the scan.
       The convention is that lowercase letters increase the amount of printing, and uppercase
       letters decrease the printing. You may also press ‘?’ for help.

       v / V
           Increase / decrease the verbosity level

       d / D
           Increase / decrease the debugging Level

       p / P
           Display found credentials

       ?
           Print a runtime interaction help screen

       Anything else
           Print out a status message like this:

           Stats: 0:00:20 elapsed; 0 services completed (1 total)

           Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17 remaining)

MODULES

       Ncrack´s architecture is modular with each module corresponding to one particular service
       or protocol. Currently, Ncrack supports the protocols SSH, RDP, FTP, Telnet, HTTP(S),
       POP3(S), IMAP, SMB, VNC, SIP Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM,
       OWA. If you want to write and contribute your own Ncrack modules, be sure to read the
       Ncrack Developer´s Guide at http://nmap.org/ncrack/devguide.html Below we describe some
       key points for each of them.

       FTP Module

           FTP authentication is quite fast, since there is very little protocol negotiation
           overhead. Most FTP daemons allow 3 to 6 authentication attempts but usually impose a
           certain delay before replying with the results of a failed attempt. Filezilla is one
           of the most characteristic examples of this case, where the time delay is so great,
           that it is usually faster to open more connections against it, with each of them doing
           only 1 authentication per connection.

       Telnet Module

           Telnet daemons have been largely substituted by their safer ´counterpart´ of SSH.
           However, there are many boxes, mainly routers or printers, that still rely on Telnet
           for remote access. Usually these are also easier to crack, since default passwords for
           them are publicly known. The drawback is that telnet is a rather slow protocol, so you
           shouldn´t be expecting really high rates against it.

       SSH Module

           SSH is one of the most prevalent protocols in today´s networks. For this reason, a
           special library, named opensshlib and based on code from OpenSSH, was specifically
           built and tailored for Ncrack´s needs. Opensshlib ships in with Ncrack, so SSH support
           comes out of the box. OpenSSL will have to be installed in Unix systems though.
           Windows OpenSSL dlls are included in Ncrack, so Windows users shouldn´t be worrying
           about it at all.

           SSH bruteforcing holds many pitfalls and challenges, and you are well advised to read
           a paper that was written to explain them. The latest version of the "Hacking the
           OpenSSH library for Ncrack" document can be found under docs/openssh_library.txt or at
           http://sock-raw.org/papers/openssh_library

       HTTP(S) Module

           The HTTP Module currently supports basic and digest authentication. Ncrack tries to
           use the "Keepalive" HTTP option, whenever possible, which leads to really high speeds,
           since that allows dozens of attempts to be carried out per connection. The HTTP module
           can also be called over SSL.

       SMB Module

           The SMB module currently works over raw TCP. NetBIOS isn´t supported yet. This
           protocol allows for high parallelization, so users could potentially increase the
           number of concurrent probes against it. SMB is frequently used for file-sharing among
           other things and is one of the most ubiquitous protocols, being present in both Unix
           and Windows environments.

       RDP Module

           RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft for the
           purpose of providing remote terminal services by transferring graphics display
           information from the remote computer to the user and transporting input commands from
           the user to the remote computer. Fortunately, Microsoft recently decided to open the
           protocol´s internal workings to the public and has provided official documentation,
           which can be found at
           http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx

           RDP is one of the most complex protocols, requiring the exchange of many packets, even
           for just the authentication phase. For this reason, cracking it takes a lot of time
           and this is probably the slowest module. The connection phase is briefly described at
           http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can
           also see a diagram of the various packets involved. Care must be taken against RDP
           servers in Windows XP versions, since they can´t handle multiple connections at the
           same time. It is advised to use a very slow timing template or even better limit the
           maximum parallel connections using timing options such as CL (Connection Limit) or cd
           (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and
           above don´t suffer from the same limitation.

       VNC Module

           The VNC protocol has known widespread usage among Unix administrators and users for
           remote graphical access. VNC is perhaps one of the most vulnerable protocols in terms
           of brute-forcing, since it often requires a password without a corresponding username
           for authentication. In addition, some versions of VNC impose an 8-character limit in
           password length. You should consider adding the --passwords-first option when cracking
           VNC systems to exploit the fact that the username often has no actual importance in
           authentication.

       POP3(S) Module

           POP3 support is still experimental and hasn´t been thoroughly tested. You can expect
           it to work against common mail servers, nevertheless.

       IMAP Module

           The Internet Message Access Protocol (IMAP) is used by email clients to retrieve email
           messages from a mail server. The module sends the LOGIN command to authenticate. The
           LOGIN command is the simplest, fastest and most supported authentication mechanism for
           IMAP.

       SIP Module

           The Session Initiation Protocol is a text-based protocol, very similar to HTTP in its
           structure. The most common application of SIP is in Internet telephony for voice and
           video calls. Nearly all enterprises have infrastructure that supports conference calls
           and part of them are based on SIP, making the authentication part a significant threat
           vector.

       Redis Module

           Redis is one of the most widely used caching servers and the most popular NoSQL
           database. Despite its reputation, the authentication mechanism is very simple, only
           allowing for a password to protect remote access to the service. Due to the high
           performance of Redis and the fact that only 2 packets are needed for the
           authentication phase, Ncrack can try a lot of passwords in parallel (‐
           http://redis.io/commands/AUTH). Specifying a username list or single username will
           have no effect in this module, since Redis only deals with passwords.

       PostgreSQL Module

           PostgreSQL is often used as a backend database. The PostgreSQL module supports md5
           authentication, which is the most frequent password authentication method.

       MySQL Module

           The MySQL module supports native authentication.

       MySQL Module

           The MSSQL module supports mixed authentication.

       MongoDB Module

           The MongoDB module supports MongoDB-CR and SCRAM-SHA-1 authentication. The pairwise
           and passwords-first option will be ignored for the MongoDB module, due to them being
           inefficient against MongoDB. The optimal way of cracking MongoDB is to take advantage
           of a user-enumeration vulnerability inherent in its authentication mechanism, which
           Ncrack exploits.

       Cassandra Module

           Apache Cassandra is a popular NoSQL database often left unsecured with weak
           credentials or no authentication.

       OWA Module

           Outlook Web App allows users to access a Microsoft Exchange Server mailbox from a web
           browser and experience Microsoft Outlook without a mail client. The module supports
           Basic Authentication.

       WinRM Module

           Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management
           Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly
           protocol that allows hardware and operating systems, from different vendors, to
           interoperate. It is often used to administer Windows machines. The module supports
           Basic and Negotiate authentication.

       DICOM Module

           Digital Imaging and Communications in Medicine (DICOM) is a protocol used heavily in
           healthcare environments. Most commonly, it is used as both a file format and network
           protocol by Picture Archiving and Communication Systems (PACS). The client of a DICOM
           service is called a service class user (SCU) and the server a service class provider
           (SCP). DICOM is very unique in how it authenticates clients to servers; there are
           potentially one to three steps involved: Association, Find Service and Retrieve
           Images.

           Association: This is the initial step that almost all PACS servers require. By sending
           an A-ASSOCIATE request with the correct called Application Entity Title (AET) the
           client associates with the server and then can go on to perform query / retrieve
           requests in the next steps. This is the mode that Ncrack currently supports by
           iterating through the username field. Thus to brute-force the server´s AET, you can
           specify a list of AETs using the -U option and then specifying a null password.
           Example: ncrack dicom://127.0.0.1 -U aet.txt --pass DOESNOTMATTER

           Find Service: This step involves being able to query the PACS server for patient
           studies that are associated with DICOM images. This takes place after the client has
           performed the Association phase. A C-FIND request must be sent with the correct
           calling AET. Knowing the correct allowed client AET (or calling AET) is required by
           securely configured PACS servers. Many PACS servers by default do not require this.

           Retrieve Images: This step allows a client to retrieve DICOM images. The most hardened
           PACS servers will require the client to have a specific allowed IP configured in order
           to send a C-MOVE / C-STORE request after the above two steps have been performed.

       MQTT Module

           The Message Queueing Telemetry Transport (MQTT) protocol is a publish / subscribe
           machine to machine protocol that allows IoT clients to publish to a broker. Each
           client device subscribes to a particular topic of interest and receives messages from
           publishers. Usually MQTT authentication is optional and when enabled can be
           brute-forced very easily as it only requires a single MQTT CONNECT packet to be sent
           for each attempted credential pair.

       Wordpress Module

           Wodpress is one of the most popular content management systems. This module attacks
           the web administration endpoint. By default it will try "wp-login.php" but you can
           change it by specifying the path. For example: ncrack
           wp://127.0.0.1,path=/non-default/wp-login.php

       CVS Module

           The Concurrent Versioning System (CVS) is a revision control system in software
           development. Although not as popular nowadays, there are many old, oudated CVS servers
           out there that might have default or weak credentials.

BUGS

       Like its authors, Ncrack isn´t perfect. But you can help make it better by sending bug
       reports or even writing patches. If Ncrack doesn´t behave the way you expect, first
       upgrade to the latest version available from http://nmap.org/ncrack. If the problem
       persists, do some research to determine whether it has already been discovered and
       addressed. Try searching for the error message on our search page at
       http://insecure.org/search.html or at Google. Also try browsing the nmap-dev archives at
       http://seclists.org/ .  Read this full manual page as well. If you are developing your own
       Ncrack module, make sure you have first read the Ncrack Developer´s Guide at
       http://nmap.org/ncrack/devguide.html . If nothing comes of this, mail a bug report to
       nmap-dev@insecure.org . Please include everything you have learned about the problem, as
       well as what version of Ncrack you are running and what operating system version it is
       running on. Problem reports and Ncrack usage questions sent to nmap-dev@insecure.org are
       far more likely to be answered than those sent to Fyodor directly. If you subscribe to the
       nmap-dev list before posting, your message will bypass moderation and get through more
       quickly. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-dev .

       Code patches to fix bugs are even better than bug reports. Basic instructions for creating
       patch files with your changes are available at http://nmap.org/data/HACKING . Patches may
       be sent to nmap-dev (recommended) or to Fyodor directly.

AUTHORS

       ithilgore (Fotios (Fotis) Chantzis) ithilgore@sock-raw.org (http://sock-raw.org)

       Fyodor fyodor@insecure.org (http://insecure.org)

       While it isn´t distributed with Nmap, Ncrack is part of the Nmap project and falls under
       the same license and (non) warranty provisions, as described at
       http://nmap.org/book/man-legal.html.