<indexterm><primary>man page</primary><see>reference guide</see></indexterm>
<indexterm class="startofrange" id="man-ncrack1-indexterm">
<primary>reference guide (man page)</primary>
</indexterm>
<refentry id='man-ncrack1'>
<refmeta>
<refentrytitle>ncrack</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class="source">Ncrack</refmiscinfo>
<refmiscinfo class="manual">Ncrack Reference Guide</refmiscinfo>
</refmeta>
<refnamediv id='man-name'>
<refname>ncrack</refname>
<refpurpose>Network authentication cracking tool</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsynopsisdiv id="man-synopsis">
<cmdsynopsis sepchar=" ">
<command moreinfo="none">ncrack</command>
<arg choice="opt" rep="norepeat">
<replaceable>Options</replaceable>
</arg>
<arg choice="req" rep="norepeat">
<replaceable>target specification</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="man-description">
<title>Description</title>
<indexterm significance="normal"><primary>Ncrack</primary><secondary>
description of</secondary>
</indexterm>
<web>
<note>
<para>
This document describes the very latest version of
Ncrack available from <ulink url="http://nmap.org/ncrack"/>. Please
ensure you are using the latest version before reporting that a
feature doesn't work as described.
</para>
</note>
</web>
<para>
Ncrack is an open source tool for network authentication
cracking. It was designed for high-speed parallel cracking
using a dynamic engine that can adapt to different network
situations. Ncrack can also be extensively fine-tuned for
special cases, though the default parameters are generic enough
to cover almost every situation. It is built on a modular
architecture that allows for easy extension to support
additional protocols. Ncrack is designed for companies and
security professionals to audit large networks for default or
weak passwords in a rapid and reliable way. It can also be used
to conduct fairly sophisticated and intensive brute force
attacks against individual services.
</para>
<warning><para>Ncrack is a project started in the Summer of 2009. While it is already useful for some purposes, it is still unfinished, beta quality software. You can help out by testing it and reporting any problems as described in <xref linkend="man-bugs"/>.</para></warning>
<para>
The output from Ncrack is a list of found credentials, if any, for each
of the targets specified. Ncrack can also print an interactive status
report of progress so far and possibly additional debugging information
that can help track problems, if the user selected that option.
</para>
<para>
A typical Ncrack scan is shown in
<xref linkend="man-ex-repscan" xrefstyle="select: label nopage" />.
The only Ncrack arguments used in this example are the two target IP
addresses along with the corresponding ports for each of them. The
two example ports 21 and 22 are automatically resolved to the default
services listening on them: ftp and ssh.
</para>
<example id="man-ex-repscan"><title>A representative Ncrack scan</title>
<indexterm><primary><option>-v</option></primary><secondary>example of
</secondary></indexterm>
<screen>
$ ncrack 10.0.0.130:21 192.168.1.2:22
Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST
Discovered credentials for ftp on 10.0.0.130 21/tcp:
10.0.0.130 21/tcp ftp: admin hello1
Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
192.168.1.2 22/tcp ssh: admin money$
Ncrack done: 2 services scanned in 156.03 seconds.
Ncrack finished.
</screen>
</example>
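As an added example (not part of Ncrack), a small Python parser that turns credential lines in the format shown above into records an auditor can hand to the owning team, with the secret masked and a per-service count of the accounts that fell. It assumes usernames contain no spaces; the sample text is constructed from the scan above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the scan shown above; not a real capture.
SAMPLE_OUTPUT = """\
Starting Ncrack 0.6 ( http://ncrack.org ) at 2016-01-03 22:10 EEST
Discovered credentials for ftp on 10.0.0.130 21/tcp:
10.0.0.130 21/tcp ftp: admin hello1
Discovered credentials for ssh on 192.168.1.2 22/tcp:
192.168.1.2 22/tcp ssh: guest 12345
192.168.1.2 22/tcp ssh: admin money$
Ncrack done: 2 services scanned in 156.03 seconds.
Ncrack finished.
"""

# One credential line: "host port/proto service: user password".
# Assumption: the username has no spaces; the password is the whole remainder.
CRED_LINE = re.compile(
    r"^(?P<host>\S+) (?P<port>\d+)/(?P<proto>[a-z]+) (?P<service>\S+): "
    r"(?P<user>\S+) (?P<password>.+)$"
)
DONE_LINE = re.compile(
    r"^Ncrack done: (?P<services>\d+) services? scanned in (?P<secs>[\d.]+) seconds\.$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    user: str
    password: str

    def redacted(self):
        """Mask the secret so the record can go into a ticket or report."""
        return (f"{self.service}://{self.user}@{self.host}:{self.port} "
                f"password={self.password[0]}***")


def parse_output(text):
    """Return (findings, summary); summary is the 'Ncrack done' stats or None."""
    findings, summary = [], None
    for line in text.splitlines():
        m = CRED_LINE.match(line)
        if m:
            findings.append(Finding(m["host"], int(m["port"]), m["proto"],
                                    m["service"], m["user"], m["password"]))
            continue
        m = DONE_LINE.match(line)
        if m:
            summary = {"services": int(m["services"]), "seconds": float(m["secs"])}
    return findings, summary


def accounts_per_service(findings):
    """Count recovered accounts per (host, service, port) to prioritise fixes."""
    return Counter((f.host, f.service, f.port) for f in findings)
```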
</refsect1>
<para>
The latest version of Ncrack can be obtained from
<ulink url="http://nmap.org/ncrack" />. The latest version of this man page is
available at <ulink url="http://nmap.org/ncrack/man.html" />.
</para>
<refsect1 id='man-briefoptions'>
<title>Options Summary</title>
<para>
This options summary is printed when Ncrack is run with no arguments.
It helps people remember the most common options, but is no substitute
for the in-depth documentation in the rest of this manual.
</para>
<indexterm class="startofrange" id="ncrack-usage-indexterm">
<primary sortas="#">summary of options</primary>
</indexterm>
<indexterm class="startofrange" id="ncrack-usage-ncrack-indexterm">
<primary>command-line options</primary>
<secondary>of Ncrack</secondary>
</indexterm>
&ncrack-usage;
<indexterm class="endofrange" startref="ncrack-usage-ncrack-indexterm"/>
<indexterm class="endofrange" startref="ncrack-usage-indexterm"/>
</refsect1>
<refsect1 id="man-target-specification">
<title>Target Specification</title>
<indexterm significance="normal"><primary>target specification</primary>
</indexterm>
<para>
Everything on the Ncrack command-line that isn't an option (or an
option argument) is treated as a target host specification. The
simplest case is to specify a target IP address or a hostname. Note,
that you also need to specify a service to crack for the selected
targets. Ncrack is very flexible in host/service specification.
While hostnames and IP addresses can be defined with the flexibility
that you are probably used to from Nmap, services along with
service-specific options have a unique specification style that enables
a combination of features to be taken advantage of.
</para>
<para>
Sometimes you wish to crack a whole network of adjacent hosts.
For this, Ncrack supports CIDR-style <indexterm significance="normal">
<primary>CIDR (Classless Inter-Domain Routing)</primary></indexterm>
addressing. You can append /<replaceable>numbits</replaceable> to an
IPv4 address or hostname and Ncrack will try to crack every IP
address for which the first numbits are the same as for the
reference IP or hostname given. For example, 192.168.10.0/24 would
send probes to the 256 hosts between 192.168.10.0 (binary:
<literal moreinfo="none">11000000 10101000 00001010 00000000</literal>)
and 192.168.10.255 (binary:
<literal moreinfo="none">11000000 10101000 00001010 11111111</literal>),
inclusive. 192.168.10.40/24 would crack exactly the same targets.
Given that the host <literal moreinfo="none">scanme.nmap.org</literal>
<indexterm significance="normal"><primary>
<literal moreinfo="none">scanme.nmap.org</literal></primary></indexterm>
is at the IP address 64.13.134.52, the specification
scanme.nmap.org/16 would send probes to the 65,536 IP addresses
between 64.13.0.0 and 64.13.255.255. The smallest allowed value is
/0, which targets the whole Internet. The largest value is /32,
which targets just the named host or IP address because all address
bits are fixed.
</para>
<indexterm significance="normal"><primary>address ranges</primary>
</indexterm>
<para>
CIDR notation is short but not always flexible enough. For example,
you might want to send probes to 192.168.0.0/16 but skip any IPs
ending with .0 or .255 because they may be used as subnet network
and broadcast addresses. Ncrack supports this through octet range
addressing. Rather than specify a normal IP address, you can specify
a comma-separated list of numbers or ranges for each octet. For
example, 192.168.0-255.1-254 will skip all addresses in the range
that end in .0 or .255, and 192.168.3-5,7.1 will target the four
addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1.
Either side of a range may be omitted; the default values are 0 on
the left and 255 on the right. Using
<literal moreinfo="none">-</literal> by itself is the same as 0-255,
but remember to use 0- in the first octet so the target
specification doesn't look like a command-line option. Ranges need
not be limited to the final octets: a specifier such as
0-255.0-255.13.37 will send probes to all IP addresses on the Internet
ending in 13.37. This sort of broad sampling can be useful for
Internet surveys and research.
</para>
<para>
Ncrack accepts multiple host specifications on the command line,
and they don't need to be the same type. The command
<command moreinfo="none">ncrack scanme.nmap.org
192.168.0.0/8 10.0.0,1,3-7.- -p22</command> does what you would expect.
</para>
<para>
While targets are usually specified on the command lines, the
following options are also available to control target selection:
</para>
<variablelist>
<varlistentry>
<term>
<option>-iX <replaceable>inputfilename</replaceable></option>
(Input from Nmap's -oX XML output format)
<indexterm><primary><option>-iX</option></primary></indexterm>
<indexterm><primary>target specification</primary><secondary>
from Nmap XML</secondary></indexterm>
</term>
<listitem>
<para>Reads target/service specifications from an Nmap XML output
file.
The Nmap XML file is created by scanning any hosts and specifying
the Nmap <option>-oX</option> option. Ncrack will automatically
parse the IP addresses and the corresponding ports and services
that are <emphasis>open</emphasis> and will use these targets for
authentication auditing. This is a really useful option, since it
lets you essentially combine these two tools (Nmap and Ncrack)
to crack only those services that are known to be open. In addition,
if version detection has been enabled in Nmap
(<option>-sV</option> option), Ncrack will use
those findings to recognize and crack supported services that are
listening on non-default ports. For example, if a
host has a server listening on port 41414 and Nmap has
identified it as an SSH service, Ncrack will use that
information to crack it using the SSH module. Of course, Ncrack
ignores open ports/services that are not supported for
authentication cracking by its modules.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-iN <replaceable>inputfilename</replaceable></option>
(Input from Nmap's -oN Normal output format)
<indexterm><primary><option>-iN</option></primary></indexterm>
<indexterm><primary>target specification</primary><secondary>
from Nmap Normal</secondary></indexterm>
</term>
<listitem>
<para>Reads target/service specifications from an Nmap Normal output
file.
The Nmap Normal file is created by scanning any hosts and
specifying the Nmap <option>-oN</option> option. This works exactly
like Ncrack's <option>-iX</option> option, the only difference
being the format of the input file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-iL <replaceable>inputfilename</replaceable></option>
(Input from list)
<indexterm><primary><option>-iL</option></primary></indexterm>
<indexterm><primary>target specification</primary><secondary>
from list</secondary></indexterm>
</term>
<listitem>
<para>Reads target specifications from
<replaceable>inputfilename</replaceable>. Passing a huge
list of hosts is often awkward on the command line, yet it
is a common desire. For example, you might want to crack
a list of very specific servers that have been specified for
penetration testing. Simply generate the list
of hosts to crack and pass that filename to Ncrack as an
argument to the <option>-iL</option> option. Entries can be
in any of the formats accepted by Ncrack on the command line
(IP address, hostname, CIDR, octet ranges or Ncrack's special
host-service syntax). Each
entry must be separated by one or more spaces, tabs, or
newlines. You can specify a hyphen (<literal>-</literal>)
as the filename if you want Ncrack to read hosts from standard
input rather than an actual file. Note, however, that if hosts
are specified without any service, you will have to also provide
services/ports for the targets using the <option>-p</option>
option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--exclude
<replaceable>host1</replaceable><optional>,
<replaceable>host2</replaceable><optional>,
...</optional></optional></option> (Exclude hosts/networks)
<indexterm significance="preferred"><primary><option>--exclude
</option></primary></indexterm>
<indexterm><primary>excluding targets</primary></indexterm>
</term>
<listitem>
<para>Specifies a comma-separated list of targets to be
excluded from the scan even if they are part of the overall
network range you specify. The list you pass in uses normal
Ncrack syntax, so it can include hostnames, CIDR netblocks,
octet ranges, etc. This can be useful when the network you
wish to scan includes untouchable mission-critical servers,
systems that are known to react adversely to heavy load,
or subnets administered by other people.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--excludefile <replaceable>exclude_file</replaceable>
</option> (Exclude list from file)
<indexterm significance="preferred"><primary><option>
--excludefile</option></primary></indexterm>
</term>
<listitem>
<para>This offers the same functionality as the
<option>--exclude</option>
option, except that the excluded targets are provided in a
newline, space, or tab delimited
<replaceable>exclude_file</replaceable> rather than on the
command line.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="man-service-specification">
<title>Service Specification</title>
<indexterm significance="normal"><primary>service specification</primary>
</indexterm>
<para>
No cracking session can be carried out without targeting a certain
service to attack. Service specification is one of the most flexible
subsystems of Ncrack and collaborates with target-specification in a
way that allows different option combinations to be applied. For
Ncrack to start running, you will have to specify at least one target
host and one associated service to attack. Ncrack provides ways to
specify a service by its default port number, by its name (as
extracted from the <filename>ncrack-services</filename> file) or both.
Normally, you need to define both name and port number only in
the special case where you know that a particular service is listening on
a non-default port.
</para>
<para>
Ncrack offers two distinct ways with which services will be applied to
your targets: per-host service specification and global specification.
</para>
<variablelist><title>Per-host service specification</title>
<varlistentry>
<listitem>
<para>
Services specified in this mode are written next to the host and
apply to it only. Keep in mind, however, that target-specification
allows wildcards/netmasks, which essentially means that
applying a per-host service specification format to that particular
target will affect all of the expanded ones as a result.
The general format is:
</para>
<para><option>
<replaceable><optional>service-name</optional></replaceable>://<replaceable>target</replaceable>:<replaceable><optional>port-number</optional></replaceable></option>
</para>
<para>
where <replaceable>target</replaceable> is a hostname
or IP address in any of the formats described in the
target-specification section,
<replaceable><optional>service-name</optional></replaceable> is
one of the common service names as defined in the
<emphasis><filename>ncrack-services</filename></emphasis>
file (e.g. ssh, http) and
<replaceable><optional>port-number</optional></replaceable>
is the TCP port on which the service listens.
Ncrack can determine the default port numbers for each of the
services it supports, as well as being able to deduce the service
name when a default port number has been specified. Specifying both
has meaning only when the user has a priori knowledge of a service
listening on a non-default port number. This can easily be
determined by using version detection like the one offered by Nmap's
<option>-sV</option> option.
</para>
<example id="man-rep-exscan"><title>Per-host service specification
example</title>
<screen>
$ ncrack scanme.nmap.org:22 ftp://10.0.0.10 ssh://192.168.1.*:5910
</screen>
</example>
<para>
The above command will try to crack hosts: scanme.nmap.org on the SSH
service (default port 22), 10.0.0.10 on the FTP service (default port
21) and 192.168.1.0 - 192.168.1.255 (the whole class C subnet) on the SSH
service on the non-default port 5910, which has been explicitly
specified. In the last case, Ncrack wouldn't be able to determine
that the subnet hosts are to be scanned against the SSH
service on that particular port without the user explicitly asking
for it, because there isn't any mapping of port-number 5910 to
service SSH.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Global service specification</title>
<varlistentry>
<listitem>
<para>
Services specified in this mode are applied to
<emphasis>all</emphasis> hosts that haven't been associated with
the per-host service specification format. This is done using
the <option>-p</option> option. While this facility may be similar
to that of Nmap's, you should try not to confuse it, since the
functionality is of a slightly different nature. Services can be
specified using comma separated directives of the general format:
</para>
<para><option>
-p <replaceable><optional>service1</optional></replaceable>:<replaceable><optional>port-number1</optional></replaceable>,<replaceable><optional>service2</optional></replaceable>:<replaceable><optional>port-number2</optional></replaceable>,...
</option>
</para>
<para>
As usual, you need not specify both service name and port number
since Ncrack knows the mappings of default-services to default-port
numbers. Be careful though not to include any space between each
service-name and/or port number, because Ncrack will think that
the argument after the space is a host as per the rule
"everything that isn't an option is a target specification".
</para>
<example id="man-rep-exscan-1"><title>Global service specification
example</title>
<screen>
$ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet
</screen>
</example>
<para>
The above command will try to crack all of the specified hosts,
scanme.nmap.org, 10.0.0.120, 10.0.0.121, 10.0.0.122 and the class C
subnet 192.168.2.0/24, against the following services: SSH service
(mapped from default port 22), FTP service on non-default port 3210, and
TELNET service on default port 23.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
Of course, Ncrack allows you to combine both modes of service
specification if you deem that necessary. Normally, you will only
need to specify a couple of services, but cracking a lot of hosts
against many different services might be a long-term project for
large networks that need to be consistently audited for weak
passwords. If you are in doubt about which hosts and services are
going to be cracked with the current command, you can use the
<option>-sL</option> option (see below for explanation).
</para>
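The target grammar from the Target Specification section (CIDR and octet ranges) and the per-host and global service grammar from this section, as an added example that is not Ncrack's own code: a Python expander that resolves <literal>[service://]target[:port]</literal> tokens and a <option>-p</option> list into the set of (host, service, port) jobs a command line would cover, the kind of preview <option>-sL</option> is meant for. It assumes a four-entry subset of the ncrack-services table, treats hostnames as opaque (no DNS), and classifies chunks containing '=' (or the bare ssl keyword) as options.

```python
import ipaddress

# Constructed subset of the ncrack-services name/port table (assumption: the
# file shipped with Ncrack is larger; these mappings match the text above).
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80}
DEFAULT_NAMES = {port: name for name, port in DEFAULT_PORTS.items()}


def expand_octets(spec):
    """Expand octet-range notation such as 192.168.3-5,7.1 or 10.0.0,1,3-7.-."""
    per_octet = []
    for octet in spec.split("."):
        values = set()
        for part in octet.split(","):        # comma-separated numbers or ranges
            part = "-" if part == "*" else part          # '*' is Nmap's spelling of '-'
            if "-" in part:
                lo, _, hi = part.partition("-")
                lo, hi = int(lo or 0), int(hi or 255)    # omitted sides default to 0 / 255
            else:
                lo = hi = int(part)
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range {part!r} in {spec!r}")
            values.update(range(lo, hi + 1))
        per_octet.append(sorted(values))
    if len(per_octet) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    return [f"{w}.{x}.{y}.{z}" for w in per_octet[0] for x in per_octet[1]
            for y in per_octet[2] for z in per_octet[3]]


def expand_target(target):
    """Return the host strings one target token denotes (CIDR, octet ranges or a name)."""
    if "/" in target:                          # CIDR; literal IPv4 only, since
        net = ipaddress.ip_network(target, strict=False)   # name/16 would need DNS
        return [str(ip) for ip in net]         # .0 and .255 included, as in Ncrack
    if all(ch in "0123456789.,-*" for ch in target):
        return expand_octets(target)
    return [target]                            # hostname, left unresolved (offline)


def resolve_service(name, port):
    """Fill in the missing half of a name/port pair from the default table."""
    if name and port is None:
        if name not in DEFAULT_PORTS:
            raise ValueError(f"unknown service {name!r}")
        return name, DEFAULT_PORTS[name]
    if port is not None and not name:
        if port not in DEFAULT_NAMES:          # e.g. 5910: the name must be given
            raise ValueError(f"port {port} has no default service; name it")
        return DEFAULT_NAMES[port], port
    if name and port is not None:
        return name, port                      # explicit pair, e.g. ssh on 5910
    raise ValueError("a service name or a port is required")


def parse_host_spec(token):
    """Parse [service://]target[:port][,opt=val,...] into (hosts, name, port, opts)."""
    name = None
    if "://" in token:
        name, _, token = token.partition("://")
    opts, target_chunks = {}, []
    for chunk in token.split(","):
        # Assumption: chunks with '=' (or bare 'ssl') are options; octet ranges have commas too
        if "=" in chunk or chunk == "ssl":
            key, _, val = chunk.partition("=")
            opts[key] = val or "yes"           # bare 'ssl' is the same as ssl=yes
        else:
            target_chunks.append(chunk)
    target, port = ",".join(target_chunks), None
    if ":" in target:
        target, _, port_text = target.rpartition(":")
        port = int(port_text)
    if name is None and port is None:
        return expand_target(target), None, None, opts   # needs a -p service
    name, port = resolve_service(name, port)
    return expand_target(target), name, port, opts


def parse_global_services(arg):
    """Parse a -p argument such as 22,ftp:3210,telnet into (name, port) pairs."""
    pairs = []
    for item in arg.split(","):
        name, _, port_text = item.partition(":")
        if name.isdigit():                     # a bare port number
            name, port_text = "", name
        pairs.append(resolve_service(name or None, int(port_text) if port_text else None))
    return pairs


def plan(argv):
    """Return the sorted set of (host, service, port) an ncrack command line covers."""
    global_services, jobs, pending = [], [], []
    for i, arg in enumerate(argv):
        if arg == "-p":
            global_services.extend(parse_global_services(argv[i + 1]))
        elif i and argv[i - 1] == "-p":
            continue                           # the argument consumed by -p
        else:
            hosts, name, port, _opts = parse_host_spec(arg)
            if name is None:
                pending.extend(hosts)          # gets the -p services, if any
            else:
                jobs.extend((h, name, port) for h in hosts)
    if pending and not global_services:
        raise ValueError("hosts given without a service and no -p supplied")
    jobs.extend((h, n, p) for h in pending for n, p in global_services)
    return sorted(set(jobs))
```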
</refsect1>
<refsect1 id="man-service-options">
<title>Service Options</title>
<indexterm significance="normal"><primary>service options</primary>
</indexterm>
<para>
Apart from general service specification, Ncrack allows you to provide
a multitude of options that apply to each or a subset of your targets.
Options include timing and performance optimizations
(which are thoroughly analyzed in a separate section), SSL
enabling/disabling and other module-specific parameters like the
relative URL path for the HTTP module. Options can be defined in a
variety of ways which include: per-host options, per-module options
and global options. Since a combination of these options may be used,
there is a strict hierarchy of precedence which will be discussed
later.
</para>
<variablelist><title>Per-host Options</title>
<varlistentry>
<listitem>
<para>
Options in this mode apply only to the host(s) they are referring
to and are written next to it according to the following format:
</para>
<para><option>
<replaceable><optional>service-name</optional></replaceable>://<replaceable>target</replaceable>:<replaceable><optional>port-number</optional></replaceable>,<replaceable>opt1</replaceable>=<replaceable>optval1</replaceable>,<replaceable>opt2</replaceable>=<replaceable>optval</replaceable>,...
</option>
</para>
<para>
The format concerning the service specification which comes before
the options, has been explained in the previous section.
<option><replaceable>optN</replaceable></option> refers to any of the option names
that are available (a list will follow below), while
<option><replaceable>optvalN</replaceable></option> is the value of that option and
depends on its nature. For example, most timing-related
options expect to receive numbers as values, while the
<option>path</option> option obviously needs a string argument.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Per-module Options</title>
<varlistentry>
<listitem>
<para>
Options in this mode apply to all hosts that are associated with
the particular service/module. This is accomplished using the
<option>-m</option> which is defined with the format:
</para>
<para><option>
-m <replaceable>service-name</replaceable>:<replaceable>opt1</replaceable>=<replaceable>optval1</replaceable>,<replaceable>opt2</replaceable>=<replaceable>optval2</replaceable>,...
</option>
</para>
<para>
This option can be invoked multiple times, for as many
different services as you need to define service-wide
options for. Each invocation must refer to only one service.
Invoking it more than once for the same service is allowed, and
the last invocation takes precedence over the previous ones for
all redefined option values, but to avoid confusion it is better
not to do so.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Global Options</title>
<varlistentry>
<listitem>
<para>
Options in this mode apply to all hosts regardless of which service
they are associated with. This is accomplished using the
<option>-g</option> as follows:
</para>
<para><option>
-g <replaceable>opt1</replaceable>=<replaceable>optval1</replaceable>,<replaceable>opt2</replaceable>=<replaceable>optval2</replaceable>,...
</option>
</para>
<para>
This acts as a convenience option, where you can apply options
to all services globally. Everything else regarding the available
options and option values is the same as the previous modes.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>List of available Service Options</title>
<para>
Below follows a list of all the currently available service options.
You can apply them with any of the three modes described above. The
last six of the options are timing related and will be analyzed in
Section "Timing and Performance" of this manual.
</para>
<varlistentry>
<listitem>
<para>
<screen>
ssl: enable SSL over this service
path: path-name used in modules like HTTP ('=' needs escaping if used)
db: used in modules like MongoDB to specify the database
domain: used in modules like WinRM to specify the domain
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay time between each connection initiation
cr (connection retries): caps number of service connection attempts
to (time-out): maximum cracking time for service, regardless of success so far
</screen>
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>ssl</option> (Enable/Disable SSL over service)
</term>
<listitem>
<para>
When SSL is enabled, Ncrack opens a TCP connection and then negotiates
an SSL session with the target. Everything is then transparently
encrypted and decrypted. However, since Ncrack's job is to provide
speed rather than strong crypto, the SSL algorithms and ciphers are
chosen on an efficiency basis. The only accepted value for this option
is '<option>yes</option>', so just specifying <option>ssl</option> is
enough. Thus, this is the only option that doesn't need to be written
in the <replaceable>opt</replaceable>=<replaceable>optval</replaceable>
format. By default, SSL is disabled for all services except those that
strictly depend on it, like HTTPS.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>path <replaceable>name</replaceable></option> (Path name for relative URLs)
</term>
<listitem>
<para>
Some services, like HTTP or SVN, usually require a specific path
in the URL. This option takes that pathname string as its value.
The path is always relative to the hostname or IP address, so to
target something like http://foobar.com/login.php
the path must take the value <option>path=login.php</option> .
The initial '/' is added if you omit it. However, it is usually
better to explicitly specify a trailing '/' on pathnames
that are directories.
For example, to crack the directory
http://foobar.com/protected-dir/ , it is better to
write it as <option>path=protected-dir/</option> .
This avoids the (very) slight probability of a false positive,
because there are cases where web servers reply with a
"301 Moved Permanently" to a non-successful attempt.
They normally send that reply when a successful attempt
is made for a password-protected path that omitted
the trailing '/' but is actually a directory. Consequently,
Ncrack regards that reply as a successful
authentication attempt.
</para>
<para>
Also be careful with the '=' symbol: Ncrack uses it for argument
parsing, so you will have to escape it if it appears in the URL.
</para>
<para>
By default, the
path-name is initialized to '/', but will be ignored by
services that do not require it.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>db <replaceable>name</replaceable></option> (Database name)
</term>
<listitem>
<para>
Some services like MongoDB require a specific database name
to crack. This option allows you to specify the database.
</para>
<para>
By default, the db name for MongoDB is initialized to 'admin'
but will be ignored by services that do not require it.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>domain <replaceable>name</replaceable></option> (Domain name)
</term>
<listitem>
<para>
Some services like WinRM require a specific domain to crack.
This option allows you to specify the domain.
</para>
<para>
By default, the domain name for WinRM is initialized to 'Workstation'
but will be ignored by services that do not require it.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Service Option Hierarchy</title>
<para>
As already noted, Ncrack allows a combination of the three different
modes of service option specification. In that case, there is a
strict hierarchy that resolves the order in which conflicting values
for these options take precedence over each other. The order is as
follows, leftmost being the highest priority and rightmost the lowest
one:
</para>
<para>
Per-host options > Per-module options > Global options >
Timing-Template (for timing options only)
</para>
<para>
The concept of the "Timing-Template" will be explained in the Section
"Timing and Performance"; for now, just keep in mind that its values
have the lowest precedence of all and essentially act as defaults for
everything timing-related. Global options specified with
<option>-g</option> have the next higher precedence, and
<option>-m</option> per-module options the next higher still. At the
top of the hierarchy reside the per-host options, which are the most
specific ones. The pattern, then, is: the more specific, the higher the
precedence.
</para>
<example id="man-rep-exscan-2"><title>Service Option Hierarchy
example</title>
<screen>
$ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3
</screen>
</example>
<para>
The example demonstrates the hierarchy precedence. The services that
are going to be cracked are SSH for scanme.nmap.org and
FTP for hosts 10.0.0.120 and 10.0.0.20. No particular timing template has
been specified, so the default (Normal, 3) will be used. The
per-host options for scanme.nmap.org define that the minimum
connection limit (cl) is 10 and that Ncrack should attempt only 1
authentication try (at) per connection. These values would override
any other for service SSH of host scanme.nmap.org if there were
conflicts with other modes. Since a global option of
<option>-g CL=3</option> was defined and there is no
higher-precedence value for service SSH on scanme.nmap.org in particular,
this value will also be applied. As for the FTP targets, the
per-module <option>-m ftp:CL=1</option> defined for all FTP services
will override the equivalent global one. All this can get
quite complex if overused, but these options are not expected to be
leveraged by the average Ncrack user anyway. Complicated network scanning
scenarios might require them, though. To make certain the results
are the ones you expect, don't forget to use the
<option>-sL</option> option, which prints out details about what Ncrack
would crack if invoked normally. You can add the debugging
<option>-d</option> option if you want even more verbose output.
For the above example, Ncrack would print the following:
</para>
<example id="man-rep-exscan-3"><title>Service Option Hierarchy Output
example</title>
<screen>
$ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d
Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT
----- [ Timing Template ] -----
cl=7, CL=80, at=0, cd=0, cr=30, to=0
----- [ ServicesTable ] -----
SERVICE cl CL at cd cr to ssl path db domain
ftp:21 N/A 1 N/A N/A N/A N/A no null null null
ssh:22 N/A N/A N/A N/A N/A N/A no null null null
telnet:23 N/A N/A N/A N/A N/A N/A no null null null
http:80 N/A N/A N/A N/A N/A N/A no null null null
pop3:110 N/A N/A N/A N/A N/A N/A no null null null
imap:143 N/A N/A N/A N/A N/A N/A no null null null
netbios-ssn:445 N/A N/A N/A N/A N/A N/A no null null null
smb:445 N/A N/A N/A N/A N/A N/A no null null null
smb:139 N/A N/A N/A N/A N/A N/A no null null null
https:443 N/A N/A N/A N/A N/A N/A yes null null null
owa:443 N/A N/A N/A N/A N/A N/A yes null null null
sip:5060 N/A N/A N/A N/A N/A N/A no null null null
pop3s:995 N/A N/A N/A N/A N/A N/A yes null null null
mssql:1443 N/A N/A N/A N/A N/A N/A no null null null
mysql:3306 N/A N/A N/A N/A N/A N/A no null null null
ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no null null null
rdp:3389 N/A N/A N/A N/A N/A N/A no null null null
psql:5432 N/A N/A N/A N/A N/A N/A no null null null
vnc:5801 N/A N/A N/A N/A N/A N/A no null null null
vnc:5900 N/A N/A N/A N/A N/A N/A no null null null
vnc:5901 N/A N/A N/A N/A N/A N/A no null null null
vnc:6001 N/A N/A N/A N/A N/A N/A no null null null
redis:6379 N/A N/A N/A N/A N/A N/A no null null null
winrm:5985 N/A N/A N/A N/A N/A N/A no null null Workstation
winrm:5986 N/A N/A N/A N/A N/A N/A no null null Workstation
cassandra:9160 N/A N/A N/A N/A N/A N/A no null null null
cassandra:9042 N/A N/A N/A N/A N/A N/A no null null null
mongodb:27017 N/A N/A N/A N/A N/A N/A no null admin null
----- [ Targets ] -----
Host: 45.33.32.156 ( scanme.nmap.org )
ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
Host: 10.0.0.120
ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
Host: 10.0.0.20
ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
Ncrack done: 3 services would be scanned.
Probes sent: 0 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.
</screen>
</example>
<para>
The <emphasis>ServicesTable</emphasis> just lists the per-module options
for all available services. As you can see, the only defined option is
<option>CL</option> for the FTP service. The
<emphasis>Targets</emphasis> table is the most important part of
this output and lists all targets and their associated options according
to the command-line invocation. No network operation takes place in
this mode, apart from forward DNS resolution for hostnames (like
scanme.nmap.org in this example).
</para>
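<para>
A small Python model of the precedence described above, added here as an
illustration and not part of Ncrack's own code. It resolves the six timing
options plus ssl, path, db and domain for target specs in the plain
host:port,opt=val form (no service-name prefix), using the Normal template
values from the -sL output above; the port-to-service map and the plan()
entry point are assumptions of the example. It does not reproduce the cl/CL
reconciliation that the real output also shows.
</para>

```python
"""Model of Ncrack's service-option precedence (added example, not Ncrack code).

Resolves per-host > per-module > global > timing template for the six
timing options (cl, CL, at, cd, cr, to) and applies the documented
defaults for ssl, path, db and domain. Template values are the Normal
(-T3) ones printed in the manual's -sL output; the port-to-service map
and the plan() entry point are assumptions of this example. It does not
reproduce Ncrack's later reconciliation of cl against CL.
"""
import re

NORMAL_TEMPLATE = {"cl": 7, "CL": 80, "at": 0, "cd": 0, "cr": 30, "to": 0}
SERVICE_DEFAULTS = {"ssl": "no", "path": "/", "db": "admin", "domain": "Workstation"}
PORT_TO_SERVICE = {21: "ftp", 22: "ssh"}  # assumed subset of the services table
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}


def parse_time_ms(value):
    """Time values default to seconds; ms, s, m and h suffixes are accepted,
    so '900000ms', '900s' and '15m' all resolve to 900000 milliseconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h)?", value.strip())
    if m is None:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNIT_MS[m.group(2) or "s"]


def _coerce(key, val):
    """cd and to are times (kept in ms); cl, CL, at and cr are plain counts."""
    if key in ("cd", "to"):
        return parse_time_ms(val)
    if key in ("cl", "CL", "at", "cr"):
        return int(val)
    return val


def parse_opts(text):
    """Parse 'opt1=val1,opt2=val2' into a dict.
    A bare 'ssl' is the one option allowed without an '=value' part."""
    opts = {}
    for item in text.split(","):
        if not item:
            continue
        key, _, val = item.partition("=")
        if key == "ssl" and val == "":
            val = "yes"
        if key not in NORMAL_TEMPLATE and key not in SERVICE_DEFAULTS:
            raise ValueError(f"unknown service option: {key!r}")
        opts[key] = _coerce(key, val)
    return opts


def parse_target(spec):
    """'scanme.nmap.org:22,cl=10,at=1' -> ('scanme.nmap.org', 22, {'cl': 10, 'at': 1})."""
    head, _, rest = spec.partition(",")
    host, _, port = head.partition(":")
    return host, (int(port) if port else None), parse_opts(rest)


def resolve(host_opts, module_opts, global_opts, template=NORMAL_TEMPLATE):
    """Layers are applied least-specific first, so the most specific wins."""
    effective = {**template, **SERVICE_DEFAULTS}
    for layer in (global_opts, module_opts, host_opts):
        effective.update(layer)
    return effective


def plan(targets, default_port, module_specs=(), global_spec=""):
    """Return {'host/service:port': effective options} for a command line such as
    ncrack HOST:22,cl=10,at=1 H2 H3 -p 21 -m ftp:CL=1 -g CL=3 (targets, -p, -m..., -g)."""
    per_module = {}
    for spec in module_specs:
        # Repeated -m for one service: the last occurrence wins per option.
        service, _, rest = spec.partition(":")
        per_module.setdefault(service, {}).update(parse_opts(rest))
    global_opts = parse_opts(global_spec)
    result = {}
    for spec in targets:
        host, port, host_opts = parse_target(spec)
        port = port or default_port
        service = PORT_TO_SERVICE[port]
        result[f"{host}/{service}:{port}"] = resolve(
            host_opts, per_module.get(service, {}), global_opts)
    return result


if __name__ == "__main__":
    args = (["scanme.nmap.org:22,cl=10,at=1", "10.0.0.120", "10.0.0.20"],
            21, ["ftp:CL=1"], "CL=3")
    for key, opts in plan(*args).items():
        print(key, ", ".join(f"{k}={v}" for k, v in opts.items()))
```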
</variablelist>
</refsect1>
<refsect1 id="man-specification">
<title>Timing and Performance</title>
<indexterm class="startofrange" id="man-performance-timing-indexterm">
<primary>timing</primary></indexterm>
<indexterm class="startofrange" id="man-performance-indexterm">
<primary>performance</primary></indexterm>
<para>
The timing engine is perhaps the most important part of any serious
network authentication cracking tool. Ncrack's timing engine offers
a great many options for optimization and can be bent to serve
virtually any user need. As Ncrack progresses, this subsystem
is going to evolve into a dynamic, autonomous engine
that automatically adjusts its behaviour
according to the network feedback it gets, in order to achieve
maximum performance and precision without any user intervention.
</para>
<para>
Some options accept a <literal>time</literal> parameter. This
is specified in seconds by default, though you can append
‘ms’, ‘m’, or ‘h’ to the value to
specify milliseconds, minutes, or hours (‘s’ for seconds
is redundant). So the <option>cd</option> (connection delay) arguments
<literal>900000ms</literal>, <literal>900s</literal>, and
<literal>15m</literal> all do the same thing.
</para>
<variablelist>
<varlistentry>
<term>
<option>cl <replaceable>num-minconnections</replaceable></option>;
<option>CL <replaceable>num-maxconnections</replaceable></option>
(Adjust number of concurrent parallel connections)
</term>
<listitem>
<para>
<option>Connection Limit</option>
</para>
<para>
These options control the total number of connections that may be
outstanding for any service at the same time. Normally, Ncrack
tries to dynamically adjust the number of connections for each
individual target by counting how many drops or connection failures
happen. If a strange network condition occurs that signifies
something may be going wrong, like the host dropping any new
connection attempts, Ncrack will immediately lower the total
number of connections hitting the service. However, the caps on the
minimum and maximum number of connections that will take place can be
overridden using these two options. By adjusting them properly,
you can essentially optimize performance, if you can handle
the tricky part of knowing or discovering your target's own limits.
The convention here is that lowercase <option>cl</option>
refers to the minimum connection limit, while
uppercase <option>CL</option> refers to the
maximum number of connections.
</para>
<para>
The most common usage is to set
<option>cl (minimum connection limit)</option> for targets
that you are almost certain will withstand this many
connections at any given time. This is a risky option to play
with, as setting it too high might actually do more harm than good
by effectively DoS-attacking the target and triggering firewall
rules that will ban your IP address.
</para>
<para>
On the other hand, for more stealthy missions, setting the
<option>CL (maximum connection limit)</option> to a low value
might be what you want.
However, setting it too low will surely have a great impact on
overall cracking speed. For maximum stealth, this can be
combined with the <option>cd (connection delay)</option> described
below.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>at <replaceable>num-attempts</replaceable></option>
(Adjust authentication attempts per connection)
</term>
<listitem>
<para>
<option>Authentication Tries</option>
</para>
<para>
Using this option, you can order Ncrack to limit the
authentication attempts it carries out per connection.
Ncrack initially sends a reconnaissance probe that lets it
calculate the maximum number of such authentication tries, and
from then on it always tries to use that number. Most services
impose an upper limit on the number of authentication attempts per
connection, and in most cases finding that maximum leads to better
performance.
</para>
<para>
Setting this option to lower values can give you some stealth
bonus, since services such as SSH tend to log failed attempts
after more than a certain number of authentication tries per
connection. They use that as a metric rather than counting the
total number of authentication attempts or connections per
IP address (which is usually done by a firewall). Consequently, a
number of 1 or 2 authentication tries might circumvent logging in
some cases.
</para>
<para>
Note that setting that option to a high value will not have any
effect if Ncrack realizes that the server doesn't allow that many
attempts per connection. In this case, it will just use that
maximum number and ignore your setting.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>cd <replaceable>time</replaceable></option>
(Adjust delay time between each new connection)
</term>
<listitem>
<para>
<option>Connection Delay</option>
</para>
<para>
This option essentially defines the imposed time delay between each
new connection. Ncrack will wait the amount of time you specify in
this option value, before starting a new connection against the
given service. The higher you set it, the slower Ncrack will perform,
but the stealthier your attack will become.
</para>
<para>
Ncrack by default tries to initiate new connections as fast as
possible, provided that new probes are actually allowed to be sent
and are not restricted by parameters such as the
<option>Connection Limit</option>, which can dynamically increase
or decrease. Although this approach achieves blazing speed as long
as the host remains responsive, it can lead to a number of
disasters such as a firewall being triggered, the target's or your
own bandwidth being exhausted, and even the tested service suffering
a denial of service. By carefully adjusting this option,
you can potentially avoid these annoying situations.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>cr <replaceable>max-conattempts</replaceable></option>
(Adjust the max number of connection retries)
</term>
<listitem>
<para>
<option>Connection Retries</option>
</para>
<para>
This option allows the user to specify the maximum number of consecutive failed
connection attempts against a particular service. If, at any point during the
cracking session, Ncrack reaches that many consecutive failures connecting to the
service, it stops cracking that service entirely.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>to <replaceable>time</replaceable></option>
(Adjust the maximum overall cracking time)
</term>
<listitem>
<para>
<option>Timeout</option>
</para>
<para>
Defines how much time Ncrack is going to spend cracking the
service before giving up, regardless of whether it has found any
credentials so far.
Any credentials discovered before that time
are stored and printed normally.
Ncrack marks a service as finished when the iteration over the
username/password lists ends or when it can no
longer crack it for some serious reason. If Ncrack finishes
cracking a service before the time specified in this option, the
timeout has no effect at all.
</para>
<para>
Sometimes you have a limited time window to scan/crack your hosts.
This might occur for various reasons. A common one is that
normal user activity mustn't be interrupted, and since Ncrack can
become very aggressive, it might be allowed to scan the hosts only
during certain time periods, like the night hours. Scanning
during such hours is also likely to make an attack less
detectable.
</para>
<para>
Don't forget that Ncrack allows you to specify the time unit
of measure by appending
‘ms’, ‘m’, or ‘h’
for milliseconds, minutes or hours (seconds is the default time unit).
Using them in this particular
option, is really convenient as you can specify something like
<option>to=8h</option> to give Ncrack a total of 8 hours to crack
that service. Setting up cronjobs for scheduled scans
in combination with this option, might also be a good idea.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>-T
paranoid|sneaky|polite|normal|aggressive|insane</option>
(Set a timing template)
<indexterm><primary><option>-T</option></primary></indexterm>
<indexterm><primary>timing templates</primary><seealso>
<literal>paranoid</literal>, <literal>sneaky</literal>,
<literal>polite</literal>, <literal>normal</literal>,
<literal>aggressive</literal>, and
<literal>insane</literal></seealso></indexterm>
</term>
<listitem>
<indexterm><primary><option>-T0</option></primary>
<see><literal>paranoid</literal> timing template</see></indexterm>
<indexterm><primary><option>-T1</option></primary>
<see><literal>sneaky</literal> timing template</see></indexterm>
<indexterm><primary><option>-T2</option></primary>
<see><literal>polite</literal> timing template</see></indexterm>
<indexterm><primary><option>-T3</option></primary>
<see><literal>normal</literal> timing template</see></indexterm>
<indexterm><primary><option>-T4</option></primary>
<see><literal>aggressive</literal> timing template</see></indexterm>
<indexterm><primary><option>-T5</option></primary>
<see><literal>insane</literal> timing template</see></indexterm>
<para>While the fine-grained timing controls discussed in the previous
section are powerful and effective, some people find them confusing.
Moreover, choosing the appropriate values can sometimes take more time
than the scan you are trying to optimize. So Ncrack offers a simpler
approach, with six timing templates. You can specify them with the
<option>-T</option> option and their number (0–5) or their name.
The template names are
<option>paranoid</option> (<option>0</option>),
<option>sneaky</option> (<option>1</option>),
<option>polite</option> (<option>2</option>),
<option>normal</option> (<option>3</option>),
<option>aggressive</option> (<option>4</option>),
and <option>insane</option> (<option>5</option>).
The first two are for IDS evasion.
Polite mode slows down the scan to use less bandwidth
and target machine resources. Normal mode is the default and so
<option>-T3</option> does nothing. Aggressive mode speeds scans up by
making the assumption that you are on a reasonably fast and reliable
network. Finally
insane mode assumes that you are on an
extraordinarily fast network or are willing to sacrifice some accuracy
for speed.
</para>
<para>These templates allow the user to specify how aggressive they
wish to be, while leaving Ncrack to pick the exact timing values. If
you know that the network service is going to withstand a huge number
of connections you might try using the aggressive template of
<option>-T4</option> . Even then, this is mostly advised for services
residing in the local network. Going over to insane mode
<option>-T5</option> is not recommended, unless you absolutely know what
you are doing.
</para>
<para>
While
<option>-T0</option><indexterm><primary><literal>paranoid</literal>
(<option>-T0</option>) timing template</primary></indexterm>
and <option>-T1</option><indexterm><primary><literal>sneaky</literal>
(<option>-T1</option>) timing template</primary></indexterm>
may be useful for avoiding IDS alerts, they will take an extraordinarily long
time to crack even a few services. For such a long scan,
you may prefer to set the exact timing values you need rather than
rely on the canned <option>-T0</option> and <option>-T1</option>
values.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>--connection-limit <replaceable>numprobes</replaceable></option>
(Adjust the threshold of total concurrent connections)
</term>
<listitem>
<para>
NOT IMPLEMENTED YET.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='man-authentication'>
<title>Authentication</title>
<indexterm class="startofrange" id="man-authentication-indexterm">
<primary>authentication</primary></indexterm>
<para>
This section describes ways of specifying your own username and
password lists as well as the available modes of iterating over them.
Ncrack ships with a variety of username and password lists, which
reside under the directory '<emphasis>lists</emphasis>' of the source
tarball and are later installed under Ncrack's data directory, which
is usually /usr/local/share/ncrack or /usr/share/ncrack . You can
omit specifying any lists, and Ncrack will use the default
ones, which contain some of the most common usernames and passwords.
The password list is frequency-sorted, with the most common
passwords at the beginning of the list so they are tried first.
The lists have been derived from a combination of sorting publicly leaked
password files and other techniques.
</para>
<variablelist>
<varlistentry>
<term>
<option>-U <replaceable>filename</replaceable></option>
(Specify username list)
</term>
<listitem>
<para>
Specify your own username list by giving the path to the
filename as argument to this option.
</para>
<para>
Usernames for specific environments can be gathered in numerous
ways including harvesting for email-addresses in the company's
website, looking up information in whois databases, using the SMTP
VRFY technique at vulnerable mail servers or through social
engineering.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>-P <replaceable>filename</replaceable></option>
(Specify password list)
</term>
<listitem>
<para>
Specify your own password list by giving the path to the
filename as argument to this option.
</para>
<para>
Common passwords are usually derived from leaked lists as a
result of successful intrusions in public sites such as forums or
other social networking places. A great deal of them have already
been publicly disclosed and some of these have been used to
assemble Ncrack's own lists.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>--user <replaceable>username_list</replaceable></option>
(Specify command-line comma-separated username list)
</term>
<listitem>
<para>
Specify your own usernames directly in the command-line as a
comma-separated list.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>--pass <replaceable>password_list</replaceable></option>
(Specify command-line comma-separated password list)
</term>
<listitem>
<para>
Specify your own passwords directly in the command-line as a
comma-separated list.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>--passwords-first</option>
(Reverse the way passwords are iterated)
</term>
<listitem>
<para>
Ncrack by default iterates the username list for each password.
With this option, you can reverse that. For example, given the
username list "root, guest, admin" and the password list
"test, 12345, q1w2e3r4", Ncrack will normally go over them like
this: root:test, guest:test, admin:test, root:12345, etc. With
this option enabled it will go over them like this: root:test,
root:12345, root:q1w2e3r4, guest:test, etc.
</para>
<para>
Most network authentication cracking tools iterate the password
list for each username by default. In most cases, however, this is
less effective than the opposite iteration.
This holds true for the simple reason that password lists are
usually sorted by frequency, meaning that the more common
a password is, the closer to the beginning of the password list
it is. Thus, iterating over all usernames for the most common
passwords first usually has a better chance of a positive
result. With the <option>--passwords-first</option> iteration,
very common passwords might not even be tried for certain
usernames if the user aborts the session early.
However, this option might prove valuable in cases where the
attacker knows and has already verified that the username list
contains real usernames, instead of blindly brute-forcing through
them.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>
<option>--pairwise</option>
(Choose usernames and passwords in pairs)
</term>
<listitem>
<para>
Enabling this option will make Ncrack iterate the username and password
lists by choosing entries in pairs. For example, given the username list
"root, guest, admin" and the password list "test, 12345, q1w2e3r4", Ncrack
will go over them like this: "root:test", "guest:12345", "admin:q1w2e3r4".
This is particularly useful when inside knowledge of the infrastructure tested
is available and special username and password lists have been made.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='man-output'>
<title>Output</title>
<indexterm class="startofrange" id="man-output-indexterm">
<primary>output formats</primary></indexterm>
<para>
Any security tool is only as useful as the output it
generates. Complex tests and algorithms are of little value if
they aren't presented in an organized and comprehensible fashion.
Of course, no single format can please everyone. So Ncrack offers
several formats, including the interactive mode for humans to read
directly and XML for easy parsing by software.
</para>
<para>
In addition to offering different output formats, Ncrack provides
options for controlling the verbosity of output as well as debugging
messages. Output types may be sent to standard output or to named
files, which Ncrack can append to or clobber.
</para>
<para>
Ncrack makes output available in three different formats.
The default is called <firstterm>interactive output</firstterm>,
and it is sent to standard output (stdout). There is also
<firstterm>normal output</firstterm>, which is similar to interactive
except that it displays less runtime information and warnings since
it is expected to be analyzed after the scan completes rather than
interactively.
</para>
<para><firstterm>XML output</firstterm> is one of the most important
output types, as it can be converted to HTML, easily parsed by
programs such as Ncrack graphical user interfaces, or imported
into databases. Currently, XML output hasn't been implemented.
</para>
<para>
While interactive output is the default and has no associated
command-line options, the other two format options use the same
syntax. They take one argument, which is the filename that results
should be stored in. Multiple formats may be specified, but each
format may only be specified once. For example, you may wish to save
normal output for your own review while saving XML of the same scan
for programmatic analysis. You might do this with the options
<option>-oX myscan.xml -oN myscan.ncrack</option>. While this chapter
uses the simple names like <literal>myscan.xml</literal> for brevity,
more descriptive names are generally recommended. The names chosen
are a matter of personal preference. A scheme could be using long
filenames that incorporate the scan date and a word or two
describing the scan, placed in a directory named after the
company that is being scanned.
</para>
<para>
While these options save results to files, Ncrack still prints
interactive output to stdout as usual. For example, the command
<command>ncrack -oX myscan.xml [target]</command> prints XML to
<filename>myscan.xml</filename> and fills standard output with
the same interactive results it would have printed if
<option>-oX</option> wasn't specified at all. You can change this
by passing a hyphen character as the argument to one of the format
types. This causes Ncrack to deactivate interactive output, and
instead print results in the format you specified to the standard
output stream. So the command <command>ncrack -oX - target</command>
will send only XML output to stdout. Serious errors may still be
printed to the normal error stream, stderr.
</para>
<para>
Unlike some Ncrack arguments, the space between the logfile option
flag (such as <option>-oX</option>) and the filename or hyphen is
mandatory.
</para>
<para>
All of these arguments support
<function>strftime</function>-like conversions in the filename.
<literal>%H</literal>, <literal>%M</literal>, <literal>%S</literal>,
<literal>%m</literal>, <literal>%d</literal>, <literal>%y</literal>,
and <literal>%Y</literal> are all exactly the same as in
<function>strftime</function>. <literal>%T</literal> is the same
as <literal>%H%M%S</literal>, <literal>%R</literal> is the same as
<literal>%H%M</literal>, and <literal>%D</literal> is the same as
<literal>%m%d%y</literal>. A <literal>%</literal> followed by any other
character just yields that character (<literal>%%</literal> gives you a
percent symbol). So <option>-oX 'scan-%T-%D.xml'</option> will use an XML
file in the form of <filename>scan-144840-121307.xml</filename>.
</para>
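<para>
An added Python implementation of the conversion rules just listed (example
code, not Ncrack's own); how a trailing lone '%' is handled is not specified
above and is an assumption made here.
</para>

```python
"""Expand the strftime-like conversions Ncrack accepts in output filenames
(added example, not Ncrack's own code).

Rules as the manual states them: %H %M %S %m %d %y %Y behave as in
strftime; %T is %H%M%S, %R is %H%M and %D is %m%d%y (no separators,
unlike C's strftime); %% yields '%'; any other %c yields c. What a
trailing lone '%' produces is not specified by the manual; keeping it
literally is an assumption made here.
"""
from datetime import datetime

_PASSTHROUGH = set("HMSmdyY")
_COMPOSITE = {"T": "%H%M%S", "R": "%H%M", "D": "%m%d%y"}

# Constructed timestamp that reproduces the manual's scan-144840-121307.xml example.
MANUAL_EXAMPLE_TIME = datetime(2007, 12, 13, 14, 48, 40)


def expand_filename(spec, now=None):
    """Return spec with every %-conversion replaced for the time 'now'."""
    now = now or datetime.now()
    out = []
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 == len(spec):      # trailing lone '%' (assumed behaviour)
            out.append("%")
            break
        conv = spec[i + 1]
        if conv in _PASSTHROUGH:
            out.append(now.strftime("%" + conv))
        elif conv in _COMPOSITE:
            out.append(now.strftime(_COMPOSITE[conv]))
        else:                       # covers '%%' -> '%' and unknown letters
            out.append(conv)
        i += 2
    return "".join(out)


if __name__ == "__main__":
    print(expand_filename("scan-%T-%D.xml", MANUAL_EXAMPLE_TIME))
```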
<para>
Ncrack also offers options to control scan verbosity and to append
to output files rather than clobbering them. All of these options are
described below.
</para>
<variablelist><title>Ncrack Output Formats</title>
<varlistentry>
<term>
<option>-oN <replaceable>filespec</replaceable></option>
(normal output)
<indexterm><primary><option>-oN</option></primary></indexterm>
<indexterm><primary>normal output</primary></indexterm></term>
<listitem>
<para>
Requests that <literal>normal output</literal> be
directed to the given filename. As discussed above, this
differs slightly from <literal>interactive output</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-oX <replaceable>filespec</replaceable></option> (XML output)
<indexterm><primary><option>-oX</option></primary></indexterm>
<indexterm><primary>XML output</primary></indexterm></term>
<listitem>
<para>
Requests that <literal>XML output</literal> be
directed to the given filename. Currently this is not
implemented.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-oA <replaceable>basename</replaceable></option>
(Output to all formats)
<indexterm significance="preferred"><primary><option>-oA
</option></primary></indexterm></term>
<listitem>
<para>
As a convenience, you may specify <option>-oA
<replaceable>basename</replaceable></option> to store scan
results in normal and XML formats at once. They
are stored in
<filename><replaceable>basename</replaceable>.ncrack</filename>, and
<filename><replaceable>basename</replaceable>.xml</filename>
respectively. As with most programs, you can prefix the filenames
with a directory path, such as
<filename>~/ncracklogs/foocorp/</filename> on Unix or
<filename>c:\hacking\sco</filename> on Windows.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Verbosity and debugging options</title>
<varlistentry>
<term>
<option>-v</option> (Increase verbosity level)
<indexterm><primary><option>-v</option></primary></indexterm>
<indexterm><primary>verbosity</primary></indexterm>
</term>
<listitem>
<para>
Increases the verbosity level, causing Ncrack to
print more information about the scan in progress. Credentials
are shown as they are found and more statistical information is
printed in the end. Use it twice or more for even greater
verbosity.
<indexterm><primary><option>-v</option></primary>
<secondary>giving more than once</secondary></indexterm>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-d [level]</option> (Increase or set debugging level)
<indexterm><primary><option>-d</option></primary></indexterm>
<indexterm><primary>debugging</primary></indexterm>
</term>
<listitem>
<para>
When even verbose mode doesn't provide sufficient data for you,
debugging is available to flood you with much more! As with the
verbosity option (<option>-v</option>), debugging is enabled with a
command-line flag (<option>-d</option>) and the debug level can be
increased by specifying it multiple times. Alternatively, you can set
a debug level by giving an argument to <option>-d</option>. For
example, <option>-d10</option> sets level ten. That is the highest
effective level and will produce thousands of lines, unless your
cracking session is going really slowly.
</para>
<para>
Debugging output is useful when a bug is suspected in Ncrack,
or if you are simply confused as to what Ncrack is doing and why.
As this feature is mostly intended for developers, debug lines aren't
always self-explanatory.
If you don't understand a line, your only recourses are to ignore it,
look it up in the source code, or request help from
the development list (<citetitle>nmap-dev</citetitle>). Some lines are
self-explanatory, but the messages become more obscure as the debug
level is increased.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--nsock-trace <replaceable>level</replaceable></option>
(Set nsock trace level)
<indexterm><primary><option>--nsock-trace</option>
</primary></indexterm>
<indexterm><primary>nsock-trace</primary></indexterm>
</term>
<listitem>
<para>
This option is meant mostly for developers, as enabling it activates
the debugging output of the Nsock library, the underlying library
for parallel socket handling. You must specify a level for this
option; the valid range is 0 up to 10. Usually a level of 1 or 2 is
enough to get a good overview of the network operations happening
behind the scenes. Nsock prints that information to stdout by default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--log-errors</option>
(Log errors/warnings to normal mode output file)
<indexterm significance="preferred"><primary><option>--log-errors
</option></primary></indexterm>
</term>
<listitem>
<para>
Warnings and errors printed by Ncrack usually go only to
the screen (interactive output), leaving any normal-format
output files (usually specified with <option>-oN</option>)
uncluttered. When you do want to see those messages in the
normal output file you specified, add this option. It is
useful when you aren't watching the interactive output or
when you want to record errors while debugging a problem.
The error and warning messages will still appear in
interactive mode too. This won't work for most errors
related to bad command-line arguments because Ncrack may not
have initialized its output files yet.
</para>
<para>
An alternative to <option>--log-errors</option> is
redirecting interactive output (including the standard error
stream) to a file. Most Unix shells make this
approach easy, though it can be difficult on Windows.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Miscellaneous output options</title>
<varlistentry>
<term>
<option>--append-output</option> (Append to rather than clobber output files)
<indexterm><primary><option>--append-output</option></primary></indexterm>
</term>
<listitem>
<para>When you specify a filename to an output format flag
such as <option>-oX</option> or <option>-oN</option>, that
file is overwritten by default. If you prefer to keep the
existing content of the file and append the new results,
specify the <option>--append-output</option> option. All
output filenames specified in that Ncrack execution will then
be appended to rather than clobbered. This doesn't work
well for XML (<option>-oX</option>) scan data as the
resultant file generally won't parse properly until you fix
it up by hand.</para>
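<para>
The parse failure mentioned above, shown as an added example (not Ncrack
code): two documents appended to one file leave two root elements, which
<literal>xml.etree</literal> rejects, and the fix-up splits the file on the
XML declaration each run writes and parses the pieces separately. The
element names and contents are constructed for illustration and are not
Ncrack's XML schema.
</para>
<programlisting><![CDATA[
```python
"""Recover per-run records from an XML file that was appended to with
--append-output.

Added example, not Ncrack code.  Appending a second XML document to a
file yields one file with two root elements, which no conforming XML
parser accepts.  The fix-up splits the file back into its individual
documents on the XML declaration line and parses each one.  Element
names below are constructed and are not Ncrack's actual schema.
"""
import re
import xml.etree.ElementTree as ET

# Constructed contents of a file written by two runs with --append-output.
APPENDED_FILE = (
    '<?xml version="1.0"?>\n'
    '<run id="1"><result host="10.0.0.5" service="ssh"/></run>\n'
    '<?xml version="1.0"?>\n'
    '<run id="2"><result host="10.0.0.6" service="ftp"/></run>\n'
)

# Each appended run starts with its own XML declaration at line start.
_DECL = re.compile(r'^\s*<\?xml[^>]*\?>\s*', re.MULTILINE)


def parses_as_single_document(text: str) -> bool:
    """True if `text` is one well-formed XML document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        # e.g. "junk after document element" for an appended file
        return False


def split_appended_documents(text: str) -> list:
    """Split concatenated XML documents into individual document strings.

    The declaration is used as the record separator; empty fragments
    (such as the one before the first declaration) are dropped.
    """
    return [frag.strip() for frag in _DECL.split(text) if frag.strip()]


def load_appended(text: str) -> list:
    """Parse every document in an appended file; returns the root elements."""
    return [ET.fromstring(doc) for doc in split_appended_documents(text)]


if __name__ == "__main__":
    print("whole file parses:", parses_as_single_document(APPENDED_FILE))
    for root in load_appended(APPENDED_FILE):
        print("run", root.get("id"), [r.get("host") for r in root])
```
]]></programlisting>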
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='man-misc-options'>
<title>Miscellaneous Options</title>
<para>This section describes some important (and not-so-important)
options that don't really fit anywhere else.</para>
<variablelist>
<varlistentry>
<term>
<option>--resume <replaceable>file</replaceable></option>
(Continue previously saved session)
<indexterm significance="preferred"><primary><option>--resume
</option></primary></indexterm>
</term>
<listitem>
<para>Whenever the user cancels a running session (usually by
pressing Ctrl+C), Ncrack saves the current state into a file
which it can later use to continue from where it stopped.
This file is saved in the <filename>.ncrack/</filename> subdirectory
of the user's home directory with a filename of the form
"<filename>restore.YY-MM-DD_hh-mm</filename>". An example would be
"<filename>/home/ithilgore/.ncrack/restore.2010-05-18_04-42</filename>".
You can then continue your session by specifying
this file as the argument to the <option>--resume</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-f </option>
(Quit cracking service after one found credential)
<indexterm significance="preferred"><primary><option>-f
</option></primary></indexterm>
</term>
<listitem>
<para>This option forces Ncrack to quit cracking a service as
soon as it finds a valid username/password combination for it.
When many services are being cracked in parallel, the option
is applied to each of them separately: Ncrack stops cracking each
individual service after finding a pair of credentials for it,
but does not quit entirely. Supplying the option twice, as in
<option>-f -f</option>, will, however, make Ncrack exit immediately
as soon as it finds a valid credential for <emphasis>any</emphasis>
service.
</para>
<para>
Frequently, attackers will try cracking several
services in parallel to maximize the chances of finding a pair
of valid credentials. Given that a network is no stronger than
its weakest link, this option and especially the <option>-f -f
</option> counterpart will often be used to lessen chances of
detection and prevent network resources from being wasted aimlessly.
</para>
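<para>
From the target's side, as an added example that is not part of the
manual, the behaviour described above shows up as authentication failures
spread across several services from one source, and as a successful login
that follows a short burst of failures on the same service. The log
format below is constructed and already normalised; real sshd, FTP or RDP
logs would need their own parsers first, and the thresholds are
assumptions to tune per environment.
</para>
<programlisting><![CDATA[
```python
"""Flag sources that hammer several services in parallel, and successes
that follow a burst of failures.

Added example from the defender's side, not Ncrack code.  Input is a
constructed, already-normalised authentication log (one event per line
as key=value pairs, in chronological order).  Two signals are raised
per source address:
  * failures spread across two or more services inside the window, and
  * a success on a service right after a burst of failures on it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source spraying SSH and FTP, one normal user.
SAMPLE_LOG = """\
2024-05-18T04:42:01Z service=ssh src=10.0.0.9 user=admin result=fail
2024-05-18T04:42:01Z service=ftp src=10.0.0.9 user=admin result=fail
2024-05-18T04:42:02Z service=ssh src=10.0.0.9 user=root result=fail
2024-05-18T04:42:02Z service=ftp src=10.0.0.9 user=ftp result=fail
2024-05-18T04:42:03Z service=ssh src=10.0.0.9 user=backup result=fail
2024-05-18T04:42:03Z service=ftp src=10.0.0.9 user=anonymous result=success
2024-05-18T04:42:10Z service=ssh src=10.0.0.20 user=alice result=fail
2024-05-18T04:42:15Z service=ssh src=10.0.0.20 user=alice result=success
"""

# Thresholds are assumptions for this example; tune them per environment.
WINDOW = timedelta(seconds=60)
MIN_FAILURES = 4          # total failures per source inside the window
MIN_SERVICES = 2          # distinct services hit inside the window
BURST_BEFORE_SUCCESS = 2  # failures on one service right before a success


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text):
    """Return sorted (src, reason) alerts found in the log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = set()
    for src, evs in by_src.items():
        # Sliding window over this source's failures, oldest first.
        fails = [e for e in evs if e["result"] == "fail"]
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if e["ts"] - first["ts"] <= WINDOW]
            services = {e["service"] for e in window}
            if len(window) >= MIN_FAILURES and len(services) >= MIN_SERVICES:
                alerts.add((src, "parallel-service-bruteforce"))
                break
        # A success preceded by a failure streak on the same service.
        streak = defaultdict(int)
        for e in evs:
            if e["result"] == "fail":
                streak[e["service"]] += 1
            else:
                if streak[e["service"]] >= BURST_BEFORE_SUCCESS:
                    alerts.add((src, "success-after-burst:" + e["service"]))
                streak[e["service"]] = 0
    return sorted(alerts)


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG):
        print(src, reason)
```
]]></programlisting>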
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-6</option> (Enable IPv6 scanning)
<indexterm significance="preferred"><primary><option>-6</option></primary></indexterm>
<indexterm><primary>IPv6</primary></indexterm>
</term>
<listitem>
<para>Warning: This option was just added and is currently
experimental, so please notify us of any problems and bugs
related to it.
</para>
<para>
The command syntax is the same as usual except that you also
add the <option>-6</option> option. Of course, you must use
IPv6 syntax if you specify an address rather than a
hostname. An address might look like
<literal>3ffe:7501:4819:2000:210:f3ff:fe03:14d0</literal>,
so hostnames are recommended. The output looks the same as
usual, with the IPv6 address on the <quote>Discovered
credentials</quote> line being the only IPv6 giveaway.</para>
<para>While IPv6 hasn't exactly taken the world by storm, it
gets significant use in some (usually Asian) countries and
most modern operating systems support it. To use Ncrack with
IPv6, both the source and target of your scan must be
configured for IPv6. If your ISP (like most of them) does
not allocate IPv6 addresses to you, free tunnel brokers are
widely available and will probably work fine with Ncrack.
A popular IPv6 tunnel broker
<indexterm><primary>IPv6 tunnel broker</primary></indexterm>
service is at <ulink url="http://www.tunnelbroker.net"/>.
6to4 tunnels are another popular, free approach.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-sL</option> (List Scan)
<indexterm><primary><option>-sL</option></primary></indexterm>
<indexterm><primary>list scan</primary></indexterm>
</term>
<listitem>
<para>
The list scan simply lists each host and service that would
be cracked if this option were not specified. No packets are sent
to the target hosts, and the only network operation that might
happen is DNS resolution of any target hostnames. This
option is really helpful for making sure that you have specified
everything as you wanted. Service-specific options are also
printed, so it acts as a good sanity check of potentially
complex command-line arguments, such as the advanced modes
of Service Option Specification and the equivalent hierarchy
for sessions that require delicate timing handling. If the list
scan is run together with the <option>-d</option> debug option,
additional output, such as the ServicesTable and the
current timing template's parameters, is also printed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--datadir <replaceable>directoryname</replaceable></option>
(Specify custom Ncrack data file location)
<indexterm significance="preferred"><primary><option>--datadir
</option></primary></indexterm>
</term>
<listitem>
<para>Ncrack needs a file called <filename>ncrack-services</filename>
to load a lookup table of supported services/ports. This file
shouldn't be changed unless you know what you are doing (e.g.
extending Ncrack with additional modules). In addition, Ncrack
ships with various username and password lists, some of which
are used by default when the user doesn't specify lists of their
own. All these files are normally copied during the installation
procedure to a directory such as <filename>/usr/share/ncrack</filename> or
<filename>/usr/local/share/ncrack</filename>. The <option>--datadir</option>
option forces Ncrack to start searching for these files in the
specified directory. If the files aren't found there, it continues
searching in the directory named by the <envar>NCRACKDIR</envar>
environment variable (if it is defined).
Next come the <filename>~/.ncrack</filename> directories of the real and
effective UIDs (POSIX systems only) or the location of the Ncrack
executable (Win32 only), and then a compiled-in location such as
<filename>/usr/local/share/ncrack</filename> or
<filename>/usr/share/ncrack</filename>. As a last resort, Ncrack
looks in the current directory.
</para>
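<para>
The search order just described, as an added example (not Ncrack's code)
that an administrator can use to check which copy of
<filename>ncrack-services</filename> or a default wordlist a given
invocation would load: an operator-supplied <option>--datadir</option> or
<envar>NCRACKDIR</envar> takes precedence over the installed copies, and
the current directory is consulted only when every earlier location lacks
the file. The directory list and the <literal>exists</literal> predicate
are parameters so that it runs without an installation.
</para>
<programlisting><![CDATA[
```python
"""Resolve which directory Ncrack's data files would be loaded from.

Added example, not Ncrack code: it mirrors the search order documented
above so the file a run will actually read can be checked.  The search
locations are injected as parameters and `exists` defaults to a real
file check, so the same function works against a live system or in a
dry run.
"""
import os
from typing import Callable, Iterable, List, Optional, Tuple

# Compiled-in fallbacks named in the manual.
COMPILED_IN = ("/usr/local/share/ncrack", "/usr/share/ncrack")


def search_path(
    datadir: Optional[str],
    env: dict,
    homes: Iterable[str],
    exe_dir: Optional[str],
    platform: str = "posix",
    compiled_in: Iterable[str] = COMPILED_IN,
    cwd: str = ".",
) -> List[Tuple[str, str]]:
    """Return (directory, reason) pairs in the documented search order."""
    candidates = []
    if datadir:
        candidates.append((datadir, "--datadir"))
    if env.get("NCRACKDIR"):
        candidates.append((env["NCRACKDIR"], "NCRACKDIR"))
    if platform == "posix":
        # One entry per UID home: real and effective UIDs may differ.
        for home in homes:
            candidates.append((os.path.join(home, ".ncrack"), "home .ncrack"))
    elif platform == "win32" and exe_dir:
        candidates.append((exe_dir, "executable directory"))
    for d in compiled_in:
        candidates.append((d, "compiled-in"))
    candidates.append((cwd, "current directory"))
    return candidates


def resolve_data_file(
    filename: str,
    exists: Callable[[str], bool] = os.path.isfile,
    **kwargs,
) -> Optional[Tuple[str, str]]:
    """First (path, reason) where `filename` exists, or None if nowhere."""
    for directory, reason in search_path(**kwargs):
        path = os.path.join(directory, filename)
        if exists(path):
            return path, reason
    return None


if __name__ == "__main__":
    # Live check against the current machine's environment.
    home = os.path.expanduser("~")
    print(resolve_data_file("ncrack-services", datadir=None,
                            env=dict(os.environ), homes=[home], exe_dir=None))
```
]]></programlisting>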
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--proxy <replaceable>type</replaceable>://<replaceable>proxy</replaceable>:<replaceable>port</replaceable></option>
(Make connections via socks4, 4a, http)
<indexterm significance="preferred"><primary><option>--proxy
</option></primary></indexterm>
</term>
<listitem>
<para>
This will make Ncrack perform the authentication cracking session
through the proxy host specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-V</option>; <option>--version</option>
(Print version number)
<indexterm><primary><option>-V</option></primary></indexterm>
<indexterm><primary><option>--version</option></primary></indexterm>
</term>
<listitem>
<para>Prints the Ncrack version number and exits.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-h</option>; <option>--help</option>
(Print help summary page)
<indexterm><primary><option>-h</option></primary></indexterm>
<indexterm><primary><option>--help</option></primary></indexterm>
</term>
<listitem>
<para>Prints a short help screen with the most common
command flags. Running Ncrack without any arguments does the
same thing.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='man-runtime-interaction'>
<title>Runtime Interaction<indexterm><primary>runtime interaction
</primary></indexterm></title>
<para>During the execution of Ncrack, all key presses are
captured. This allows you to interact with the program
without aborting and restarting it. Certain special
keys will change options, while any other keys will print out a
status message telling you about the scan. The convention is
that
<emphasis>lowercase letters increase</emphasis> the
amount of printing, and
<emphasis>uppercase letters decrease</emphasis> the
printing. You may also press ‘<emphasis>?</emphasis>’
for help.</para>
<variablelist>
<varlistentry>
<term>
<option>v</option> / <option>V</option>
</term>
<listitem>
<para>Increase / decrease the verbosity level</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>d</option> / <option>D</option>
</term>
<listitem>
<para>Increase / decrease the debugging level</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>p</option> / <option>P</option>
</term>
<listitem>
<para>Display found credentials</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>?</option>
</term>
<listitem>
<para>Print a runtime interaction help screen</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
Anything else
</term>
<listitem>
<para>Print out a status message like this:</para>
<para>Stats: 0:00:20 elapsed; 0 services completed (1 total)</para>
<para>
Rate: 6.26; Found: 1; About 13.27% done; ETC: 21:06 (0:02:17 remaining)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='man-modules'>
<title>Modules<indexterm><primary>modules
</primary></indexterm></title>
<para>
Ncrack's architecture is modular, with each module corresponding to
one particular service or protocol. Currently, Ncrack supports the
protocols SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP,
Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM and OWA.
If you want to write and contribute your own Ncrack modules, be sure to read
the Ncrack Developer's Guide at <ulink url="http://nmap.org/ncrack/devguide.html" />.
Below we describe some key points for each of them.
</para>
<variablelist><title>FTP Module</title>
<varlistentry>
<listitem>
<para>
FTP authentication is quite fast, since there is very little
protocol negotiation overhead. Most FTP daemons allow 3 to 6
authentication attempts but usually impose a delay
before replying to a failed attempt. FileZilla
is one of the most characteristic examples: its delay is so long
that it is usually faster to open more connections against it,
each performing only one authentication attempt.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Telnet Module</title>
<varlistentry>
<listitem>
<para>
Telnet daemons have been largely superseded by their safer
counterpart, SSH. However, many boxes, mainly
routers and printers, still rely on Telnet for remote
access. These are usually also easier to crack, since their default
passwords are publicly known. The drawback is that
Telnet is a rather slow protocol, so you shouldn't expect
really high rates against it.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>SSH Module</title>
<varlistentry>
<listitem>
<para>
SSH is one of the most prevalent protocols in today's networks.
For this reason, a special library, named opensshlib and based
on code from OpenSSH, was built and tailored specifically for
Ncrack's needs. Opensshlib ships with Ncrack, so SSH support
comes out of the box. OpenSSL will have to be installed on Unix
systems, though. Windows OpenSSL DLLs are included in Ncrack, so
Windows users needn't worry about it at all.
</para>
<para>
SSH brute-forcing holds many pitfalls and challenges, and you
are well advised to read the paper that was written to explain
them. The latest version of the
"Hacking the OpenSSH library for Ncrack" document can be found
under <emphasis>docs/openssh_library.txt</emphasis> or at
<ulink url="http://sock-raw.org/papers/openssh_library" />.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>HTTP(S) Module</title>
<varlistentry>
<listitem>
<para>
The HTTP module currently supports Basic and Digest authentication.
Ncrack uses the HTTP keep-alive option whenever possible, which
leads to really high speeds, since it allows dozens of attempts
to be carried out per connection. The HTTP module can also be
run over SSL.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>SMB Module </title>
<varlistentry>
<listitem>
<para>
The SMB module currently works over raw TCP. NetBIOS isn't
supported yet. This protocol allows for high parallelization,
so users could potentially increase the number of concurrent probes
against it. SMB is frequently used for file-sharing among other things
and is one of the most ubiquitous protocols, being present
in both Unix and Windows environments.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>RDP Module </title>
<varlistentry>
<listitem>
<para>
RDP (Remote Desktop Protocol) is a proprietary protocol developed
by Microsoft for the purpose of providing remote terminal services
by transferring graphics display information from the remote computer
to the user and transporting input commands from the user to the
remote computer. Fortunately, Microsoft recently decided to open
the protocol's internal workings to the public and has provided
official documentation, which can be found at
<ulink url="http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx"/>
</para>
<para>
RDP is one of the most complex protocols, requiring the exchange of
many packets, even for just the authentication phase. For this
reason, cracking it takes a lot of time and this is probably
the slowest module.
The connection phase is briefly described at
<ulink url="http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx"/>
where you can also see a diagram of the various packets involved.
Care must be taken against RDP servers in Windows XP versions,
since they can't handle multiple connections at the same time.
It is advised to use a very slow timing template or even better
<emphasis>limit the maximum parallel connections</emphasis>
using timing options such as
<option>CL</option> (Connection Limit) or <option>cd</option>
(connection delay) against Windows XP (and relevant) RDP
servers. Windows Vista and above don't suffer from the same
limitation.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>VNC Module</title>
<varlistentry>
<listitem>
<para>
The VNC protocol has seen widespread use among Unix
administrators and users for remote graphical access. VNC is
perhaps one of the most vulnerable protocols in terms of
brute-forcing, since it often requires a password without a
corresponding username for authentication. In addition, some
versions of VNC impose an 8-character limit on password length.
You should consider adding the
<option>--passwords-first</option> option when cracking VNC
systems to exploit the fact that the username often has no
actual importance in authentication.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>POP3(S) Module</title>
<varlistentry>
<listitem>
<para>
POP3 support is still experimental and hasn't been thoroughly
tested. You can expect it to work against common mail servers,
nevertheless.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>IMAP Module</title>
<varlistentry>
<listitem>
<para>
The Internet Message Access Protocol (IMAP) is used by email clients to
retrieve email messages from a mail server. The module sends the LOGIN
command to authenticate. The LOGIN command is the simplest, fastest and
most supported authentication mechanism for IMAP.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>SIP Module</title>
<varlistentry>
<listitem>
<para>
The Session Initiation Protocol is a text-based protocol, very similar
to HTTP in its structure. The most common application of SIP is in
Internet telephony for voice and video calls. Nearly all enterprises
have infrastructure that supports conference calls and part of them are
based on SIP, making the authentication part a significant threat vector.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Redis Module</title>
<varlistentry>
<listitem>
<para>
Redis is one of the most widely used caching servers and the most
popular NoSQL database. Despite its reputation, the authentication
mechanism is very simple, only allowing for a password to protect
remote access to the service. Due to the high performance of Redis and
the fact that only 2 packets are needed for the authentication phase,
Ncrack can try a lot of passwords in parallel (<ulink url="http://redis.io/commands/AUTH" />).
Specifying a username list or single username will have no effect in this module, since
Redis only deals with passwords.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>PostgreSQL Module</title>
<varlistentry>
<listitem>
<para>
PostgreSQL is often used as a backend database.
The PostgreSQL module supports md5 authentication, which is the most frequent
password authentication method.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>MySQL Module</title>
<varlistentry>
<listitem>
<para>
The MySQL module supports native authentication.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>MSSQL Module</title>
<varlistentry>
<listitem>
<para>
The MSSQL module supports mixed authentication.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>MongoDB Module</title>
<varlistentry>
<listitem>
<para>
The MongoDB module supports MongoDB-CR and SCRAM-SHA-1 authentication. The pairwise
and passwords-first options are ignored for the MongoDB module, because they are
inefficient against MongoDB. The optimal way of cracking MongoDB is to take advantage
of a user-enumeration vulnerability inherent in its authentication mechanism, which
Ncrack exploits.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>Cassandra Module</title>
<varlistentry>
<listitem>
<para>
Apache Cassandra is a popular NoSQL database often left unsecured with weak credentials
or no authentication.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>OWA Module</title>
<varlistentry>
<listitem>
<para>
Outlook Web App allows users to access a Microsoft Exchange Server mailbox from a web
browser and experience Microsoft Outlook without a mail client. The module supports
Basic Authentication.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist><title>WinRM Module</title>
<varlistentry>
<listitem>
<para>
Windows Remote Management (WinRM) is the Microsoft implementation of
WS-Management Protocol, a standard Simple Object Access Protocol
(SOAP)-based, firewall-friendly protocol that allows hardware and
operating systems, from different vendors, to interoperate. It is often used to
administer Windows machines. The module supports Basic and Negotiate authentication.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='man-bugs'>
<title>Bugs</title>
<indexterm><primary>bugs, reporting</primary></indexterm>
<para>
Like its authors, Ncrack isn't perfect. But you can help make
it better by sending bug reports or even writing patches. If Ncrack
doesn't behave the way you expect, first upgrade to the latest
version available from <ulink url="http://nmap.org/ncrack"/>. If the
problem persists, do some research to determine whether it has already
been discovered and addressed. Try searching for the error message on our
search page at <ulink url="http://insecure.org/search.html"/> or on
Google. Also try browsing the <citetitle>nmap-dev</citetitle> archives
at <ulink url="http://seclists.org/"/>.
<indexterm><primary> <citetitle>nmap-dev</citetitle> mailing list
</primary></indexterm>
Read this full manual page as well. If you are developing your own Ncrack
module, make sure you have first read the Ncrack Developer's Guide at
<ulink url="http://nmap.org/ncrack/devguide.html" />.
If nothing comes of this, mail a bug
report to <email>nmap-dev@insecure.org</email>. Please include
everything you have learned about the problem, as well as what version of
Ncrack you are running and what operating system version it is running on.
Problem reports and Ncrack usage questions sent to
<email>nmap-dev@insecure.org</email> are far more likely to be answered
than those sent to Fyodor directly. If you subscribe to the nmap-dev
list before posting, your message will bypass moderation and get through
more quickly. Subscribe at
<ulink url="http://cgi.insecure.org/mailman/listinfo/nmap-dev"/>.
</para>
<para>
Code patches to fix bugs are even better than bug reports.
Basic instructions for creating patch files with your changes are
available at <ulink url="http://nmap.org/data/HACKING" />. Patches may
be sent to <citetitle>nmap-dev</citetitle> (recommended) or to Fyodor
directly.
</para>
</refsect1>
<refsect1 id="man-author">
<title>Authors</title>
<para>ithilgore (Fotios (Fotis) Chantzis) <email>ithilgore@sock-raw.org</email>
(<ulink url="http://sock-raw.org" />)</para>
<para>Fyodor <email>fyodor@insecure.org</email>
(<ulink url="http://insecure.org" />)</para>
</refsect1>
<refsect1 id='man-legal'>
<title>Ncrack Copyright and Licensing</title>
<indexterm><primary>copyright</primary></indexterm>
<indexterm><primary>GNU General Public License</primary></indexterm>
<para>
While it isn't distributed with Nmap, Ncrack is part of the Nmap project and falls under the same license and (non) warranty provisions, as described at <ulink url="http://nmap.org/book/man-legal.html"/>.
</para>
</refsect1>
</refentry>
<indexterm class="endofrange" startref="man-ncrack-indexterm"
significance="normal"/>