require 'rex/proto/mssql/client'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'
require 'metasploit/framework/login_scanner/ntlm'
module Metasploit
module Framework
module LoginScanner
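# This is the LoginScanner class for dealing with Microsoft SQL Servers.
# It is responsible for taking a single target, and a list of credentials
# and attempting them. It then saves the results.
#
# Every credential attempt opens its own TDS session through
# Rex::Proto::MSSQL::Client; see #attempt_login for the connection
# lifecycle and the login status each outcome maps to.
class MSSQL
  include Metasploit::Framework::LoginScanner::Base
  include Metasploit::Framework::LoginScanner::RexSocket
  include Metasploit::Framework::LoginScanner::NTLM

  DEFAULT_PORT = 1433
  # Realm used for credentials that carry none. Not referenced in this file;
  # presumably applied by the Base mixin — confirm there if it matters.
  DEFAULT_REALM = 'WORKSTATION'
  # Lifted from lib/msf/core/exploit/mssql.rb
  LIKELY_PORTS = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
  # Lifted from lib/msf/core/exploit/mssql.rb
  LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]
  # Private credential types this scanner accepts: clear-text passwords and
  # NTLM hashes. Both are handed to the client as credential.private; hash
  # handling presumably depends on the NTLM mixin flags set in
  # #set_sane_defaults — confirm in Rex::Proto::MSSQL::Client.
  PRIVATE_TYPES = [ :password, :ntlm_hash ]
  REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

  # @!attribute auth
  #   @return [String] The authentication mechanism to use. Validated to be
  #     one of Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS (a single
  #     value, not a list); defaults to AuthOption::AUTO.
  #   @see Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS
  attr_accessor :auth

  # Declared once; the original carried an identical duplicate, which made
  # an invalid value produce the same validation error twice.
  validates :auth,
            inclusion: { in: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS }

  # @!attribute domain_controller_rhost
  #   @return [String] The domain controller rhost, required for Kerberos Authentication
  attr_accessor :domain_controller_rhost

  # @!attribute hostname
  #   @return [String] The mssql hostname, required for Kerberos Authentication
  attr_accessor :hostname

  # @!attribute windows_authentication
  #   @return [Boolean] Whether to use Windows Authentication instead of SQL Server Auth.
  attr_accessor :windows_authentication

  # @!attribute use_client_as_proof
  #   @return [Boolean] If a login is successful and this attribute is true - an
  #     MSSQL::Client instance is used as proof and its socket is exposed as the
  #     result's connection. The caller then owns that live session and is
  #     responsible for closing it; otherwise the scanner closes it itself.
  attr_accessor :use_client_as_proof

  # @!attribute max_send_size
  #   @return [Integer] The max size of the data to encapsulate in a single packet
  attr_accessor :max_send_size

  # @!attribute send_delay
  #   @return [Integer] The delay between sending packets
  attr_accessor :send_delay

  validates :windows_authentication,
            inclusion: { in: [true, false] }

  # @!attribute tdsencryption
  #   @return [Boolean] Whether to negotiate TDS encryption (TLS) for the
  #     session. Defaults to false. NOTE(review): without it the TDS7 login
  #     only lightly obfuscates the password, so credentials effectively cross
  #     the wire in the clear — enable it on any path you do not control.
  attr_accessor :tdsencryption

  validates :tdsencryption,
            inclusion: { in: [true, false] }

  # Attempt a single credential against the target.
  #
  # A fresh TDS session is opened for the attempt and the outcome is mapped
  # to a login status:
  # * login accepted          -> SUCCESSFUL
  # * login rejected          -> INCORRECT
  # * Rex::ConnectionError    -> UNABLE_TO_CONNECT, the exception kept as proof
  # * any other StandardError -> logged via elog, then UNABLE_TO_CONNECT with
  #                              the exception as proof
  #
  # The session is closed before returning on every path except a successful
  # login with #use_client_as_proof set, where the live client is returned as
  # proof and its socket as the result's connection.
  #
  # @param credential [#public, #private, #realm] the credential to try; its
  #   public (username), private (password or NTLM hash) and realm (domain)
  #   are passed to the client together with an empty third argument
  #   (presumably the database name).
  # @return [Metasploit::Framework::LoginScanner::Result]
  def attempt_login(credential)
    result_options = {
      credential: credential,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'mssql'
    }

    client = nil
    keep_client = false

    begin
      # NOTE(review): auth, tdsencryption, windows_authentication and the
      # Kerberos attributes are not passed here; the client presumably reads
      # the equivalent datastore options from framework_module — confirm.
      client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies)
      if client.mssql_login(credential.public, credential.private, '', credential.realm)
        result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
        if use_client_as_proof
          # Hand the live session to the caller, who now owns the socket.
          keep_client = true
          result_options[:proof] = client
          result_options[:connection] = client.sock
        end
      else
        result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
      end
    rescue ::Rex::ConnectionError => e
      result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      result_options[:proof] = e
    rescue => e
      # Anything else (reply parsing, auth mechanism failures, ...) is logged
      # and reported as unable to connect rather than aborting the whole scan.
      elog(e)
      result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
      result_options[:proof] = e
    ensure
      # Close the session on every path that does not hand it to the caller.
      # Previously only the successful/non-proof branch disconnected, so a
      # rejected login or an exception leaked one socket per attempt — which
      # adds up quickly in a brute-force loop. The close is best-effort so a
      # cleanup failure cannot clobber the status computed above.
      if client && !keep_client
        begin
          client.disconnect
        rescue ::StandardError
          nil
        end
      end
    end

    ::Metasploit::Framework::LoginScanner::Result.new(result_options)
  end

  private

  # Fill in every attribute the caller left nil; presumably invoked by the
  # Base mixin during initialisation. Values already set are left untouched.
  def set_sane_defaults
    self.connection_timeout ||= 30
    self.port ||= DEFAULT_PORT
    self.max_send_size ||= 0
    self.send_delay ||= 0

    # Don't use ||= with booleans: `false ||= x` would silently flip an
    # explicit false to the default, so only fill in genuine nils.
    # The NTLM flags below are not read in this file; they are presumably
    # consumed by the NTLM mixin / client during negotiation.
    self.send_lm = true if self.send_lm.nil?
    self.send_ntlm = true if self.send_ntlm.nil?
    self.send_spn = true if self.send_spn.nil?
    self.use_lmkey = false if self.use_lmkey.nil?
    self.use_ntlm2_session = true if self.use_ntlm2_session.nil?
    self.use_ntlmv2 = true if self.use_ntlmv2.nil?
    self.auth = Msf::Exploit::Remote::AuthOption::AUTO if self.auth.nil?
    self.windows_authentication = false if self.windows_authentication.nil?
    # Unencrypted TDS by default; see the tdsencryption attribute doc.
    self.tdsencryption = false if self.tdsencryption.nil?
  end
end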
end
end
end