Ncrack is an open source tool for network authentication cracking. It was designed for high-speed parallel cracking using a dynamic engine that can adapt to different network situations.

It can also be extensively fine-tuned for special cases, though the default parameters are generic enough to cover almost every situation. It is built on a modular architecture that allows for easy extension to support additional protocols.

Ncrack is designed for companies and security professionals to audit large networks for default or weak passwords in a rapid and reliable way. It can also be used to conduct fairly sophisticated and intensive brute force attacks against individual services.

The output from Ncrack is a list of found credentials, if any, for each of the targets specified. Ncrack can also print an interactive status report of progress so far and possibly additional debugging information that can help track problems, if the user selected that option.

Usage:

ncrack [Options] {target and service specification}
 
 TARGET SPECIFICATION:
   Can pass hostnames, IP addresses, networks, etc.
   Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
   -iX : Input from Nmap's -oX XML output format
   -iN : Input from Nmap's -oN Normal output format
   -iL : Input from list of hosts/networks
   --exclude : Exclude hosts/networks
   --excludefile : Exclude list from file
 
 SERVICE SPECIFICATION:
   Can pass target specific services in ://target (standard) notation or
   using -p which will be applied to all hosts in non-standard notation.
   Service arguments can be specified to be host-specific, type of service-specific
   (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
   Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
   -p : services will be applied to all non-standard notation hosts
   -m :: options will be applied to all services of this type
   -g : options will be applied to every service globally
 
   Misc options:
     ssl: enable SSL over this service
     path : used in modules like HTTP ('=' needs escaping if used)
 
 TIMING AND PERFORMANCE:
   Options which take  are in seconds, unless you append 'ms'
   (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
   Service-specific options:
     cl (min connection limit): minimum number of concurrent parallel connections
     CL (max connection limit): maximum number of concurrent parallel connections
     at (authentication tries): authentication attempts per connection
     cd (connection delay): delay  between each connection initiation
     cr (connection retries): caps number of service connection attempts
     to (time-out): maximum cracking  for service, regardless of success so far
   -T<0-5>: Set timing template (higher is faster)
   --connection-limit : threshold for total concurrent connections
 
 AUTHENTICATION:
   -U : username file
   -P : password file
   --user : comma-separated username list
   --pass : comma-separated password list
   --passwords-first: Iterate password list for each username. Default is opposite.
 
 OUTPUT:
   -oN/-oX : Output scan in normal and XML format, respectively, to the given filename.
   -oA : Output in the two major formats at once
   -v: Increase verbosity level (use twice or more for greater effect)
   -d[level]: Set or increase debugging level (Up to 10 is meaningful)
   --nsock-trace : Set nsock trace level (Valid range: 0 - 10)
   --log-errors: Log errors/warnings to the normal-format output file
   --append-output: Append to rather than clobber specified output files
 
 MISC:
   --resume : Continue previously saved session
   -f: quit cracking service after one found credential
   -6: Enable IPv6 cracking
   -sL or --list: only list hosts and services
   --datadir : Specify custom Ncrack data file location
   -V: Print version number
   -h: Print this help summary page.
 
 MODULES:
   FTP, SSH, TELNET, HTTP(S), POP3(S)
 
 EXAMPLES:
   ncrack -v --user root localhost:22
   ncrack -v -T5 https://192.168.0.1
   ncrack -v -iX ~/nmap.xml -g CL=5,to=1h