The cybersecurity field has thousands of tools we can use to check the security of our systems. One category of tools we can find is the password crackers. In this group, we can find Ncrack. Ncrack defines itself as a high-speed network authentication cracker.

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, SIP, Redis, PostgreSQL, MySQL, and Telnet.

Let´s try to do a little demo. Previously, we need a few things:

• A remote system to audit. It can be a real system or a virtual machine. In my case, I am going to use a Debian VM with a SSH server installed.
• Ncrack installed in our machine. There are versions available for different systems like Windows, Linux and Mac OS.
• We need two dictionaries. One with a list of users we want to use and, the second one with a list of passwords to use to audit the system.

Firsts thing, let´s try the connectivity with the system we want to audit:

~# ping -c 1 192.168.0.38 PING 192.168.0.38
(192.168.0.38): 56 data bytes
64 bytes from 192.168.0.38: icmp_seq=0 ttl=64 time=0.382 ms

--- 192.168.0.38 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.382/0.382/0.382/0.000 ms

The next step should be to check if the SSH port is available in the remote system. For this purpose, we can use a tool like Nmap.

~# nmap -sV 192.168.0.38
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-25 10:09 GMT
Nmap scan report for 192.168.0.38
Host is up (0.00094s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp open tcpwrapped
110/tcp open tcpwrapped
111/tcp open rpcbind 2-4 (RPC #100000)
143/tcp open tcpwrapped
443/tcp open tcpwrapped
993/tcp open imaps?
995/tcp open pop3s?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds

And, finally, let´s audit our external system using Ncrack. We are going to use a few flags to execute the Ncrack tool:

• -p: Allows us to specify the port we want to audit.
• -U: Allows us to specify a file with the list of users.
• -P: Allows us to specify a file with the list of passwords.

~# ncrack -p 22 -U users.txt -P passwords.txt 192.168.0.38

Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-03-25 10:11 GMT

Discovered credentials for ssh on 192.168.0.38 22/tcp:
192.168.0.38 22/tcp ssh: 'fjavierm' 'pa$w0rd'

Ncrack done: 1 service scanned in 18.02 seconds.
Ncrack finished.

And, let´s double check the credentials are working properly:

~# ssh 192.168.0.38
fjavierm@192.168.0.38's password:

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sat Mar 25 10:07:52 2017 from 192.168.0.15
fjavierm@debian:~$

As we can see, now, we have access to the remote system exploiting a weak password.

There are some countermeasures that we can implement to fix this problem, one of them is to establish a strong password policy.