Nmap Development mailing list archives
Ncrack command-line interface overview
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sat, 16 May 2009 07:26:16 +0300
===== Service Specification =====

I just finished coding and committing Ncrack's target specification interface which is perhaps one of the most important aspects of its command-line interface. After the previous discussion with nmap-dev ( http://seclists.org/nmap-dev/2009/q2/0361.html ), the most flexible approach was the one that jah proposed ( http://seclists.org/nmap-dev/2009/q2/0364.html ), only with some modifications.

The idea is that the user should be able to easily specify the following:

* multiple hosts using Nmap's advanced notation which includes target ranges, CIDR, wildmasks, netmasks and using either IP addresses or hostnames
* multiple services, applied either to each specific hostgroup or globally
* services specified either as default ports or by name - for services listening to non-default ports the notation <service_name>:<port> is used

Ncrack uses Nmap's TargetGroup and Target classes and thus by default supports its convenient target specification. Services can be specified either to each individual hostgroup or globally by using the -p or --services options.

Valid delimiters for separating hostgroups with their service specifications are:

  brackets:       [ ]   services must be enclosed inside them
  url-notation:   ://   services are specified following the delimiter
  double colons:  ::    services are specified following the delimiter

Brackets need no escaping in bash and pdksh, while csh/tcsh need it. For csh/tcsh users the above additional delimiters were introduced for ease of use.

Some examples:

  10.0.0.1[ftp,22,smtp:300] scanme.nmap.org[ssh:3991] -p ssh

The above will crack host 10.0.0.1 for services ftp(21), 22(ssh), smtp(300) and host scanme.nmap.org for services ssh(3991), ssh(21). Whatever follows -p is applied to every hostgroup.

Duplicate services are removed except when a non-default port has been specified for one. This can happen when for example there are different services using the same authentication protocol but listening to different ports. In that case, Ncrack will try to crack the service on each port.

In addition, Ncrack checks that each service specified is supported by searching a global lookup table loaded from file "ncrack-services" (which uses the usual service file format).

Another example:

  10.0.0.*[telnet,22] 192.168.1.0/24 -p 25

This will crack hosts 10.0.0.1-254 for services telnet(23), ssh(22) and smtp(25) and hosts 192.168.1.1-254 for service smtp(25).

Ncrack can list hosts to be cracked (without doing anything else) like Nmap does with -sL by specifying -sL or --list.

Some real life examples:

$ ncrack 10.0.0.3[21,ssh] 10.0.0.6-7[smtp] -p telnet:210 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-16 06:11 EEST
=== Targets ===
Host: 10.0.0.3  ftp:21 ssh:22 telnet:210
Host: 10.0.0.6  smtp:25 telnet:210
Host: 10.0.0.7  smtp:25 telnet:210
Ncrack finished.

$ ncrack scanme.nmap.org://telnet 192.168.1.0/31 --list -p 21

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-16 06:13 EEST
=== Targets ===
Host: 64.13.134.52  telnet:12079 ftp:21
Host: 192.168.1.0  ftp:21
Host: 192.168.1.1  ftp:21
Ncrack finished.

$ ncrack scanme.nmap.org[telnet] --list --services 20,21

Service with default port '20' not supported! Ignoring...
For non-default ports specify <service-name>:<non-default-port>

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-16 07:17 EEST
=== Targets ===
Host: 64.13.134.52  telnet:23 ftp:21
Ncrack finished.

$ cat ncrack-services
# Ncrack available services
# Use this file to add additional supported services in the format specified:
# <service_name> <port_number>/<protocol>
# where protocol = either tcp or udp
ftp 21/tcp
telnet 23/tcp
ssh 22/tcp
smtp 25/tcp

Ncrack also supports Nmap's way of getting input from files by using the -iL option as well as excluding hosts either with --exclude or --excludefile.

Currently Ncrack's help output is the following:

./ncrack -h

Ncrack 0.00001ALPHA ( http://ncrack.org )
Usage: ncrack [Options] {target specification}

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
SERVICE SPECIFICATION:
  Can pass target specific services (after each hostgroup) or global ones
  Services can be passed as names or default ports. For non-default ports
  they must be specified it in form 'service_name:port'
  Ex: scanme.nmap.org[ssh,ftp:310,25] 10.0.0.*://telnet -p ssh:2130
  -p <service-list>: services that will be applied to all hosts (global)
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  --min-hostgroup/max-hostgroup <size>: Parallel host crack group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --max-retries <tries>: Caps number of service connection attempts.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
OUTPUT:
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
MISC:
  --list or -sL: only list hosts and services
  -V: Print version number
  -h: Print this help summary page.

For now, ignore the Timing and Performance options. They are not implemented at the moment and will need a separate discussion and a thread of their own, given their importance.

What other kind of options would you like to see in Ncrack and what changes to the already existing ones? Major candidates are:

  --restore <inputfile>: restore previously saved session
  --policy <options>: password policy enforcer (e.g case-sensitive)
  -6: Enable IPv6
  -oN/-oX/-oG <file>: Output scan in normal, XML, and Grepable format, respectively, to the given filename.
  --trace: show connections and other network-debugging information
  -iN/-iX/-iG <inputfile>: get hosts/services from Nmap's plain/xml/grepable file

Options for different kinds of tunneling/proxies are also possible. And of course, each service-specific module will take its own specialized arguments.

Whoever wants to try out the service-specification command-line can download the code at

  svn://svn.insecure.org/nmap-exp/ithilgore/ncrack

The code has been tested and compiles on Linux only, so far. Just type:

  ./configure
  make

That's it for now.

Cheers,
ithilgore

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
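The service-specification grammar described in the post above (bracket, `://` and `::` delimiters, name-or-default-port tokens, `name:port` for non-default ports, the global `-p`/`--services` list, duplicate removal keyed on service and port, and the `ncrack-services` lookup table) is small enough to model end to end. What follows is an added Python example written for this archive page; it is not Ncrack's code and not ithilgore's. It assumes function names of its own (`parse_services_file`, `split_hostgroup`, `resolve_service`, `build_targets`), embeds a constructed copy of the four-line services file shown in the post, and deliberately leaves host expansion (ranges, CIDR, wildmasks) untouched, since the post delegates that to Nmap's TargetGroup and Target classes; hostgroups are therefore carried through as the literal strings typed on the command line.

```python
"""Model of Ncrack's host[service,...] command-line notation (added example).

Not Ncrack's own parser: function names and the services table are
assumptions made for illustration, following the post's description.
"""
import re

# Constructed copy of the ncrack-services excerpt shown in the post.
NCRACK_SERVICES = """\
# Ncrack available services
# <service_name> <port_number>/<protocol>
ftp 21/tcp
telnet 23/tcp
ssh 22/tcp
smtp 25/tcp
"""


def parse_services_file(text):
    """Return {name: default_port} from the services-file format; comments ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        table[name] = int(portproto.split("/", 1)[0])
    return table


def split_hostgroup(token):
    """Split 'host[svc,...]', 'host://svc,...' or 'host::svc,...' into (host, [svc]).

    A token with no delimiter is a bare host carrying only the global services.
    """
    m = re.fullmatch(r"(.+?)\[(.*)\]", token)
    if m:
        host, svcs = m.group(1), m.group(2)
    elif "://" in token:
        host, svcs = token.split("://", 1)
    elif "::" in token:
        host, svcs = token.split("::", 1)
    else:
        return token, []
    return host, [s for s in svcs.split(",") if s]


def resolve_service(spec, table):
    """Resolve one token to (name, port, nondefault) or None if unsupported.

    'ssh' and '22' resolve through the table; 'ssh:3991' is a non-default port
    and only needs the service name to be known.
    """
    by_port = {port: name for name, port in table.items()}
    if ":" in spec:
        name, port = spec.split(":", 1)
        if name not in table or not port.isdigit():
            return None
        return name, int(port), True
    if spec.isdigit():
        port = int(spec)
        return (by_port[port], port, False) if port in by_port else None
    return (spec, table[spec], False) if spec in table else None


def build_targets(argv, table):
    """Apply per-hostgroup and global (-p/--services) services to each host.

    Returns ([(host, [(name, port), ...]), ...], [warning, ...]).
    Duplicates collapse on (name, port), so 'ssh' plus 'ssh:3991' keeps both.
    """
    hosts, global_specs, warnings = [], [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-p", "--services"):
            global_specs.extend(argv[i + 1].split(","))
            i += 2
            continue
        if arg.startswith("-"):  # -sL, --list and friends carry no services
            i += 1
            continue
        hosts.append(split_hostgroup(arg))
        i += 1

    targets = []
    for host, specs in hosts:
        seen, services = set(), []
        for spec in specs + global_specs:
            resolved = resolve_service(spec, table)
            if resolved is None:
                msg = f"Service '{spec}' not supported! Ignoring..."
                if msg not in warnings:
                    warnings.append(msg)
                continue
            name, port, _ = resolved
            if (name, port) in seen:
                continue
            seen.add((name, port))
            services.append((name, port))
        targets.append((host, services))
    return targets, warnings


if __name__ == "__main__":
    # Mirrors the post's first --list example; output format is this script's own.
    table = parse_services_file(NCRACK_SERVICES)
    targets, warnings = build_targets(
        ["10.0.0.3[21,ssh]", "10.0.0.6-7[smtp]", "-p", "telnet:210", "-sL"], table)
    for w in warnings:
        print(w)
    for host, services in targets:
        print("Host:", host, " ".join(f"{n}:{p}" for n, p in services))
```

Keying the duplicate check on the (name, port) pair rather than on the name alone is what reproduces the post's rule that a non-default port survives next to the default one; keying on the name would silently drop `ssh:3991` whenever `-p ssh` is also given.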
Current thread:
- Ncrack command-line interface overview ithilgore (May 15)
- Re: Ncrack command-line interface overview ithilgore (May 15)
- Re: Ncrack command-line interface overview ithilgore (May 16)
- Re: Ncrack command-line interface overview ithilgore (May 17)
- Re: Ncrack command-line interface overview sara fink (May 17)
- Re: Ncrack command-line interface overview ithilgore (May 17)
- Re: Ncrack command-line interface overview ithilgore (May 18)
- Re: Ncrack command-line interface overview ithilgore (May 17)