Nmap Development mailing list archives

Ncrack command-line interface overview


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Sat, 16 May 2009 07:26:16 +0300


===== Service Specification =====

I just finished coding and committing Ncrack's target specification interface
which is perhaps one of the most important aspects of its command-line
interface. After the previous discussion with nmap-dev
( http://seclists.org/nmap-dev/2009/q2/0361.html ), the most flexible approach
was the one that jah proposed( http://seclists.org/nmap-dev/2009/q2/0364.html ),
only with some modifications.

The idea is that the user should be able to easily specify the following:

* multiple hosts using Nmap's advanced notation which includes target ranges,
CIDR, wildmasks, netmasks and using either IP addresses or hostnames

* multiple services, applied either to each specific hostgroup or globally

* services specified either as default ports or by name - for services listening
to non-default ports the notation <service_name>:<port> is used

Ncrack uses Nmap's TargetGroup and Target classes and thus by default supports
its convenient target specification. Services can be specified either to each
individual hostgroup or globally by using the -p or --services options. Valid
delimiters for separating hostgroups with its service specifications are:

brackets: [ ]   services must be enclosed inside them
url-notation: ://  services are specified following the delimiter
double colons ::  services are specified following the delimiter

Brackets need no escaping in bash and pdksh, while csh/tcsh need it.
For csh/tcsh users the above additional delimiters were introduced for ease of use.

Some examples:

10.0.0.1[ftp,22,smtp:300] scanme.nmap.org[ssh:3991] -p ssh

The above will crack
host 10.0.0.1 for services ftp(21), 22(ssh), smtp(300)
and
host scanme.nmap.org for services ssh(3991), ssh(21)

whatever follows -p is applied to every hostgroup. Duplicate services are
removed except when a non-default port has been specified for one. This can
happen when for example there are different services using the same
authentication protocol but listening to different ports. In that case, Ncrack
will try to crack the service on each port. In addition, Ncrack checks that each
service specified is supported by searching at a global lookup table loaded from
file "ncrack-services" (which uses the usual service file format).

Another example:

10.0.0.*[telnet,22] 192.168.1.0/24 -p 25

This will crack hosts 10.0.0.1-254 for services telnet(23), ssh(22) and smtp(25)
and hosts 192.168.1.1-254 for service smtp(25)

Ncrack can list hosts to be cracked (without doing anything else) like Nmap does
with -sL by specifying -sL or --list.

Some real life examples:

$ ncrack 10.0.0.3[21,ssh] 10.0.0.6-7[smtp] -p telnet:210 -sL

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-16 06:11 EEST

=== Targets ===
Host: 10.0.0.3
  ftp:21
  ssh:22
  telnet:210
Host: 10.0.0.6
  smtp:25
  telnet:210
Host: 10.0.0.7
  smtp:25
  telnet:210

Ncrack finished.


$ ncrack scanme.nmap.org://telnet 192.168.1.0/31 --list -p 21

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-16 06:13 EEST

=== Targets ===
Host: 64.13.134.52
  telnet:12079
  ftp:21
Host: 192.168.1.0
  ftp:21
Host: 192.168.1.1
  ftp:21

Ncrack finished.

$ ncrack scanme.nmap.org[telnet] --list --services 20,21
Service with default port '20' not supported! Ignoring...
For non-default ports specify <service-name>:<non-default-port>

Starting Ncrack 0.00001ALPHA ( http://ncrack.org ) at 2009-05-16 07:17 EEST

=== Targets ===
Host: 64.13.134.52
  telnet:23
  ftp:21

Ncrack finished.

$ cat ncrack-services
# Ncrack available services
# Use this file to add additional supported services in the format specified:
# <service_name> <port_number>/<protocol>
# where protocol = either tcp or udp

ftp 21/tcp
telnet 23/tcp
ssh 22/tcp
smtp 25/tcp
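To make the notation from the Service Specification section and the -sL listings above concrete, here is an added example that is not Ncrack's own code: a small Python parser that applies the same rules (hostgroup delimiters [ ], :// and ::, -p/--services globals, name or default-port lookup against an ncrack-services style table, the "not supported! Ignoring..." warning, and duplicate removal unless a non-default port differs). The function names (parse_cracklist, expand_hosts and friends) and the embedded services table are assumptions made for this example; host expansion covers only CIDR and per-octet ranges/wildcards, and hostnames are left unresolved so it runs offline.

```python
"""Added example, not Ncrack's code: parse Ncrack-style target/service arguments."""
import ipaddress
import re

# Constructed copy of an ncrack-services table, in the file format shown above.
SERVICES_FILE = """\
# <service_name> <port_number>/<protocol>
ftp 21/tcp
telnet 23/tcp
ssh 22/tcp
smtp 25/tcp
"""


def load_services(text):
    """Build name -> default port and default port -> name maps from the services file."""
    by_name, by_port = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()
        port = int(port_proto.split("/")[0])
        by_name[name] = port
        by_port[port] = name
    return by_name, by_port


def resolve_service(spec, by_name, by_port):
    """Map 'ssh', '22' or 'smtp:300' to (name, port); None if not in the lookup table."""
    if ":" in spec:                      # explicit non-default port: <service_name>:<port>
        name, port = spec.split(":", 1)
        return (name, int(port)) if name in by_name else None
    if spec.isdigit():                   # a bare number must be a known default port ('20' is not)
        port = int(spec)
        return (by_port[port], port) if port in by_port else None
    return (spec, by_name[spec]) if spec in by_name else None


def split_hostgroup(token):
    """Split 'host[svc,...]', 'host://svc,...' or 'host::svc,...' into (host, [svc, ...])."""
    m = re.match(r"^(.*?)(?:\[(.*)\]|://(.*)|::(.*))$", token)
    if not m:
        return token, []                 # no per-hostgroup services; only globals apply
    services = next(g for g in m.groups()[1:] if g is not None)
    return m.group(1), [s for s in services.split(",") if s]


def expand_hosts(expr):
    """Expand a subset of Nmap notation: CIDR (every address in the block, as the
    /31 listing above shows) and per-octet ranges or '*'. Hostnames stay unresolved."""
    if "/" in expr:
        return [str(a) for a in ipaddress.ip_network(expr, strict=False)]
    octets = expr.split(".")
    if len(octets) != 4 or not all(re.fullmatch(r"\d+|\*|\d+-\d+", o) for o in octets):
        return [expr]
    ranges = []
    for o in octets:
        if o == "*":
            ranges.append(range(0, 256))
        elif "-" in o:
            lo, hi = o.split("-")
            ranges.append(range(int(lo), int(hi) + 1))
        else:
            ranges.append(range(int(o), int(o) + 1))
    return [f"{a}.{b}.{c}.{d}" for a in ranges[0] for b in ranges[1]
            for c in ranges[2] for d in ranges[3]]


def parse_cracklist(argv, services_text=SERVICES_FILE):
    """Return ({host: [(name, port), ...]}, [warnings]) for an Ncrack-style argument list."""
    by_name, by_port = load_services(services_text)
    warnings, groups, global_specs = [], [], []
    args = list(argv)
    while args:
        tok = args.pop(0)
        if tok in ("-p", "--services"):
            if not args:
                raise ValueError(f"{tok} requires a service list")
            global_specs += args.pop(0).split(",")
        elif tok in ("-sL", "--list"):
            continue                     # listing mode changes what is done, not what is parsed
        else:
            groups.append(split_hostgroup(tok))

    def resolve_all(specs):
        out = []
        for s in specs:
            r = resolve_service(s, by_name, by_port)
            if r is None:
                warnings.append(f"Service '{s}' not supported! Ignoring...")
            else:
                out.append(r)
        return out

    global_services = resolve_all(global_specs)      # resolved once, warned about once
    targets = {}
    for host_expr, specs in groups:
        wanted = resolve_all(specs) + global_services   # hostgroup services first, then globals
        seen, svcs = set(), []
        for svc in wanted:               # same name AND same port is a duplicate; other ports stay
            if svc not in seen:
                seen.add(svc)
                svcs.append(svc)
        for host in expand_hosts(host_expr):
            targets[host] = list(svcs)
    return targets, warnings
```

Calling parse_cracklist(["10.0.0.3[21,ssh]", "10.0.0.6-7[smtp]", "-p", "telnet:210", "-sL"]) reproduces the first listing above (ftp:21, ssh:22, telnet:210 for 10.0.0.3; smtp:25, telnet:210 for .6 and .7), and a global "20" produces one warning instead of a target entry, matching the third listing.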



Ncrack also supports Nmap's way of getting input from files by using the -iL
option as well as excluding hosts either with --exclude or --excludefile.

Currently Ncrack's help output is the following:

./ncrack -h
Ncrack 0.00001ALPHA ( http://ncrack.org )
Usage: ncrack [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
SERVICE SPECIFICATION:
  Can pass target specific services (after each hostgroup) or global ones
  Services can be passed as names or default ports. For non-default ports
  they must be specified it in form 'service_name:port'
  Ex: scanme.nmap.org[ssh,ftp:310,25] 10.0.0.*://telnet -p ssh:2130
  -p <service-list>: services that will be applied to all hosts (global)
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  --min-hostgroup/max-hostgroup <size>: Parallel host crack group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --max-retries <tries>: Caps number of service connection attempts.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
OUTPUT:
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
MISC:
  --list or -sL: only list hosts and services
  -V: Print version number
  -h: Print this help summary page.


For now, ignore the Timing and Performance options. They are not implemented at
the moment and will need a separate discussion and a thread of their own, given
their importance.


What other kind of options would you like to see in Ncrack and what changes to
the already existing ones? Major candidates are

--restore <inputfile>: restore previously saved session
--policy <options>: password policy enforcer (e.g case-sensitive)
-6: Enable IPv6
-oN/-oX/-oG <file>: Output scan in normal, XML, and Grepable format,
respectively, to the given filename.
--trace: show connections and other network-debugging information
-iN/-iX/-iG <inputfile>: get hosts/services from Nmap's plain/xml/grepable file

Options for different kinds of tunneling/proxies are also possible.
And of course, each service-specific module will take its own specialized arguments.

Whoever wants to try out the service-specification command-line, can download
the code at svn://svn.insecure.org/nmap-exp/ithilgore/ncrack
The code has been tested and compiles on Linux only, so far. Just type:
./configure
make

That's it for now.
Cheers,
 ithilgore



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

