Re: Ncrack HTTP Auth Success Detection

[Daniel Miller <bonsaiviking () gmail com>]

Joe,

Ncrack is not under active development at the moment. You are more than
welcome to check out the source code and try to find a fix, but I think
you'll have better luck with Nmap's http-brute NSE script (
http://nmap.org/nsedoc/scripts/http-brute.html). Since it is written in
Lua, it is easier to make incremental changes if necessary, though it ought
to Just Work.

Dan


On Wed, Jun 11, 2014 at 4:58 AM, Joe Savage <joe () reinterpretcast com> wrote:

> Hey,
>
> I've been using ncrack's HTTP module to bruteforce some HTTP Basic
> Authentication with a simple password dictionary, so I'm using a command
> such as the following:
>
> `ncrack --user username -P wordlist.txt http://domain.tld:port
> ,path=/path/`
>
> The issue I'm having is that ncrack doesn't seem to be able to detect
> differences between password successes and failures - listing all the
> attempted user/pass combinations after the attack - as the server returns
> messages in both cases (one indicating failure, and the other being the
> password protected page). I know the message returned in cases of failure,
> but is there any way I can make ncrack aware of this so it can only output
> any password successes to me?
>
> I feel like I must be missing some obvious piece of functionality or
> something here, as the way I'm using the tool at current means I can
> get literally no use out of the HTTP module.
>
> Any help or advice would be appreciated. Thanks.
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/