TODO:

* We should probably include the Microsoft Visual C++ 2010 Redistributable Package
  in the Windows installation setup file, since after moving to Visual Studio
  C++ 2010 Express, Windows systems demand msvcr100.dll in order for Ncrack
  to run.

* Start username-list gathering project. Gathering these from email
  addresses may be the most powerful technique.

* Implement connection retry (cr) timing option.

* Fix an SSH module bug as described here:
  http://seclists.org/nmap-dev/2010/q3/517

* Consider adding an option for excluding certain accounts from cracking. This
  is important when we want to avoid locking out a critical account by
  trying too many times. See discussion at:
  http://seclists.org/nmap-dev/2011/q2/292

* Handle username validation for services. For example, if an FTP
  server is anon-only, or if we enumerate SMB users, or some service
  gives a "user does not exist" error, we should probably not waste time
  trying to crack such users against those services. We need to
  figure out how this works when multiple services/hosts are being
  cracked at the same time.

* HTTP-form auth, which will be based on the existing HTTP module and
  will target HTTP forms, should ideally be able to parse the
  most common web forms out there. The user will also be given the
  choice to specify certain form-related arguments that can make
  Ncrack's job easier.

* Discuss improvements on password/username-list manipulation,
  e.g. combo-lists, or a special format with which you could specify that the
  username/password is to be tried reversed, or a username to be tested
  as password, like this for example:
    %username%      # to test the user name as a password
    %rev username%  # username reversed
    %%username%%    # to test for the literal string %username%

* Perhaps improve the -U and -P options
  so that the user can give a comma-separated list of files that will be
  automatically concatenated by Ncrack.
* RDP module TODOs:
  o Provide generic endianness by coding a framework which is
    endianness-agnostic. This will also be helpful for the .restore
    file portability (see relevant task).
  o Check if RDP cracking can go faster by issuing more than 1 pair of
    credentials per connection (currently only 1 pair is sent per
    connection). This will require the sending of special scancodes which
    will instruct the RDP server to 'delete' the previous username/password
    (usually only needed for the username if it is changed, since the
    password is automatically deleted by the server when wrong). A scancode
    (usually 'tab') for switching between username and password will also
    have to be sent.
  o See if it is possible to send an 'empty' password. This is currently
    not easy to do, since the RDP server ignores an 'empty' password sent in
    the initial client_info packet, and it has to be manually entered later
    by the user. In order to automate this, special scancodes must be sent
    like above. Windows Vista and above also require you to select the user
    first, before being able to type the password. Automating this can be
    hard.
  o Support NLA: http://seclists.org/nmap-dev/2010/q3/526
  o Figure out why it isn't working against Windows 7 for Thomas
    Buchanan: http://seclists.org/nmap-dev/2010/q3/505
    --> According to the discussion at this nmap-dev thread, it appears that
    the problem Thomas has been describing only appears on his Windows 7
    version, which comes from a public release candidate of Windows 7. No other
    Windows 7 version displays this behaviour. We are waiting to see if other
    people come across this problem, since so far this bug can't be replicated.
  o See what's wrong with: http://seclists.org/nmap-dev/2010/q3/643


* Convert telnet module to use new inbuf/outbuf system.
  --> It already does, but needs some fixes.

* Think about packet trace.
  Obviously without pcap or something similar,
  we can only print info about TCP payloads or connection
  initiations/endings.
  How can I get the unique connection id from nsock? --> With nsi_id()

* Discuss an option that will make Ncrack do a round-robin attack when
  targeting many hosts in parallel. For example, suppose you crack 5 different
  services (perhaps from the same subnet): then Ncrack will do 1 authentication
  attempt against the 1st host, then the 2nd, then the 3rd, ... and then start
  from the 1st again. This is to avoid possible lockout mechanisms. Note
  that you could emulate this behaviour (but not in the exact same way) by
  configuring the 'connection-delay' option for all hosts. However, this will
  result in bursts of packets if the connection-delay is the same for all hosts,
  and it would be too much trouble to assign and calculate a
  different 'connection-delay' for each host (so as to emulate the round-robin
  behaviour).

* Extend opensshlib to support SSH version 1, as well as additional
  Diffie-Hellman algorithms.

* For session saving (--resume) consider going to second granularity in the
  filename. This avoids occasions when the file is overwritten because the
  user invoked Ncrack in the same minute and decided to cancel again.

* Take care of portability (endian) issues for the --resume option.
  Currently it stores integers and the like in the system's native binary
  format.

* Complete output engine. The main thing left is support for XML output using
  the option -oX.
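The RDP endianness item and the --resume portability item above ask for the same thing: integers must leave the process in a fixed byte order rather than whatever the host happens to use. The following is an added example, not Ncrack's own .restore code: a small host-order-independent encoder/decoder built from shifts only, next to the native-order memcpy that makes the current files non-portable. The ResumeRecord fields are assumed for illustration and are not Ncrack's real layout.

```cpp
// Added example, not Ncrack's own code: a host-order-independent encoding for
// integers and strings, the kind of framework the endianness item and the
// --resume portability item call for. ResumeRecord is an assumed layout.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::vector<unsigned char> Bytes;

// Little-endian encoding built from shifts, so the byte order on disk is the
// same whether the host is x86, big-endian MIPS or anything else.
static void put_u32le(Bytes &out, uint32_t v) {
  for (int i = 0; i < 4; ++i)
    out.push_back(static_cast<unsigned char>((v >> (8 * i)) & 0xffu));
}

static uint32_t get_u32le(const Bytes &in, size_t &pos) {
  if (pos + 4 > in.size()) throw std::runtime_error("truncated u32");
  uint32_t v = 0;
  for (int i = 0; i < 4; ++i)
    v |= static_cast<uint32_t>(in[pos + i]) << (8 * i);
  pos += 4;
  return v;
}

// Strings are length-prefixed; the length itself goes through put_u32le.
static void put_string(Bytes &out, const std::string &s) {
  put_u32le(out, static_cast<uint32_t>(s.size()));
  out.insert(out.end(), s.begin(), s.end());
}

static std::string get_string(const Bytes &in, size_t &pos) {
  uint32_t n = get_u32le(in, pos);
  if (pos + n > in.size()) throw std::runtime_error("truncated string");
  std::string s(in.begin() + pos, in.begin() + pos + n);
  pos += n;
  return s;
}

// Hypothetical per-service progress record (assumed layout, not Ncrack's).
struct ResumeRecord {
  std::string host;
  uint32_t port;
  uint32_t user_index;  // position reached in the username list
  uint32_t pass_index;  // position reached in the password list
};

Bytes encode_record(const ResumeRecord &r) {
  Bytes out;
  put_string(out, r.host);
  put_u32le(out, r.port);
  put_u32le(out, r.user_index);
  put_u32le(out, r.pass_index);
  return out;
}

ResumeRecord decode_record(const Bytes &in) {
  size_t pos = 0;
  ResumeRecord r;
  r.host = get_string(in, pos);
  r.port = get_u32le(in, pos);
  r.user_index = get_u32le(in, pos);
  r.pass_index = get_u32le(in, pos);
  if (pos != in.size()) throw std::runtime_error("trailing bytes");
  return r;
}

// For contrast: what fwrite(&v, sizeof v, ...) puts on disk, i.e. the host's
// native order, which is exactly what makes such files non-portable.
Bytes native_u32(uint32_t v) {
  Bytes out(sizeof v);
  std::memcpy(&out[0], &v, sizeof v);
  return out;
}

// Encoded form of a single u32, exposed so it can be checked on its own.
Bytes encode_u32le(uint32_t v) {
  Bytes b;
  put_u32le(b, v);
  return b;
}

bool host_is_little_endian() { return native_u32(1)[0] == 1; }
```

Every bounds check throws rather than reading past the buffer, so a truncated or hand-edited file is rejected instead of silently yielding garbage indices.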
* Solve the ssh username/password special iteration challenge as mentioned here:
  http://seclists.org/nmap-dev/2009/q3/0119.html

* If a connection times out continuously for 1 service and the rest of the
  services need to poll for new events through nsock_loop, the fact that
  ncrack_connection_end calls ncrack_probes again won't let that happen.
  So for many errors of 1 connection perhaps just toss the service into a special
  list so that we can move on for the time being.

* Wider Ncrack promotion

* Complete dynamic timing engine.
  - Some details from SoC application:
    As of yet, the engine is "smart" enough to be able to adapt to some
    trivial end-cases, e.g. lower the number of parallel probes when we
    get more than a certain number of RSTs from our target in a certain
    amount of time. Of course, the user has the final say on how the
    engine will behave, depending on whether or not he defined certain
    time-related arguments during the initial Ncrack invocation. The
    engine should ideally be able to adapt more intelligently to the
    given network conditions and the special characteristics of our
    targets. This implies that it will be able to deduce on its own the
    best possible value of parallel probes and other time-related
    parameters (for example, if it should wait between each
    authentication try and for how long). Since Ncrack is based on
    Nsock, which is a socket-abstraction layer, and we have no access to
    raw sockets or packet-crafting libraries (the user can invoke
    Ncrack without root privileges after all), we only have TCP itself
    as a feedback mechanism for the network conditions. This can prove
    tricky for our work. Our engine might have to be based on
    trial-and-error and partial statistical analysis to take some of
    its decisions.

    One idea would be to keep a history of the average performance for
    each target and for each time-related metric.
    After some
    experimentation with each target, and depending on the network
    conditions, our engine will be able to decide which of the
    different sets of saved values are most suitable for the
    moment. However, this has to be flexible and able to be
    dynamically adapted, since network traffic is susceptible to
    change. The "saved history" will mostly be used as a mechanism for
    better decision-making. Ncrack should be as accurate and fast as
    possible at the same time. As a result, when increasing the number
    of parallel probes doesn't lead to a further increase in the average
    rate of authentication tries, it should back off and try with fewer
    probes. This is the experimentation phase we mentioned above. Upon
    seeing that further reduction of the probes leads to a decrease in
    performance, it should again try to increase them. All of this
    implies that we define some sort of 'average ideal' performance
    with which the current performance will be compared. This metric
    can be derived from a statistical analysis of our 'saved history'
    so far.

* For -vv verbose mode, possibly save the banner for each service and show it at
  the end. Also we can show a sample session, showing the special patterns used
  in the authentication steps. These may also prove useful for user submissions
  of new exotic patterns for modules, like telnet, that need them.

* SMTP/IMAP/POP3 - some initial IMAP/POP3 patches have already been
  provided by Balázs Bucsay. Further development of them, as well as
  SMTP support, should be one goal to cover the existing email
  infrastructure.

* Improve SMB module, adding NetBIOS support etc.

* Consider adding a spec file for distributing RPMs.

* Discuss whether Ncrack should use different default username/password lists
  based on the protocol/service it is trying to crack.
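The round-robin item above (one attempt per host, then the next, to stay under lockout thresholds) has a mirror image on the monitoring side that is worth making explicit: a lockout counter keyed by (target, user) never sees more than one failure per pass, while the very same events keyed by source across all targets add up immediately. The following is an added example, not part of Ncrack, showing that check over a handful of constructed log lines; the log format and addresses are made up for the example.

```cpp
// Added example, not part of Ncrack: the defender's view of the round-robin
// pattern described above. Log format, hosts and timestamps are constructed.
#include <algorithm>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct AuthEvent {
  std::string ts, target, src, user;
  bool failed;
};

// Parse one constructed line of the form
//   <timestamp> target=<ip:port> src=<ip> user=<name> result=OK|FAIL
// Returns false for a line that does not carry all four fields.
bool parse_event(const std::string &line, AuthEvent &ev) {
  std::istringstream in(line);
  if (!(in >> ev.ts)) return false;
  std::map<std::string, std::string> kv;
  std::string tok;
  while (in >> tok) {
    size_t eq = tok.find('=');
    if (eq == std::string::npos) return false;
    kv[tok.substr(0, eq)] = tok.substr(eq + 1);
  }
  const char *need[] = {"target", "src", "user", "result"};
  for (const char *k : need)
    if (!kv.count(k)) return false;
  ev.target = kv["target"];
  ev.src = kv["src"];
  ev.user = kv["user"];
  ev.failed = (kv["result"] == "FAIL");
  return true;
}

// Failures the way a per-host lockout counter sees them: keyed by target/user.
std::map<std::string, int> failures_per_target_user(const std::vector<AuthEvent> &evs) {
  std::map<std::string, int> c;
  for (const AuthEvent &e : evs)
    if (e.failed) ++c[e.target + "/" + e.user];
  return c;
}

// The same failures keyed by source, across every target that source touched.
std::map<std::string, int> failures_per_source(const std::vector<AuthEvent> &evs) {
  std::map<std::string, int> c;
  for (const AuthEvent &e : evs)
    if (e.failed) ++c[e.src];
  return c;
}

// Sources that reach `threshold` failures in total while no single
// (target, user) counter they touched reaches it: the blind spot a
// round-robin schedule is designed to stay inside.
std::set<std::string> round_robin_suspects(const std::vector<AuthEvent> &evs, int threshold) {
  std::map<std::string, int> per_tu = failures_per_target_user(evs);
  std::map<std::string, int> per_src = failures_per_source(evs);
  std::set<std::string> out;
  for (const auto &p : per_src) {
    if (p.second < threshold) continue;
    int max_tu = 0;
    for (const AuthEvent &e : evs)
      if (e.failed && e.src == p.first)
        max_tu = std::max(max_tu, per_tu[e.target + "/" + e.user]);
    if (max_tu < threshold) out.insert(p.first);
  }
  return out;
}

// Constructed sample: 192.0.2.7 spreads five failures over five hosts (one
// each), 198.51.100.4 hits one account three times, plus a success and one
// malformed line that the parser drops.
std::vector<AuthEvent> load_sample() {
  const char *lines[] = {
    "2011-05-02T10:00:01 target=10.0.0.1:22 src=192.0.2.7 user=admin result=FAIL",
    "2011-05-02T10:00:02 target=10.0.0.2:22 src=192.0.2.7 user=admin result=FAIL",
    "2011-05-02T10:00:03 target=10.0.0.3:22 src=192.0.2.7 user=admin result=FAIL",
    "2011-05-02T10:00:04 target=10.0.0.4:22 src=192.0.2.7 user=admin result=FAIL",
    "2011-05-02T10:00:05 target=10.0.0.5:22 src=192.0.2.7 user=admin result=FAIL",
    "2011-05-02T10:00:06 target=10.0.0.1:22 src=198.51.100.4 user=root result=FAIL",
    "2011-05-02T10:00:07 target=10.0.0.1:22 src=198.51.100.4 user=root result=FAIL",
    "2011-05-02T10:00:08 target=10.0.0.1:22 src=198.51.100.4 user=root result=FAIL",
    "2011-05-02T10:00:09 target=10.0.0.2:22 src=203.0.113.9 user=alice result=OK",
    "garbage line without fields",
  };
  std::vector<AuthEvent> evs;
  for (const char *l : lines) {
    AuthEvent ev;
    if (parse_event(l, ev)) evs.push_back(ev);
  }
  return evs;
}
```

With a threshold of 3, 198.51.100.4 trips the ordinary per-account counter and is not reported here, whereas 192.0.2.7 never exceeds one failure on any (target, user) pair yet reaches five in total; only the cross-target view surfaces it.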
* Consider collecting/assembling protocol-optimized username/password lists.

* Consider extending Buf()'s class functions so that you can push and pop
  data in layers. Right now, you can only append data, but for example
  you cannot leave some empty space and come back and fill it in later.

* Think about making Ncrack distributed (e.g. with one master, several agents).

============================= :DONE: =========================================

* Write Ncrack Developer's Guide.

* Update CHANGELOG to note changes since last release

* Make new post-SoC Ncrack release with SMB and RDP

* Remove excess verbosity in RDP cracker module (e.g. don't print
  "Account credentials are NOT valid." for each test unless in high
  debugging mode)

* Add remote desktop (rdp) cracking. Ithilgore says there are few
  rdesktop crackers out there. Need to think about whether this makes
  most sense in Ncrack, NSE, or both.

* Improve current scorpion logo on the Ncrack page. An SVG file would be best.

* SMB support will be quite a demanding and time-consuming task, but a
  lot of research on this protocol has already been conducted by
  Ron. Thus, a lot of our work can be based on his NSE scripts.

* Implement option to make Ncrack stop scanning after finding the
  first credential pair (there is such an option in Hydra). We should
  probably provide 2 different versions of the option. One would
  finish Ncrack after finding 1 password regardless of how many
  services it is cracking in parallel. The other would finish Ncrack
  after finding 1 password for every service it is cracking.
  We have
  two ways of doing this: either with a separate switch (e.g. -f and
  -F) or using the already existing module option subsystem (-m, -g,
  per-host e.g. $ ncrack 127.0.0.1:22,f=yes). [We decided on -f to mean
  "quit each service after one credential found" and -f -f for "quit
  after any credential is found on any service".]

* Find a way to parse a 'blank' password from the command-line (--pass option).

* We also should find a special way for treating the 'blank' password.
  We decided to treat it the same way as Nmap: use a blank line in the
  file as the designator for a blank password.

* Improve the font on the current Ncrack page logo so it isn't so
  lumpy (it's been resized or something, which is causing the problem).

* Discuss with nmap-dev about making and distributing an oN2oX converter
  (Nmap Normal to XML output) so that we drop support for the -iN option (which
  seems to change at times) and instead focus on improving the -iX option.
  The converter program could be in Python (more likely) or Perl and be
  maintained as a common shared package between Ncrack and Nmap.
  ---> For now we will try keeping up-to-date with Nmap's -oN format.

* We should probably put an Ncrack logo atop the Ncrack page
  (http://nmap.org/ncrack/). For example, look at the Nping page at
  http://nmap.org/nping/.

* Make a CHANGELOG showing the differences between 0.01ALPHA and 0.2ALPHA

* Make 0.2ALPHA release
  o Build Windows, Mac, Source packages
  o Ask David for help with Mac
  o Update web site
  o Send to nmap-dev for testing

* Do a valgrind memory leak and bug audit for all the modules
  (ssh almost done, remaining: ftp, http, pop3, telnet).
  There are still some minor/trivial errors reported by valgrind, but most
  of them are 'possibly lost' memory leaks related to Nsock, and others are in
  libcrypto (to which we don't have any access and which we surely don't want
  to patch manually).

* Windows Ncrack testing -- for example see
  http://seclists.org/nmap-dev/2010/q2/435

* Make free (misc_info) handlers for HTTP protocol.

* Add --disable-pcap option to Nsock so that Ncrack and Nmap may share the
  exact same Nsock version all the time.

* Fix potentially big memory leak. See this thread:
  http://seclists.org/nmap-dev/2010/q1/1140
  o Note, Fyodor can reproduce it scanning against localhost ssh with
    openssh-server-5.2p1-6.fc11.x86_64 on Fedora Core 11 x86_64
  -- Already partially fixed one generic memory leak.

* Update Ncrack License Terms (for year 2010)

* Fully update man page to document the latest version of Ncrack. For
  example, the --user, --pass and --resume options aren't mentioned at
  all.

* Fix configure issue where ./configure is initially run twice instead of
  just once. This happens for every library (nbase, nsock, opensshlib). Seems to
  be related to an old issue. (See below)
  --> Problem was that I had put two separate AC_OUTPUT directives: one for
  modules, AC_OUTPUT(modules/Makefile), and AC_OUTPUT(Makefile) for the central
  one. This made autoconf create, for some reason, 2 different
  CONFIG_SUBDIRS in the configure script. Solution was writing
  AC_OUTPUT(modules/Makefile Makefile).

* In verbose mode it should tell when a service completes (note that
  in some cases a "completion" is really a failure, for example
  "scanme.nmap.org 22")

* Provide a compact and clean way of providing additional information
  (like the credential pairs found so far) in the interactive status
  message.
  - We may have a key users can press at any time, like 'p' for
    passwords, to show the currently discovered credential list.
    Should probably use the same format Ncrack uses to print all the
    credentials at the end of its run. The normal interactive status
    message should probably say something like "press 'p' to list
    discovered passwords" if at least one valid credential has been
    discovered.
  - May warrant nmap-dev discussion

* Add some real-life examples to the ncrack -h output.

* Add to ncrack -h and maybe -V output a list of the modules
  supported.

* Make sure the -v option parsing works well. Right now, we get:
    ./ncrack -v -P lists/top50000.pwd localhost:22 scanme.nmap.org:22
    Invalid argument to -v: "-P".
    QUITTING!

* Integrate part of recently leaked hotmail passwords into Ncrack's password
  database.

* Fix -oN importer to work with new Nmap output format

* Integrate nmap's new password lists.

* Solve bug that sometimes causes http module to report as the password
  found the one immediately following the real password found. [This seems
  to be OK since the last changes, but we need to be careful in case it
  comes up again]

* Find a generic way to fix memory leaks of Connection's void *misc_info.
  The problem is that we want a way so that the Connection class destructor can
  remove any dynamically-allocated member without knowing about the inner
  structure of them (they can be cast to anything since they are void * and
  each module casts it as a completely unique struct).

* Add --resume support

* Integrate Solar Designer's list into Ncrack.
  --> Has been added as a separate file, but we are waiting for the
  frequency file to merge the best passwords into our default.pwd. We
  could always merge it in an equally balanced way by using the same
  frequencies for our current default list and for SD's, and merge them.
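The -v parsing failure quoted above ("Invalid argument to -v: "-P"") is the classic optional-argument mistake: the parser grabbed the next token as -v's value without checking that it was not itself an option. The following is an added example, not Ncrack's own option parser, showing a -v handler that never consumes a token beginning with '-'. Accepting -v, -vv, -vN and "-v N" is an assumption made for the example; which of these forms Ncrack itself accepts is not stated here.

```cpp
// Added example, not Ncrack's option parser: a -v handler that fixes the
// failure quoted above. A token beginning with '-' is never consumed as -v's
// argument. The accepted forms (-v, -vv, -vN, "-v N") are assumed.
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

struct CliOptions {
  int verbosity = 0;
  std::vector<std::string> rest;  // tokens left for the other option handlers
  std::string error;              // non-empty if parsing failed
};

static bool all_digits(const std::string &s) {
  if (s.empty()) return false;
  for (char c : s)
    if (!std::isdigit(static_cast<unsigned char>(c))) return false;
  return true;
}

CliOptions parse_verbosity(const std::vector<std::string> &args) {
  CliOptions o;
  for (size_t i = 0; i < args.size(); ++i) {
    const std::string &a = args[i];
    if (a.size() < 2 || a[0] != '-' || a[1] != 'v') {
      o.rest.push_back(a);  // not a -v form; leave it for someone else
      continue;
    }
    std::string tail = a.substr(2);
    if (tail.empty()) {
      // Bare -v: take the next token as a level only if it is a plain number.
      // "-P", "localhost:22" and the like stay with the rest of the command line.
      if (i + 1 < args.size() && all_digits(args[i + 1])) {
        o.verbosity = std::atoi(args[i + 1].c_str());
        ++i;
      } else {
        o.verbosity += 1;
      }
    } else if (all_digits(tail)) {
      o.verbosity = std::atoi(tail.c_str());            // -v3
    } else if (tail.find_first_not_of('v') == std::string::npos) {
      o.verbosity += 1 + static_cast<int>(tail.size()); // -vv, -vvv
    } else {
      o.error = "Invalid argument to -v: \"" + tail + "\"";
      return o;
    }
  }
  return o;
}
```

The same rule is what getopt implements for an optional argument ("v::" in the option string): the value is only recognised when it is attached to the flag, so a separate "-P" can never be swallowed.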
* We may also need to increase the maximum number of half-open connections in
  Windows: see http://half-open.com/home_en.htm - We could do this by asking the
  user during Ncrack setup if he wants to update the system's imposed limit - if
  he doesn't want to accept the change, then he will possibly suffer a
  performance degradation.
  --> This is way too intrusive and Ncrack isn't really impeded by it.

* Implement option that lets user specify the usernames and passwords directly
  in the command-line, like -u guest,test etc.

* Improve -iX parser to handle more of XML, particularly newlines.

* Await reply from Microsoft for Windows Firewall RFC deviation:
  http://seclists.org/nmap-dev/2009/q2/0774.html
  http://seclists.org/nmap-dev/2009/q2/0780.html
  https://connect.microsoft.com/WNDP/feedback/ViewFeedback.aspx?FeedbackID=470990
  ------> It seems the Microsoft guys found the thing not reproducible, but they
  must have tested it under XP SP2 whereas the behaviour seems to be occurring
  only in SP3. I have mentioned that in a comment but they probably won't see
  that again, so perhaps I might have to resubmit the issue.
  ------> I have resubmitted the bug, pointing out now that it only applies
  to XP SP3:
  https://connect.microsoft.com/WNDP/feedback/ViewFeedback.aspx?FeedbackID=479640
  Microsoft responded - but according to those guys, this behaviour isn't
  exhibited in a clean installation. Ongoing discussion on this one.
  It seems they marked that bug as not reproducible finally.

* Implement feature that can get input from Nmap's output files, to determine
  which services to crack. Both -oN and -oX should be supported. Optionally,
  some additional info could be extracted from version detection, if available,
  to handle specific corner cases with certain servers.

* Test more thoroughly the windows version of ncrack.
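The earlier TODO item about extending Buf() so that data can be pushed and popped in layers (leaving a gap and filling it in later) is easiest to see on the case that motivates it: a length prefix whose value is only known once the payload after it has been appended. The following is an added example, not Ncrack's Buf class and not derived from OpenSSH's buffer.c; the class name LayerBuf and its methods are invented for illustration.

```cpp
// Added example, not Ncrack's Buf class: a buffer that can reserve a slot and
// fill it in later, and that stacks such slots as layers. Names are invented.
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

class LayerBuf {
 public:
  // Plain append, as the existing Buf already allows.
  void put_bytes(const std::string &s) { buf_.insert(buf_.end(), s.begin(), s.end()); }
  void put_u8(uint8_t b) { buf_.push_back(b); }

  // Leave `n` zero bytes and return their offset so they can be filled later.
  size_t reserve(size_t n) {
    size_t off = buf_.size();
    buf_.resize(off + n, 0);
    return off;
  }

  // Write a big-endian u32 into a previously reserved slot.
  void fill_u32be(size_t off, uint32_t v) {
    if (off + 4 > buf_.size()) throw std::out_of_range("fill outside buffer");
    for (int i = 0; i < 4; ++i)
      buf_[off + i] = static_cast<unsigned char>((v >> (8 * (3 - i))) & 0xffu);
  }

  // Open a layer: reserve a 4-byte length prefix and remember where it is.
  void push_layer() { stack_.push_back(reserve(4)); }

  // Close the innermost layer: its length is everything appended after the
  // prefix, nested layers included.
  void pop_layer() {
    if (stack_.empty()) throw std::logic_error("pop_layer without push_layer");
    size_t off = stack_.back();
    stack_.pop_back();
    fill_u32be(off, static_cast<uint32_t>(buf_.size() - off - 4));
  }

  size_t open_layers() const { return stack_.size(); }
  const std::vector<unsigned char> &data() const { return buf_; }

 private:
  std::vector<unsigned char> buf_;
  std::vector<size_t> stack_;
};

// Build a two-level frame: outer { "ab", inner { "xyz" } }.
// Expected bytes: 00 00 00 09 'a' 'b' 00 00 00 03 'x' 'y' 'z'
std::vector<unsigned char> build_nested_frame() {
  LayerBuf b;
  b.push_layer();
  b.put_bytes("ab");
  b.push_layer();
  b.put_bytes("xyz");
  b.pop_layer();
  b.pop_layer();
  return b.data();
}

// Returns true if popping with no open layer is rejected.
bool pop_without_push_is_rejected() {
  LayerBuf b;
  try {
    b.pop_layer();
  } catch (const std::logic_error &) {
    return true;
  }
  return false;
}
```

Because pop_layer computes the length from the current end of the buffer, nested layers come out right without the caller tracking any sizes; an unbalanced pop is refused rather than overwriting bytes that belong to an outer layer.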
* Add IPv6 support

* Search for good username and password lists, or find ways to
  generate them (e.g. web scraping for email addresses or account
  names or whatever). Usernames seem like a relatively easy problem,
  while password lists are more difficult to come by.
  * Assembled a lot of lists. Now need to sort them out.

* Possibly adapt Nmap license headers to Ncrack specifically.
  --> This has been halted for a while, until a unified solution for all
  Nmap tools is found.

* Documentation: write the man page (in Docbook XML, at least for the
  final version)

* Test buffering cases for all modules, when for example we need to search for
  certain patterns but the pattern is split in 2 separate packets due to a
  small window.
  ---> SSH already does that by using the ssh_loop_read function and I have
  already added the Buf class (derived from buffer.c of OpenSSH) that can be
  used to append the replies from each protocol. Now I only need to adapt the
  FTP and TELNET modules to use that instead of the con->buf thing.
  All modules have now been replaced to use the Buf class.

* On a brand-new checkout, configure seems to be running 2 times for the
  libraries nbase and nsock - one time in the beginning of calling ./configure
  and a second time after typing make. Why does this happen? In addition, there
  seems to be a problem when changing the order of linking - if nbase comes
  first and nsock comes second, linking problems between the two arise. However,
  nmap has them in that order without any problems.
  This problem seems to have been automagically solved.

* For future reference on modules like http: consider saving state information
  like the http parsing that needs to be done only 1 time per host inside the
  service, so that future connections can refer to that instead of having to
  redo that work. That will probably add to the speed.
  State information is already used by nearly all modules.

* Make Ncrack packaging - a source tarball for *nix and a Windows installer.

* Fix the false positive/false negative issues we've been seeing
  when scanning over the Internet with the http module.

* Add ssl support (through nsock).

* Implement Service timeout, where the user imposes a certain timeout
  after which the service is marked as finished regardless of the progress
  so far.

* Refine interactive Status Report to print an estimate of the time left.

* Change Ncrack's build system so that whenever ssl isn't found on the system,
  the ssh module isn't included/compiled, since it (the underlying
  opensshlib, actually) requires it in order to work.

* Add output info when Ncrack finishes, the way Nmap does it.
  Also -v should print additional info like how many connections were
  initiated etc.
  Example from Nmap:
  (verbose)
  Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
             Raw packets sent: 1000 (44.000KB) | Rcvd: 2010 (84.440KB)
  (normal)
  Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

* Refine core engine.

* Code ssh module

* Test telnet module, thoroughly

* Port Ncrack to Windows

* Complete ncrack callback handlers documentation.

* Appended Nmap license headers to each ncrack file.

* Handle case when connection limit is more than the total passwords/usernames
  in list

* Implement on-the-fly 'Status Report' within interactive Ncrack output.

* Code output.cc and -oN option.

* Implement interactive Ncrack output.

* Implement queueing mechanism for ServiceGroup lists.

* Studied SSH RFCs.