Comprehensive Guide on Ncrack – A Brute Forcing Tool

In this article we will be exploring network authentication cracking with Ncrack. Security professionals depend on Ncrack while auditing their clients' networks. The tool is very simple, yet robust in what it offers a penetration tester. It was designed to help companies secure their networks by checking all of their hosts and networking devices for weak passwords.

Table of Contents

Introduction to Ncrack

  • Exploring Modules

Authentication Phase

  • Basic Attack
  • Dictionary Attack
  • Brute Force Attack
  • Pairwise Attack

Misc Phase

  • Resume the Attack
  • Stop on Success
  • Obtain Result in List Format

Output Format

  • Normal text File
  • All Format At Once
  • Append output
  • Nsock Trace

Timing and Performance

  • Timing Templates
  • Service-Specific Options

Target Specification

  • Input from Nmap’s XML
  • Input from Text file
  • Exclude Host from List 

Introduction to Ncrack

Ncrack is a network authentication cracking tool; it helps pentesters find out how vulnerable the credentials protecting access to a network are. The tool is part of the Kali Linux arsenal and comes preinstalled. It also has the ability to attack multiple targets at once, which is not seen very often in such tools.

Ncrack can be started by typing “ncrack” in the terminal. Running it without arguments shows all the options the tool provides.

syntax: ncrack [Options] {target:service specification/port number}

Exploring Modules

Ncrack is a very versatile tool; it has modules to test most of the popular forms of network authentication. We can see this by listing the modules.

Authentication Phase

Basic Attack

We have defined this attack as basic because at this stage we only know that port 21 is open for the FTP service on the victim’s machine. So, with the help of the following command, we will try to find possible FTP login credentials.

On executing the above command it tries to crack the password for the anonymous login account, as shown in the image below.

Dictionary Attack

Suppose you want to obtain the correct login credentials for a service such as FTP, SSH or HTTP and you are in one of the following situations:

Situation 1: You know only the username but not the password

Situation 2: You do not know the username but know the password

Situation 3: You have neither the username nor the password

In such situations you should use a wordlist dictionary, and then run the corresponding ncrack command:

Brute Force Attack

Now, whenever you find yourself in one of the following situations:

Situation 1: You have a close guess at a few usernames and passwords for a host:service and do not want to use a dictionary. Then you can go with the following command, which reduces the effort of guessing the true credentials.

Situation 2: You have a close guess at the usernames and passwords, but there are multiple hosts in the network, and guessing valid logins for each destination machine is a time-consuming process.

Again, with the help of the following ncrack command, you will be able to crack valid logins for any host present in the network.

Pairwise Attack

Ncrack lets us choose sets of credentials, pairing them by row and column index, which means the 1st username from the user.txt file is paired with the 1st password from the pass.txt file, and so on.

If you do not supply a dictionary, ncrack uses its default lists for pairing passwords with the anonymous login.

From the image below you can observe that we made a successful FTP login with the help of the paired password matthew.

Misc Phase

Resume the Attack

This is probably the feature that takes the cake. We all know how frustrating a lost connection or any other technical interruption can be during testing; this is where Ncrack is a blessing. If your attack gets interrupted, you can pick it up right where you left off.

Stop on Success

As you have seen in the attack above, ncrack keeps cracking the service until it has found all possible logins. If you want the attack to stop cracking a service after finding one valid credential, add the -f option to the ncrack command.

Obtain Result in List Format

It always matters how you maintain your penetration testing report and present its results. Sometimes it is quite hectic to arrange the results in a polished form, especially when you have to test multiple host machines. To tidy up such a hotchpotch, ncrack offers the -sL option, which generates the results in list format.

Output Format

Normal text File

If you want to store ncrack's output in text or XML format, you can use the -oN option to save the results in a text file with the command below, and later use the cat command to read the information saved in that file.

Or you can switch to the -oX option to save the output in XML format.

All Format At Once

Suppose you want to store ncrack's output in both formats (.txt, .xml); then you can choose the -oA option when executing the command.

As you can observe, it has stored the result in two formats, as “output.ncrack” and “output.xml”.

Append output

If the testing is being done in iterations, Ncrack gives us the option to append the output to an existing file with ease.

As you can observe, when we cracked the ftp service on host 192.168.0.106 it gave ignite:123 as the login credential, which I had saved in a text file.

Then, on cracking the SMB service on host 192.168.0.105, it gave msfadmin:msfadmin as the login credential, and here I appended the output to the previous text file.

Conclusion: by reading the normal.txt file we get both results in one place rather than clobbering the specified output file.
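The appended normal.txt from the two runs above is exactly the kind of file an auditor has to turn into a findings table. The following is an added example for this article, not code from the page or from the Ncrack project: it assumes the one-line-per-credential layout of Ncrack's normal (-oN) output (matched by CRED_RE), de-duplicates findings that appear twice when the same run is appended again, masks the password so the report can go into a ticket, and groups the weak credentials by host. The sample file content is constructed from the hosts and credentials mentioned in the article.

```python
"""Collect Ncrack findings from an appended normal-output file into a report.

Added example; not code from the article or from Ncrack. Assumes the
"host port/proto service: 'user' 'password'" line layout of normal output.
"""
import re
from collections import defaultdict

# Constructed sample: normal.txt after two runs with --append-output, plus a
# repeated run so the de-duplication is exercised. Banner/footer lines are
# filler that the parser ignores.
SAMPLE_NORMAL_TXT = """\
Starting Ncrack ( constructed banner line )

Discovered credentials for ftp on 192.168.0.106 21/tcp:
192.168.0.106 21/tcp ftp: 'ignite' '123'

Ncrack done: 1 service scanned in 3.00 seconds.

Starting Ncrack ( constructed banner line )

Discovered credentials for smb on 192.168.0.105 445/tcp:
192.168.0.105 445/tcp smb: 'msfadmin' 'msfadmin'

Ncrack done: 1 service scanned in 4.00 seconds.

Discovered credentials for ftp on 192.168.0.106 21/tcp:
192.168.0.106 21/tcp ftp: 'ignite' '123'
"""

# host port/proto service: 'user' 'password'
CRED_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<service>\S+):\s+"
    r"'(?P<user>[^']*)'\s+'(?P<password>[^']*)'\s*$"
)


def parse_ncrack_normal(text):
    """Return the unique (host, port, service, user, password) findings, in file order."""
    seen = set()
    findings = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        key = (m["host"], int(m["port"]), m["service"], m["user"], m["password"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(key)
    return findings


def mask_secret(secret):
    """Keep only the first character so the report does not carry the password itself."""
    if not secret:
        return "(empty)"
    return secret[0] + "*" * (len(secret) - 1)


def group_by_host(findings):
    """host -> list of (port, service, user), for a per-host section of the report."""
    grouped = defaultdict(list)
    for host, port, service, user, _password in findings:
        grouped[host].append((port, service, user))
    return dict(grouped)


def render_report(findings):
    """One tab-separated line per weak credential, password masked, sorted by host then port."""
    lines = []
    for host, port, service, user, password in sorted(findings):
        lines.append(f"{host}\t{port}/{service}\t{user}\t{mask_secret(password)}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_ncrack_normal(SAMPLE_NORMAL_TXT)
    print(render_report(found))
```

Because the parser keys on the credential line alone, it does not care how many "Starting Ncrack" / "Ncrack done" blocks were appended, which is what makes the append workflow described above safe to feed into a report.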

Nsock Trace

Ncrack lets us run an nsock trace on our target while attacking it; we can set the trace level anywhere from 0 to 10 depending on our objective. The output from this operation is quite large.

We weren’t kidding when we said the output is large!

Timing and Performance

Timing Templates

Timing templates in ncrack are specified with -T<0-5>, with -T0 the slowest and -T5 the fastest. By default all ncrack scans run with the -T3 timing template. Timing templates are used to tune the speed and reliability of a scan to get the desired results.

  • T5: Insane Scan
  • T4: Aggressive Scan
  • T3: Normal Scan
  • T2: Polite Scan
  • T1: Sneaky Scan

As you can observe from the image below, it took 187.57 seconds; for this reason T0 and T1 are used to evade firewalls and IDS/IPS.

On executing the above commands you can compare the completion time in both results: it took 15.01 seconds with T5 and 24.00 seconds with the default (T3).

Service-Specific Options

  • cl (min connection limit): minimum number of concurrent parallel connections
  • CL (max connection limit): maximum number of concurrent parallel connections
  • at (authentication tries): authentication attempts per connection
  • cd (connection delay): delay <time> between each connection initiation
  • cr (connection retries): caps the number of service connection attempts
  • to (time-out): maximum cracking <time> for a service, regardless of success so far

You can use the above options while testing a whole network for a particular service.
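The timing templates and the cd (connection delay) option above decide how spread out the login attempts are, which is exactly what a monitoring rule has to cope with: a -T5 run produces a burst, a -T1 or cd-delayed run trickles in. The following is an added example for this article (not code from the page or from Ncrack) showing the detection side: a sliding-window counter over FTP login failures per source address. The log line format is constructed for the example (ISO-8601 timestamp, "FAIL LOGIN"/"OK LOGIN", user, client address), and the two sources mimic the same 20 attempts delivered fast and slowly; the comparison shows why a short alerting window misses the slow run and a longer one does not.

```python
"""Spot password guessing against an FTP service from its login failures.

Added example; not code from the article or from Ncrack. The log format,
sample lines and threshold values are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) FAIL LOGIN user=(?P<user>\S+) client=(?P<ip>\S+)$")


def constructed_failures(start, ip, count, gap_seconds):
    """Build `count` failure lines from `ip`, `gap_seconds` apart (constructed data)."""
    return [
        f"{(start + timedelta(seconds=i * gap_seconds)).isoformat(timespec='seconds')} "
        f"FAIL LOGIN user=ignite client={ip}"
        for i in range(count)
    ]


START = datetime(2019, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    constructed_failures(START, "192.168.0.10", 20, 1)    # burst: 20 failures in 19 s
    + constructed_failures(START, "192.168.0.20", 20, 15)  # trickle: 20 failures over 285 s
    + ["2019-01-01T10:00:05 OK LOGIN user=ignite client=192.168.0.30"]  # not a failure
)


def parse_failures(lines):
    """ip -> sorted list of failure timestamps; lines that are not failures are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    return {ip: sorted(ts) for ip, ts in events.items()}


def max_failures_in_window(times, window_seconds):
    """Largest number of failures (sorted `times`) inside any window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, window_seconds, threshold):
    """Return {ip: peak failure count} for sources that reach `threshold` in one window."""
    flagged = {}
    for ip, times in parse_failures(lines).items():
        peak = max_failures_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # A 60 s window catches only the burst; a 600 s window catches both sources.
    print("60 s window :", detect_bruteforce(SAMPLE_LOG, 60, 10))
    print("600 s window:", detect_bruteforce(SAMPLE_LOG, 600, 10))
```

The slow source places only five failures in any 60-second window, so a rule tuned for bursts never fires on it; widening the window (or keeping a per-source running count across windows) is what makes the T0/T1 style of run visible.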

Target Specification

Input from Nmap’s XML

You may be aware of the Nmap tool and its functionality. Suppose that while scanning a network with nmap you stored its results in XML format; then you can use ncrack's -iX option to crack the running services from that XML file.

As you can observe from the image, ncrack itself cracked the FTP password without any service or port being specified in the command.

Input from Text file

Executing the command again and again for multiple hosts takes time; instead, you can place all host IPs in a text file and then use it for cracking any particular service.

Exclude Host from List

Suppose you are using a list that contains multiple IPs or a range of IPs and you do not want to crack a service on a specific IP; then you can use the --exclude option to eliminate that particular IP from the list of hosts.

As you can observe, this time it did not crack 192.168.0.106 and showed results for the remaining IPs.
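What -iX and --exclude do together is reduce an Nmap scan to the list of authentication services that will actually be tested, and that same list is what a defender wants as an inventory of exposed logins to harden or monitor. The following is an added example for this article (not code from the page, Nmap or Ncrack) that reads the nmaprun XML `nmap -oX` writes (the sample is constructed), keeps only open ports whose service has an Ncrack module (the SERVICE_MODULES map is this example's assumption), and drops hosts matching an exclusion list of addresses or CIDR ranges. The "module://host:port" output is one of the target forms Ncrack accepts.

```python
"""Turn an Nmap XML scan into a per-service target inventory, honouring exclusions.

Added example; not code from the article, Nmap or Ncrack. SAMPLE_NMAP_XML is
constructed and SERVICE_MODULES is an assumed name mapping.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.0.105" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.0.107" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Nmap service name -> Ncrack module name (assumed mapping for this example).
SERVICE_MODULES = {
    "ftp": "ftp", "ssh": "ssh", "telnet": "telnet", "http": "http",
    "microsoft-ds": "smb", "ms-wbt-server": "rdp",
}


def parse_exclusions(exclude):
    """Accept plain addresses or CIDR ranges, the way --exclude takes them."""
    return [ipaddress.ip_network(item, strict=False) for item in exclude]


def is_excluded(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def targets_from_nmap_xml(xml_text, exclude=()):
    """Return ["ssh://192.168.0.105:22", ...] in scan order: up hosts, open ports only."""
    networks = parse_exclusions(exclude)
    targets = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth listing
        address = host.find("address[@addrtype='ipv4']")
        if address is None or is_excluded(address.get("addr"), networks):
            continue
        addr = address.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            module = SERVICE_MODULES.get(service.get("name"))
            if module:  # skip services Ncrack has no module for
                targets.append(f"{module}://{addr}:{port.get('portid')}")
    return targets


if __name__ == "__main__":
    for spec in targets_from_nmap_xml(SAMPLE_NMAP_XML, exclude=["192.168.0.106"]):
        print(spec)
```

Excluding a single address is handled as a /32 network, so the same code path covers the "range of IPs" case from the paragraph above by passing a CIDR string instead.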

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Comprehensive Guide on Dymerge

Hello friends! This article is a comprehensive guide to the Dymerge tool. This is a handy little tool that helps you manage all the dictionaries you have created while reading through our blog and using the tools we have written about.

Table of Contents

  • What is Dymerge
  • Installing and Launching Dymerge
  • Standard Merge
  • Fast Mode
  • Removing Duplicates
  • Reverse Listing
  • Alphabetic and Numeric Sorting
  • Defining Output
  • Including Characters
  • Compressing Output

Introduction to Dymerge

Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean it lets you reshape and merge them. Reshaping and merging may seem trivial, but considering that you could be dealing with millions of words, even the smallest operation can turn into a mammoth and complicated task.

Installing and Launching Dymerge

We can install Dymerge from GitHub and launch it in two simple commands. We have used the “-h” flag to display the various options Dymerge has to offer.

Standard Merge

We hope you have a few dictionaries handy to follow along. This is a standard merge where we specify the paths to 2 different dictionaries and Dymerge combines them.

To avoid any confusion, the command is “./dymerge.py” followed by the path of the first dictionary, then a space and the path to the second dictionary. By default the output is written to a file named “dymerged.txt”.

Fast Mode

Arguably, if the dictionaries are very large, performing any operation on them will take time. The author of Dymerge thought of this conundrum and gave us a way to speed up the process by using the “-f” flag.

Removing Duplicates

A lot of dictionary-making software follows the same logic, so there are bound to be similar words from time to time. Dymerge gives us the option to remove duplicate words from dictionaries while combining them. To achieve this, we will be using the “-u” flag.

Reverse Listing

Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge; this means that the first word in the new dictionary will be the last word of the second dictionary.

Alphabetic and Numeric Sorting

This option lets us sort words alphabetically; it also sorts numbers following the progression of a number line from left to right when merging 2 dictionaries into 1. We will be using the “-s” flag to perform this operation.

Defining Output

So far we have been letting Dymerge save the output using its default settings; this time we will define the file name and destination of the output by using the “-o” flag.

Including Characters

In case we find that we need something specific added to the dictionary, we can use the “-I” flag. Any characters placed after the include flag are added to the dictionary.

And here we see “raj” being added to the dictionary.

Compressing Output

Dictionaries can be pretty big in size, especially when you’re talking about a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress our output using the “-z” flag.
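The operations walked through above (standard merge, unique, reverse, sort, include, output and compress) are small list transformations whose combined effect is easier to see on a tiny input than on a million-line file. The following is an added example for this article and is not Dymerge's code: it reimplements those operations in plain Python over two constructed dictionaries so their ordering is explicit. The sort order used (numbers first, along a number line, then words alphabetically) is this example's own choice, not a claim about Dymerge's exact ordering, and the "fast mode" flag has no counterpart here.

```python
"""Merge, de-duplicate, sort, reverse, extend and compress wordlists.

Added example; not Dymerge's code. DICT_A and DICT_B are constructed inputs.
"""
import gzip
import os
import tempfile

# Constructed inputs standing in for two small dictionaries.
DICT_A = ["admin", "raj", "123", "Password"]
DICT_B = ["raj", "password", "45", "admin"]


def sort_key(word):
    """Pure numbers sort numerically ahead of everything else; the rest sort alphabetically."""
    if word.isdigit():
        return (0, int(word), word)
    return (1, 0, word)


def merge_wordlists(lists, unique=False, sort=False, reverse=False, include=()):
    """Concatenate the lists in the order given, then apply the requested reshaping."""
    words = [w for lst in lists for w in lst] + list(include)  # include == -I
    if unique:  # -u: keep the first occurrence so the order stays predictable
        words = list(dict.fromkeys(words))
    if sort:  # -s
        words.sort(key=sort_key)
    if reverse:  # first word of the result is the last word of the last list
        words.reverse()
    return words


def write_wordlist(words, path, compress=False):
    """Write one word per line; gzip the file when compress is requested (-z). Returns size."""
    data = ("\n".join(words) + "\n").encode()
    if compress:
        with gzip.open(path, "wb") as fh:
            fh.write(data)
    else:
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.getsize(path)


def read_wordlist(path):
    """Read back a plain or gzip-compressed list written by write_wordlist."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read().decode().splitlines()


def roundtrip(words, compress):
    """Write and re-read a list through a temp file; returns (words_read, size_in_bytes)."""
    suffix = ".txt.gz" if compress else ".txt"
    fd, path = tempfile.mkstemp(suffix=suffix)
    os.close(fd)
    try:
        size = write_wordlist(words, path, compress=compress)
        return read_wordlist(path), size
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(merge_wordlists([DICT_A, DICT_B]))
    print(merge_wordlists([DICT_A, DICT_B], unique=True, sort=True, include=["ignite"]))
    print(merge_wordlists([DICT_A, DICT_B], reverse=True))
    print(roundtrip(merge_wordlists([DICT_A, DICT_B], unique=True), compress=True))
```

Note that the de-duplication is case-sensitive ("Password" and "password" both survive), which is also why a sorted output puts upper-case entries before lower-case ones: that is plain byte-order sorting, and a case-folded key would be the change to make if you want the two grouped.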

All said and done, this is a pretty neat little tool to use when you are dealing with multiple dictionaries and need something to bring a little order. The functions it performs may seem simple on the face of it but are without a doubt very useful.

Stay tuned for more articles on the latest and greatest in hacking.


Comprehensive Guide on Pydictor – A wordlist Generating Tool

In this article we will explore another dictionary-building tool, “Pydictor”. These tools are always fun to work with, and this is another robust tool, perfect for generating custom dictionaries. What stands out most about this tool is the customization it offers, from the most common options to the advanced ones.

Table of Contents

  • What is Pydictor
  • Installation
  • Numeric Dictionary
  • Lower Case Alphabet Dictionary
  • Upper Case Alphabet Dictionary
  • Numeral Coupled With Upper Case Alphabet
  • Upper Case Coupled With Lower Case Alphabet
  • Numeral Coupled With Lower Case Alphabet
  • Combining Upper Case, Lower Case and Numeral
  • Adding Static Head
  • Adding Static Tail
  • Encoding
  • Character Permutation
  • Multiple Character Group Permutation
  • Social Engineering Dictionary
  • Customizing the Social Engineering Dictionary
  • Manipulating Dictionary Complexity Filter
  • Using Plugin
  • Leet Function

What is Pydictor

Pydictor is one of those tools that both novices and pros can appreciate. It is a dictionary-building tool that is great to have in your arsenal for password strength tests. The tool offers a plethora of features that can be used to create the perfect dictionary for pretty much any testing situation.

Installation

Let’s get cracking. The first thing we do is download Pydictor from GitHub and run it using Python. When the tool is executed, it prints its usage so the optional arguments can be seen.

Numeric Dictionary

We begin by exploring the option to create a numeric or, as the tool describes it, digital dictionary. Let’s start by keeping it simple: only 5 characters long and limited to 0 – 5. We will be using the “-base” option to accomplish this.

The output is saved by default, but in this case we will be saving it to “dict.txt”. The storage location is printed after each execution. The “cat” command is used to view the output in the terminal.

Lower Case Alphabet Dictionary

We will be making a dictionary that only holds lower case letters; the word length remains 5 characters.

Upper Case Alphabet Dictionary

We will now generate a dictionary with all the same metrics as earlier with the exception of changing the base option to upper case alphabets.

The result is shown below.

Numeric Coupled With Upper Case Alphabet

The base options in Pydictor can be used in conjunction with each other; in this instance we will be coupling numerals (d) and upper case letters (c). Let’s see what kind of output we get.

Upper Case Coupled With Lower Case Alphabet

This time it’s going to be both upper and lower case alphabets together.

Numeral Coupled With Lower Case Alphabet

Let’s see what we get when we couple numerals with lower case alphabets.

Combining Upper Case, Lower Case and Numeral

Now let’s combine all 3 of the options that we have been playing with: upper case, lower case and numerals. To keep the output short we will limit the word length to 3 characters.

Adding Static Head

We will now be adding a static head to all the words; note that the head is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static head in front of all the numerals.

Adding Static Tail

We will now be adding a static tail to all the words; note that, as mentioned in the instance above, the tail is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static tail at the end of all the numerals.

Encoding

Pydictor has an encode function that we can use to encode the words in the dictionary.

It gives us the option to choose from popular encoding, encryption and hashing algorithms such as Base64, DES, AES, MD5, SHA256, etc. In this instance we will be using Base64 to encode the numerals.

In the interest of thoroughness, we will first generate the numerals without encoding and then with encoding.

Now we see what the Base64 encoded output looks like.

Character Permutation

We can ask for permutations of a single word: Pydictor lets us choose a word and churn out as many permutations of it as possible.

Multiple Character Group Permutation

We’ll take Pydictor’s permutation prowess one step further by using the “-chunk” option.

This time we will give it multiple groups of characters, which it will take and churn out as many permutations of as possible. It begins subtly by manipulating just one group and then gradually moves on to the others. Notice the progression in the screenshot below.

Social Engineering Dictionary

Pydictor comes with a built-in social engineering dictionary builder that lets testers input information from profiling an individual to get a custom-tailored dictionary. We run “help desc” within the social engineering dictionary builder to see the various defaults it has to offer.

Customizing the Social Engineering Dictionary

“show option” is used within the social engineering dictionary builder to view the vectors that can be set from profiling a target to generate a target-specific dictionary. In this instance we will only be inputting the name, birth date, email and phone number. The vectors are set using the “set” command.

Let’s see what our social engineering dictionary output looks like.

Manipulating Dictionary Complexity Filter

We will be doing two things in this instance: extending a dictionary based on a rule, and separating out the words filtered according to complexity level. The complexity level is 3 by default; we will take it up a notch by setting it to 4. The character length is set to a minimum of 1 and a maximum of 6.

We view the latter part of the output.

Using Plugin

Pydictor has plugins built in by default; we will be using a plugin that bases its generation on the last 6 digits of a Chinese resident ID card number. We will filter the output using the “-occur” option. The occur option takes three values, for letters, numerals and special characters, in that order. We will only be looking for results in which numerals occur 4 times or more in a single string.

Leet Function

The leet function can selectively substitute numerals or special characters in place of letters; to illustrate, leet turns into L331. We will be using the leet function in conjunction with the occur option and the extend function.

This is a more complex ask than we have made of Pydictor in our earlier instances; let’s see what our output looks like.
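The complexity filter, the -occur rule and the leet substitution described in the last three sections have a direct counterpart on the password-audit side, which is where a defender meets the same ideas: a policy that counts character classes, a rule on how many digits or specials a password must carry, and, since leet spelling is what tools like this generate, a check that undoes the substitutions so that a candidate like "P4ssw0rd" is still recognised as the banned word "password". The following is an added example for this article and is not Pydictor's code; the complexity "level" (number of distinct character classes), the occur model (minimum counts per class) and the leet table are this example's own assumed definitions, not Pydictor's exact rules.

```python
"""Audit-side counterpart to a complexity filter, an occur rule and leet substitution.

Added example; not Pydictor's code. Definitions of level, occur and the leet
table are assumptions of this example.
"""
import itertools
import string

# Assumed leet table in the "undo" direction: substitute -> letters it may stand for.
UNLEET = {"4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "0": "o", "5": "s", "$": "s", "7": "t"}


def complexity_level(word):
    """Number of character classes present: lower, upper, digit, special (0-4)."""
    classes = (
        any(c.islower() for c in word),
        any(c.isupper() for c in word),
        any(c.isdigit() for c in word),
        any(c in string.punctuation for c in word),
    )
    return sum(classes)


def filter_by_complexity(words, level, min_len, max_len):
    """Keep words of length min_len..max_len whose complexity is at least `level`."""
    return [w for w in words if min_len <= len(w) <= max_len and complexity_level(w) >= level]


def occur_ok(word, min_letters=0, min_digits=0, min_specials=0):
    """Model of an occur rule: at least this many letters, digits and specials."""
    letters = sum(c.isalpha() for c in word)
    digits = sum(c.isdigit() for c in word)
    specials = sum(c in string.punctuation for c in word)
    return letters >= min_letters and digits >= min_digits and specials >= min_specials


def leet_candidates(word, limit=256):
    """Every plain-letter reading of `word` under UNLEET (at most `limit`), lower-cased."""
    options = [UNLEET.get(c, c) for c in word.lower()]  # each entry is a string of choices
    out = set()
    for combo in itertools.product(*options):
        out.add("".join(combo))
        if len(out) >= limit:  # bound the expansion for pathological inputs
            break
    return out


def is_weak(password, banned_words):
    """Reject a password that is, or de-leets to, a banned dictionary word."""
    return any(candidate in banned_words for candidate in leet_candidates(password))


if __name__ == "__main__":
    sample = ["a", "Ab1!xy", "Ab1!xyz", "abcdef", "P4ssw0rd"]
    print(filter_by_complexity(sample, level=4, min_len=1, max_len=6))
    print([w for w in ["ab1234", "ab123"] if occur_ok(w, min_digits=4)])
    print(is_weak("P4ssw0rd", {"password"}), is_weak("Tr0ub4dor", {"password"}))
```

Because "1" can stand for either "i" or "l", leet_candidates returns every reading rather than guessing one; the banned-word check is a set membership test on each, so the ambiguity costs nothing in correctness and very little in time for realistic password lengths.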

We hope you enjoyed our little walkthrough of Pydictor. As mentioned earlier, dictionary generators are always a handy thing to have in your arsenal of pentesting tools. This tool gives the user a lot of advanced options, which can be a bit overwhelming unless the user has a very clear picture of what they want out of it.

Don’t be afraid of taking Pydictor for a spin and see what more you can derive out of it.


Comprehensive Guide on Cupp – A wordlist Generating Tool

Hello Friends!! Today we are going to explore the functions of Cupp, an authoritative tool that creates a wordlist tailored to a particular person, which can be used in a brute force attack for guessing login credentials.

Table of Contents

  • Introduction to Cupp
  • How Cupp Works
  • Getting Started
  • Generating Custom Dictionary
  • Adding to Custom Dictionary
  • Downloading Dictionaries from Cupp Repository 
  • Downloading Default Usernames and Passwords
  • Quiet Mode

Introduction to Cupp

Cupp stands for Common User Passwords Profiler. This tool can be used in many circumstances, such as licensed penetration tests or forensic crime investigations. CUPP is cross-platform and written in Python; its operation is simple, but with very powerful results. This application is a social engineer's best friend when it comes to creating targeted password dictionaries that are tailored to an individual.

How Cupp Works

Cupp takes vectors from the profiling done for an individual, such as their nickname, pet’s name, child’s birthdate, etc. It works on the principle that a password is, more often than not, a combination of things known to an individual. These known things are often personal details that are very close to the person’s heart.

In cases where a person uses special notation in place of letters (e.g. leet can be written as 133t), Cupp has you covered.

Installation and Configuration

Cupp can be downloaded from GitHub using the “git clone” command. Within the downloaded Cupp folder, run the “cupp.py” file. Once the file is run, the program shows you the various options it has to offer.

Optional Arguments:

-i      Interactive questions for user password profiling

-w FILENAME      Use this option to profile existing dictionary,

-l      Download huge wordlists from repository

-a      Parse default usernames and passwords directly from Alecto DB.

Project Alecto uses purified databases of Phenoelit and CIRT which merged and enhanced.

-v      Version of the program

Generating Custom Dictionary

Now it’s time to have some fun!

We will be using the interactive option to generate the custom dictionary. You will see that we have the option to input details such as a pet’s name, child’s name, partner's nickname, etc. All these things are highly personal, and it is very common to find them in a password, one way or another.

There is also an option to add specific keywords, special characters and random numbers. Apart from all this, there is the option to activate Leet mode, which will make the generated dictionary extremely effective.

That’s all, the dictionary now gets made and saved.

Adding to Custom Dictionary

Cupp gives us the option to add more words to the dictionary we created. We can customize the kind of words we would like to add by using the provided options.

Now that we have successfully executed the command, let’s traverse to the location to check whether the output has been saved to the file or not. In this case the location of our output is /root/cupp /raj.txt.cupp.txt

Downloading Dictionaries from Cupp Repository 

Cupp has its own repository of pre-classified dictionaries. These dictionaries can be downloaded and used. The downloaded files are compressed and have to be uncompressed to be viewed.

Enter the number next to a name to select the dictionary you want to download; we pressed 16 and downloaded a dictionary of Hindi names to view.

Downloading Default Usernames and Passwords

Cupp can download premade dictionaries holding the most common usernames and passwords from the Project Alecto database.

Quiet Mode

Quiet mode is for running Cupp in a more hush-hush way. If you are the kind of person who does not want a big banner on the screen showing everyone what you are doing, you will like this option. It makes for a cleaner screen while Cupp carries out the commands you give it, without the funny cow popping up on top.

We are going to couple the quiet mode option with the dictionary download option that we demonstrated above.

We hope you enjoyed this basic walkthrough of the Cupp application. It is a very handy and easy to use tool when it comes to making custom dictionaries. Go ahead and see if it can guess your password.
