hack3rs.ca network-security

Ncrack

Network authentication auditing

Ncrack audits authentication controls on network services in authorized environments — testing for weak and default credentials, validating account lockout behavior, and confirming that failed login attempts generate the alerts they should.

how-to-learn-this-tool-like-a-defender

Work through the stages in order. Each one builds on the previous. Skipping straight to 'run a command' without knowing what the output means is how analysts end up misreading evidence under pressure.

  • $Name the specific question this tool answers — and one question it cannot answer alone.
  • $Run the simplest command in a lab against a host you control; read every field in the output before moving on.
  • $Identify which output fields are direct evidence and which are inferences the tool made on your behalf.
  • $Pull a second source — a log, a PCAP, a SIEM event — that either confirms or contradicts what the tool reported.
  • $Write down the exact command you ran, what you expected, what you got, and what you are doing next.

preflight-checklist-before-using-tool

  • $Confirm in writing: who authorized this, what hosts are in scope, and what the maximum acceptable impact is.
  • $State the question you are trying to answer — not 'run the tool' but 'confirm whether port 443 is open on 10.10.20.15'.
  • $Name the second source you will use if the tool output is ambiguous (log, PCAP, CMDB, another tool).
  • $Record the start time, the host or interface you ran it on, and the exact command — enough for another analyst to reproduce it.
  • $Know what normal output looks like for this host before you run anything in anger.

how-experts-read-output

  • $Field recognition: identify the two or three fields that directly answer your question and ignore the rest for now.
  • $Scope check: confirm the output covers the host, interface, and time window you intended — not a cached or adjacent result.
  • $Evidence type: is this a direct observation (packet captured, port open) or an inference the tool made (service guessed from banner)?
  • $Correlation: name the one other source — a log line, a PCAP stream, a CMDB entry — that would confirm or contradict this.
  • $Decision: close the question, escalate with evidence, refine the scope, or collect another source — pick one and do it.

ethical-use-and-defense-scope

Run Ncrack only for authorized authentication auditing with explicit scope, named owner approval, and a clear plan for rate limits and lockout impact. Unauthorized login testing is not a gray area.

Credential testing can lock out accounts and generate alerts that trigger real incident response activity. Coordinate with identity, helpdesk, and service owners before testing anything in production.

The defensive goal is control validation: does lockout work, does monitoring see it, are weak credentials present. Document tested accounts, test windows, rate settings, and outcomes so the exercise is auditable.

tool-history-origin-and-purpose

  • $When created: Developed by the Nmap project in the late 2000s; early public releases appeared around 2009.
  • $Why it was created: Defenders and auditors needed a focused tool for validating weak/default credentials and authentication exposure on network services using repeatable workflows.

Ncrack was created within the Nmap ecosystem to provide a high-speed network authentication auditing tool for testing credentials against services in authorized security assessments.

why-defenders-still-use-it

Defenders use Ncrack in tightly scoped, authorized labs or audits to test password policy exposure, validate account lockout behavior, and prove the impact of weak credentials on services such as SSH, RDP, FTP, and web auth endpoints.

How the tool evolved
  • +Built as a specialized complement to Nmap discovery and enumeration workflows.
  • +Used most effectively in controlled, rate-limited, owner-approved validation scenarios.
  • +Serves as a strong teaching tool for credential controls, lockouts, and monitoring requirements.

when-this-tool-is-a-good-fit

  • +Authorized weak and default credential testing on exposed SSH, RDP, FTP, and HTTP auth services.
  • +Validation that account lockout triggers at the configured threshold and that monitoring sees it.
  • +Post-remediation testing after password policy or service hardening changes take effect.
  • +Training labs on authentication hygiene, lockout behavior, and failed-login detection.

when-to-use-another-tool-or-source

  • !When you need host process/user context, pair with endpoint or OS logs.
  • !When you need ownership and business impact, pair with CMDB/ticketing/asset context.
  • !When the tool output is ambiguous, validate using a second evidence source before concluding.
  • !When production risk is high, test in a lab first and use change coordination.

1. What Ncrack Solves for Defenders

Policy documents say lockout is enabled. Ncrack tells you whether lockout actually triggers at the configured threshold, whether service accounts are exempt, and whether the failed login attempts show up in SIEM alerts. Those are different questions, and the answers are often different from what the policy says.

It also answers whether exposed services are running with weak or default credentials that a real attacker would try first. That is a control gap worth finding before the attacker does.

Use Ncrack after Nmap. Discover which services are exposed on which hosts, then scope credential testing tightly to the services and account types that the audit plan covers.

2. Scope, Rate, and Lockout Safety

Before running any test, find out the lockout threshold, the reset timer, and who owns the accounts in scope. A technically correct test that locks a shared service account at 9 a.m. on a Monday is still an operational failure.

Use a small, controlled account set, an approved credential list, and explicit rate limits. In most defensive contexts, the goal is to confirm that controls trigger — not to maximize the number of attempts in the shortest possible time.

Write down stop conditions before you start: service instability, unexpected lockout patterns, or signs that scope is wider than intended. Having documented abort criteria is what separates a disciplined audit from one that causes damage.

3. Interpreting Results Like a Defender

A successful login test is a control failure that needs immediate remediation. A failed test — where nothing was cracked — is not proof of safety. Check whether lockout triggered, whether monitoring logged the attempts, whether MFA is enforced, and whether alternate auth paths exist.

Write up the control story, not just the pass/fail count: which account types were tested, what was detected, what was blocked, and what the logs did not show. That narrative produces better remediation than a simple credential list.

Correlate Ncrack results with service logs, domain controller events, VPN logs, and SIEM. The audit should improve both the detection and the prevention side of credential security.
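
The correlation step above, as an added example (not code from the original page or from the Ncrack project): it reads sshd password-auth lines for the test window and classifies each tested account by what the log actually shows. The test source address, window, year, lockout threshold and the accounts other than admin are assumptions; log lines marked constructed are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd password-auth results as written to /var/log/auth.log (syslog format).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Lines 1-5 come from the page's sample output; lines 6-9 are constructed.
SAMPLE_LOG = """\
Mar 17 10:12:01 lab-host sshd[2341]: Accepted publickey for analyst from 10.0.0.5 port 54321
Mar 17 10:28:01 lab-host sshd[4521]: Failed password for admin from 10.10.20.1 port 54321
Mar 17 10:28:02 lab-host sshd[4521]: Failed password for admin from 10.10.20.1 port 54322
Mar 17 10:28:03 lab-host sshd[4521]: Failed password for admin from 10.10.20.1 port 54323
Mar 17 10:28:05 lab-host sshd[4521]: Accepted password for admin from 10.10.20.1 port 54324
Mar 17 10:29:10 lab-host sshd[4530]: Failed password for invalid user backup from 10.10.20.1 port 54330
Mar 17 10:29:12 lab-host sshd[4530]: Failed password for invalid user backup from 10.10.20.1 port 54331
Mar 17 10:30:00 lab-host sshd[4540]: Failed password for svc-deploy from 10.0.0.99 port 40000
Mar 17 11:05:40 lab-host sshd[4610]: Failed password for admin from 10.10.20.1 port 54400
""".splitlines()


def parse_events(lines, year):
    """Return (time, user, source, result) tuples for password logins, by time."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies it.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["user"], m["src"], m["result"]))
    # Stable sort on time only, so same-second lines keep their log order.
    return sorted(events, key=lambda e: e[0])


def lockout_verdicts(lines, accounts, test_src, start, end, threshold):
    """Classify each tested account from log lines inside the test window.

    ACCEPTED_AFTER_THRESHOLD  login succeeded after >= threshold failures:
                              lockout did not stop it.
    ACCEPTED_BELOW_THRESHOLD  weak credential; lockout was never exercised.
    FAILURES_ONLY             attempts were logged; lock state still needs
                              confirming from the identity side.
    NO_LOG_EVIDENCE           account was tested but nothing was logged.
    """
    seen = defaultdict(list)
    for when, user, src, result in parse_events(lines, start.year):
        if src == test_src and start <= when <= end:
            seen[user].append(result)

    verdicts = {}
    for user in accounts:
        failures, verdict = 0, "FAILURES_ONLY"
        for result in seen.get(user, []):
            if result == "Failed":
                failures += 1
                continue
            verdict = ("ACCEPTED_AFTER_THRESHOLD" if failures >= threshold
                       else "ACCEPTED_BELOW_THRESHOLD")
            break
        if user not in seen:
            verdict = "NO_LOG_EVIDENCE"
        verdicts[user] = (verdict, failures)
    return verdicts


if __name__ == "__main__":
    # Assumed test window and year; the page's sample lines carry no year.
    window = (datetime(2025, 3, 17, 10, 25), datetime(2025, 3, 17, 10, 40))
    result = lockout_verdicts(SAMPLE_LOG, ["admin", "backup", "svc-deploy"],
                              "10.10.20.1", *window, threshold=3)
    for user, (verdict, failures) in result.items():
        print(f"{user:12} {verdict:26} failures_before={failures}")
```
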

4. Training and Lab Use

Ncrack is useful in authentication training labs because it makes credential risk visible in real time. Learners can watch a weak password fall, observe a lockout trigger (or not), and compare what monitoring shows for a brute-force pattern versus a typo.

Build labs with multiple service types — SSH, RDP, FTP, HTTP auth — and set different policies per host. That variation forces students to read the specific context rather than assume uniform behavior across services.

End every lab session with the controls: stronger passwords, MFA, exposed service reduction, service account governance, and alert tuning. The credential test is the question; the controls are the answer.

scenario-teaching-playbooks

Work through each scenario step by step. The goal is to practice making decisions with the tool — not just executing commands — so the workflow becomes automatic before you need it under pressure.

1. Authorized weak and default credential testing on exposed SSH, RDP, FTP, and HTTP auth services.

Suggested starting block: Lab-Scoped Baseline Authentication Test

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

2. Validation that account lockout triggers at the configured threshold and that monitoring sees it.

Suggested starting block: Safer Workflow Controls And Logging

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

3. Post-remediation testing after password policy or service hardening changes take effect.

Suggested starting block: Remediation And Validation Tracking

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

4. Training labs on authentication hygiene, lockout behavior, and failed-login detection.

Suggested starting block: Lab-Scoped Baseline Authentication Test

  • $Write the question you need to answer and the exact hosts or segments you are authorized to inspect.
  • $Run the first command from the selected command block; note the timestamp and interface used.
  • $Read the output field by field — identify what the tool confirmed versus what it inferred.
  • $Check a second source (host log, SIEM alert, PCAP, ticket, or CMDB record) that covers the same time window.
  • $Write one sentence stating your finding, your confidence level, and the next action.

cli-workflows

Lab-safe commands for authorized environments. Run each one, read the output, and note what field or value tells you something useful before moving to the next.

cli-walkthroughs-with-expected-output

One command per block, with sample output. Study the output before you run the command yourself — you should recognize what you are looking at when it appears on your screen.

Lab-Scoped Baseline Authentication Test

Beginner
Command
ncrack -p ssh 10.10.20.15 -U users.txt -P passwords.txt --connection-limit 1
Example Output
Ncrack 0.7 ( http://ncrack.org )

Discovered credentials on ssh://10.10.20.15:22
  10.10.20.15 22/tcp ssh: 'admin' 'admin123'

Ncrack done: 1 service scanned in 15.23 seconds.
Probes sent: 25 | timed-out: 0 | prematurely-closed: 0

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Safer Workflow Controls And Logging

Intermediate
Command
mkdir -p auth-audit/{scope,logs,notes}
Example Output
# no output — directory created successfully

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

Remediation And Validation Tracking

Advanced
Command
printf "finding,control,owner,status,validation_date\n" > auth-audit/notes/remediation.csv
Example Output
# no output: the header row is redirected into auth-audit/notes/remediation.csv

$ how to read it: Read the key fields — host, port, protocol, state — then ask whether the output answers the question you started with. If it raises a new question instead, collect a second source before drawing a conclusion.

command-anatomy-and-expert-usage

Each card explains what the command is for, what can go wrong, and what the output means. Syntax is easy to look up; knowing which command to reach for — and what to ignore in the output — is the skill worth building.

Lab-Scoped Baseline Authentication Test

Beginner
Command
ncrack -p ssh 10.10.20.15 -U users.txt -P passwords.txt --connection-limit 1
Command Anatomy
  • $Base command: ncrack
  • $Primary arguments/options: -p ssh 10.10.20.15 -U users.txt
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Sample output and interpretation notes
Ncrack 0.7 ( http://ncrack.org )

Discovered credentials on ssh://10.10.20.15:22
  10.10.20.15 22/tcp ssh: 'admin' 'admin123'

Ncrack done: 1 service scanned in 15.23 seconds.
Probes sent: 25 | timed-out: 0 | prematurely-closed: 0

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Lab-Scoped Baseline Authentication Test

Beginner
Command
ncrack -p rdp 10.10.20.20 -U users.txt -P passwords.txt --connection-limit 1
Command Anatomy
  • $Base command: ncrack
  • $Primary arguments/options: -p rdp 10.10.20.20 -U users.txt
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
Ncrack 0.7 ( http://ncrack.org )

Starting rdp://10.10.20.20:3389
Status: at 0:00:05; 5/50 tested
No credentials found. (Accounts meet lockout policy requirements.)
Ncrack done: 1 service scanned in 45.10 seconds.

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Lab-Scoped Baseline Authentication Test

Beginner
Command
ncrack -p ftp 10.10.20.25 -U users.txt -P passwords.txt --user admin
Command Anatomy
  • $Base command: ncrack
  • $Primary arguments/options: -p ftp 10.10.20.25 -U users.txt
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Sample output and interpretation notes
Ncrack 0.7 ( http://ncrack.org )

Discovered credentials on ftp://10.10.20.25:21
  10.10.20.25 21/tcp ftp: 'admin' 'password'

Ncrack done: 1 service scanned in 12.05 seconds.

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Safer Workflow Controls And Logging

Intermediate
Command
mkdir -p auth-audit/{scope,logs,notes}
Command Anatomy
  • $Base command: mkdir
  • $Primary arguments/options: -p auth-audit/{scope,logs,notes}
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Sample output and interpretation notes
# no output — directory created successfully

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Safer Workflow Controls And Logging

Intermediate
Command
printf "service,target,account_set,rate,window,owner\n" > auth-audit/scope/plan.csv
Command Anatomy
  • $Base command: printf
  • $Primary arguments/options: "service,target,account_set,rate,window,owner\n" > auth-audit/scope/plan.csv
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
# no output: the header row is redirected into auth-audit/scope/plan.csv

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Safer Workflow Controls And Logging

Intermediate
Command
journalctl --since "-15 min" | tail -n 80
Command Anatomy
  • $Base command: journalctl
  • $Primary arguments/options: --since "-15 min" | tail
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
Mar 17 10:12:01 lab-host sshd[2341]: Accepted publickey for analyst from 10.0.0.5 port 54321
Mar 17 10:12:44 lab-host sudo[2345]: analyst : TTY=pts/0 ; COMMAND=/usr/bin/systemctl status
Mar 17 10:14:03 lab-host systemd[1]: Started Session 4 of user analyst.
Mar 17 10:15:19 lab-host kernel: [UFW ALLOW] IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP DPT=443

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Safer Workflow Controls And Logging

Intermediate
Command
grep -i "failed\|auth" /var/log/auth.log | tail -n 40 || true
Command Anatomy
  • $Base command: grep
  • $Primary arguments/options: -i "failed\|auth" /var/log/auth.log | tail
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Quick evidence extraction from logs or command output.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Sample output and interpretation notes
Mar 17 10:28:01 lab-host sshd[4521]: Failed password for admin from 10.10.20.1 port 54321
Mar 17 10:28:02 lab-host sshd[4521]: Failed password for admin from 10.10.20.1 port 54322
Mar 17 10:28:03 lab-host sshd[4521]: Failed password for admin from 10.10.20.1 port 54323
Mar 17 10:28:05 lab-host sshd[4521]: Accepted password for admin from 10.10.20.1 port 54324

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Remediation And Validation Tracking

Advanced
Command
printf "finding,control,owner,status,validation_date\n" > auth-audit/notes/remediation.csv
Command Anatomy
  • $Base command: printf
  • $Primary arguments/options: "finding,control,owner,status,validation_date\n" > auth-audit/notes/remediation.csv
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Baseline command: learn what normal output looks like.

Sample output and interpretation notes
# no output: the header row is redirected into auth-audit/notes/remediation.csv

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Remediation And Validation Tracking

Advanced
Command
column -s, -t auth-audit/notes/remediation.csv
Command Anatomy
  • $Base command: column
  • $Primary arguments/options: -s, -t auth-audit/notes/remediation.csv
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Collect, validate, or document evidence in a defensive workflow.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Intermediate step: refine scope or extract more useful evidence.

Sample output and interpretation notes
finding  control  owner  status  validation_date

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Remediation And Validation Tracking

Advanced
Command
nmap -sV -p 22,3389,21 10.10.20.15 10.10.20.20 10.10.20.25
Command Anatomy
  • $Base command: nmap
  • $Primary arguments/options: -sV -p 22,3389,21 10.10.20.15 10.10.20.20
  • $Operator goal: know what answer you expect before you run it; if the output surprises you, investigate before concluding.
Use And Risk

$ intent: Discovery, reachability testing, or service/version validation.

$ risk: Review command impact before running; validate in lab first if uncertain.

$ learning focus: Advanced step: use after baseline and validation are understood.

Sample output and interpretation notes
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.20.15
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2
Nmap scan report for 10.10.20.20
PORT     STATE SERVICE  VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Nmap scan report for 10.10.20.25
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5

$ expert reading pattern: Check that the scope matches what you intended, pick out the two or three fields that answer your question, then find one other source that confirms before you act.

Lab-Scoped Baseline Authentication Test

ncrack -p ssh 10.10.20.15 -U users.txt -P passwords.txt --connection-limit 1
ncrack -p rdp 10.10.20.20 -U users.txt -P passwords.txt --connection-limit 1
ncrack -p ftp 10.10.20.25 -U users.txt -P passwords.txt --user admin

Safer Workflow Controls And Logging

mkdir -p auth-audit/{scope,logs,notes}
printf "service,target,account_set,rate,window,owner\n" > auth-audit/scope/plan.csv
journalctl --since "-15 min" | tail -n 80
grep -i "failed\|auth" /var/log/auth.log | tail -n 40 || true

Remediation And Validation Tracking

printf "finding,control,owner,status,validation_date\n" > auth-audit/notes/remediation.csv
column -s, -t auth-audit/notes/remediation.csv
nmap -sV -p 22,3389,21 10.10.20.15 10.10.20.20 10.10.20.25
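
One way to carry findings from the Ncrack output into the remediation tracker, as an added example (not code from the original page or from the Ncrack project): it parses the credential lines shown in the page's sample output, joins them to plan.csv to fill in the owner, flags any target that is not in the plan, and never writes the password to the tracker. The plan rows, owner names and status/control wording are assumptions.

```python
import csv
import io
import re

# Credential line in Ncrack's normal output, as shown in the page's samples:
#   10.10.20.15 22/tcp ssh: 'admin' 'admin123'
CRED_RE = re.compile(
    r"^\s*(?P<host>\S+) (?P<port>\d+)/tcp (?P<service>\S+): "
    r"'(?P<user>.*?)' '(?P<secret>.*)'\s*$"
)

# Column order from the page's remediation.csv header.
FIELDS = ["finding", "control", "owner", "status", "validation_date"]

# The page's ssh and ftp sample results, combined into one output.
NCRACK_OUTPUT = """\
Ncrack 0.7 ( http://ncrack.org )

Discovered credentials on ssh://10.10.20.15:22
  10.10.20.15 22/tcp ssh: 'admin' 'admin123'
Discovered credentials on ftp://10.10.20.25:21
  10.10.20.25 21/tcp ftp: 'admin' 'password'
"""

# Constructed plan.csv: header from the page, rows made up. The ftp target
# is left out on purpose to show the out-of-plan case.
PLAN_CSV = """\
service,target,account_set,rate,window,owner
ssh,10.10.20.15,lab-admins,1,10:25-10:40,platform-team
rdp,10.10.20.20,lab-admins,1,10:45-11:00,desktop-team
"""


def remediation_rows(ncrack_output, plan_csv):
    """Build tracker rows from discovered-credential lines, minus the secret."""
    owners = {(row["service"], row["target"]): row["owner"]
              for row in csv.DictReader(io.StringIO(plan_csv))}
    rows = []
    for line in ncrack_output.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        key = (m["service"], m["host"])
        in_plan = key in owners
        rows.append({
            # Account and endpoint identify the finding; the secret is dropped.
            "finding": f"weak credential for '{m['user']}' on "
                       f"{m['service']}://{m['host']}:{m['port']}",
            "control": "rotate credential; verify lockout and failed-login alerting",
            "owner": owners[key] if in_plan else "UNASSIGNED",
            # A result for a target missing from the plan is a scope problem.
            "status": "open" if in_plan else "out-of-plan: confirm scope",
            "validation_date": "",
        })
    return rows


def to_csv(rows):
    """Render rows with the tracker's header, ready for remediation.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(remediation_rows(NCRACK_OUTPUT, PLAN_CSV)), end="")
```
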

defensive-use-cases

  • $Authorized weak and default credential testing on exposed SSH, RDP, FTP, and HTTP auth services.
  • $Validation that account lockout triggers at the configured threshold and that monitoring sees it.
  • $Post-remediation testing after password policy or service hardening changes take effect.
  • $Training labs on authentication hygiene, lockout behavior, and failed-login detection.

common-mistakes

  • $Starting without knowing the lockout threshold and causing avoidable account lockouts during business hours.
  • $Using a broad credential list when a small targeted set would validate the control just as well.
  • $Reporting only whether credentials were found and ignoring gaps in lockout and monitoring coverage.
  • $Running tests without explicit owner approval and a communicated schedule.

expert-habits-for-free-self-study

Free teaching resource. The loop that makes analysts better: ask a precise question, collect evidence, read it carefully, validate against a second source, document what you found, and repeat with a harder question.

  • $Pick the least disruptive command that can still answer the question — then run that one first.
  • $Before you look at output, write one sentence stating what you expect to see.
  • $Mark each output field as 'observed' or 'inferred by tool' before acting on it.
  • $Save the exact command with flags and target — not a paraphrase — so another analyst can run the same thing.
  • $During a quiet period, capture what normal output looks like from key hosts; store those samples where you can find them during an incident.
  • $When you escalate, include the command output, the timestamp, and one sentence on why it matters — not just 'looks suspicious'.

knowledge-check

  • ?What question is this tool best suited to answer first?
  • ?What permissions or scope approvals are needed before using it?
  • ?Which second evidence source should you pair with it for higher confidence?
  • ?What does normal output look like for your environment?

teaching-answer-guide

  • #Start from the tool’s role and the scenario you are investigating.
  • #Never rely on one tool alone for high-confidence incident decisions.
  • #Document normal output patterns during calm periods so anomalies are easier to spot.
  • #Prefer lab validation for new commands, rules, or scans before production use.

practice-plan

# Set up a lab with two services and different lockout configurations — one with lockout enabled, one without.
# Run a rate-limited test and document what triggered a lockout, what appeared in service logs, and what the SIEM showed.
# Correlate the Ncrack test window with auth logs and any SIEM alerts to see what detection coverage looks like.
# Write a short remediation plan: which credential changes, which MFA gaps, which monitoring improvements.