Ncrack

What is Ncrack?

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

To learn more about the Ncrack scanner itself visit Ncrack GitHub or Ncrack Website.

Deployment

The ncrack chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)
helm upgrade --install ncrack secureCodeBox/ncrack

Scanner Configuration

The following security scan configuration example are based on the Ncrack Documentation, please take a look at the original documentation for more configuration examples.

This options summary is printed when Ncrack is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual.

Ncrack 0.7 ( http://ncrack.org )
Usage: ncrack [Options] {target and service specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iX <inputfilename>: Input from Nmap's -oX XML output format
  -iN <inputfilename>: Input from Nmap's -oN Normal output format
  -iL <inputfilename>: Input from list of hosts/networks
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
SERVICE SPECIFICATION:
  Can pass target specific services in <service>://target (standard) notation or
  using -p which will be applied to all hosts in non-standard notation.
  Service arguments can be specified to be host-specific, type of service-specific
  (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
  Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
  -p <service-list>: services will be applied to all non-standard notation hosts
  -m <service>:<options>: options will be applied to all services of this type
  -g <options>: options will be applied to every service globally
  Misc options:
    ssl: enable SSL over this service
    path <name>: used in modules like HTTP ('=' needs escaping if used)
    db <name>: used in modules like MongoDB to specify the database
    domain <name>: used in modules like WinRM to specify the domain
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, unless you append 'ms'
  (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  Service-specific options:
    cl (min connection limit): minimum number of concurrent parallel connections
    CL (max connection limit): maximum number of concurrent parallel connections
    at (authentication tries): authentication attempts per connection
    cd (connection delay): delay <time> between each connection initiation
    cr (connection retries): caps number of service connection attempts
    to (time-out): maximum cracking <time> for service, regardless of success so far
  -T<0-5>: Set timing template (higher is faster)
  --connection-limit <number>: threshold for total concurrent connections
  --stealthy-linear: try credentials using only one connection against each specified host
    until you hit the same host again. Overrides all other timing options.
AUTHENTICATION:
  -U <filename>: username file
  -P <filename>: password file
  --user <username_list>: comma-separated username list
  --pass <password_list>: comma-separated password list
  --passwords-first: Iterate password list for each username. Default is opposite.
  --pairwise: Choose usernames and passwords in pairs.
OUTPUT:
  -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
  -oA <basename>: Output in the two major formats at once
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 10 is meaningful)
  --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
MISC:
  --resume <file>: Continue previously saved session
  --save <file>: Save restoration file with specific filename
  -f: quit cracking service after one found credential
  -6: Enable IPv6 cracking
  -sL or --list: only list hosts and services
  --datadir <dirname>: Specify custom Ncrack data file location
  --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
  -V: Print version number
  -h: Print this help summary page.
MODULES:
  SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM
EXAMPLES:
  ncrack -v --user root localhost:22
  ncrack -v -T5 https://192.168.0.1
  ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

Requirements

Kubernetes: >=v1.11.0-0

Additional Chart Configurations

Ncrack Deployment & Configuration

Password encryption

Because Ncrack findings are very sensitive, you probably don't want every secureCodeBox user to see them. In order to address this issue we provide an option that lets you encrypt found passwords with public key crypto. Just generate a key pair with openssl:

openssl genrsa -out key.pem 2048
openssl rsa -in key.pem -outform PEM -pubout -out public.pem

After you created the public key file you have to create a kubernetes secret from that file:

  kubectl create secret generic --from-file="public.key=public.pem" <ncrack-secret-name>

Now you only need to set the value encryptPasswords.existingSecret to the secrets name when installing the scanner

  helm upgrade --install ncrack secureCodeBox/ncrack --set="encryptPasswords.existingSecret=<ncrack-secret-name>"

To decrypt a password from a finding use:

base64 encryptedPassword -d | openssl pkeyutl -decrypt -inkey key.pem -out decryptedPassword.txt

Setup with custom files:

If you want to use your own files within the Ncrack scan, you have to create a secret first:

kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists

IMPORTANT: Use an extra empty line at the end of your files, otherwise the last letter of the last line will be omitted (due to a bug in k8)

Now we created a secret named "ncrack-lists". Before we can use the files, we have to install the Ncrack ScanType:

cat <<EOF | helm upgrade --install ncrack secureCodeBox/ncrack --values -
scanner:
  extraVolumes:
    - name: ncrack-lists
      secret:
        secretName: ncrack-lists
  extraVolumeMounts:
    - name: ncrack-lists
      mountPath: "/ncrack/"
EOF

This enables us now to refer to our files via /ncrack/<file> in the scan.yaml.

For a full example on how to configure Ncrack with your custom files against a ssh service, see the "dummy-ssh" example.

Basic setup (no files can be mounted):

The Ncrack ScanType can be deployed via helm:

helm upgrade --install ncrack secureCodeBox/ncrack

Delete Ncrack ScanType:

helm delete ncrack

Values

Key	Type	Default	Description
cascadingRules.enabled	bool	`false`	Enables or disables the installation of the default cascading rules for this scanner
encryptPasswords.existingSecret	string	`nil`	secret name with a pem encoded rsa public key to encrypt identified passwords
encryptPasswords.key	string	`"public.key"`	name of the property in the secret with the pem encoded rsa public key
imagePullSecrets	list	`[]`	Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
parser.affinity	object	`{}`	Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
parser.env	list	`[]`	Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
parser.image.pullPolicy	string	`"IfNotPresent"`	Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
parser.image.repository	string	`"docker.io/securecodebox/parser-ncrack"`	Parser image repository
parser.image.tag	string	defaults to the charts version	Parser image tag
parser.resources	object	{ requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } }	Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
parser.scopeLimiterAliases	object	`{}`	Optional finding aliases to be used in the scopeLimiter.
parser.tolerations	list	`[]`	Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
parser.ttlSecondsAfterFinished	string	`nil`	seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
scanner.activeDeadlineSeconds	string	`nil`	There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup)
scanner.affinity	object	`{}`	Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)
scanner.backoffLimit	int	3	There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
scanner.env	list	`[]`	Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scanner.extraContainers	list	`[]`	Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scanner.extraVolumeMounts	list	`[]`	Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.extraVolumes	list	`[]`	Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.image.pullPolicy	string	`"IfNotPresent"`	Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
scanner.image.repository	string	`"docker.io/securecodebox/scanner-ncrack"`	Container Image to run the scan
scanner.image.tag	string	`nil`	defaults to the charts appVersion
scanner.nameAppend	string	`nil`	append a string to the default scantype name.
scanner.podSecurityContext	object	`{}`	Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.resources	object	`{}`	CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scanner.securityContext	object	`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}`	Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.securityContext.allowPrivilegeEscalation	bool	`false`	Ensure that users privileges cannot be escalated
scanner.securityContext.capabilities.drop[0]	string	`"all"`	This drops all linux privileges from the container.
scanner.securityContext.privileged	bool	`false`	Ensures that the scanner container is not run in privileged mode
scanner.securityContext.readOnlyRootFilesystem	bool	`true`	Prevents write access to the containers file system
scanner.securityContext.runAsNonRoot	bool	`true`	Enforces that the scanner image is run as a non root user
scanner.suspend	bool	`false`	if set to true the scan job will be suspended after creation. You can then resume the job using `kubectl resume <jobname>` or using a job scheduler like kueue
scanner.tolerations	list	`[]`	Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
scanner.ttlSecondsAfterFinished	string	`nil`	seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/

License

Code of secureCodeBox is licensed under the Apache License 2.0.

CPU architectures

The scanner is currently supported for these CPU architectures:

linux/amd64

Examples

dummy-ssh

In this example we execute an ncrack scan against the intentional vulnerable ssh service (dummy-ssh)

Initialize ncrack with lists and dummy-ssh

Before executing the scan, make sure to have dummy-ssh installed, and have the proper username & password lists:

# Create user & password list files, you can edit them later if you want
printf "root\nadmin\n" > users.txt
printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt

# Create a Kubernetes secret containing these files
kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists

# Install dummy-ssh app. We'll use ncrack to enumerate its ssh username and password
helm install dummy-ssh ./demo-targets/dummy-ssh/ --wait

# Install the ncrack scanType and set mount the files from the ncrack-lists Kubernetes secret
cat <<EOF | helm upgrade --install ncrack ./scanners/ncrack --values -
scanner:
  extraVolumes:
    - name: ncrack-lists
      secret:
        secretName: ncrack-lists
  extraVolumeMounts:
    - name: ncrack-lists
      mountPath: "/ncrack/"
EOF

After that you can execute the scan in this directory:

kubectl apply -f scan.yaml

The scan should find credentials for username 'root' with password 'THEPASSWORDYOUCREATED'.

Troubleshooting:

Make sure to leave a blank line at the end of each file used in the secret!
If printf doesn't create new lines, try 'echo -e "..."'
You can show your existing secrets with 'kubectl get secrets'

Scan

# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "dummy-ssh"
spec:
  scanType: "ncrack"
  parameters:
    # Enable verbose logging, d10: Debug Level 10, printing more output to the console
    - -v
    - -d10
    - -U
    - /ncrack/users.txt
    - -P
    - /ncrack/passwords.txt
    - ssh://dummy-ssh

What is Ncrack?​

Deployment​

Scanner Configuration​

Requirements​

Additional Chart Configurations​

Ncrack Deployment & Configuration​

Password encryption​

Setup with custom files:​

Basic setup (no files can be mounted):​

Delete Ncrack ScanType:​

Values​

License​

CPU architectures​

Examples​

dummy-ssh​

Initialize ncrack with lists and dummy-ssh​

Troubleshooting:​