Added domain option, updated documentation and fixed some default tim…

…ings

CHANGELOG

@@ -54,8 +54,8 @@ o Implemented 'cr' (connection retries) option (caps number of consecutive
   connection attempts until host/service is removed from list)
   [Evangelos Deirmetzoglou - GSoC 2017]
 
-o Added 'db' module option for protocols that need a specific database
-  specification (e.g. MongoDB)
+o Added 'db' and 'domain' module options for protocols that need a specific
+  database (e.g. MongoDB) or domain (e.g. WinRM)
 
 o Updated Ncrack to use latest Nsock & Nbase versions. 
 

Service.h

@@ -303,7 +303,7 @@ class Service
 
     char *db; /* used for MongoDB or other modules that need a database name */
 
-    char *domain; /* used for HTTP or other modules that need a path-name */
+    char *domain; /* used for modules like WinRM that need a domain */
 
 		void *module_data; /* service/module-specific data */
 

docs/ncrack.1

@@ -2,12 +2,12 @@
 .\"     Title: ncrack
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets v1.75.1 <http://docbook.sf.net/>
-.\"      Date: 10/11/2017
+.\"      Date: 10/12/2017
 .\"    Manual: Ncrack Reference Guide
 .\"    Source: Ncrack
 .\"  Language: English
 .\"
-.TH "NCRACK" "1" "10/11/2017" "Ncrack" "Ncrack Reference Guide"
+.TH "NCRACK" "1" "10/12/2017" "Ncrack" "Ncrack Reference Guide"
 .\" -----------------------------------------------------------------
 .\" * set default formatting
 .\" -----------------------------------------------------------------
@@ -112,6 +112,8 @@ SERVICE SPECIFICATION:
   Misc options:
     ssl: enable SSL over this service
     path <name>: used in modules like HTTP (\'=\' needs escaping if used)
+    db <name>: used in modules like MongoDB to specify the database
+    domain <name>: used in modules like WinRM to specify the domain
 TIMING AND PERFORMANCE:
   Options which take <time> are in seconds, unless you append \'ms\'
   (miliseconds), \'m\' (minutes), or \'h\' (hours) to the value (e\&.g\&. 30m)\&.
@@ -370,6 +372,8 @@ Below follows a list of all the currently available service options\&. You can a
 .nf
 ssl: enable SSL over this service
 path: path\-name used in modules like HTTP (\'=\' needs escaping if used)
+db: used in modules like MongoDB to specify the database
+domain: used in modules like WinRM to specify the domain
 cl (min connection limit): minimum number of concurrent parallel connections
 CL (max connection limit): maximum number of concurrent parallel connections
 at (authentication tries): authentication attempts per connection
@@ -406,6 +410,20 @@ Also be careful with the symbol \'=\', since it is used by Ncrack for argument p
 By default, the path\-name is initialized to \'/\', but will be ignored by services that do not require it\&.
 .RE
 .PP
+\fBdb <name>\fR (Database name)
+.RS 4
+Some services like MongoDB require a specific database name to crack\&. This option allows you to specify the database\&.
+.sp
+By default, the db name for MongoDB is initialized to \'admin\' but will be ignored by services that do not require it\&.
+.RE
+.PP
+\fBdomain <name>\fR (Domain name)
+.RS 4
+Some services like WinRM require a specific domain to crack\&. This option allows you to specify the domain\&.
+.sp
+By default, the domain name for WinRM is initialized to \'Workstation\' but will be ignored by services that do not require it\&.
+.RE
+.PP
 \fBService Option Hierarchy\fR
 .PP
 As already noted, Ncrack allows a combination of the three different modes of service option specification\&. In that case, there is a strict hierarchy that resolves the order in which conflicting values for these options take precedence over each other\&. The order is as follows, leftmost being the highest priority and rightmost the lowest one:
@@ -452,33 +470,57 @@ option if you want even more verbose output\&. For the above example, Ncrack wou
 
 $ ncrack scanme\&.nmap\&.org:22,cl=10,at=1 10\&.0\&.0\&.120 10\&.0\&.0\&.20 \-p 21 \-m ftp:CL=1 \-g CL=3 \-sL \-d
 
-Starting Ncrack 0\&.01ALPHA ( http://ncrack\&.org ) at 2009\-08\-05 18:32 EEST
+Starting Ncrack 0\&.6 ( http://ncrack\&.org ) at 2017\-10\-12 01:13 CDT
 
 \-\-\-\-\- [ Timing Template ] \-\-\-\-\-
-cl=7, CL=80, at=0, cd=0, cr=10, to=0
+cl=7, CL=80, at=0, cd=0, cr=30, to=0
 
 \-\-\-\-\- [ ServicesTable ] \-\-\-\-\-
-SERVICE   cl  CL  at  cd  cr  to  ssl path
-ftp:21    N/A 1   N/A N/A N/A N/A no  null
-ssh:22    N/A N/A N/A N/A N/A N/A no  null
-telnet:23 N/A N/A N/A N/A N/A N/A no  null
-smtp:25   N/A N/A N/A N/A N/A N/A no  null
-http:80   N/A N/A N/A N/A N/A N/A no  null
-https:443 N/A N/A N/A N/A N/A N/A yes null
+SERVICE            cl  CL  at  cd  cr  to  ssl path db    domain
+ftp:21             N/A 1   N/A N/A N/A N/A no  null null  null
+ssh:22             N/A N/A N/A N/A N/A N/A no  null null  null
+telnet:23          N/A N/A N/A N/A N/A N/A no  null null  null
+http:80            N/A N/A N/A N/A N/A N/A no  null null  null
+pop3:110           N/A N/A N/A N/A N/A N/A no  null null  null
+imap:143           N/A N/A N/A N/A N/A N/A no  null null  null
+netbios\-ssn:445    N/A N/A N/A N/A N/A N/A no  null null  null
+smb:445            N/A N/A N/A N/A N/A N/A no  null null  null
+smb:139            N/A N/A N/A N/A N/A N/A no  null null  null
+https:443          N/A N/A N/A N/A N/A N/A yes null null  null
+owa:443            N/A N/A N/A N/A N/A N/A yes null null  null
+sip:5060           N/A N/A N/A N/A N/A N/A no  null null  null
+pop3s:995          N/A N/A N/A N/A N/A N/A yes null null  null
+mssql:1443         N/A N/A N/A N/A N/A N/A no  null null  null
+mysql:3306         N/A N/A N/A N/A N/A N/A no  null null  null
+ms\-wbt\-server:3389 N/A N/A N/A N/A N/A N/A no  null null  null
+rdp:3389           N/A N/A N/A N/A N/A N/A no  null null  null
+psql:5432          N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:5801           N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:5900           N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:5901           N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:6001           N/A N/A N/A N/A N/A N/A no  null null  null
+redis:6379         N/A N/A N/A N/A N/A N/A no  null null  null
+winrm:5985         N/A N/A N/A N/A N/A N/A no  null null  Workstation
+winrm:5986         N/A N/A N/A N/A N/A N/A no  null null  Workstation
+cassandra:9160     N/A N/A N/A N/A N/A N/A no  null null  null
+cassandra:9042     N/A N/A N/A N/A N/A N/A no  null null  null
+mongodb:27017      N/A N/A N/A N/A N/A N/A no  null admin null
 
 \-\-\-\-\- [ Targets ] \-\-\-\-\-
-Host: 64\&.13\&.134\&.52 ( scanme\&.nmap\&.org )
-  ssh:22 cl=10, CL=10, at=1, cd=0, cr=10, to=0, ssl=no, path=/
+Host: 45\&.33\&.32\&.156 ( scanme\&.nmap\&.org ) 
+  ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
 Host: 10\&.0\&.0\&.120
-  ftp:21 cl=3, CL=1, at=0, cd=0, cr=10, to=0, ssl=no, path=/
+  ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
 Host: 10\&.0\&.0\&.20
-  ftp:21 cl=3, CL=1, at=0, cd=0, cr=10, to=0, ssl=no, path=/
+  ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
+
 
 Ncrack done: 3 services would be scanned\&.
 Probes sent: 0 | timed\-out: 0 | prematurely\-closed: 0
 
 Ncrack finished\&.
 
+
 
 .fi
 .if n \{\

docs/ncrack.usage.txt

@@ -20,6 +20,8 @@ SERVICE SPECIFICATION:
   Misc options:
     ssl: enable SSL over this service
     path <name>: used in modules like HTTP ('=' needs escaping if used)
+    db <name>: used in modules like MongoDB to specify the database
+    domain <name>: used in modules like WinRM to specify the domain
 TIMING AND PERFORMANCE:
   Options which take <time> are in seconds, unless you append 'ms'
   (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

docs/refguide.xml

@@ -589,6 +589,8 @@ $ ncrack scanme.nmap.org 10.0.0.120-122 192.168.2.0/24 -p 22,ftp:3210,telnet
     <screen>
 ssl: enable SSL over this service
 path: path-name used in modules like HTTP ('=' needs escaping if used)
+db: used in modules like MongoDB to specify the database
+domain: used in modules like WinRM to specify the domain
 cl (min connection limit): minimum number of concurrent parallel connections
 CL (max connection limit): maximum number of concurrent parallel connections
 at (authentication tries): authentication attempts per connection
@@ -670,6 +672,48 @@ to (time-out): maximum cracking time for service, regardless of success so far
   </varlistentry>
   </variablelist>
 
+  <variablelist>
+  <varlistentry>
+        <term>
+          <option>db &lt;name&gt;</option> (Database name)
+        </term>
+        <listitem>
+          <para>
+            Some services like MongoDB require a specific database name
+            to crack. This option allows you to specify the database. 
+          </para>
+
+          <para>
+            By default, the db name for MongoDB is initialized to 'admin'
+            but will be ignored by services that do not require it.
+          </para>
+
+        </listitem>
+  </varlistentry>
+</variablelist>
+
+  <variablelist>
+  <varlistentry>
+        <term>
+          <option>domain &lt;name&gt;</option> (Domain name)
+        </term>
+        <listitem>
+          <para>
+            Some services like WinRM require a specific domain to crack.
+            This option allows you to specify the domain.
+          </para>
+
+          <para>
+            By default, the domain name for WinRM is initialized to 'Workstation'
+            but will be ignored by services that do not require it.
+          </para>
+
+        </listitem>
+  </varlistentry>
+  </variablelist>
+
+
+
   <variablelist><title>Service Option Hierarchy</title>
 
     <para>
@@ -736,33 +780,57 @@ $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g
 
 $ ncrack scanme.nmap.org:22,cl=10,at=1 10.0.0.120 10.0.0.20 -p 21 -m ftp:CL=1 -g CL=3 -sL -d
 
-Starting Ncrack 0.01ALPHA ( http://ncrack.org ) at 2009-08-05 18:32 EEST
+Starting Ncrack 0.6 ( http://ncrack.org ) at 2017-10-12 01:13 CDT
 
 ----- [ Timing Template ] -----
-cl=7, CL=80, at=0, cd=0, cr=10, to=0
+cl=7, CL=80, at=0, cd=0, cr=30, to=0
 
 ----- [ ServicesTable ] -----
-SERVICE   cl  CL  at  cd  cr  to  ssl path
-ftp:21    N/A 1   N/A N/A N/A N/A no  null
-ssh:22    N/A N/A N/A N/A N/A N/A no  null
-telnet:23 N/A N/A N/A N/A N/A N/A no  null
-smtp:25   N/A N/A N/A N/A N/A N/A no  null
-http:80   N/A N/A N/A N/A N/A N/A no  null
-https:443 N/A N/A N/A N/A N/A N/A yes null
+SERVICE            cl  CL  at  cd  cr  to  ssl path db    domain
+ftp:21             N/A 1   N/A N/A N/A N/A no  null null  null
+ssh:22             N/A N/A N/A N/A N/A N/A no  null null  null
+telnet:23          N/A N/A N/A N/A N/A N/A no  null null  null
+http:80            N/A N/A N/A N/A N/A N/A no  null null  null
+pop3:110           N/A N/A N/A N/A N/A N/A no  null null  null
+imap:143           N/A N/A N/A N/A N/A N/A no  null null  null
+netbios-ssn:445    N/A N/A N/A N/A N/A N/A no  null null  null
+smb:445            N/A N/A N/A N/A N/A N/A no  null null  null
+smb:139            N/A N/A N/A N/A N/A N/A no  null null  null
+https:443          N/A N/A N/A N/A N/A N/A yes null null  null
+owa:443            N/A N/A N/A N/A N/A N/A yes null null  null
+sip:5060           N/A N/A N/A N/A N/A N/A no  null null  null
+pop3s:995          N/A N/A N/A N/A N/A N/A yes null null  null
+mssql:1443         N/A N/A N/A N/A N/A N/A no  null null  null
+mysql:3306         N/A N/A N/A N/A N/A N/A no  null null  null
+ms-wbt-server:3389 N/A N/A N/A N/A N/A N/A no  null null  null
+rdp:3389           N/A N/A N/A N/A N/A N/A no  null null  null
+psql:5432          N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:5801           N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:5900           N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:5901           N/A N/A N/A N/A N/A N/A no  null null  null
+vnc:6001           N/A N/A N/A N/A N/A N/A no  null null  null
+redis:6379         N/A N/A N/A N/A N/A N/A no  null null  null
+winrm:5985         N/A N/A N/A N/A N/A N/A no  null null  Workstation
+winrm:5986         N/A N/A N/A N/A N/A N/A no  null null  Workstation
+cassandra:9160     N/A N/A N/A N/A N/A N/A no  null null  null
+cassandra:9042     N/A N/A N/A N/A N/A N/A no  null null  null
+mongodb:27017      N/A N/A N/A N/A N/A N/A no  null admin null
 
 ----- [ Targets ] -----
-Host: 64.13.134.52 ( scanme.nmap.org )
-  ssh:22 cl=10, CL=10, at=1, cd=0, cr=10, to=0, ssl=no, path=/
+Host: 45.33.32.156 ( scanme.nmap.org ) 
+  ssh:22 cl=10, CL=10, at=1, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
 Host: 10.0.0.120
-  ftp:21 cl=3, CL=1, at=0, cd=0, cr=10, to=0, ssl=no, path=/
+  ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
 Host: 10.0.0.20
-  ftp:21 cl=3, CL=1, at=0, cd=0, cr=10, to=0, ssl=no, path=/
+  ftp:21 cl=3, CL=1, at=0, cd=0, cr=30, to=0ms, ssl=no, path=/, db=admin, domain=Workstation
+
 
 Ncrack done: 3 services would be scanned.
 Probes sent: 0 | timed-out: 0 | prematurely-closed: 0
 
 Ncrack finished.
 
+
        </screen>
      </example>
 

ncrack.cc

@@ -250,6 +250,7 @@ print_usage(void)
       "    path <name>: used in modules like HTTP ('=' needs escaping if "
            "used)\n"
       "    db <name>: used in modules like MongoDB to specify the database\n"
+      "    domain <name>: used in modules like WinRM to specify the domain\n"
       "TIMING AND PERFORMANCE:\n"
       "  Options which take <time> are in seconds, unless you append 'ms'\n"
       "  (miliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m)."
@@ -340,6 +341,8 @@ lookup_init(const char *const filename)
       continue;
 
     temp.misc.ssl = false;
+    temp.misc.db = NULL;
+    temp.misc.domain = NULL;
 
     if (sscanf(line, "%127s %hu/%15s", servicename, &portno, proto) != 3)
       fatal("invalid ncrack-services file: %s", filename);
@@ -356,6 +359,12 @@ lookup_init(const char *const filename)
       || !strncmp(servicename, "owa", sizeof("owa")))
       temp.misc.ssl = true;
 
+    if (!strncmp(servicename, "mongodb", sizeof("mongodb")))
+        temp.misc.db = Strndup("admin", sizeof("admin"));
+
+    if (!strncmp(servicename, "winrm", sizeof("winrm")))
+        temp.misc.domain = Strndup("Workstation", sizeof("Workstation"));
+
     for (vi = ServicesTable.begin(); vi != ServicesTable.end(); vi++) {
       if ((vi->lookup.portno == temp.lookup.portno) 
           && (vi->lookup.proto == temp.lookup.proto)
@@ -1374,6 +1383,7 @@ ncrack_main(int argc, char **argv)
       int col_ssl = colno++;
       int col_path = colno++;
       int col_db = colno++;
+      int col_domain = colno++;
       int numrows = ServicesTable.size() + 1;
       NcrackOutputTable *Tbl = new NcrackOutputTable(numrows, colno);
 
@@ -1387,6 +1397,7 @@ ncrack_main(int argc, char **argv)
       Tbl->addItem(0, col_ssl, false, "ssl", sizeof("ssl") - 1);
       Tbl->addItem(0, col_path, false, "path", sizeof("path") - 1);
       Tbl->addItem(0, col_db, false, "db", sizeof("db") - 1);
+      Tbl->addItem(0, col_domain, false, "domain", sizeof("domain") - 1);
 
       int rowno = 1;
 
@@ -1437,6 +1448,12 @@ ncrack_main(int argc, char **argv)
         Tbl->addItem(rowno, col_path, false, ServicesTable[i].misc.path ?
             ServicesTable[i].misc.path : "null");
 
+        Tbl->addItem(rowno, col_db, false, ServicesTable[i].misc.db ?
+            ServicesTable[i].misc.db : "null");
+
+        Tbl->addItem(rowno, col_domain, false, ServicesTable[i].misc.domain ?
+            ServicesTable[i].misc.domain : "null");
+
         rowno++;
       }      
       log_write(LOG_PLAIN, "%s", Tbl->printableTable(NULL));
@@ -1452,11 +1469,12 @@ ncrack_main(int argc, char **argv)
       for (li = SG->services_all.begin(); li != SG->services_all.end(); li++) {
         if ((*li)->target == Targets[i]) 
           log_write(LOG_PLAIN, "  %s:%hu cl=%ld, CL=%ld, at=%ld, cd=%ld, "
-              "cr=%ld, to=%lldms, ssl=%s, path=%s\n", 
+              "cr=%ld, to=%lldms, ssl=%s, path=%s, db=%s, domain=%s\n",
               (*li)->name, (*li)->portno, (*li)->min_connection_limit,
               (*li)->max_connection_limit, (*li)->auth_tries, 
               (*li)->connection_delay, (*li)->connection_retries,
-              (*li)->timeout, (*li)->ssl ? "yes" : "no", (*li)->path);
+              (*li)->timeout, (*li)->ssl ? "yes" : "no", (*li)->path,
+              (*li)->db, (*li)->domain);
       }
     }
   } else {