require 'rex/proto/mssql/client'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'
require 'metasploit/framework/login_scanner/ntlm'
module Metasploit
module Framework
module LoginScanner
# This is the LoginScanner class for dealing with Microsoft SQL Servers.
# It is responsible for taking a single target, and a list of credentials
# and attempting them. It then saves the results
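class MSSQL
  include Metasploit::Framework::LoginScanner::Base
  include Metasploit::Framework::LoginScanner::RexSocket
  include Metasploit::Framework::LoginScanner::NTLM

  DEFAULT_PORT = 1433
  DEFAULT_REALM = nil
  # Lifted from lib/msf/core/exploit/mssql.rb
  LIKELY_PORTS = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
  # Lifted from lib/msf/core/exploit/mssql.rb
  LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]
  # :ntlm_hash is accepted alongside :password, so the credential.private value
  # handed to #attempt_login may be an NTLM hash rather than a cleartext password;
  # how each kind is used on the wire is decided inside Rex::Proto::MSSQL::Client.
  PRIVATE_TYPES = [ :password, :ntlm_hash ]
  REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

  # @!attribute auth
  #   @return [String] The authentication mechanism to use. A single value,
  #     validated below against Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS.
  #   @see Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS
  attr_accessor :auth

  validates :auth,
            inclusion: { in: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS }

  # @!attribute domain_controller_rhost
  #   @return [String] The domain controller rhost, required for Kerberos Authentication
  attr_accessor :domain_controller_rhost

  # @!attribute hostname
  #   @return [String] The mssql hostname, required for Kerberos Authentication
  attr_accessor :hostname

  # @!attribute use_client_as_proof
  #   @return [Boolean] If a login is successful and this attribute is true, the
  #     authenticated MSSQL::Client instance is used as proof. The TDS session is
  #     then left open and its lifetime is owned by whoever consumes the Result.
  attr_accessor :use_client_as_proof

  # @!attribute max_send_size
  #   @return [Integer] The max size of the data to encapsulate in a single packet
  attr_accessor :max_send_size

  # @!attribute send_delay
  #   @return [Integer] The delay between sending packets
  attr_accessor :send_delay

  # @!attribute tdsencryption
  #   @return [Boolean] Whether TDS-level encryption is requested for the session
  #     (presumably read by the client via framework_module — confirm against
  #     Rex::Proto::MSSQL::Client before relying on it).
  attr_accessor :tdsencryption

  validates :tdsencryption,
            inclusion: { in: [true, false] }

  # Attempts a single credential against the target MSSQL instance.
  #
  # Status mapping:
  # * login accepted            -> SUCCESSFUL (proof is the live client when
  #                                 use_client_as_proof is set)
  # * login rejected            -> INCORRECT
  # * Rex::ConnectionError      -> UNABLE_TO_CONNECT, proof is the exception
  # * any other StandardError   -> UNABLE_TO_CONNECT, proof is the exception,
  #                                 and the error is logged via elog. Note that
  #                                 protocol/parsing failures are therefore folded
  #                                 into the "unable to connect" bucket.
  #
  # Every path except "kept as proof" tears down the client so a rejected or
  # errored attempt does not leave a half-open TDS session behind.
  #
  # @param credential [Metasploit::Framework::Credential] public/private/realm to try
  # @return [Metasploit::Framework::LoginScanner::Result]
  def attempt_login(credential)
    result_options = {
      credential: credential,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'mssql'
    }

    client = nil
    keep_client = false
    begin
      # sslkeylogfile (supplied by an included mixin) makes the client record TLS
      # session secrets to disk when set; treat that file as sensitive.
      client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies, sslkeylogfile: sslkeylogfile)
      # Third argument is the database name (left empty); realm is used as the
      # domain for NTLM/Kerberos style logins.
      if client.mssql_login(credential.public, credential.private, '', credential.realm)
        result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
        if use_client_as_proof
          # Hand the authenticated session to the caller; do not close it below.
          keep_client = true
          result_options[:proof] = client
          result_options[:connection] = client.sock
        end
      else
        result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
      end
    rescue ::Rex::ConnectionError => e
      result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      result_options[:proof] = e
    rescue => e
      elog(e, error: e)
      result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      result_options[:proof] = e
    ensure
      # Runs for SUCCESSFUL-without-proof, INCORRECT and both rescue paths. Doing
      # the teardown here (rather than inline) also keeps a failing disconnect
      # from overwriting an already-recorded SUCCESSFUL verdict.
      disconnect_quietly(client) unless keep_client
    end

    ::Metasploit::Framework::LoginScanner::Result.new(result_options)
  end

  private

  # Closes the client's connection if one was created. Teardown problems
  # (e.g. the peer already closed the socket) are logged, not raised, so they
  # cannot change the login status the caller has already decided on.
  #
  # @param client [Rex::Proto::MSSQL::Client, nil]
  # @return [void]
  def disconnect_quietly(client)
    return unless client

    client.disconnect
  rescue StandardError => e
    elog(e, error: e)
  end

  # Fills in defaults for any option the caller left unset. Called by the
  # Base mixin during initialisation.
  def set_sane_defaults
    self.connection_timeout ||= 30
    self.port ||= DEFAULT_PORT
    self.max_send_size ||= 0
    self.send_delay ||= 0

    # Don't use ||= with booleans: an explicit `false` must survive.
    self.send_lm = true if self.send_lm.nil?
    self.send_ntlm = true if self.send_ntlm.nil?
    self.send_spn = true if self.send_spn.nil?
    self.use_lmkey = false if self.use_lmkey.nil?
    self.use_ntlm2_session = true if self.use_ntlm2_session.nil?
    self.use_ntlmv2 = true if self.use_ntlmv2.nil?
    self.auth = Msf::Exploit::Remote::AuthOption::AUTO if self.auth.nil?
    # Default is plaintext TDS; callers opt in to encryption explicitly.
    self.tdsencryption = false if self.tdsencryption.nil?
  end
end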
end
end
end