About a year ago the creators of Nmap released ncrack, a tool for brute-forcing various network services; it is still in alpha, at version 0.3. The latest version of Nmap, announced on nmap-hackers just over a month ago, includes in the default install a set of scripts for its NSE engine (Nmap Scripting Engine) that let us brute-force a number of services.
In the NSE documentation you can find all the scripts; the *-brute ones are the brute-forcing scripts. We should stress that when we say brute force here we mean dictionary attacks, which are the most common approach when it comes to brute-forcing credentials online. At the moment the very common protocols are covered, along with some more unusual ones; on the other hand some are missing, such as SSH. The protocols included today are:
Using the scripts is particularly easy. We only have to tell Nmap which script to use, and it will attempt the attack when it finds the matching service during the scan.
nmap --script vnc-brute 127.0.0.1
To tune it a bit more, if we only want to carry out the attack and we already know the port and the service, it is better to specify them.
nmap -p 5900 --script vnc-brute 127.0.0.1
Of course, we can scan IP ranges with Nmap and have the script run only against the hosts that expose the matching protocol.
nmap --script mysql-brute 192.168.1.1-255
As for the dictionaries used, Nmap ships its own (both usernames and passwords) through its unpwdb library. We can override either one with the userdb and passdb script arguments.
nmap --script ftp-brute --script-args userdb=/tmp/users 127.0.0.1
nmap --script ftp-brute --script-args userdb=/tmp/users,passdb=/tmp/passwds 127.0.0.1
Example of use against a host that has VNC listening:
alberto@asdfqwerty:~$ nmap --script vnc-brute localhost
Starting Nmap 5.51 (http://nmap.org)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00056s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
631/tcp open ipp
3306/tcp open mysql
5900/tcp open vnc
|   1234 => Login correct
|_  Performed 369 guesses in 609 seconds, average tps: 1
Nmap done: 1 IP address (1 host up) scanned in 374.46 seconds
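Seen from the server, a run of ftp-brute with userdb/passdb dictionaries is a burst of failed logins from one client cycling through usernames, at roughly the rate the script reports. As an added example (not code from the original post or from Nmap), a small detector over constructed vsftpd-style log lines that flags that pattern and records whether a successful login followed the burst; the log format, the sample lines, the 4-failures-in-60-seconds threshold and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed vsftpd-style sample (not from the original post): the burst from
# 127.0.0.1 is what an ftp-brute run with dictionaries looks like server-side.
SAMPLE_LOG = """\
Tue Apr 12 10:00:00 2011 [pid 2001] [alberto] FAIL LOGIN: Client "127.0.0.1"
Tue Apr 12 10:00:01 2011 [pid 2002] [alberto] FAIL LOGIN: Client "127.0.0.1"
Tue Apr 12 10:00:02 2011 [pid 2003] [admin] FAIL LOGIN: Client "127.0.0.1"
Tue Apr 12 10:00:03 2011 [pid 2004] [root] FAIL LOGIN: Client "127.0.0.1"
Tue Apr 12 10:00:04 2011 [pid 2005] [admin] FAIL LOGIN: Client "127.0.0.1"
Tue Apr 12 10:00:05 2011 [pid 2006] [alberto] OK LOGIN: Client "127.0.0.1"
Tue Apr 12 10:03:00 2011 [pid 2007] [bob] FAIL LOGIN: Client "192.168.1.7"
Tue Apr 12 10:09:00 2011 [pid 2008] [bob] OK LOGIN: Client "192.168.1.7"
"""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$')

def parse(line):
    # Returns (timestamp, user, result, client_ip) or None for unrelated lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Map client IP -> (failures, distinct users, success seen after burst)
    for every client with >= threshold failed logins inside window_s seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        q = recent[ip]
        if result == "FAIL":
            q.append(ts)
            users[ip].add(user)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                alerts[ip] = (len(q), len(users[ip]), False)
        elif ip in alerts:
            # success right after a burst: the dictionary held a valid credential
            f, u, _ = alerts[ip]
            alerts[ip] = (f, u, True)
    return alerts
```

The single failure from 192.168.1.7 stays below the threshold, while the five-failure burst from 127.0.0.1 followed by a success is the case worth acting on.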
Alternative info article via Art of Infosenic.