Ncrack
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.
To learn more about the Ncrack scanner itself visit Ncrack GitHub or Ncrack Website.
Ncrack Deployment & Configuration
Setup with custom files:
If you want to use your own files within the ncrack scan, you have to create a secret first:
Now we created a secret named "ncrack-lists". But before we can use the files, we have to install the ncrack ScanType:
This enables us now to refer to our files via /ncrack/<file>
in the scan.yaml.
For a full example on how to configure ncrack with your custom files against a ssh service, see the "dummy-ssh" example.
Basic setup (no files can be mounted):
The Ncrack ScanType can be deployed via helm:
Delete Ncrack ScanType:
Scanner Configuration
The following security scan configuration example are based on the Ncrack Documentation, please take a look at the original documentation for more configuration examples.
This options summary is printed when Ncrack is run with no arguments. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual.
Password encryption
Because Ncrack findings are very sensitive you probably don't want every secureCodeBox user to see them. In order to address this issue we provide an option that lets you encrypt found passwords with public key crypto. Just generate a key pair with openssl:
After you created the public key file you have to create a kubernetes secret from that file:
Now you only need to set the value encryptPasswords.existingSecret to the secrets name when installing the scanner
To decrypt a password from a finding use:
Chart Configuration
Key | Type | Default | Description |
---|---|---|---|
encryptPasswords.existingSecret | string | nil | secret name with a pem encoded rsa public key to encrypt identified passwords |
encryptPasswords.key | string | "public.key" | name of the property in the secret with the pem encoded rsa public key |
image.repository | string | "docker.io/securecodebox/scanner-ncrack" | Container Image to run the scan |
image.tag | string | nil | defaults to the charts appVersion |
parseJob.ttlSecondsAfterFinished | string | nil | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
parserImage.repository | string | "docker.io/securecodebox/parser-ncrack" | Parser image repository |
parserImage.tag | string | defaults to the charts version | Parser image tag |
scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
scannerJob.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
scannerJob.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
scannerJob.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scannerJob.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scannerJob.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
scannerJob.securityContext | object | {} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scannerJob.ttlSecondsAfterFinished | string | nil | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
๐ง The implementation is currently work-in-progress and still undergoing major changes. It'll be released here once it has stabilized.
Examples
dummy-ssh
In this example we execute an ncrack scan against the intentional vulnerable ssh service (dummy-ssh)
Initialize ncrack with lists and dummy-ssh
Before executing the scan, make sure to have dummy-ssh installed, and have the proper username & password lists:
After that you can execute the scan in this directory:
The scan should find credentials for username 'root' with password 'THEPASSWORDYOUCREATED'.
Troubleshooting:
- Make sure to leave a blank line at the end of each file used in the secret!
- If printf doesn't create new lines, try 'echo -e "..."'
- You can show your existing secrets with 'kubectl get secrets'
- Scan