Ncrack is a network authentication cracking tool designed to identify systems with weak credentials. It is highly flexible and supports popular network protocols, such as FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, and MySQL.

In this recipe, you will learn how to install Ncrack to find systems with weak passwords.

Grab the latest stable version of Ncrack from https://nmap.org/ncrack/. At the moment, the latest version is 0.5:

$wget https://nmap.org/ncrack/dist/ncrack-0.5.tar.gz  

Untar the compressed file and enter the new directory:

$ tar -zxf ncrack-0.5.tar.gz 
$ cd ncrack-0.5  

Configure and build Ncrack with the command:

$./configure && make  

Finally, install it in your system:

#make install  

Now you should be able to use Ncrack anywhere in your system.

To start a basic dictionary attack against a SSH server, use the following command:

$ncrack ssh://<target>:<port>  

Ncrack will use the default settings to attack the SSH server running on the specified IP address and port. This might take some time depending on the network conditions:

   Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-04-03 21:10 EEST  
   Discovered credentials for ssh on 192.168.1.2 22/tcp: 
   192.168.1.2 22/tcp ssh: guest 12345  
   Ncrack done: 1 service scanned in 56 seconds.  
   Ncrack finished. 

In this case, we have successfully found the credentials of the account guest. Someone should have known better that 12345 is not a good password.

Ncrack takes as arguments the hostname or IP address of the target and a service to attack. Targets and services can be defined as follows:

<[service-name]>://<target>:<[port-number]>

The simplest command requires a target and the service specification. Another way of running the scan shown earlier is as follows:

$ncrack 192.168.1.2:22 
   Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-01-03 22:10 EEST  
   Discovered credentials for ssh on 192.168.1.2 22/tcp: 
   192.168.1.2 22/tcp ssh: guest 12345 
   192.168.1.2 22/tcp ssh: admin money$  
   Ncrack done: 1 service scanned in 156.03 seconds.  
   Ncrack finished. 

In this case, Ncrack automatically detected the SSH service based on the port number given in the target and performed a password auditing attack using the default dictionaries shipped with Ncrack. Luckily, this time we found two accounts with weak passwords.

As we have seen Ncrack provides a few different ways of specifying targets, but it takes it to the next level with some interesting features, such as the ability to of pause and resume attacks. We will briefly explore some of its options, but I highly recommend you read the official documentation at https://nmap.org/ncrack/man.html for the full list of options.

Ncrack would not be a good network login cracker without options to tune the authentication process. Ncrack users may use their own username and password lists with the options -U and -P correspondingly if the included lists (inside the directory /lists) are not adequate:

$ ncrack -U <user list file> -P <password list file> <[service-name]>://<target>:<[port-number]>  

Otherwise, we might have a specific username or password we would like to test with the options --user and --pass:

$ ncrack --user <username> <[service-name]>://<target>:<[port-number]>
$ ncrack --pass <password> <[service-name]>://<target>:<[port-number]>  

Ncrack supports resuming incomplete scans with the --resume option. If you had to stop a cracking session, just resume it passing the filename of the previous session:

$ncrack --resume cracking-session <[service-name]>://<target>:<[port-number]>  

If we would like to set the filename of the session, use the --save option:

$ncrack --save cracking-session <[service-name]>://<target>:<[port-number]>