Password Attacksbruteforceauthenticationcrackingnetworkrdpsshftp

Ncrack

High-speed network authentication cracking tool for testing poor passwords on hosts and devices. Supports protocols like RDP, SSH, HTTP(S), SMB, and more for large-scale auditing.

Description

Ncrack is a high-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals rely on Ncrack when auditing their clients. It was designed using a modular approach, a command-line syntax similar to Nmap, and a dynamic engine that adapts its behavior based on network feedback, allowing rapid yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, enabling sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s, and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, telnet, and additional modules like Wordpress, IMAP, CVS, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, DICOM.

It allows for very sophisticated bruteforcing attacks with options for concurrent connections, authentication tries, delays, and more, making it suitable for comprehensive password security assessments.

How It Works

Ncrack operates with a modular design and dynamic engine that adapts based on network feedback. It supports target specification via hostnames, IPs, or Nmap outputs, and service specification like rdp://target or -p rdp. Users control bruteforcing via timing options (cl, CL for connections, at for tries, cd for delays), authentication inputs (-U, -P files or --user/--pass lists), and global/host/service-specific modifiers (-g, -m). It iterates credentials (passwords-first or pairwise) across protocols, providing verbose output and resuming capabilities.

Installation

bash

sudo apt install ncrack

Flags

-vIncrease verbosity level (use twice or more for greater effect)

-iL <inputfilename>Input from list of hosts/networks

--user <username_list>comma-separated username list

-P <filename>password file

-p <service-list>services will be applied to all non-standard notation hosts

CL=<number>maximum number of concurrent parallel connections

-U <filename>username file

--pass <password_list>comma-separated password list

-oN/-oX <file>Output scan in normal and XML format, respectively, to the given filename

Examples

Use verbose mode, read IP list, attempt login as 'victim' with password dictionary over RDP with one connection at a time

ncrack -v -iL win.txt --user victim -P passes.txt -p rdp CL=1

Crack SSH on localhost port 22 using username 'root' with verbose output

ncrack -v --user root localhost:22

Crack HTTPS on 192.168.0.1 with timing template T5 and verbose output

ncrack -v -T5 https://192.168.0.1

Use Nmap XML input, set global max connections to 5 and timeout to 1 hour with verbose output

ncrack -v -iX ~/nmap.xml -g CL=5,to=1h

Target multiple hosts with specified services including SSH, FTP on custom ports, HTTP, and HTTPS

ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl

Host-specific SSH options, module-wide SSH auth tries, global connection delay

ncrack ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000

Updated 2026-04-16kali.org ↗