Disclaimer: You must own or have permission to run Ncrack on any network or device. This post is used for educational purposes.
IT admin personnel can test different devices and their setups with Ncrack. When devices are set up in a network, services such as SSH, FTP, HTTP, SNMP or others can inadvertently be left on with simple or default passwords. Many printers and other devices have these default services left on. Some devices, such as IoT devices, may have hard-coded usernames and passwords.
Ncrack for Linux, Mac or Windows can be found here
If you install Ncrack, you can use the common username and password lists that come with it. Other lists can be found here. You can use Notepad++ to add usernames or passwords to the lists.
To run Ncrack, you must use a command prompt (in this case, on Windows).
Change into the directory that contains Ncrack. In the example below, we have moved the user files and password files into the same folder as the executable.
Below, Ncrack was installed and then moved to the root of C:
The password and user lists were selected and cut.
The password and user lists were then moved (pasted) in the Ncrack folder.
Below is an example of the user file. Remember you can add usernames to the list. You can do the same for the password lists.
To test a router (one that we own), we ran:
ncrack -vv -U minimal.usr -P default.pwd 192.168.1.1:23 (the 23 represents telnet’s port number)
Below you will see the username and password for telnet.
Running Ncrack again against port 80, we can see below that two usernames and passwords are given: one for root and one for admin.
Reusing the credentials, as shown below, gives control of a (lab-based) router.
How do you protect against this?
- Disable services in printers, routers and on your computer that you don’t use.
- Turn on firewalls if applicable.
- Set complex passwords on all accounts on the device.
- Remember that some devices have services you may not know about. You can use Nmap on the devices to see which ports are open.
- Research the device to see if there are alternate accounts or services you are unaware of.
- If you cannot set passwords on devices that have hard-coded passwords, remove the device from the network.
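
The Nmap check from the list above, as an added example that is not part of the original post: it reads Nmap's grepable output (`nmap -oG`) and lists the hosts where the services this post mentions are still open. The port-to-service mapping, the function names and the sample scan output are assumptions constructed for illustration.

```python
# Services the post names as commonly left on, keyed by default port (assumed mapping).
RISKY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 161: "SNMP"}
# Telnet, FTP, plain HTTP and SNMP v1/v2c carry credentials unencrypted.
CLEARTEXT = {21, 23, 80, 161}

# Constructed sample of `nmap -oG` output for a lab network (tab-separated fields).
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.1.1 (router.lab)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.20 (printer.lab)\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 161/open/udp//snmp///, 9100/open/tcp//jetdirect///\n"
    "Host: 192.168.1.30 ()\tStatus: Up\n"
)


def open_ports(grepable):
    """Yield (host, port, proto, service) for every open port in -oG output."""
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port list
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open":
                yield host, int(parts[0]), parts[2], parts[4]


def audit(grepable):
    """Return (host, port, service name, cleartext?) for services to review."""
    findings = []
    for host, port, _proto, _service in open_ports(grepable):
        if port in RISKY_PORTS:
            findings.append((host, port, RISKY_PORTS[port], port in CLEARTEXT))
    return findings


if __name__ == "__main__":
    for host, port, name, cleartext in audit(SAMPLE):
        note = "cleartext, disable if unused" if cleartext else "set a complex password"
        print(f"{host}:{port} {name} open ({note})")
```
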