Nmap Development mailing list archives

Re: Ncrack discussion


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Thu, 14 May 2009 23:27:07 +0300

jah wrote:
> Hi ithilgore, my comments inline:
>
> > 1) Target-Service Specification
> >
> > Ex1: $ ncrack 10.0.0.*, 192.168.1.1, www.google.com -p22, 23
> >
> > This will try to crack the default services on ports 22, 23 (ssh, telnet) for
> > hosts 10.0.0.0-255, 192.168.1.1 and www.google.com
>
> I like that.  The user can specify a bunch of default services on a
> group of targets.  And, like Nmap, -p should take service names as well
> as port numbers.
>
> > What happens if the user knows that the above hosts' services listen on
> > non-default ports? He should be able to specify that like this:
> >
> > Ex2: $ ncrack 10.0.0.*, 192.168.1.1, www.google.com -p399, 4531 -s ftp, svn
>
> I agree with Kris, this seems tedious and is likely to cause errors in
> service specification. Kris' idea of proto:port seems the most natural
> way to do this.
>
> > Fyodor also suggested a url-like scheme like this:
> >
> > Ex3: $ ncrack ssh://scanme.nmap.org:22, ftp://foo.bar.org:3000, bar.acme.org:21,
> > ftp://scanme.nmap.org
>
> This could be OK (it's certainly intuitive), but what if I want to
> specify several different services at more than one host as well as a
> few services common to all hosts.

Yes, this is the main problem with the above approach.

> Maybe something like the following:
>
> ncrack scanme.nmap.org[21,22,ftp:9000] foo.bar.com[telnet:9000,ssh:9001] -p 110
>
> which would do:
> pop, ftp and ssh on the default ports and ftp on 9000 at scanme
> pop on the default port and telnet and ssh on ports 9000 and 9001
> respectively at foo.bar.com


The above sounds great since it solves the host-service uniqueness and
additionally it doesn't limit the user to having to specify the host as many
times as the different services he needs to crack (like the url-scheme does).

However, using brackets will involve having to escape them in most shells. Since
we want to avoid that, another character might be more appropriate. What about
using slashes?

$ ncrack scanme.nmap.org/21,22,ftp:9000/ foo.bar.com/telnet:9000,ssh:9001/  -p 110

It looks uglier though. Any other idea on that? The general scheme looks great
apart from that.



-- ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
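To make the slash-delimited proposal concrete, here is an added parser for that syntax (example code written for this archive page, not Ncrack's own argument handling). It accepts arguments of the form host/spec,spec,.../ where each spec is a bare port, a bare service name, or service:port, plus a global -p list applied to every host, and expands them into (host, service, port) triples. The service/default-port table and the spelling "pop3" for port 110 are assumptions; Ncrack's real service list is not on this page.

```python
"""Parser for the proposed Ncrack target/service syntax (added example, not Ncrack code)."""
import re

# Assumed default-port table; a real tool would consult its own service database.
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "pop3": 110, "svn": 3690}
DEFAULT_SERVICES = {port: name for name, port in DEFAULT_PORTS.items()}

# host, optionally followed by /spec,spec,.../ (the slash form proposed in the message)
TARGET_RE = re.compile(r"^(?P<host>[^/\s]+)(?:/(?P<specs>[^/]*)/)?$")


def _check_port(port):
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_spec(spec):
    """Turn one comma-separated element into a (service, port) pair.

    '21' -> ('ftp', 21)  (port with its default service)
    'ftp' -> ('ftp', 21) (service on its default port)
    'ftp:9000' -> ('ftp', 9000)  (service on a non-default port)
    """
    spec = spec.strip()
    if ":" in spec:
        name, _, port = spec.partition(":")
        if name not in DEFAULT_PORTS:
            raise ValueError(f"unknown service {name!r}")
        if not port.isdigit():
            raise ValueError(f"bad port in {spec!r}")
        return name, _check_port(int(port))
    if spec.isdigit():
        port = _check_port(int(spec))
        if port not in DEFAULT_SERVICES:
            raise ValueError(f"no default service known for port {port}")
        return DEFAULT_SERVICES[port], port
    if spec not in DEFAULT_PORTS:
        raise ValueError(f"unknown service {spec!r}")
    return spec, DEFAULT_PORTS[spec]


def parse_targets(argv):
    """Expand command-line arguments into a sorted list of (host, service, port).

    Per-host specs come from host/.../; '-p LIST' or '-pLIST' adds specs to every host.
    """
    hosts = {}
    global_specs = []
    args = iter(argv)
    for arg in args:
        if arg == "-p":
            global_specs.extend(s for s in next(args).split(",") if s.strip())
            continue
        if arg.startswith("-p"):
            global_specs.extend(s for s in arg[2:].split(",") if s.strip())
            continue
        match = TARGET_RE.match(arg)
        if not match:
            raise ValueError(f"bad target specification {arg!r}")
        per_host = match.group("specs") or ""
        specs = hosts.setdefault(match.group("host"), set())
        specs.update(parse_spec(s) for s in per_host.split(",") if s.strip())

    result = set()
    for host, specs in hosts.items():
        specs.update(parse_spec(s) for s in global_specs)
        result.update((host, service, port) for service, port in specs)
    return sorted(result)


if __name__ == "__main__":
    # The exact command line proposed in the message above.
    sample = ["scanme.nmap.org/21,22,ftp:9000/",
              "foo.bar.com/telnet:9000,ssh:9001/", "-p", "110"]
    for host, service, port in parse_targets(sample):
        print(f"{host:18} {service:7} {port}")
```

Running it on the message's own example yields pop3, ftp and ssh on their default ports plus ftp on 9000 for scanme.nmap.org, and pop3 on 110 with telnet on 9000 and ssh on 9001 for foo.bar.com, matching the expansion jah describes. Using a set per host means a service listed both per-host and via -p is attempted once, and an unterminated slash or an unknown service name is rejected before anything is attempted.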

