NCRACK(1)                   Ncrack Reference Guide                   NCRACK(1)

NAME
       ncrack - Network authentication cracking tool

SYNOPSIS
       ncrack [Options] {target specification}

DESCRIPTION
       Ncrack is an open source tool for network authentication cracking. It
       was designed for high-speed parallel cracking using a dynamic engine
       that can adapt to different network situations. Ncrack can also be
       extensively fine-tuned for special cases, though the default parameters
       are generic enough to cover almost every situation. It is built on a
       modular architecture that allows for easy extension to support
       additional protocols. Ncrack is designed for companies and security
       professionals to audit large networks for default or weak passwords in
       a rapid and reliable way. It can also be used to conduct fairly
       sophisticated and intensive brute force attacks against individual
       services.

           Warning

           Ncrack is a project started in the Summer of 2009. While it is
           already useful for some purposes, it is still unfinished, beta
           quality software. You can help out by testing it and reporting any
           problems as described in the section called "BUGS".

       The output from Ncrack is a list of found credentials, if any, for each
       of the targets specified. Ncrack can also print an interactive status
       report of progress so far and possibly additional debugging information
       that can help track problems, if the user selected that option.

       A typical Ncrack scan is shown in Example 1. The only Ncrack arguments
       used in this example are the two target IP addresses along with the the
       corresponding ports for each of them. The two example ports 21 and 22
       are automatically resolved to the default services listening on them:
       ftp and ssh.

       Example 1. A representative Ncrack scan


           $ ncrack 10.0.0.130:21 192.168.1.2:22

           Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST

           Discovered credentials for ftp on 10.0.0.130 21/tcp:
           10.0.0.130 21/tcp ftp: admin hello1
           Discovered credentials for ssh on 192.168.1.2 22/tcp:
           192.168.1.2 22/tcp ssh: guest 12345
           192.168.1.2 22/tcp ssh: admin money$

           Ncrack done: 2 services scanned in 156.03 seconds.

           Ncrack finished.



       The latest version of Ncrack can be obtained from
       http://nmap.org/ncrack. The latest version of this man page is
       available at http://nmap.org/ncrack/man.html .

OPTIONS SUMMARY
       This options summary is printed when Ncrack is run with no arguments.
       It helps people remember the most common options, but is no substitute
       for the in-depth documentation in the rest of this manual.

           Ncrack 0.7 ( http://ncrack.org )
           Usage: ncrack [Options] {target and service specification}
           TARGET SPECIFICATION:
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
             -iX <inputfilename>: Input from Nmap's -oX XML output format
             -iN <inputfilename>: Input from Nmap's -oN Normal output format
             -iL <inputfilename>: Input from list of hosts/networks
             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
             --excludefile <exclude_file>: Exclude list from file
           SERVICE SPECIFICATION:
             Can pass target specific services in <service>://target (standard) notation or
             using -p which will be applied to all hosts in non-standard notation.
             Service arguments can be specified to be host-specific, type of service-specific
             (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
             Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
             -p <service-list>: services will be applied to all non-standard notation hosts
             -m <service>:<options>: options will be applied to all services of this type
             -g <options>: options will be applied to every service globally
             Misc options:
               ssl: enable SSL over this service
               path <name>: used in modules like HTTP ('=' needs escaping if used)
               db <name>: used in modules like MongoDB to specify the database
               domain <name>: used in modules like WinRM to specify the domain
           TIMING AND PERFORMANCE:
             Options which take <time> are in seconds, unless you append 'ms'
             (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
             Service-specific options:
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay <time> between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking <time> for service, regardless of success so far
             -T<0-5>: Set timing template (higher is faster)
             --connection-limit <number>: threshold for total concurrent connections
             --stealthy-linear: try credentials using only one connection against each specified host
               until you hit the same host again. Overrides all other timing options.
           AUTHENTICATION:
             -U <filename>: username file
             -P <filename>: password file
             --user <username_list>: comma-separated username list
             --pass <password_list>: comma-separated password list
             --passwords-first: Iterate password list for each username. Default is opposite.
             --pairwise: Choose usernames and passwords in pairs.
           OUTPUT:
             -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
             -oA <basename>: Output in the two major formats at once
             -v: Increase verbosity level (use twice or more for greater effect)
             -d[level]: Set or increase debugging level (Up to 10 is meaningful)
             --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
             --log-errors: Log errors/warnings to the normal-format output file
             --append-output: Append to rather than clobber specified output files
           MISC:
             --resume <file>: Continue previously saved session
             --save <file>: Save restoration file with specific filename
             -f: quit cracking service after one found credential
             -6: Enable IPv6 cracking
             -sL or --list: only list hosts and services
             --datadir <dirname>: Specify custom Ncrack data file location
             --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
             -V: Print version number
             -h: Print this help summary page.
           MODULES:
             SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
           EXAMPLES:
             ncrack -v --user root localhost:22
             ncrack -v -T5 https://192.168.0.1
             ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
           SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

TARGET SPECIFICATION
       Everything on the Ncrack command-line that isn't an option (or an
       option argument) is treated as a target host specification. The
       simplest case is to specify a target IP address or a hostname. Note,
       that you also need to specify a service to crack for the selected
       targets. Ncrack is very flexible in host/service specification. While
       hostnames and IP addresses can be defined with the flexibility that you
       are probably used to from Nmap, services along with service-specific
       options have a unique specification style that enables a combination of
       features to be taken advantage of.

       Sometimes you wish to crack a whole network of adjacent hosts. For
       this, Ncrack supports CIDR-style addressing. You can append /numbits to
       an IPv4 address or hostname and Ncrack will try to crack every IP
       address for which the first numbits are the same as for the reference
       IP or hostname given. For example, 192.168.10.0/24 would send probes to
       the 256 hosts between 192.168.10.0 11000000 10101000 00001010 00000000)
       and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111),
       inclusive. 192.168.10.40/24 would crack exactly the same targets. Given
       that the host scanme.nmap.org is at the IP address 64.13.134.52, the
       specification scanme.nmap.org/16 would send probes to the 65,536 IP
       addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed
       value is /0, which targets the whole Internet. The largest value is
       /32, which targets just the named host or IP address because all
       address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you
       might want to send probes to 192.168.0.0/16 but skip any IPs ending
       with .0 or .255 because they may be used as subnet network and
       broadcast addresses. Ncrack supports this through octet range
       addressing. Rather than specify a normal IP address, you can specify a
       comma-separated list of numbers or ranges for each octet. For example,
       192.168.0-255.1-254 will skip all addresses in the range that end in .0
       or .255, and 192.168.3-5,7.1 will target the four addresses
       192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of
       a range may be omitted; the default values are 0 on the left and 255 on
       the right. Using - by itself is the same as 0-255, but remember to use
       0- in the first octet so the target specification doesn't look like a
       command-line option. Ranges need not be limited to the final octets:
       the specifier will send probes to all IP addresses on the Internet
       ending in 13.37 This sort of broad sampling can be useful for Internet
       surveys and research.

       Ncrack accepts multiple host specifications on the command line, and
       they don't need to be the same type. The command ncrack scanme.nmap.org
       192.168.0.0/8 10.0.0,1,3-7.- -p22 does what you would expect.

       While targets are usually specified on the command lines, the following
       options are also available to control target selection:

       -iX inputfilename (Input from Nmap's -oX XML output format) .
           Reads target/service specifications from an Nmap XML output file.
           The Nmap XML file is created by scanning any hosts and specifying
           the Nmap -oX option. Ncrack will automatically parse the IP
           addresses and the corresponding ports and services that are open
           and will use these targets for authentication auditing. This is a
           really useful option, since it lets you essentially combine these
           two tools -Nmap and Ncrack- for cracking only those services that
           are surely open. In addition, if version detection has been enabled
           in Nmap (-sV option), Ncrack will use those findings to recognize
           and crack those services that are supported but are listening on
           non-default ports. For example, if a host is having a server
           listening on port 41414 and Nmap has identified that it is a SSH
           service, Ncrack will use that information to crack it using the SSH
           module. Of course, Ncrack is going to ignore open ports/services
           that are not supported for authentication cracking by its modules.

       -iN inputfilename (Input from Nmap's -oN Normal output format) .
           Reads target/service specifications from an Nmap Normal output
           file. The Nmap Normal file is created by scanning any hosts and
           specifying the Nmap -oN option. This works exactly like Ncrack's
           -iX option, the only difference being the format of the input file.

       -iL inputfilename (Input from list) .
           Reads target specifications from inputfilename. Passing a huge list
           of hosts is often awkward on the command line, yet it is a common
           desire. For example, you might want to crack a list of very
           specific servers that have been specified for penetration testing.
           Simply generate the list of hosts to crack and pass that filename
           to Ncrack as an argument to the -iL option. Entries can be in any
           of the formats accepted by Ncrack on the command line (IP address,
           hostname, CIDR, octet ranges or Ncrack's special host-service
           syntax. Each entry must be separated by one or more spaces, tabs,
           or newlines. You can specify a hyphen (-) as the filename if you
           want Ncrack to read hosts from standard input rather than an actual
           file. Note, however, that if hosts are specified without any
           service, you will have to also provide services/ports for the
           targets using the -p option.

       --exclude host1[, host2[, ...]] (Exclude hosts/networks) .
           Specifies a comma-separated list of targets to be excluded from the
           scan even if they are part of the overall network range you
           specify. The list you pass in uses normal Ncrack syntax, so it can
           include hostnames, CIDR netblocks, octet ranges, etc. This can be
           useful when the network you wish to scan includes untouchable
           mission-critical servers, systems that are known to react adversely
           to heavy load, or subnets administered by other people.

       --excludefile exclude_file  (Exclude list from file) .
           This offers the same functionality as the --exclude option, except
           that the excluded targets are provided in a newline, space, or tab
           delimited exclude_file rather than on the command line.

SERVICE SPECIFICATION
       No cracking session can be carried out without targetting a certain
       service to attack. Service specification is one of the most flexible
       subsystems of Ncrack and collaborates with target-specification in a
       way that allows different option combinations to be applied. For Ncrack
       to start running, you will have to specify at least one target host and
       one associated service to attack. Ncrack provides ways to specify a
       service by its default port number, by its name (as extracted from the
       ncrack-services file) or both. Normally, you need to define both name
       and port number only in the special case where you know that a
       particular service is listening on a non-default port.

       Ncrack offers two distinct ways with which services will be applied to
       your targets: per-host service specification and global specification.

       Per-host service specification

           Services specified in this mode are written next to the host and
           apply to it only. Keep in mind, however, that target-specification
           allows wildcards/netmasks, which essentially means that applying a
           per-host service specification format to that particular target
           will affect all of the expanded ones as a result. The general
           format is:

            [service-name]://target:[port-number]

           where target is a hostname or IP address in any of the formats
           described in the target-specification section, [service-name] is
           one of the common service names as defined in the ncrack-services
           file (e.g ssh, http) and [port-number] is what it obviously means.
           Ncrack can determine the default port numbers for each of the
           services it supports, as well as being able to deduce the service
           name when a default port number has been specified. Specifying both
           has meaning only when the user has a priori knowledge of a service
           listening on a non-default port number. This can easily be
           determined by using version detection like the one offered by
           Nmap's -sV option.

           Example 2. Per-host service specification example


               $ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910



           The above command will try to crack hosts: scanme.nmap.org on SSH
           service (default port 22), 10.0.0.10 on FTP service (default port
           21) and 192.168.1.0 - 192.168.1.255 (all of this C subnet) on SSH
           service on non-default port 5910 which has been explicitly
           specified. In the last case, Ncrack wouldn't be able to determine
           that the subnet hosts are to be scanned against the SSH service on
           that particular port without the user explicitly asking for it,
           because there isn't any mapping of port-number 5910 to service SSH.

       Global service specification

           Services specified in this mode are applied to all hosts that
           haven't been associated with the per-host service specification
           format. This is done using the -p option. While this facility may
           be similar to that of Nmap's, you should try not to confuse it,
           since the functionality is of a slightly different nature. Services
           can be specified using comma separated directives of the general
           format:

            -p [service1]:[port-number1],[service2]:[port-number2],...

           As usual, you need not specify both service name and port number
           since Ncrack knows the mappings of default-services to default-port
           numbers. Be careful though not to include any space between each
           service-name and/or port number, because Ncrack will think that the
           argument after the space is a host as per the rule "everything that
           isn't an option is a target specification".

           Example 3. Global service specification example


               $ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet



           The above command will try to crack all of the specified hosts
           scanme.nmap.org, 10.0.0.120, 10.0.0.121, 10.0.0.122 and the C class
           subnet of 192.168.2.0 against the following services: SSH service
           (mapped from default port 22), FTP service on non-default port
           3210, and TELNET service on default port 23.

       Of course, Ncrack allows you to combine both modes of service
       specification if you deem that as necessary. Normally, you will only
       need to specify a couple of services but cracking a lot of hosts
       against many different services might be a longterm project for large
       networks that need to be consistently audited for weak passwords. If
       you are in doubt, about which hosts and services are going to be
       cracked with the current command, you can use the -sL option (see below
       for explanation).

SERVICE OPTIONS
       Apart from general service specification, Ncrack allows you to provide
       a multitude of options that apply to each or a subset of your targets.
       Options include timing and performance optimizations (which are
       thoroughly analyzed in a seperate section), SSL enabling/disabling and
       other module-specific parameters like the relative URL path for the
       HTTP module. Options can be defined in a variety of ways which include:
       per-host options, per-module options and global options. Since a
       combination of these options may be used, there is a strict hierarchy
       of precedence which will be discussed later.

       Per-host Options

           Options in this mode apply only to the host(s) they are referring
           to and are written next to it according to the following format:

            [service-name]://target:[port-number],opt1=optval1,opt2=optval,...

           The format concerning the service specification which comes before
           the options, has been explained in the previous section.  optN is
           referring to any of the option names that are available (a list
           will follow below), while optvalN determines the value of that
           option and depends on the nature of it. For example, most
           timing-related options expect to receive numbers as values, while
           the path option obviously needs a string argument.

       Per-module Options

           Options in this mode apply to all hosts that are associated with
           the particular service/module. This is accomplished using the -m
           which is defined with the format:

            -m service-name:opt1=optval1,opt2=optval2,...

           This option can be invoked multiple times, for as many different
           services as you might need to define service-wide applicable
           options. Each iteration of this option must refer to only one
           service. However, to avoid confusion, this option had better not be
           called more than one time for the same service, although this is
           allowed and the last iteration will take precedence over the
           previous ones for all redefined option values.

       Global Options

           Options in this mode apply to all hosts regardless of which service
           they are associated with. This is accomplished using the -g as
           follows:

            -g opt1=optval1,opt2=optval2,...

           This acts as a convenience option, where you can apply options to
           all services globally. Everything else regarding the available
           options and option values is the same as the previous modes.

       List of available Service Options

       Below follows a list of all the currently available service options.
       You can apply them with any of the three modes described above. The
       last six of the options are timing related and will be analyzed in
       Section "Timing and Performance" of this manual.



               ssl: enable SSL over this service
               path: path-name used in modules like HTTP ('=' needs escaping if used)
               db: used in modules like MongoDB to specify the database
               domain: used in modules like WinRM to specify the domain
               cl (min connection limit): minimum number of concurrent parallel connections
               CL (max connection limit): maximum number of concurrent parallel connections
               at (authentication tries): authentication attempts per connection
               cd (connection delay): delay time between each connection initiation
               cr (connection retries): caps number of service connection attempts
               to (time-out): maximum cracking time for service, regardless of success so far



       ssl (Enable/Disable SSL over service)
           By enabling SSL, Ncrack will try to open a TCP connection and then
           negotiate a SSL session with the target. Everything will then be
           transparently encrypted and decrypted. However, since Ncrack's job
           is to provide speed rather than strong crypto, the algorithms and
           ciphers for SSL are chosen on an efficiency basis. Possible values
           for this option are 'yes' but just specifying ssl would be enough.
           Thus, this is the only option that doesn't need to be written in
           the opt=optval format. By default, SSL is disabled for all services
           except those that are stricly dependent on it like HTTPS.

       path <name> (Path name for relative URLs)
           Some services like HTTP or SVN usually require a specific path in
           the URL. This option takes that pathname string as its value. The
           path is always relative to the hostname or IP address, so if you
           want to target something like http://foobar.com/login.php the path
           must take the value path=login.php . The initial '/' is added if
           you omit it. However, it is usually better if you explicitly
           specify it at the end of pathnames that are directories. For
           example, to crack the directory for
           http://foobar.com/protected-dir/ , it would be better if you wrote
           it as path=protected-dir/ . This is to avoid the (very) slight
           probability of a false positive, because there are cases where Web
           servers might reply with a "301 Moved Permanently" for a
           non-successful attempt. They normally send that reply, when a
           successful attempt is made for a requested password-protected path
           which has omitted the ending '/' but the requested source is
           actually a directory. Consequently, Ncrack regards that reply as
           having succeeded in the authentication attempt.

           Also be careful with the symbol '=', since it is used by Ncrack for
           argument parsing and you will have to espace it if it is included
           in the URL.

           By default, the path-name is initialized to '/', but will be
           ignored by services that do not require it.

       db <name> (Database name)
           Some services like MongoDB require a specific database name to
           crack. This option allows you to specify the database.

           By default, the db name for MongoDB is initialized to 'admin' but
           will be ignored by services that do not require it.

       domain <name> (Domain name)
           Some services like WinRM require a specific domain to crack. This
           option allows you to specify the domain.

           By default, the domain name for WinRM is initialized to
           'Workstation' but will be ignored by services that do not require
           it.

       Service Option Hierarchy

       As already noted, Ncrack allows a combination of the three different
       modes of service option specification. In that case, there is a strict
       hierarchy that resolves the order in which conflicting values for these
       options take precedence over each other. The order is as follows,
       leftmost being the highest priority and rightmost the lowest one:

       Per-host options > Per-module options > Global options >
       Timing-Template (for timing options only)

       The concept of the "Timing-Template" will be explained in the Section
       "Timing and Performance", but for now, just have in mind that its
       values have the least prevalence over everything else and essentially
       act as defaults for everything timing-related. Global options specified
       with -g have the directly higher precedence, while -m per-module
       options are immediately higher. In the top of the hierarcy reside the
       per-host options which are essentially the most specific ones.
       Consequently, you can see that the pattern is: the more specific the
       higher the precedence.

       Example 4. Service Option Hierarchy example


           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3



       The example demonstrates the hierarchy precedence. The services that
       are going to be cracked are SSH for scanme.nmap.org and FTP for hosts
       10.0.0.120, 10.0.0.20. No particular timing-template has been specified
       and thus the default will be used (Normal - 3). The per-host options
       for scanme.nmap.org define that the minimum connection limit (cl) is 10
       and that Ncrack should attempt only 1 authentication try (at) per
       connection. These values would override any other for service SSH of
       host scanme.nmap.org if there were conflicts with other modes. Since a
       global option of -g CL=3 was defined and there is no other
       higher-precedence for service SSH and scanme.nmap.org in particular,
       this value will also be applied. As for the FTP targets, the per-module
       -m ftp:CL=1 defined for all FTP services will override the equivalent
       global one. All these can get quite complex if overused, but they are
       not expected to be leveraged by the average Ncrack user anyway.
       Complicated network scanning scenarios might require them, though. To
       make certain the results are the ones you expect them to be, don't
       forget to use the -sL option that prints out details about what Ncrack
       would crack if invoked normally. You can add the debugging -d option if
       you want even more verbose output. For the above example, Ncrack would
       print the following:

       Example 5. Service Option Hierarchy Output example


           $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d

           Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT

           ----- [ Timing Template ] -----
           cl=7, CL=80, at=0, cd=0, cr=30, to=0

           ----- [ ServicesTable ] -----
           SERVICE            cl  CL  at  cd  cr  to  ssl path db    domain
           ftp:21             N/A 1   N/A N/A N/A N/A no  null null  null
           ssh:22             N/A N/A N/A N/A N/A N/A no  null null  null
           telnet:23          N/A N/A N/A N/A N/A N/A no  null null  null
           http:80            N/A N/A N/A N/A N/A N/A no  null null  null
           pop3:110           N/A N/A N/A N/A N/A N/A no  null null  null
           imap:143           N/A N/A N/A N/A N/A N/A no  null null  null
           netbios-ssn:445    N/A N/A N/A N/A N/A N/A no  null null  null
           smb:445            N/A N/A N/A N/A N/A N/A no  null null  null
           smb:139            N/A N/A N/A N/A N/A N/A no  null null  null
           https:443          N/A N/A N/A N/A N/A N/A yes null null  null
           owa:443            N/A N/A N/A N/A N/A N/A yes null null  null
           sip:5060           N/A N/A N/A N/A N/A N/A no  null null  null
           pop3s:995          N/A N/A N/A N/A N/A N/A yes null null  null
           mssql:1433         N/A N/A N/A N/A N/A N/A no  null null  null
           mysql:3306         N/A N/A N/A N/A N/A N/A no  null null  null
           ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no  null null  null
           rdp:3389           N/A N/A N/A N/A N/A N/A no  null null  null
           psql:5432          N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5801           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5900           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:5901           N/A N/A N/A N/A N/A N/A no  null null  null
           vnc:6001           N/A N/A N/A N/A N/A N/A no  null null  null
           redis:6379         N/A N/A N/A N/A N/A N/A no  null null  null
           winrm:5985         N/A N/A N/A N/A N/A N/A no  null null  Workstation
           winrm:5986         N/A N/A N/A N/A N/A N/A no  null null  Workstation
           cassandra:9160     N/A N/A N/A N/A N/A N/A no  null null  null
           cassandra:9042     N/A N/A N/A N/A N/A N/A no  null null  null
           mongodb:27017      N/A N/A N/A N/A N/A N/A no  null admin null

           ----- [ Targets ] -----
           Host: 45.33.32.156 ( scanme.nmap.org )
             ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
           Host: 10.0.0.120
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
           Host: 10.0.0.20
             ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation


           Ncrack done: 3 services would be scanned.
           Probes sent: 0 | timed-out: 0 | prematurely-closed: 0

           Ncrack finished.




       The ServicesTable just lists the per-module options for all available
       services. As you can see, the only defined option is in the FTP service
       for the CL . The Targets table is the most important part of this
       output and lists all targets and associated options according to the
       command-line invocation. No network operation takes place in this mode,
       apart from forward DNS resolution for hostnames (like scanme.nmap.org
       in this example).

TIMING AND PERFORMANCE
       The timing engine is perhaps the most important part of any serious
       network authentication cracking tool. Ncrack's timing engine offers a
       great many options for optimization and can be bended to serve
       virtually any user need. As Ncrack is progressing, this subsystem is
       going to evolve into a dynamic autonomous engine that will be able to
       automatically adjust its behaviour according to the network feedback it
       gets, in order to achieve maximum performance and precision without any
       user intervention.

       Some options accept a time parameter. This is specified in seconds by
       default, though you can append `ms', `m', or `h' to the value to
       specify milliseconds, minutes, or hours (`s' for seconds is redundant).
       So the cd (connection delay) arguments 900000ms, 900s, and 15m all do
       the same thing.

       cl num-minconnections; CL num-maxconnections (Adjust number of
       concurrent parallel connections)

           Connection Limit

           These options control the total number of connections that may be
           outstanding for any service at the same time. Normally, Ncrack
           tries to dynamically adjust the number of connections for each
           individual target by counting how many drops or connection failures
           happen. If a strange network condition occurs, that signifies that
           something may be going wrong, like the host dropping any new
           connection attempts, then Ncrack will immediately lower the total
           number of connections hitting the service. However, the caps number
           of the minimum or maximum connections that will take place can be
           overriden using these two options. By properly adjusting them, you
           can essentially optimize performance, if you can handle the tricky
           part of knowing or discovering your target's own limits. The
           convention here is that cl with lowercase letters is referring to
           the minimum connection limit, while CL  with uppercase letters is
           referring to the maximum number of connections.

           The most common usage is to set cl (minimum connection limit) for
           targets that you are almost certain are going to withstand these
           many connections at any given time. This is a risky option to play
           with, as setting it too high might actually do more harm than good
           by effectively DoS-attacking the target and triggering firewall
           rules that will ban your IP address.

           On the other hand, for more stealthy missions, setting the CL
           (maximum connection limit) to a low value might be what you want.
           However, setting it too low will surely have a great impact in
           overall cracking speed. For maximum stealth, this can be combined
           with the cd (connection delay) described below.

       at num-attempts (Adjust authentication attempts per connection)

           Authentication Tries

           Using this option, you can order Ncrack to limit the authentication
           attempts it carries out per connection. Ncrack initially sends a
           reconnaisance probe that lets it calculate the maximum number of
           such authentication tries and from thereon it always tries to use
           that number. Most servicse pose an upper limit on the number of
           authentication per connection and in most cases finding that
           maximum leads to better performance.

           Setting this option to lower values can give you some stealth
           bonus, since services such as SSH tend to log failed attempts after
           more than a certain number of authentication tries per connection.
           They use that as a metric rather than counting the total number of
           authentication attempts or connections per IP address (which is
           usually done by a firewall). Consequently, a number of 1 or 2
           authentication tries might circumvent logging in some cases.

           Note that setting that option to a high value will not have any
           effect if Ncrack realizes that the server doesn't allow that many
           attempts per connection. In this case, it will just use that
           maximum number and ignore your setting.

       cd time (Adjust delay time between each new connection)

           Connection Delay

           This option essentially defines the imposed time delay between each
           new connection. Ncrack will wait the amount of time you specify in
           this option value, before starting a new connection against the
           given service. The higher you set it, the slower Ncrack will
           perform, but the stealthier your attack will become.

           Ncrack by default tries to initiate new connections as fast as
           possible given that new probes are actually allowed to be sent and
           are not restricted by parameters such as Connection Limit which can
           dynamically increase or decrease. Although this approach achieves
           blazing speed as long as the host remains responsive, it can lead
           to a number of disasters such as a firewall being triggered, the
           targets' or your bandwidth to be diminished and even the tested
           service to suffer a Denial of Service attack. By carefully
           adjusting this option, you can potentially avoid these annoying
           situations.

       cr max-conattempts (Adjust the max number of connection retries)

           Connection Retries

           This option allows the user to specify the maximum amount of
           consecutive failed attempts against that particular service. If at
           any time, during the cracking session, Ncrack fails to connect
           against that particular service, then it will stop cracking it
           entirely.

       to time (Adjust the maximum overall cracking time)

           Timeout

           Define how much time Ncrack is going to spend cracking the service,
           before giving up regardless of whether it has found any credentials
           so far. However, any authentication token discovered until that
           time, will be stored and printed normally. Ncrack marks a service
           as finished when the username/password lists iteration ends or when
           it can no longer crack it for some serious reason. If Ncrack
           finishes cracking a service before the time specified in this
           option, then it will not be taken into account at all.

           Sometimes, you have a limited time window to scan/crack your hosts.
           This might occur for various reasons. A common one would be that
           normal user activity mustn't be interrupted and since Ncrack can
           become very aggressive, it might be allowed to scan the hosts only
           at during certain time period like the night hours. Scanning during
           certain such hours is also likely to make an attack less
           detectable.

           Don't forget that Ncrack allows you to specify the time unit of
           measure by appending `ms', `m', or `h' for milliseconds, minutes or
           hours (seconds is the default time unit). Using them in this
           particular option, is really convenient as you can specify
           something like to=8h to give Ncrack a total of 8 hours to crack
           that service. Setting up cronjobs for scheduled scans in
           combination with this option, might also be a good idea.

       -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing
       template) .
           While the fine-grained timing controls discussed in the previous
           section are powerful and effective, some people find them
           confusing. Moreover, choosing the appropriate values can sometimes
           take more time than the scan you are trying to optimize. So Ncrack
           offers a simpler approach, with six timing templates. You can
           specify them with the -T option and their number (0-5) or their
           name. The template names are paranoid (0), sneaky (1), polite (2),
           normal (3), aggressive (4), and insane (5). The first two are for
           IDS evasion. Polite mode slows down the scan to use less bandwidth
           and target machine resources. Normal mode is the default and so -T3
           does nothing. Aggressive mode speeds scans up by making the
           assumption that you are on a reasonably fast and reliable network.
           Finally insane mode assumes that you are on an extraordinarily fast
           network or are willing to sacrifice some accuracy for speed.

           These templates allow the user to specify how aggressive they wish
           to be, while leaving Ncrack to pick the exact timing values. If you
           know that the network service is going to withstand a huge number
           of connections you might try using the aggressive template of -T4 .
           Even then, this is mostly advised for services residing in the
           local network. Going over to insane mode -T5 is not recommended,
           unless you absolutely know what you are doing.

           While -T0.  and -T1.  may be useful for avoiding IDS alerts, they
           will take an extraordinarily long time to crack even a few
           services. For such a long scan, you may prefer to set the exact
           timing values you need rather than rely on the canned -T0 and -T1
           values.

       --connection-limit numprobes (Adjust the threshold of total concurrent
       connections)
           NOT IMPLEMENTED YET.

AUTHENTICATION
       This section describes ways of specifying your own username and
       password lists as well as the available modes of iterating over them.
       Ncrack ships in with a variety of username and password lists which
       reside under the directory 'lists' of the source tarball and later
       installed under Ncrack's data directory which usually is
       /usr/local/share/ncrack or /usr/share/ncrack . You can omit specifying
       any lists and Ncrack is going to use the default ones which contain
       some of the most common usernames and passwords. The password list is
       frequency-sorted with the top most common passwords at the beginning of
       the list so they will be tried out first. The lists have been derived
       from a combination of sorting publicly leaked password files and other
       techniques.

       -U filename (Specify username list)
           Specify your own username list by giving the path to the filename
           as argument to this option.

           Usernames for specific environments can be gathered in numerous
           ways including harvesting for email-addresses in the company's
           website, looking up information in whois databases, using the SMTP
           VRFY technique at vulnerable mail servers or through social
           engineering.

       -P filename (Specify password list)
           Specify your own password list by giving the path to the filename
           as argument to this option.

           Common passwords are usually derived from leaked lists as a result
           of successful intrusions in public sites such as forums or other
           social networking places. A great deal of them have already been
           publicly disclosed and some of these have been used to assemble
           Ncrack's own lists.

       --user username_list (Specify command-line comma-separated username
       list)
           Specify your own usernames directly in the command-line as a
           comma-separated list.

       --pass password_list (Specify command-line comma-separated password
       list)
           Specify your own passwords directly in the command-line as a
           comma-separated list.

       --passwords-first (Reverse the way passwords are iterated)
           Ncrack by default iterates the username list for each password.
           With this option, you can reverse that. For example, given the
           username list of -> "root, guest, admin" and the password list of
           "test, 12345, q1w2e3r4" Ncrack will normally go over them like this
           -> root:test, guest:test, admin:test, root:12345 etc. By enabling
           this option it will go over them like this -> root:test,
           root:12345, root:q1w2e3r4, guest:test etc.

           Most network authentication cracking tools prefer by default to
           iterate the password list for each username. This is, however,
           ineffective compared to the opposite iteration in most cases. This
           holds true for the simple reason that password lists are usually
           sorted on a frequency basis, meaning that the more common a
           password is, the closer to the beginning of the password list it
           is. Thus, iterating over all usernames for the most common
           passwords first has usually more chances to get a positive result.
           With the --passwords-first iteration, very common passwords might
           not even be tried out for certain usernames if the user chooses to
           abort the session early. However, this option might prove valuable
           for cases where the attacker knows and has already verified that
           the username list contains real usernames, instead of blindly
           bruteforcing through them.

       --pairwise (Choose usernames and passwords in pairs)
           Enabling this option will make Ncrack iterate the username and
           password list by choosing them in pairs. For example, given the
           username list of "root, guest, admin" and the password list of
           "test, 12345, q1w2e3r4" Ncrack will go over them like this:
           "root:test", "guest:12345", "admin:q1w2e3r4". This is particulary
           useful when inside knowledge of the infrastructure tested is
           available and special username and password lists have been made.

OUTPUT
       Any security tool is only as useful as the output it generates. Complex
       tests and algorithms are of little value if they aren't presented in an
       organized and comprehensible fashion. Of course, no single format can
       please everyone. So Ncrack offers several formats, including the
       interactive mode for humans to read directly and XML for easy parsing
       by software.

       In addition to offering different output formats, Ncrack provides
       options for controlling the verbosity of output as well as debugging
       messages. Output types may be sent to standard output or to named
       files, which Ncrack can append to or clobber.

       Ncrack makes output available in three different formats. The default
       is called interactive output, and it is sent to standard output
       (stdout). There is also normal output, which is similar to interactive
       except that it displays less runtime information and warnings since it
       is expected to be analyzed after the scan completes rather than
       interactively.

       XML output is one of the most important output types, as it can be
       converted to HTML, easily parsed by programs such as Ncrack graphical
       user interfaces, or imported into databases. Currently, XML output
       hasn't been implemented.

       While interactive output is the default and has no associated
       command-line options, the other two format options use the same syntax.
       They take one argument, which is the filename that results should be
       stored in. Multiple formats may be specified, but each format may only
       be specified once. For example, you may wish to save normal output for
       your own review while saving XML of the same scan for programmatic
       analysis. You might do this with the options -oX myscan.xml -oN
       myscan.ncrack. While this chapter uses the simple names like myscan.xml
       for brevity, more descriptive names are generally recommended. The
       names chosen are a matter of personal preference. A scheme could be
       using long filenames that incorporate the scan date and a word or two
       describing the scan, placed in a directory named after the company that
       is being scanned.

       While these options save results to files, Ncrack still prints
       interactive output to stdout as usual. For example, the command nmap
       -oX myscan.xml [target] prints XML to myscan.xml and fills standard
       output with the same interactive results it would have printed if -oX
       wasn't specified at all. You can change this by passing a hyphen
       character as the argument to one of the format types. This causes
       Ncrack to deactivate interactive output, and instead print results in
       the format you specified to the standard output stream. So the command
       nmap -oX - target will send only XML output to stdout. Serious errors
       may still be printed to the normal error stream, stderr.

       Unlike some Ncrack arguments, the space between the logfile option flag
       (such as -oX) and the filename or hyphen is mandatory.

       All of these arguments support strftime-like conversions in the
       filename.  %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as
       in strftime.  %T is the same as %H%M%S, %R is the same as %H%M, and %D
       is the same as %m%d%y. A % followed by any other character just yields
       that character (%% gives you a percent symbol). So -oX 'scan-%T-%D.xml'
       will use an XML file in the form of scan-144840-121307.xml.

       Ncrack also offers options to control scan verbosity and to append to
       output files rather than clobbering them. All of these options are
       described below.

       Ncrack Output Formats

       -oN filespec (normal output) .
           Requests that normal output be directed to the given filename. As
           discussed above, this differs slightly from interactive output.

       -oX filespec (XML output) .
           Requests that XML output be directed to the given filename.

       -oA basename (Output to all formats) .
           As a convenience, you may specify -oA basename to store scan
           results in normal and XML formats at once. They are stored in
           basename.ncrack, and basename.xml respectively. As with most
           programs, you can prefix the filenames with a directory path, such
           as ~/ncracklogs/foocorp/ on Unix or c:\hacking\sco on Windows.

       Verbosity and debugging options

       -v (Increase verbosity level) .
           Increases the verbosity level, causing Ncrack to print more
           information about the scan in progress. Credentials are shown as
           they are found and more statistical information is printed in the
           end. Use it twice or more for even greater verbosity.

       -d [level] (Increase or set debugging level) .
           When even verbose mode doesn't provide sufficient data for you,
           debugging is available to flood you with much more! As with the
           verbosity option (-v), debugging is enabled with a command-line
           flag (-d) and the debug level can be increased by specifying it
           multiple times. Alternatively, you can set a debug level by giving
           an argument to -d. For example, -d10 sets level ten. That is the
           highest effective level and will produce thousands of lines, unless
           your cracking session is going really slow.

           Debugging output is useful when a bug is suspected in Ncrack, or if
           you are simply confused as to what Ncrack is doing and why. As this
           feature is mostly intended for developers, debug lines aren't
           always self-explanatory. If you don't understand a line, your only
           recourses are to ignore it, look it up in the source code, or
           request help from the development list (nmap-dev). Some lines are
           self explanatory, but the messages become more obscure as the debug
           level is increased.

       --nsock-trace level (Set nsock trace level) .
           This option is meant mostly for developers as enabling it will
           activate the Nsock's library debugging output. Nsock is the
           underlying library for parallel socket handling. You will have to
           specify a certain level for this option. Valid range is 0 up to 10.
           Usually, a level of 1 or 2 is enough to get a good overview of
           network operations happening behind the scenes. Nsock prints that
           information to stdout by default.

       --log-errors (Log errors/warnings to normal mode output file) .
           Warnings and errors printed by Ncrack usually go only to the screen
           (interactive output), leaving any normal-format output files
           (usually specified with -oN) uncluttered. When you do want to see
           those messages in the normal output file you specified, add this
           option. It is useful when you aren't watching the interactive
           output or when you want to record errors while debugging a problem.
           The error and warning messages will still appear in interactive
           mode too. This won't work for most errors related to bad
           command-line arguments because Ncrack may not have initialized its
           output files yet.

           An alternative to --log-errors is redirecting interactive output
           (including the standard error stream) to a file. Most Unix shells
           make this approach easy, though it can be difficult on Windows.

       Miscellaneous output options

       --append-output (Append to rather than clobber output files) .
           When you specify a filename to an output format flag such as -oX or
           -oN, that file is overwritten by default. If you prefer to keep the
           existing content of the file and append the new results, specify
           the --append-output option. All output filenames specified in that
           Ncrack execution will then be appended to rather than clobbered.
           This doesn't work well for XML (-oX) scan data as the resultant
           file generally won't parse properly until you fix it up by hand.

MISCELLANEOUS OPTIONS
       This section describes some important (and not-so-important) options
       that don't really fit anywhere else.

       --resume file (Continue previously saved session) .
           Whenever the user cancels a running session (usually by pressing
           Ctrl+C), Ncrack saves the current state into a file which it can
           later use to continue from where it had stopped. This file is saved
           in subdirectory .ncrack/ of the user's home path with a filename
           format of "restore.YY-MM-DD_hh-mm". An example would be:
           "/home/ithilgore/.ncrack/restore.2010-05-18_04-42". You can then
           continue your session, by specifying this file as argument to the
           --resume option.

       -f  (Quit cracking service after one found credential) .
           This option will force Ncrack to quit cracking a service as soon as
           it finds a valid username/password combination for it. Assuming
           many parallel services are being cracked at the same time, this
           option is applied on each of them separately. This means that
           Ncrack will stop cracking each individual service after finding a
           pair of credentials for it, but will not quit entirely. Supplying
           the option two times, like -f -f will, however, make Ncrack exit
           immediately as soon as it finds a valid credential for any service.

           Frequently, attackers will try cracking several services in
           parallel to maximize the chances of finding a pair of valid
           credentials. Given that a network is no stronger than its weakest
           link, this option and especially the -f -f  counterpart will often
           be used to lessen chances of detection and prevent network
           resources from being wasted aimlessly.

       -6 (Enable IPv6 scanning) .
           Warning: This option was just added and it is currently
           experimental, so please notify us for any problems and bugs related
           to it.

           The command syntax is the same as usual except that you also add
           the -6 option. Of course, you must use IPv6 syntax if you specify
           an address rather than a hostname. An address might look like
           3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
           recommended. The output looks the same as usual, with the IPv6
           address on the "Discovered credentials" line being the only IPv6
           give away.

           While IPv6 hasn't exactly taken the world by storm, it gets
           significant use in some (usually Asian) countries and most modern
           operating systems support it. To use Ncrack with IPv6, both the
           source and target of your scan must be configured for IPv6. If your
           ISP (like most of them) does not allocate IPv6 addresses to you,
           free tunnel brokers are widely available and will probably work
           fine with Ncrack. A popular IPv6 tunnel broker service is at
           http://www.tunnelbroker.net. 6to4 tunnels are another popular, free
           approach.

       -sL (List Scan) .
           The list scan simply lists each host and service that would be
           cracked if this option wasn't specified. No packets are sent to the
           target hosts and the only network operation that might happen is
           DNS-resolution of any hostnames of targets. This option is really
           helpful in making sure that you have specified everything as you
           wanted. Service-specific options will also be printed so this acts
           as a good sanity check of potentially complex command-line
           arguments such as the advanced modes of Service Option
           Specification and the equivalent Hierarchy for sessions that
           require delicate timing handling. If list scan is called along with
           the -d debug option, then additional output, like the ServicesTable
           and the current Timing-Template's parameters, is also going to be
           printed.

       --datadir directoryname (Specify custom Ncrack data file location) .
           Ncrack needs a file called ncrack-services to load a lookup-table
           of supported services/ports. This file shouldn't be changed, unless
           you know what you are doing (e.g extending Ncrack for additional
           modules). In addition, Ncrack is shipped with various username and
           password lists, some of which are used by default in case the user
           doesn't specify ones of his own. All these files are normally
           copied during the installation procedure to a directory such as
           /usr/share/ncrack or /usr/local/share/ncrack . Using the --datadir
           option, will force Ncrack to start searching for these files in
           specified directory. If the files aren't found, then it will
           continue searching in the directory specified by the NCRACKDIR
           environmental variable NCRACKDIR (if it is defined). Next comes
           ~/.ncrack directory for real and effective UIDs (POSIX systems
           only) or location of the Ncrack executable (Win32 only), and then a
           compiled-in location such as /usr/local/share/ncrack or
           /usr/share/ncrack. As a last resort, Ncrack will look in the
           current directory.

       --proxy type://proxy:port (Make connections via socks4, 4a, http) .
           This will make Ncrack perform the authentication cracking session
           through the proxy host specified.

       -V; --version (Print version number) .
           Prints the Ncrack version number and exits.

       -h; --help (Print help summary page) .
           Prints a short help screen with the most common command flags.
           Running Ncrack without any arguments does the same thing.

RUNTIME INTERACTION
       During the execution of Ncrack, all key presses are captured. This
       allows you to interact with the program without aborting and restarting
       it. Certain special keys will change options, while any other keys will
       print out a status message telling you about the scan. The convention
       is that lowercase letters increase the amount of printing, and
       uppercase letters decrease the printing. You may also press `?' for
       help.

       v / V
           Increase / decrease the verbosity level

       d / D
           Increase / decrease the debugging Level

       p / P
           Display found credentials

       ?
           Print a runtime interaction help screen

       Anything else
           Print out a status message like this:

           Stats: 0:00:20 elapsed; 0 services completed (1 total)

           Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17
           remaining)

MODULES
       Ncrack's architecture is modular with each module corresponding to one
       particular service or protocol. Currently, Ncrack supports the
       protocols SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP
       Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA. If you
       want to write and contribute your own Ncrack modules, be sure to read
       the Ncrack Developer's Guide at http://nmap.org/ncrack/devguide.html
       Below we describe some key points for each of them.

       FTP Module

           FTP authentication is quite fast, since there is very little
           protocol negotiation overhead. Most FTP daemons allow 3 to 6
           authentication attempts but usually impose a certain delay before
           replying with the results of a failed attempt. Filezilla is one of
           the most characteristic examples of this case, where the time delay
           is so great, that it is usually faster to open more connections
           against it, with each of them doing only 1 authentication per
           connection.

       Telnet Module

           Telnet daemons have been largely substituded by their safer
           'counterpart' of SSH. However, there are many boxes, mainly routers
           or printers, that still rely on Telnet for remote access. Usually
           these are also easier to crack, since default passwords for them
           are publicly known. The drawback is that telnet is a rather slow
           protocol, so you shouldn't be expecting really high rates against
           it.

       SSH Module

           SSH is one of the most prevalent protocols in today's networks. For
           this reason, a special library, named opensshlib and based on code
           from OpenSSH, was specifically built and tailored for Ncrack's
           needs. Opensshlib ships in with Ncrack, so SSH support comes out of
           the box. OpenSSL will have to be installed in Unix systems though.
           Windows OpenSSL dlls are included in Ncrack, so Windows users
           shouldn't be worrying about it at all.

           SSH bruteforcing holds many pitfalls and challenges, and you are
           well advised to read a paper that was written to explain them. The
           latest version of the "Hacking the OpenSSH library for Ncrack"
           document can be found under docs/openssh_library.txt or at
           http://sock-raw.org/papers/openssh_library

       HTTP(S) Module

           The HTTP Module currently supports basic and digest authentication.
           Ncrack tries to use the "Keepalive" HTTP option, whenever possible,
           which leads to really high speeds, since that allows dozens of
           attempts to be carried out per connection. The HTTP module can also
           be called over SSL.

       SMB Module

           The SMB module currently works over raw TCP. NetBIOS isn't
           supported yet. This protocol allows for high parallelization, so
           users could potentially increase the number of concurrent probes
           against it. SMB is frequently used for file-sharing among other
           things and is one of the most ubiquitous protocols, being present
           in both Unix and Windows environments.

       RDP Module

           RDP (Remote Desktop Protocol) is a proprietary protocol developed
           by Microsoft for the purpose of providing remote terminal services
           by transfering graphics display information from the remote
           computer to the user and transporting input commands from the user
           to the remote computer. Fortunately, Microsoft recently decided to
           open the protocol's internal workings to the public and has
           provided official documentation, which can be found at
           http://msdn.microsoft.com/en-
           us/library/cc240445%28v=PROT.10%29.aspx

           RDP is one of the most complex protocols, requiring the exchange of
           many packets, even for just the authentication phase. For this
           reason, cracking it takes a lot of time and this is probably the
           slowest module. The connection phase is briefly described at
           http://msdn.microsoft.com/en-
           us/library/cc240452%28v=PROT.10%29.aspx where you can also see a
           diagram of the various packets involved. Care must be taken against
           RDP servers in Windows XP versions, since they can't handle
           multiple connections at the same time. It is advised to use a very
           slow timing template or even better limit the maximum parallel
           connections using timing options such as CL (Connection Limit) or
           cd (connection delay) against Windows XP (and relevant) RDP
           servers. Windows Vista and above don't suffer from the same
           limitation.

       VNC Module

           The VNC protocol has known widespread usage among Unix
           administrators and users for remote graphical access. VNC is
           perhaps one of the most vulnerable protocols in terms of
           brute-forcing, since it often requires a password without a
           corresponding username for authentication. In addition, some
           versions of VNC impose an 8-character limit in password length. You
           should consider adding the --passwords-first option when cracking
           VNC systems to exploit the fact that the username often has no
           actual importance in authentication.

       POP3(S) Module

           POP3 support is still experimental and hasn't been thoroughly
           tested. You can expect it to work against common mail servers,
           nevertheless.

       IMAP Module

           The Internet Message Access Protocol (IMAP) is used by email
           clients to retrieve email messages from a mail server. The module
           sends the LOGIN command to authenticate. The LOGIN command is the
           simplest, fastest and most supported authentication mechanism for
           IMAP.

       SIP Module

           The Session Initiation Protocol is a text-based protocol, very
           similar to HTTP in its structure. The most common application of
           SIP is in Internet telephony for voice and video calls. Nearly all
           enterprises have infrastructure that supports conference calls and
           part of them are based on SIP, making the authentication part a
           significant threat vector.

       Redis Module

           Redis is one of the most widely used caching servers and the most
           popular NoSQL database. Despite its reputation, the authentication
           mechanism is very simple, only allowing for a password to protect
           remote access to the service. Due to the high performance of Redis
           and the fact that only 2 packets are needed for the authentication
           phase, Ncrack can try a lot of passwords in parallel
           (http://redis.io/commands/AUTH). Specifying a username list or
           single username will have no effect in this module, since Redis
           only deals with passwords.

       PostgreSQL Module

           PostgreSQL is often used as a backend database. The PostgreSQL
           module supports md5 authentication, which is the most frequent
           password authentication method.

       MySQL Module

           The MySQL module supports native authentication.

       MySQL Module

           The MSSQL module supports mixed authentication.

       MongoDB Module

           The MongoDB module supports MongoDB-CR and SCRAM-SHA-1
           authentication. The pairwise and passwords-first option will be
           ignored for the MongoDB module, due to them being inefficient
           against MongoDB. The optimal way of cracking MongoDB is to take
           advantage of a user-enumeration vulnerability inherent in its
           authentication mechanism, which Ncrack exploits.

       Cassandra Module

           Apache Cassandra is a popular NoSQL database often left unsecured
           with weak credentials or no authentication.

       OWA Module

           Outlook Web App allows users to access a Microsoft Exchange Server
           mailbox from a web browser and experience Microsoft Outlook without
           a mail client. The module supports Basic Authentication.

       WinRM Module

           Windows Remote Management (WinRM) is the Microsoft implementation
           of WS-Management Protocol, a standard Simple Object Access Protocol
           (SOAP)-based, firewall-friendly protocol that allows hardware and
           operating systems, from different vendors, to interoperate. It is
           often used to administer Windows machines. The module supports
           Basic and Negotiate authentication.

       DICOM Module

           Digital Imaging and Communications in Medicine (DICOM) is a
           protocol used heavily in healthcare environments. Most commonly, it
           is used as both a file format and network protocol by Picture
           Archiving and Communication Systems (PACS). The client of a DICOM
           service is called a service class user (SCU) and the server a
           service class provider (SCP). DICOM is very unique in how it
           authenticates clients to servers; there are potentially one to
           three steps involved: Association, Find Service and Retrieve
           Images.

           Association: This is the initial step that almost all PACS servers
           require. By sending an A-ASSOCIATE request with the correct called
           Application Entity Title (AET) the client associates with the
           server and then can go on to perform query / retrieve requests in
           the next steps. This is the mode that Ncrack currently supports by
           iterating through the username field. Thus to brute-force the
           server's AET, you can specify a list of AETs using the -U option
           and then specifying a null password. Example: ncrack
           dicom://127.0.0.1 -U aet.txt --pass DOESNOTMATTER

           Find Service: This step involves being able to query the PACS
           server for patient studies that are associated with DICOM images.
           This takes place after the client has performed the Association
           phase. A C-FIND request must be sent with the correct calling AET.
           Knowing the correct allowed client AET (or calling AET) is required
           by securely configured PACS servers. Many PACS servers by default
           do not require this.

           Retrieve Images: This step allows a client to retrieve DICOM
           images. The most hardened PACS servers will require the client to
           have a specific allowed IP configured in order to send a C-MOVE /
           C-STORE request after the above two steps have been performed.

       MQTT Module

           The Message Queueing Telemetry Transport (MQTT) protocol is a
           publish / subscribe machine to machine protocol that allows IoT
           clients to publish to a broker. Each client device subscribes to a
           particular topic of interest and receives messages from publishers.
           Usually MQTT authentication is optional and when enabled can be
           brute-forced very easily as it only requires a single MQTT CONNECT
           packet to be sent for each attemped credential pair.

       Wordpress Module

           Wodpress is one of the most popular content management systems.
           This module attacks the web administration endpoint. By default it
           will try "wp-login.php" but you can change it by specifying the
           path. For example: ncrack
           wp://127.0.0.1,path=/non-default/wp-login.php

       CVS Module

           The Concurrent Versioning System (CVS) is a revision control system
           in software development. Although not as popular nowadays, there
           are many old, oudated CVS servers out there that might have default
           or weak credentials.

BUGS
       Like its authors, Ncrack isn't perfect. But you can help make it better
       by sending bug reports or even writing patches. If Ncrack doesn't
       behave the way you expect, first upgrade to the latest version
       available from http://nmap.org/ncrack. If the problem persists, do some
       research to determine whether it has already been discovered and
       addressed. Try searching for the error message on our search page at
       http://insecure.org/search.html or at Google. Also try browsing the
       nmap-dev archives at http://seclists.org/ .  Read this full manual page
       as well. If you are developing your own Ncrack module, make sure you
       have first read the Ncrack Developer's Guide at
       http://nmap.org/ncrack/devguide.html . If nothing comes of this, mail a
       bug report to nmap-dev@insecure.org . Please include everything you
       have learned about the problem, as well as what version of Ncrack you
       are running and what operating system version it is running on. Problem
       reports and Ncrack usage questions sent to nmap-dev@insecure.org are
       far more likely to be answered than those sent to Fyodor directly. If
       you subscribe to the nmap-dev list before posting, your message will
       bypass moderation and get through more quickly. Subscribe at
       http://cgi.insecure.org/mailman/listinfo/nmap-dev .

       Code patches to fix bugs are even better than bug reports. Basic
       instructions for creating patch files with your changes are available
       at http://nmap.org/data/HACKING . Patches may be sent to nmap-dev
       (recommended) or to Fyodor directly.

AUTHORS
       ithilgore (Fotios (Fotis) Chantzis) ithilgore@sock-raw.org
       (http://sock-raw.org)

       Fyodor fyodor@insecure.org (http://insecure.org)

NCRACK COPYRIGHT AND LICENSING
       While it isn't distributed with Nmap, Ncrack is part of the Nmap
       project and falls under the same license and (non) warranty provisions,
       as described at http://nmap.org/book/man-legal.html.

Ncrack                            08/23/2019                         NCRACK(1)