Testing a private network host for poor passwords with Ncrack.
What is Ncrack?
Ncrack is a cross-platform high-speed network authentication cracking tool. It was built to help human beings secure their networks by proactively testing their hosts and networking devices for poor passwords.
Ncrack supports the following protocols: RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, and telnet.
This article is for educational purposes only. An excerpt from the Computer Misuse Act 1990:
A person is guilty of an offence if:
- he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
- the access he intends to secure, or to enable to be secured, is unauthorised; and
- he knows at the time when he causes the computer to perform the function that that is the case.
Install build essentials and encryption libraries:
# apt-get install build-essential checkinstall libssl-dev libssh-dev
Download Ncrack archive package:
# cd ~ && wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
Extract the tarball:
# tar -xzvf ncrack-0.4ALPHA.tar.gz && cd ncrack-0.4ALPHA
Configure the build:
# ./configure
[...]
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
Configuration complete. Type make (or gmake on some *BSD machines) to compile.
Compile the source:
# make
...
Ncrack compiled successfully!
make: Leaving directory `/root/ncrack-0.4ALPHA'
Create some directories:
# mkdir /usr/local/share/ncrack /usr/local/share/man/man1
Create and install Ncrack Debian package:
# checkinstall -D --nodoc -y
Done. The new package has been installed and saved to
/root/ncrack-0.4ALPHA/ncrack_0.4ALPHA-1_i386.deb
Check installation status:
# dpkg -s ncrack
Package: ncrack
Status: install ok installed
Priority: extra
Section: checkinstall
Installed-Size: 1304
Maintainer: [email protected]
Architecture: i386
Version: 0.4ALPHA-1
Provides: ncrack
Description: Package created with checkinstall 1.6.2
Usage (with SSH)
SSH penetration testing is likely one of the most common uses of Ncrack. As an example, we are going to use Ncrack to check whether a regular user's SSH password is weak.
As you may remember, the Adobe password leak revealed the most commonly used passwords. We’re going to use the top 100 of them today.
Download a list of top 100 leaked Adobe passwords:
# cd ~ && wget http://stricture-group.com/files/adobe-top100.txt
The command below keeps only the numbered rows, extracts the password column, and sorts it so the result can be used as an Ncrack password list:
# sed '/^[1-9]/!d' adobe-top100.txt | cut -d= -f2-3 | \
    sed -e 's/^[ \t]*//' -e 's/^=[ \t]*//' | sort > p.txt
The output file containing the top 100 passwords is called p.txt. We can now check whether our regular user sandy is using one of these poor passwords. For simplicity we use the localhost address here; the same approach applies to any host address:
# ncrack -v -f --user sandy -P p.txt ssh://127.0.0.1:12,CL=1
Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2014-05-10 16:36 BST
Discovered credentials on ssh://127.0.0.1:12 'sandy' 'abcd1234'
ssh://127.0.0.1:12 finished.
Discovered credentials for ssh on 127.0.0.1 12/tcp:
127.0.0.1 12/tcp ssh: 'sandy' 'abcd1234'
Ncrack done: 1 service scanned in 30.01 seconds.
Probes sent: 7 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
Parameters that were used:
- -v: increase verbosity level (use twice or more for greater effect).
- -f: quit cracking service after one found credential.
- --user: comma-separated username list.
- -P: password file.
- CL: maximum number of concurrent parallel connections, appended to the target specification (CL=1 above).
- [service-name]://target:[port-number]: the service, host and port to test, e.g. ssh://127.0.0.1:12.
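As an added example (not part of the article or of the Ncrack project), a small Python parser that turns the verbose Ncrack output shown above into structured findings and writes a report that references the matching entry in p.txt instead of the password itself, so the result can go into a ticket without carrying the secret. The sample text is constructed from the run above and the three-entry wordlist is a stand-in for the sorted p.txt.

```python
import re
from collections import namedtuple

# Line shapes from the verbose (-v) run above: a "Discovered credentials on" line per
# hit, and a per-host summary line printed again after the service finishes.
HIT_RE = re.compile(r"^Discovered credentials on (?P<service>\w+)://(?P<host>[^:\s]+)"
                    r":(?P<port>\d+) '(?P<user>[^']*)' '(?P<password>[^']*)'$")
SUMMARY_RE = re.compile(r"^(?P<host>\S+) (?P<port>\d+)/tcp (?P<service>\w+):"
                        r" '(?P<user>[^']*)' '(?P<password>[^']*)'$")
DONE_RE = re.compile(r"^Ncrack done: (?P<n>\d+) services? scanned in (?P<secs>[\d.]+) seconds\.$")

Finding = namedtuple("Finding", "service host port user password")

def parse_ncrack_output(text):
    """Return (findings, stats); the hit line and the summary line for the same
    credential are collapsed into one Finding, all other lines are ignored."""
    findings, stats = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HIT_RE.match(line) or SUMMARY_RE.match(line)
        if m:
            f = Finding(m["service"], m["host"], int(m["port"]), m["user"], m["password"])
            if f not in findings:
                findings.append(f)
        elif (m := DONE_RE.match(line)):
            stats = {"services": int(m["n"]), "seconds": float(m["secs"])}
    return findings, stats

def report(findings, wordlist):
    """One line per finding. The password itself is not written out; the report
    gives its 1-based position in the wordlist (p.txt) instead, so a ticket can
    say 'on the leaked list, must be changed' without carrying the secret."""
    rank = {pw: i for i, pw in enumerate(wordlist, 1)}
    lines = []
    for f in findings:
        hit = rank.get(f.password)
        shown = "wordlist entry #%d" % hit if hit else "<not in wordlist>"
        lines.append(f"{f.service}://{f.host}:{f.port} user={f.user!r} password={shown}")
    return lines

# Constructed sample input, copied from the run shown in the article.
SAMPLE = """\
Discovered credentials on ssh://127.0.0.1:12 'sandy' 'abcd1234'
ssh://127.0.0.1:12 finished.
Discovered credentials for ssh on 127.0.0.1 12/tcp:
127.0.0.1 12/tcp ssh: 'sandy' 'abcd1234'
Ncrack done: 1 service scanned in 30.01 seconds.
"""
WORDLIST = ["123456", "abcd1234", "password"]  # stand-in for the sorted p.txt
```

Running `report(*parse_ncrack_output(SAMPLE)[:1], WORDLIST)` on the sample yields a single line naming sandy and wordlist entry #2, never the password string.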
Check the man page for more options available and, well, use your imagination when testing personal systems.