Discussion:
Ncrack telnet module
bgqueengeek
2017-06-14 00:59:11 UTC
Hi all;

Working with ncrack for scanning some non-standard devices (printers) that
do support telnet, but do not prompt with "login". Instead, the session goes
straight to the password prompt. Ncrack telnet does not have a way to
bypass the login prompt. As such, my ncrack scan fails to test the password
I know is correct. I have tested it with Cygwin telnet with no problem.

Most telnet clients handle this OK in an interactive session, but a
Wireshark trace of ncrack indicates ncrack never sees the password prompt.

I have the source for ncrack_telnet, but would rather not have to hack it up
too much. It exists on a Linux host, so it builds and installs.

I recognize this is old, but any assistance out there would be greatly
appreciated.



--
View this message in context: http://nmap-dev.996309.n3.nabble.com/Ncrack-telnet-module-tp28740.html
Sent from the Nmap - Dev mailing list archive at Nabble.com.
Daniel Miller
2017-06-14 01:55:13 UTC
Hi! Thanks for the input. For telnet brute-forcing, the telnet-brute NSE
script [1] is very well suited, with intelligent prompt detection based on
empirical scanning of hundreds of different device types. Here's an example
invocation that tries all username/password combinations from separate
wordlists (default is to only run for 10 minutes):

nmap -p23 --script telnet-brute --script-args unpwdb.timelimit=0,userdb=users.txt,passdb=passwords.txt 192.0.2.1

Of course, the Ncrack developers on the list may be interested in improving
Ncrack in this regard as well.

Dan

[1] https://nmap.org/nsedoc/scripts/telnet-brute.html
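The prompt-detection problem at the heart of this thread (a device that never sends "login:" and goes straight to "Password:") is easiest to reason about on the raw stream, because telnet servers interleave option negotiation (IAC sequences) with the banner text, and a client that pattern-matches the raw bytes can miss a prompt that sits right after a negotiation sequence. The following is an added Python example, not code from Nmap, Ncrack or anyone in this thread: it strips RFC 854 negotiation bytes and then classifies the trailing prompt as login-first, password-only or no authentication. The banners are constructed samples, not captures from the printer discussed here.

```python
"""Classify what a telnet server asks for first: a login name, a password
only, or nothing. Added illustration for the thread; the banners below are
constructed samples, not captures from the device under discussion."""
import re

# RFC 854 command bytes
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation so prompt matching sees only text.

    A client that matches "login:" against the raw stream can miss the
    prompt entirely when negotiation bytes sit between or after the text.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # lone trailing IAC: incomplete, discard
            break
        cmd = data[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:         # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # two-byte commands such as NOP, GA, AYT
    return bytes(out)


LOGIN_RE = re.compile(rb"(login|user ?name|user)\s*:$", re.IGNORECASE)
PASSWORD_RE = re.compile(rb"(password|passwd|pass)\s*:$", re.IGNORECASE)


def classify_prompt(data: bytes) -> str:
    """Return 'login', 'password-only' or 'none' for a server's opening bytes."""
    text = strip_iac(data).rstrip(b" \t\r\n")
    if PASSWORD_RE.search(text):
        return "password-only"   # the printer case from the thread
    if LOGIN_RE.search(text):
        return "login"           # classic host: username first
    return "none"                # shell or menu with no authentication


# Constructed samples (not real device captures).
SAMPLES = {
    "unix_host": bytes([IAC, DO, 24, IAC, WILL, 1]) + b"\r\nsome host\r\nhost login: ",
    "printer": bytes([IAC, WILL, 1, IAC, WILL, 3]) + b"\r\nPrinter telnet server\r\nPassword: ",
    "subneg_escaped": bytes([IAC, SB, 31, 0, 80, 0, 24, IAC, SE]) + b"\xff\xff ready\r\nPassword:",
    "no_auth": b"\r\nWelcome\r\n# ",
}


def classify_samples() -> dict:
    """Classify every constructed sample; used by the stand-alone run below."""
    return {name: classify_prompt(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:15s} -> {kind}")
```

The classifier deliberately looks only at the trailing prompt, since that is what the client has to answer next; a banner that mentions "login" somewhere in its text but ends in "Password:" is still treated as password-only, which is exactly the case that needs the password-only mode rather than a username/password pair.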
bgqueengeek
2017-06-14 23:16:32 UTC
David, thanks very much.

Unfortunately, I am not able to get this to work. First off, I cannot find
where the exact requirements for the text file are. I have a plain-text list
of passwords separated by CR LF.

Additionally, I tried this script call with no user list; it appeared to
fail to test the password. I then called a userdb file that was empty (just
a CR LF); again it failed.

The server (a printer in this case) has a banner and then sends "Password:".

Here's the chatter:
nmap -p 23 --script telnet-brute --script-args unpwdb.timelimit=0,userdb=testUsers.txt,passdb=testPasswords.txt <ip address goes here>

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-14 16:11 Pacific Daylight Time

Nmap scan report for 10.77.166.208
Host is up (0.17s latency).
PORT STATE SERVICE
23/tcp open telnet
| telnet-brute:
| Accounts: No valid accounts found
| Statistics: Performed 2 guesses in 1 seconds, average tps: 2.0
|_ ERROR: Password prompt encountered
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds

The password in the file is valid, so I should see a success here. Any idea
what I might be doing wrong?

Thank you so much,

Beth

nnposter
2017-06-15 00:35:05 UTC
Post by bgqueengeek
The server (a printer in this case) has a banner and then sends "Password:".
nmap -p 23 --script telnet-brute --script-args unpwdb.timelimit=0,userdb=testUsers.txt,passdb=testPasswords.txt <ip address goes here>
Brute scripts, including telnet-brute, need to be advised to perform
password-only authentication. Please try to run the script by adding
brute.passonly=true (and do not bother with "userdb").

Cheers,
nnposter
bgqueengeek
2017-06-15 01:43:47 UTC
Hi;

Again thanks for the response. I think I am doing what you suggested. Here's
the latest chatter:

nmap -p 23 --script telnet-brute --script-args "telnet-brute.passonly=true,passdb=testPasswords.txt" <ip address>

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-14 18:35 Pacific Daylight Time

Nmap scan report for <ip address>

Host is up (0.16s latency).
PORT STATE SERVICE
23/tcp open telnet
| telnet-brute:
| Accounts: No valid accounts found
| Statistics: Performed 5 guesses in 38 seconds, average tps: 0.1
|_ ERROR: Password prompt encountered

Nmap done: 1 IP address (1 host up) scanned in 40.64 seconds

I think your syntax is slightly different. Trying this too, and nmap does
not return. So at least this is changing the behavior. I will play with this
a bit more.

Thanks, nnposter!

nnposter
2017-06-15 02:02:14 UTC
Post by bgqueengeek
Again thanks for the response. I think I am doing what you suggested. Here's
nmap -p 23 --script telnet-brute --script-args "telnet-brute.passonly=true,passdb=testPasswords.txt" <ip address>
The parameter is brute.passonly, not telnet-brute.passonly.

You might also take a look at other brute.* parameters, documented at
https://nmap.org/nsedoc/lib/brute.html
Post by bgqueengeek
I think your syntax is slightly different. Trying this too, and nmap does
not return. So at least this is changing the behavior. I will play with this
a bit more.
Some feeble daemons do not handle concurrency too well. Consider running
the script with only one worker thread to confirm that the script
interacts with the daemon properly.


Cheers,
nnposter
bgqueengeek
2017-06-15 22:29:33 UTC
Still not successful yet, and I upgraded my nmap version.

Using the following syntax for a single-threaded attempt:

nmap -p 23 --max-parallelism 1 --script telnet-brute --script-args brute.passonly=true,passdb=testPasswords.txt <ip addy>

Starting Nmap 7.50 ( https://nmap.org ) at 2017-06-15 14:43 Pacific Daylight Time

Nmap scan report for <ip addy>
Host is up (0.18s latency).

PORT STATE SERVICE
23/tcp open telnet
| telnet-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 1 guesses in 164 seconds, average tps: 0.0


Nmap done: 1 IP address (1 host up) scanned in 167.66 seconds

Problem is I know the lone password in the testPasswords.txt file is the
valid password.

Checking the brute NSE library page for more ideas, but open to any.

Again, a classic telnet client like the one provided in Cygwin works.

:-|

nnposter
2017-06-15 23:38:40 UTC
Post by bgqueengeek
Still not successful yet and I upgraded my nmap version.
nmap -p 23 --max-parallelism 1 --script telnet-brute --script-args brute.passonly=true,passdb=testPasswords.txt <ip addy>
--max-parallelism is controlling the scanner itself, not the
brute-forcing worker threads. Add the following script arguments instead:

brute.threads=1
brute.start=1
Post by bgqueengeek
PORT STATE SERVICE
23/tcp open telnet
| Accounts: No valid accounts found
|_ Statistics: Performed 1 guesses in 164 seconds, average tps: 0.0
Something is seriously not working here. A single guess should not take
almost three minutes.
Post by bgqueengeek
Problem is I know the lone password in the testPasswords.txt file is the
valid password.
Checking the brute NSE library page for more ideas, but open to any.
This is hard to diagnose without more data. Can you provide a
pcap/pcapng of a single nmap run against the target together with nmap
output, while making sure that you are using the thread settings from
above and enabling debug logging with -ddd?

nmap -ddd -n -Pn -p23 --script telnet-brute --script-args brute.passonly=true,brute.threads=1,brute.start=1,passdb=testPasswords.txt <ip addy>

Feel free to send the two unedited files to me privately.


Cheers,
nnposter
bgqueengeek
2017-06-19 23:22:20 UTC
Sent nnposter the d3 output. My concern is it still says trying root/root.

There is no root listed in the file testPasswords.txt.

Is the default directory under "nmap" or under "nmap\nselib\data\" ?

Thanks!
