

Ncrack, developed by the same project as nmap, is a common tool for bruteforcing network services.

Ncrack is a high-speed network authentication cracking tool designed for easy extension and large-scale scanning.

Common flags include:

* -u/-U, to specify a single user/a list of users in a file
* --pass/-P, to specify a single password/a list of passwords in a file
* -iL, to specify a list of hosts
* -iX, to specify the nmap XML output file as input
* -f, to stop after the first valid credentials are found

Let's see some examples of the usage of ncrack:

ncrack -V
# this will show the ncrack version and supported modes
ncrack -f
# this will start an ftp bruteforce
# -f, stop after having found the first successful login credentials  
ncrack -u administrator -P 500-worst-passwords.txt -p 3389
# in this case we will try to bruteforce RDP on port 3389

We can also specify a different port for a specific service, for example:

ncrack ssh://
# here we try to bruteforce ssh on port 5910

We can also specify services in another form:

ncrack -p 22,ftp:3210,telnet
ncrack -u test -P 500-worst-passwords.txt -T 5 -p 21
# -T sets how aggressive the bruteforce will be, as with nmap,
# so the value goes from 0 (paranoid bruteforce) to 5 (insane bruteforce)

Or if we already know the password but don't know the user we may try:

ncrack -U users.txt --pass admin123
ncrack -vv  -U users.txt -P rockyou.txt,CL=1
# CL=1 means that the maximum number of connections will be limited to 1
# -vv will be very verbose
# -U allows us to specify a list of users taken from a file
# -P selects the list of passwords

We can also specify a list of hosts as with nmap:

ncrack -vv -U users.txt -P passwords.txt -iL host.txt -oA output_ncrack

We can also restore an interrupted session by doing:

ncrack --resume /root/.ncrack/restore.<datetime>

Another useful feature of ncrack is its ability to parse XML output from nmap and try to bruteforce all the services it lists. Let's see how:

ncrack -U users.txt -P passwords.txt -iX nmap.xml
# -U is used because users.txt is a file containing a list of users
# -iX takes as input the XML file provided by nmap
# notice that if nmap identifies an SSH service running on port 4142
# then ncrack will automatically and correctly try to bruteforce SSH on that
# port

Ncrack also allows the fine-tuning of the bruteforce attack with the following options:

* cl (min connection limit): minimum number of concurrent parallel connections
* CL (max connection limit): maximum number of concurrent parallel connections
* at (authentication tries): authentication attempts per connection
* cd (connection delay): delay

An example using some of these options may be:

ncrack -m ftp:cl=10,CL=30,at=5,cd=2ms,cr=10,to=2ms -sL -d

The maximum number of concurrent connections can also be set with --connection-limit <number>, for example:

ncrack -p 22 --connection-limit 10

We can specify targets with different formats:

ncrack ssh://192.168.1.*:5910
# here we try to bruteforce on port 22
# but also ftp on host
# and also ssh for all hosts on port 5910

Another example may be:

ncrack -p 22,ftp:3210,telnet
# in this case we are telling ncrack to try all the addresses on port 22
# (defaults to SSH), port 3210 for FTP and the default telnet port (which is 23)

Notice that ncrack can also use a proxy when bruteforcing.
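
From the defender's side, the two credential modes shown above (one user with a password list, and a user list with one password) leave different patterns in the target's authentication log. The following added example, which is not part of the original page, classifies them from OpenSSH-style log lines; the sample lines, addresses, threshold and tag names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (not from the page); addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 10:00:0{i} srv sshd[100]: Failed password for administrator "
     f"from 203.0.113.5 port 4000{i} ssh2" for i in range(5)]
    + ["Jan 10 10:00:06 srv sshd[100]: Accepted password for administrator "
       "from 203.0.113.5 port 40006 ssh2"]
    + [f"Jan 10 10:01:00 srv sshd[101]: Failed password for invalid user {u} "
       f"from 198.51.100.7 port 51000 ssh2" for u in ("alice", "bob", "carol", "dave")]
    + ["Jan 10 10:02:00 srv sshd[102]: Failed password for test from 192.0.2.9 port 52000 ssh2",
       "Jan 10 10:02:05 srv sshd[102]: Accepted password for test from 192.0.2.9 port 52001 ssh2"]
)

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")

def classify(log_text, threshold=4):
    """Map each noisy source IP to the set of patterns its login attempts match."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    hits = defaultdict(set)                           # ip -> users accepted after failures
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            user, ip = m.groups()
            failures[ip][user] += 1
        elif (m := ACCEPTED.search(line)) and m.group(2) in failures:
            hits[m.group(2)].add(m.group(1))
    findings = {}
    for ip, per_user in failures.items():
        tags = set()
        if max(per_user.values()) >= threshold:
            tags.add("password-list")   # one account, many passwords (-u with -P)
        if len(per_user) >= threshold:
            tags.add("user-list")       # many accounts tried (-U with --pass)
        if tags:  # below both thresholds is treated as ordinary mistyping
            # a login right after the failures is what a run with -f stops on
            findings[ip] = tags | {f"success-after-failures:{u}" for u in hits[ip]}
    return findings

if __name__ == "__main__":
    for ip, tags in classify(SAMPLE_LOG).items():
        print(ip, sorted(tags))
```

A source flagged with a success-after-failures tag is the case to triage first, since the account it names should be treated as compromised until its password is rotated.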