Testing a private network host for poor passwords with Ncrack.
What is Ncrack?
Ncrack is a cross-platform high-speed network authentication cracking tool. It was built to help human beings secure their networks by proactively testing their hosts and networking devices for poor passwords.
Ncrack supports the following protocols: RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, and telnet.
Disclaimer
This article is for educational purposes only. An excerpt from the Computer Misuse Act 1990:
A person is guilty of an offence if:
- he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
- the access he intends to secure, or to enable to be secured, is unauthorised; and
- he knows at the time when he causes the computer to perform the function that that is the case.
Installation
Install build essentials and encryption libraries:
# apt-get install build-essential checkinstall libssl-dev libssh-dev
Download Ncrack archive package:
# cd ~ && wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
Extract the tarball:
# tar -xzvf ncrack-0.4ALPHA.tar.gz && cd ncrack-0.4ALPHA
Configure:
# ./configure [...] configure: creating ./config.status config.status: creating Makefile config.status: creating config.h Configuration complete. Type make (or gmake on some *BSD machines) to compile.
Compile the source:
# make ... Ncrack compiled successfully! make[1]: Leaving directory `/root/ncrack-0.4ALPHA'
Create some directories:
# mkdir /usr/local/share/ncrack /usr/local/share/man/man1
Create and install Ncrack Debian package:
# checkinstall -D --nodoc -y
Done. The new package has been installed and saved to
/root/ncrack-0.4ALPHA/ncrack_0.4ALPHA-1_i386.deb
Check installation status:
# dpkg -s ncrack
Package: ncrack
Status: install ok installed
Priority: extra
Section: checkinstall
Installed-Size: 1304
Maintainer: root@debian
Architecture: i386
Version: 0.4ALPHA-1
Provides: ncrack
Description: Package created with checkinstall 1.6.2
Usage (with SSH)
SSH penetration testing is likely one the most common Ncrack usage areas. As an example, we are going to use Ncrack to check for weak regular users’ SSH passwords.
As you may remember, the Adobe password leak revealed the most commonly used passwords. We’re going to use the top 100 of them today.
Download a list of top 100 leaked Adobe passwords:
# cd ~ && wget http://stricture-group.com/files/adobe-top100.txt
The below command extracts and sorts the password column only so we can use records for Ncrack:
# sed '/^[1-9]/!d' adobe-top100.txt | cut -d= -f2-3 | \ sed -e 's/^[ \t]*//' -e 's/^=[ \t]*//'|sort > p.txt
The output file containing the top 100 passwords is called p.txt. We can now check if our regular user sandy is using one of these poor passwords. For simplicity purposes, we use localhost address here, however, the same approach applies to any host address:
# ncrack -v -f --user sandy -P p.txt ssh://127.0.0.1:12,CL=1
Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2014-05-10 16:36 BST
Discovered credentials on ssh://127.0.0.1:12 'sandy' 'abcd1234'
ssh://127.0.0.1:12 finished.
Discovered credentials for ssh on 127.0.0.1 12/tcp:
127.0.0.1 12/tcp ssh: 'sandy' 'abcd1234'
Ncrack done: 1 service scanned in 30.01 seconds.
Probes sent: 7 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
Parameters that were used:
- -v: increase verbosity level (use twice or more for greater effect).
- -f: quit cracking service after one found credential.
- – -user: comma-separated username list.
- -P: password file.
- CL: maximum number of concurrent parallel connections.
- [service-name]://target:[port-number]: self explanatory.
Check the man page for more options available and, well, use your imagination when testing personal systems.