Ncrack 0.5 ( http://ncrack.org )
Usage: ncrack [Options] {target and service specification}

TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iX <inputfilename>: Input from Nmap’s -oX XML output format
-iN <inputfilename>: Input from Nmap’s -oN Normal output format
-iL <inputfilename>: Input from list of hosts/networks
–exclude <host1[,host2][,host3],…>: Exclude hosts/networks
–excludefile <exclude_file>: Exclude list from file

SERVICE SPECIFICATION:
Can pass target specific services in <service>://target (standard) notation or
using -p which will be applied to all hosts in non-standard notation.
Service arguments can be specified to be host-specific, type of service-specific
(-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
-p <service-list>: services will be applied to all non-standard notation hosts
-m <service>:<options>: options will be applied to all services of this type
-g <options>: options will be applied to every service globally

Misc options:
ssl: enable SSL over this service
path <name>: used in modules like HTTP (‘=’ needs escaping if used)

TIMING AND PERFORMANCE:
Options which take <time> are in seconds, unless you append ‘ms’
(miliseconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).
Service-specific options:
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay <time> between each connection initiation
cr (connection retries): caps number of service connection attempts
to (time-out): maximum cracking <time> for service, regardless of success so far
-T<0-5>: Set timing template (higher is faster)
–connection-limit <number>: threshold for total concurrent connections

AUTHENTICATION:
-U <filename>: username file
-P <filename>: password file
–user <username_list>: comma-separated username list
–pass <password_list>: comma-separated password list
–passwords-first: Iterate password list for each username. Default is opposite.
–pairwise: Choose usernames and passwords in pairs.

OUTPUT:
-oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
-oA <basename>: Output in the two major formats at once
-v: Increase verbosity level (use twice or more for greater effect)
-d[level]: Set or increase debugging level (Up to 10 is meaningful)
–nsock-trace <level>: Set nsock trace level (Valid range: 0 – 10)
–log-errors: Log errors/warnings to the normal-format output file
–append-output: Append to rather than clobber specified output files

MISC:
–resume <file>: Continue previously saved session
–save <file>: Save restoration file with specific filename
-f: quit cracking service after one found credential
-6: Enable IPv6 cracking
-sL or –list: only list hosts and services
–datadir <dirname>: Specify custom Ncrack data file location
–proxy <type://proxy:port>: Make connections via socks4, 4a, http.
-V: Print version number
-h: Print this help summary page.

MODULES:
FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, MySQL

EXAMPLES:
ncrack -v –user root localhost:22
ncrack -v -T5 https://192.168.0.1
ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

FTP Module

FTP authentication is quite fast, since there is very little protocol negotiation overhead. Most FTP daemons allow 3 to 6 authentication attempts but usually impose a certain delay before replying with the results of a failed attempt. Filezilla is one of the most characteristic examples of this case, where the time delay is so great, that it is usually faster to open more connections against it, with each of them doing only 1 authentication per connection.

Telnet Module

Telnet daemons have been largely substituded by their safer ‘counterpart’ of SSH. However, there are many boxes, mainly routers or printers, that still rely on Telnet for remote access. Usually these are also easier to crack, since default passwords for them are publicly known. The drawback is that telnet is a rather slow protocol, so you shouldn’t be expecting really high rates against it.

SSH Module

SSH is one of the most prevalent protocols in today’s networks. For this reason, a special library, named opensshlib and based on code from OpenSSH, was specifically built and tailored for Ncrack’s needs. Opensshlib ships in with Ncrack, so SSH support comes out of the box. OpenSSL will have to be installed in Unix systems though. Windows OpenSSL dlls are included in Ncrack, so Windows users shouldn’t be worrying about it at all.SSH bruteforcing holds many pitfalls and challenges, and you are well advised to read a paper that was written to explain them.

The latest version of the “Hacking the OpenSSH library for Ncrack” document can be found under docs/openssh_library.txt or at http://sock-raw.org/papers/openssh_library

HTTP(S) Module

The HTTP Module currently supports basic and digest authentication. Ncrack tries to use the “Keepalive” HTTP option, whenever possible, which leads to really high speeds, since that allows dozens of attempts to be carried out per connection. The HTTP module can also be called over SSL.

SMB Module

The SMB module currently works over raw TCP. NetBIOS isn’t supported yet. This protocol allows for high parallelization, so users could potentially increase the number of concurrent probes against it. SMB is frequently used for file-sharing among other things and is one of the most ubiquitous protocols, being present in both Unix and Windows environments.

RDP Module

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft for the purpose of providing remote terminal services by transfering graphics display information from the remote computer to the user and transporting input commands from the user to the remote computer.

Fortunately, Microsoft recently decided to open the protocol’s internal workings to the public and has provided official documentation, which can be found at  http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspxRDP is one of the most complex protocols, requiring the exchange of many packets, even for just the authentication phase.

For this reason, cracking it takes a lot of time and this is probably the slowest module. The connection phase is briefly described at http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can also see a diagram of the various packets involved.

Care must be taken against RDP servers in Windows XP versions, since they can’t handle multiple connections at the same time. It is advised to use a very slow timing template or even better limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and above don’t suffer from the same limitation.

VNC Module

The VNC protocol has known widespread usage among Unix administrators and users for remote graphical access. VNC is perhaps one of the most vulnerable protocols in terms of brute-forcing, since it often requires a password without a corresponding username for authentication. In addition, some versions of VNC impose an 8-character limit in password length. You should consider adding the --passwords-first option when cracking VNC systems to exploit the fact that the username often has no actual importance in authentication.

POP3(S) Module

POP3 support is still experimental and hasn’t been thoroughly tested. You can expect it to work against common mail servers, nevertheless.

SIP Module

The Session Initiation Protocol is a text-based protocol, very similar to HTTP in its structure. The most common application of SIP is in Internet telephony for voice and video calls. Nearly all enterprises have infrastructure that supports conference calls and part of them are based on SIP, making the authentication part a significant threat vector.

Redis Module

Redis is one of the most widely used caching servers and the most popular NoSQL database. Despite its reputation, the authentication mechanism is very simple, only allowing for a password to protect remote access to the service. Due to the high performance of Redis and the fact that only 2 packets are needed for the authentication phase, Ncrack can try a lot of passwords in parallel ( http://redis.io/commands/AUTH). Specifying a username list or single username will have no effect in this module, since Redis only deals with passwords.

PostgreSQL Module

PostgreSQL is often used as a backend database. The PostgreSQL module supports md5 authentication, which is the most frequent password authentication method.

MySQL Module

The MySQL module supports native authentication.