Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::MSSQL
8
  include Msf::Auxiliary::Report
9
  include Msf::OptionalSession::MSSQL
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Microsoft SQL Server Configuration Enumerator',
14
      'Description'    => %q{
15
          This module will perform a series of configuration audits and
16
        security checks against a Microsoft SQL Server database. For this
17
        module to work, valid administrative user credentials must be
18
        supplied.
19
      },
20
      'Author'         => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
21
      'License'        => MSF_LICENSE
22
    ))
23
  end
24

25
  def run
26
    print_status("Running MS SQL Server Enumeration...")
27
    if session
28
      set_mssql_session(session.client)
29
    else
30
      unless mssql_login_datastore
31
        print_error("Login was unsuccessful. Check your credentials.")
32
        disconnect
33
        return
34
      end
35
    end
36

37
    # Get Version
38
    print_status("Version:")
39
    vernum =""
40
    ver = mssql_query("select @@version")
41
    sqlversion = ver[:rows].join
42
    sqlversion.each_line do |row|
43
      print "[*]\t#{row}"
44
    end
45
    vernum = sqlversion.gsub("\n"," ").scan(/SQL Server\s*(200\d)/m)
46
    report_note(:host => mssql_client.peerhost,
47
      :proto => 'TCP',
48
      :port => mssql_client.peerport,
49
      :type => 'MSSQL_ENUM',
50
      :data => "Version: #{sqlversion}")
51

52
    #---------------------------------------------------------
53
    # Check Configuration Parameters and check what is enabled
54
    print_status("Configuration Parameters:")
55
    if vernum.join != "2000"
56
      query = "SELECT name, CAST(value_in_use AS INT) from sys.configurations"
57
      ver = mssql_query(query)[:rows]
58
      sysconfig = {}
59
      ver.each do |l|
60
        sysconfig[l[0].strip] = l[1].to_i
61
      end
62
    else
63
      # enable advanced options
64
      mssql_query("EXEC sp_configure \'show advanced options\', 1; RECONFIGURE")[:rows]
65
      query = "EXECUTE sp_configure"
66
      ver = mssql_query(query)[:rows]
67
      ver.class
68
      sysconfig = {}
69
      ver.each do |l|
70
        sysconfig[l[0].strip] = l[3].to_i
71
      end
72
    end
73

74
    #-------------------------------------------------------
75
    # checking for C2 Audit Mode
76
    if sysconfig['c2 audit mode'] == 1
77
      print_status("\tC2 Audit Mode is Enabled")
78
      report_note(:host => mssql_client.peerhost,
79
        :proto => 'TCP',
80
        :port => mssql_client.peerport,
81
        :type => 'MSSQL_ENUM',
82
        :data => "C2 Audit Mode is Enabled")
83
    else
84
      print_status("\tC2 Audit Mode is Not Enabled")
85
      report_note(:host => mssql_client.peerhost,
86
        :proto => 'TCP',
87
        :port => mssql_client.peerport,
88
        :type => 'MSSQL_ENUM',
89
        :data => "C2 Audit Mode is Not Enabled")
90
    end
91

92
    #-------------------------------------------------------
93
    # check if xp_cmdshell is enabled
94
    if vernum.join != "2000"
95
      if sysconfig['xp_cmdshell'] == 1
96
        print_status("\txp_cmdshell is Enabled")
97
        report_note(:host => mssql_client.peerhost,
98
          :proto => 'TCP',
99
          :port => mssql_client.peerport,
100
          :type => 'MSSQL_ENUM',
101
          :data => "xp_cmdshell is Enabled")
102
      else
103
        print_status("\txp_cmdshell is Not Enabled")
104
        report_note(:host => mssql_client.peerhost,
105
          :proto => 'TCP',
106
          :port => mssql_client.peerport,
107
          :type => 'MSSQL_ENUM',
108
          :data => "xp_cmdshell is Not Enabled")
109
      end
110
    else
111
      xpspexist = mssql_query("select sysobjects.name from sysobjects where name = \'xp_cmdshell\'")[:rows]
112
      if xpspexist != nil
113
        print_status("\txp_cmdshell is Enabled")
114
        report_note(:host => mssql_client.peerhost,
115
          :proto => 'TCP',
116
          :port => mssql_client.peerport,
117
          :type => 'MSSQL_ENUM',
118
          :data => "xp_cmdshell is Enabled")
119
      else
120
        print_status("\txp_cmdshell is Not Enabled")
121
        report_note(:host => mssql_client.peerhost,
122
          :proto => 'TCP',
123
          :port => mssql_client.peerport,
124
          :type => 'MSSQL_ENUM',
125
          :data => "xp_cmdshell is Not Enabled")
126
      end
127
    end
128

129
    #-------------------------------------------------------
130
    # check if remote access is enabled
131
    if sysconfig['remote access'] == 1
132
      print_status("\tremote access is Enabled")
133
      report_note(:host => mssql_client.peerhost,
134
        :proto => 'TCP',
135
        :port => mssql_client.peerport,
136
        :type => 'MSSQL_ENUM',
137
        :data => "remote access is Enabled")
138
    else
139
      print_status("\tremote access is Not Enabled")
140
      report_note(:host => mssql_client.peerhost,
141
        :proto => 'TCP',
142
        :port => mssql_client.peerport,
143
        :type => 'MSSQL_ENUM',
144
        :data => "remote access is not Enabled")
145
    end
146

147
    #-------------------------------------------------------
148
    #check if updates are allowed
149
    if sysconfig['allow updates'] == 1
150
      print_status("\tallow updates is Enabled")
151
      report_note(:host => mssql_client.peerhost,
152
        :proto => 'TCP',
153
        :port => mssql_client.peerport,
154
        :type => 'MSSQL_ENUM',
155
        :data => "allow updates is Enabled")
156
    else
157
      print_status("\tallow updates is Not Enabled")
158
      report_note(:host => mssql_client.peerhost,
159
        :proto => 'TCP',
160
        :port => mssql_client.peerport,
161
        :type => 'MSSQL_ENUM',
162
        :data => "allow updates is not Enabled")
163
    end
164

165
    #-------------------------------------------------------
166
    # check if Mail stored procedures are enabled
167
    if vernum.join != "2000"
168
      if sysconfig['Database Mail XPs'] == 1
169
        print_status("\tDatabase Mail XPs is Enabled")
170
        report_note(:host => mssql_client.peerhost,
171
          :proto => 'TCP',
172
          :port => mssql_client.peerport,
173
          :type => 'MSSQL_ENUM',
174
          :data => "Database Mail XPs is Enabled")
175
      else
176
        print_status("\tDatabase Mail XPs is Not Enabled")
177
        report_note(:host => mssql_client.peerhost,
178
          :proto => 'TCP',
179
          :port => mssql_client.peerport,
180
          :type => 'MSSQL_ENUM',
181
          :data => "Database Mail XPs is not Enabled")
182
      end
183
    else
184
      mailexist = mssql_query("select sysobjects.name from sysobjects where name like \'%mail%\'")[:rows]
185
      if mailexist != nil
186
        print_status("\tDatabase Mail XPs is Enabled")
187
        report_note(:host => mssql_client.peerhost,
188
          :proto => 'TCP',
189
          :port => mssql_client.peerport,
190
          :type => 'MSSQL_ENUM',
191
          :data => "Database Mail XPs is Enabled")
192
      else
193
        print_status("\tDatabase Mail XPs is Not Enabled")
194
        report_note(:host => mssql_client.peerhost,
195
          :proto => 'TCP',
196
          :port => mssql_client.peerport,
197
          :type => 'MSSQL_ENUM',
198
          :data => "Database Mail XPs is not Enabled")
199
      end
200
    end
201

202
    #-------------------------------------------------------
203
    # check if OLE stored procedures are enabled
204
    if vernum.join != "2000"
205
      if sysconfig['Ole Automation Procedures'] == 1
206
        print_status("\tOle Automation Procedures are Enabled")
207
        report_note(:host => mssql_client.peerhost,
208
          :proto => 'TCP',
209
          :port => mssql_client.peerport,
210
          :type => 'MSSQL_ENUM',
211
          :data => "Ole Automation Procedures are Enabled")
212
      else
213
        print_status("\tOle Automation Procedures are Not Enabled")
214
        report_note(:host => mssql_client.peerhost,
215
          :proto => 'TCP',
216
          :port => mssql_client.peerport,
217
          :type => 'MSSQL_ENUM',
218
          :data => "Ole Automation Procedures are not Enabled")
219
      end
220
    else
221
      oleexist = mssql_query("select sysobjects.name from sysobjects where name like \'%sp_OA%\'")[:rows]
222
      if oleexist != nil
223
        print_status("\tOle Automation Procedures is Enabled")
224
        report_note(:host => mssql_client.peerhost,
225
          :proto => 'TCP',
226
          :port => mssql_client.peerport,
227
          :type => 'MSSQL_ENUM',
228
          :data => "Ole Automation Procedures are Enabled")
229
      else
230
        print_status("\tOle Automation Procedures are Not Enabled")
231
        report_note(:host => mssql_client.peerhost,
232
          :proto => 'TCP',
233
          :port => mssql_client.peerport,
234
          :type => 'MSSQL_ENUM',
235
          :data => "Ole Automation Procedures are not Enabled")
236
      end
237
    end
238

239
    #-------------------------------------------------------
240
    # Get list of Databases on System
241
    print_status("Databases on the server:")
242
    dbs = mssql_query("select name from master..sysdatabases")[:rows].flatten
243
    if dbs != nil
244
      dbs.each do |dbn|
245
        print_status("\tDatabase name:#{dbn.strip}")
246
        print_status("\tDatabase Files for #{dbn.strip}:")
247
        if vernum.join != "2000"
248
          db_ind_files = mssql_query("select filename from #{dbn.strip}.sys.sysfiles")[:rows]
249
          if db_ind_files != nil
250
            db_ind_files.each do |fn|
251
              print_status("\t\t#{fn.join}")
252
              report_note(:host => mssql_client.peerhost,
253
                :proto => 'TCP',
254
                :port => mssql_client.peerport,
255
                :type => 'MSSQL_ENUM',
256
                :data => "Database: #{dbn.strip} File: #{fn.join}")
257
            end
258
          end
259
        else
260
          db_ind_files = mssql_query("select filename from #{dbn.strip}..sysfiles")[:rows]
261
          if db_ind_files != nil
262
            db_ind_files.each do |fn|
263
              print_status("\t\t#{fn.join.strip}")
264
              report_note(:host => mssql_client.peerhost,
265
                :proto => 'TCP',
266
                :port => mssql_client.peerport,
267
                :type => 'MSSQL_ENUM',
268
                :data => "Database: #{dbn.strip} File: #{fn.join}")
269
            end
270
          end
271
        end
272
      end
273
    end
274

275
    #-------------------------------------------------------
276
    # Get list of syslogins on System
277
    print_status("System Logins on this Server:")
278
    if vernum.join != "2000"
279
      syslogins = mssql_query("select loginname from master.sys.syslogins")[:rows]
280
    else
281
      syslogins = mssql_query("select loginname from master..syslogins")[:rows]
282
    end
283
    if syslogins != nil
284
      syslogins.each do |acc|
285
        print_status("\t#{acc.join}")
286
        report_note(:host => mssql_client.peerhost,
287
          :proto => 'TCP',
288
          :port => mssql_client.peerport,
289
          :type => 'MSSQL_ENUM',
290
          :data => "Database: Master User: #{acc.join}")
291
      end
292
    else
293
      print_error("\tCould not enumerate System Logins!")
294
      report_note(:host => mssql_client.peerhost,
295
        :proto => 'TCP',
296
        :port => mssql_client.peerport,
297
        :type => 'MSSQL_ENUM',
298
        :data => "Could not enumerate System Logins")
299
    end
300

301
    #-------------------------------------------------------
302
    # Get list of disabled accounts on System
303
    if vernum.join != "2000"
304
      print_status("Disabled Accounts:")
305
      disabledsyslogins = mssql_query("select name from master.sys.server_principals where is_disabled = 1")[:rows]
306
      if disabledsyslogins != nil
307
        disabledsyslogins.each do |acc|
308
          print_status("\t#{acc.join}")
309
          report_note(:host => mssql_client.peerhost,
310
            :proto => 'TCP',
311
            :port => mssql_client.peerport,
312
            :type => 'MSSQL_ENUM',
313
            :data => "Disabled User: #{acc.join}")
314
        end
315
      else
316
        print_status("\tNo Disabled Logins Found")
317
        report_note(:host => mssql_client.peerhost,
318
          :proto => 'TCP',
319
          :port => mssql_client.peerport,
320
          :type => 'MSSQL_ENUM',
321
          :data => "No Disabled Logins Found")
322
      end
323
    end
324

325
    #-------------------------------------------------------
326
    # Get list of accounts for which password policy does not apply on System
327
    if vernum.join != "2000"
328
      print_status("No Accounts Policy is set for:")
329
      nopolicysyslogins = mssql_query("select name from master.sys.sql_logins where is_policy_checked = 0")[:rows]
330
      if nopolicysyslogins != nil
331
        nopolicysyslogins.each do |acc|
332
          print_status("\t#{acc.join}")
333
          report_note(:host => mssql_client.peerhost,
334
            :proto => 'TCP',
335
            :port => mssql_client.peerport,
336
            :type => 'MSSQL_ENUM',
337
            :data => "None Policy Checked User: #{acc.join}")
338
        end
339
      else
340
        print_status("\tAll System Accounts have the Windows Account Policy Applied to them.")
341
        report_note(:host => mssql_client.peerhost,
342
          :proto => 'TCP',
343
          :port => mssql_client.peerport,
344
          :type => 'MSSQL_ENUM',
345
          :data => "All System Accounts have the Windows Account Policy Applied to them")
346
      end
347
    end
348

349
    #-------------------------------------------------------
350
    # Get list of accounts for which password expiration is not checked
351
    if vernum.join != "2000"
352
      print_status("Password Expiration is not checked for:")
353
      passexsyslogins = mssql_query("select name from master.sys.sql_logins where is_expiration_checked = 0")[:rows]
354
      if passexsyslogins != nil
355
        passexsyslogins.each do |acc|
356
          print_status("\t#{acc.join}")
357
          report_note(:host => mssql_client.peerhost,
358
            :proto => 'TCP',
359
            :port => mssql_client.peerport,
360
            :type => 'MSSQL_ENUM',
361
            :data => "None Password Expiration User: #{acc.join}")
362
        end
363
      else
364
        print_status("\tAll System Accounts are checked for Password Expiration.")
365
        report_note(:host => mssql_client.peerhost,
366
          :proto => 'TCP',
367
          :port => mssql_client.peerport,
368
          :type => 'MSSQL_ENUM',
369
          :data => "All System Accounts are checked for Password Expiration")
370
      end
371
    end
372

373
    #-------------------------------------------------------
374
    # Get list of sysadmin logins on System
375
    print_status("System Admin Logins on this Server:")
376
    if vernum.join != "2000"
377
      sysadmins = mssql_query("select name from master.sys.syslogins where sysadmin = 1")[:rows]
378
    else
379
      sysadmins = mssql_query("select name from master..syslogins where sysadmin = 1")[:rows]
380
    end
381
    if sysadmins != nil
382
      sysadmins.each do |acc|
383
        print_status("\t#{acc.join}")
384
        report_note(:host => mssql_client.peerhost,
385
          :proto => 'TCP',
386
          :port => mssql_client.peerport,
387
          :type => 'MSSQL_ENUM',
388
          :data => "Sysdba: #{acc.join}")
389
      end
390
    else
391
      print_error("\tCould not enumerate sysadmin accounts!")
392
      report_note(:host => mssql_client.peerhost,
393
        :proto => 'TCP',
394
        :port => mssql_client.peerport,
395
        :type => 'MSSQL_ENUM',
396
        :data => "Could not enumerate sysadmin accounts")
397
    end
398

399
    #-------------------------------------------------------
400
    # Get list of Windows logins on System
401
    print_status("Windows Logins on this Server:")
402
    if vernum.join != "2000"
403
      winusers = mssql_query("select name from master.sys.syslogins where isntuser = 1")[:rows]
404
    else
405
      winusers = mssql_query("select name from master..syslogins where isntuser = 1")[:rows]
406
    end
407

408
    if winusers != nil
409
      winusers.each do |acc|
410
        print_status("\t#{acc.join}")
411
        report_note(:host => mssql_client.peerhost,
412
          :proto => 'TCP',
413
          :port => mssql_client.peerport,
414
          :type => 'MSSQL_ENUM',
415
          :data => "Windows Logins: #{acc.join}")
416
      end
417
    else
418
      print_status("\tNo Windows logins found!")
419
      report_note(:host => mssql_client.peerhost,
420
        :proto => 'TCP',
421
        :port => mssql_client.peerport,
422
        :type => 'MSSQL_ENUM',
423
        :data => "No Windows logins found")
424
    end
425

426
    #-------------------------------------------------------
427
    # Get list of windows groups that can logins on the System
428
    print_status("Windows Groups that can logins on this Server:")
429
    if vernum.join != "2000"
430
      wingroups = mssql_query("select name from master.sys.syslogins where isntgroup = 1")[:rows]
431
    else
432
      wingroups = mssql_query("select name from master..syslogins where isntgroup = 1")[:rows]
433
    end
434

435
    if wingroups != nil
436
      wingroups.each do |acc|
437
        print_status("\t#{acc.join}")
438
        report_note(:host => mssql_client.peerhost,
439
          :proto => 'TCP',
440
          :port => mssql_client.peerport,
441
          :type => 'MSSQL_ENUM',
442
          :data => "Windows Groups: #{acc.join}")
443
      end
444
    else
445
      print_status("\tNo Windows Groups where found with permission to login to system.")
446
      report_note(:host => mssql_client.peerhost,
447
        :proto => 'TCP',
448
        :port => mssql_client.peerport,
449
        :type => 'MSSQL_ENUM',
450
        :data => "No Windows Groups where found with permission to login to system")
451

452
    end
453

454
    #-------------------------------------------------------
455
    # Check for local accounts with same username as password
456
    sameasuser = []
457
    if vernum.join != "2000"
458
      sameasuser = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(name, password_hash\) = 1")[:rows]
459
    else
460
      sameasuser = mssql_query("SELECT name FROM master.dbo.syslogins WHERE PWDCOMPARE\(name, password\) = 1")[:rows]
461
    end
462

463
    print_status("Accounts with Username and Password being the same:")
464
    if sameasuser != nil
465
      sameasuser.each do |up|
466
        print_status("\t#{up.join}")
467
        report_note(:host => mssql_client.peerhost,
468
          :proto => 'TCP',
469
          :port => mssql_client.peerport,
470
          :type => 'MSSQL_ENUM',
471
          :data => "Username: #{up.join} Password: #{up.join}")
472
      end
473
    else
474
      print_status("\tNo Account with its password being the same as its username was found.")
475
      report_note(:host => mssql_client.peerhost,
476
        :proto => 'TCP',
477
        :port => mssql_client.peerport,
478
        :type => 'MSSQL_ENUM',
479
        :data => "No Account with its password being the same as its username was found")
480
    end
481

482
    #-------------------------------------------------------
483
    # Check for local accounts with empty password
484
    blankpass = []
485
    if vernum.join != "2000"
486
      blankpass = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(\'\', password_hash\) = 1")[:rows]
487
    else
488
      blankpass = mssql_query("SELECT name FROM master.dbo.syslogins WHERE password IS NULL AND isntname = 0")[:rows]
489
    end
490

491
    print_status("Accounts with empty password:")
492
    if blankpass != nil
493
      blankpass.each do |up|
494
        print_status("\t#{up.join}")
495
        report_note(:host => mssql_client.peerhost,
496
          :proto => 'TCP',
497
          :port => mssql_client.peerport,
498
          :type => 'MSSQL_ENUM',
499
          :data => "Username: #{up.join} Password: EMPTY ")
500
      end
501
    else
502
      print_status("\tNo Accounts with empty passwords where found.")
503
      report_note(:host => mssql_client.peerhost,
504
        :proto => 'TCP',
505
        :port => mssql_client.peerport,
506
        :type => 'MSSQL_ENUM',
507
        :data => "No Accounts with empty passwords where found")
508
    end
509

510
    #-------------------------------------------------------
511
    # Check for dangerous stored procedures
512
    fountsp = []
513
    dangeroussp = [
514
      'sp_createorphan',
515
      'sp_droporphans',
516
      'sp_execute_external_script',
517
      'sp_getschemalock',
518
      'sp_prepexec',
519
      'sp_prepexecrpc',
520
      'sp_refreshview',
521
      'sp_releaseschemalock',
522
      'sp_replpostschema',
523
      'sp_replsendtoqueue',
524
      'sp_replsetsyncstatus',
525
      'sp_replwritetovarbin',
526
      'sp_resyncexecute',
527
      'sp_resyncexecutesql',
528
      'sp_resyncprepare',
529
      'sp_resyncuniquetable',
530
      'sp_unprepare',
531
      'sp_xml_preparedocument',
532
      'sp_xml_removedocument',
533
      'sp_fulltext_getdata',
534
      'sp_getbindtoken',
535
      'sp_replcmds',
536
      'sp_replcounters',
537
      'sp_repldone',
538
      'sp_replflush',
539
      'sp_replincrementlsn',
540
      'sp_replpostcmd',
541
      'sp_replsetoriginator',
542
      'sp_replstatus',
543
      'sp_repltrans',
544
      'sp_replupdateschema',
545
      'sp_reset_connection',
546
      'sp_sdidebug',
547
      'xp_availablemedia',
548
      'xp_check_query_results',
549
      'xp_cleanupwebtask',
550
      'xp_cmdshell',
551
      'xp_convertwebtask',
552
      'xp_deletemail',
553
      'xp_dirtree',
554
      'xp_displayparamstmt',
555
      'xp_dropwebtask',
556
      'xp_dsninfo',
557
      'xp_enum_activescriptengines',
558
      'xp_enum_oledb_providers',
559
      'xp_enumcodepages',
560
      'xp_enumdsn',
561
      'xp_enumerrorlogs',
562
      'xp_enumgroups',
563
      'xp_enumqueuedtasks',
564
      'xp_eventlog',
565
      'xp_execresultset',
566
      'xp_fileexist',
567
      'xp_findnextmsg',
568
      'xp_fixeddrives',
569
      'xp_get_mapi_default_profile',
570
      'xp_get_mapi_profiles',
571
      'xp_get_tape_devices',
572
      'xp_getfiledetails',
573
      'xp_getnetname',
574
      'xp_grantlogin',
575
      'xp_initcolvs',
576
      'xp_intersectbitmaps',
577
      'xp_logevent',
578
      'xp_loginconfig',
579
      'xp_logininfo',
580
      'xp_makewebtask',
581
      'xp_mergexpusage',
582
      'xp_monitorsignal',
583
      'xp_msver any user',
584
      'xp_msx_enlist',
585
      'xp_ntsec_enumdomains',
586
      'xp_ntsec_enumgroups',
587
      'xp_ntsec_enumusers',
588
      'xp_oledbinfo',
589
      'xp_perfend',
590
      'xp_perfmonitor',
591
      'xp_perfsample',
592
      'xp_perfstart',
593
      'xp_printstatements',
594
      'xp_prop_oledb_provider',
595
      'xp_proxiedmetadata',
596
      'xp_qv',
597
      'xp_readerrorlog',
598
      'xp_readmail',
599
      'xp_readwebtask',
600
      'xp_regaddmultistring',
601
      'xp_regdeletekey',
602
      'xp_regdeletevalue',
603
      'xp_regenumvalues',
604
      'xp_regread',
605
      'xp_regremovemultistring',
606
      'xp_regwrite',
607
      'xp_repl_encrypt',
608
      'xp_revokelogin',
609
      'xp_runwebtask',
610
      'xp_schedulersignal',
611
      'xp_sendmail',
612
      'xp_servicecontrol',
613
      'xp_showcolv',
614
      'xp_showlineage',
615
      'xp_snmp_getstate',
616
      'xp_snmp_raisetrap',
617
      'xp_sprintf any user', # huh?
618
      'xp_sqlagent_enum_jobs',
619
      'xp_sqlagent_is_starting',
620
      'xp_sqlagent_monitor',
621
      'xp_sqlagent_notify',
622
      'xp_sqlinventory',
623
      'xp_sqlmaint',
624
      'xp_sqlregister',
625
      'xp_sqltrace',
626
      'xp_startmail',
627
      'xp_stopmail',
628
      'xp_subdirs',
629
      'xp_terminate_process',
630
      'xp_test_mapi_profile',
631
      'xp_trace_addnewqueue',
632
      'xp_trace_deletequeuedefinition',
633
      'xp_trace_destroyqueue',
634
      'xp_trace_enumqueuedefname',
635
      'xp_trace_enumqueuehandles',
636
      'xp_trace_eventclassrequired',
637
      'xp_trace_flushqueryhistory',
638
      'xp_trace_generate_event',
639
      'xp_trace_getappfilter',
640
      'xp_trace_getconnectionidfilter',
641
      'xp_trace_getcpufilter',
642
      'xp_trace_getdbidfilter',
643
      'xp_trace_getdurationfilter',
644
      'xp_trace_geteventfilter',
645
      'xp_trace_geteventnames',
646
      'xp_trace_getevents',
647
      'xp_trace_gethostfilter',
648
      'xp_trace_gethpidfilter',
649
      'xp_trace_getindidfilter',
650
      'xp_trace_getntdmfilter',
651
      'xp_trace_getntnmfilter',
652
      'xp_trace_getobjidfilter',
653
      'xp_trace_getqueueautostart',
654
      'xp_trace_getqueuecreateinfo',
655
      'xp_trace_getqueuedestination',
656
      'xp_trace_getqueueproperties',
657
      'xp_trace_getreadfilter',
658
      'xp_trace_getserverfilter',
659
      'xp_trace_getseverityfilter',
660
      'xp_trace_getspidfilter',
661
      'xp_trace_getsysobjectsfilter',
662
      'xp_trace_gettextfilter',
663
      'xp_trace_getuserfilter',
664
      'xp_trace_getwritefilter',
665
      'xp_trace_loadqueuedefinition',
666
      'xp_trace_opentracefile',
667
      'xp_trace_pausequeue',
668
      'xp_trace_restartqueue',
669
      'xp_trace_savequeuedefinition',
670
      'xp_trace_setappfilter',
671
      'xp_trace_setconnectionidfilter',
672
      'xp_trace_setcpufilter',
673
      'xp_trace_setdbidfilter',
674
      'xp_trace_setdurationfilter',
675
      'xp_trace_seteventclassrequired',
676
      'xp_trace_seteventfilter',
677
      'xp_trace_sethostfilter',
678
      'xp_trace_sethpidfilter',
679
      'xp_trace_setindidfilter',
680
      'xp_trace_setntdmfilter',
681
      'xp_trace_setntnmfilter',
682
      'xp_trace_setobjidfilter',
683
      'xp_trace_setqueryhistory',
684
      'xp_trace_setqueueautostart',
685
      'xp_trace_setqueuecreateinfo',
686
      'xp_trace_setqueuedestination',
687
      'xp_trace_setreadfilter',
688
      'xp_trace_setserverfilter',
689
      'xp_trace_setseverityfilter',
690
      'xp_trace_setspidfilter',
691
      'xp_trace_setsysobjectsfilter',
692
      'xp_trace_settextfilter',
693
      'xp_trace_setuserfilter',
694
      'xp_trace_setwritefilter',
695
      'xp_trace_startconsumer',
696
      'xp_unc_to_drive',
697
      'xp_updatecolvbm',
698
      'xp_updateFTSSQLAccount',
699
      'xp_updatelineage',
700
      'xp_varbintohexstr',
701
      'xp_writesqlinfo',
702
      'xp_MSplatform',
703
      'xp_MSnt2000',
704
      'xp_MSLocalSystem',
705
      'xp_IsNTAdmin',
706
      'xp_mapdown_bitmap'
707
    ]
708

709
    query = <<-EOS
710
SELECT CAST(SYSOBJECTS.NAME AS CHAR) FROM SYSOBJECTS, SYSPROTECTS WHERE SYSPROTECTS.UID = 0 AND XTYPE IN ('X','P')
711
AND SYSOBJECTS.ID = SYSPROTECTS.ID
712
EOS
713
    fountsp = mssql_query(query)[:rows]
714
    if fountsp != nil
715
      fountsp.flatten!
716
      print_status("Stored Procedures with Public Execute Permission found:")
717
      fountsp.each do |strp|
718
        if dangeroussp.include?(strp.strip)
719
          print_status("\t#{strp.strip}")
720
          report_note(:host => mssql_client.peerhost,
721
            :proto => 'TCP',
722
            :port => mssql_client.peerport,
723
            :type => 'MSSQL_ENUM',
724
            :data => "Stored Procedures with Public Execute Permission #{strp.strip}")
725
        end
726
      end
727
    else
728
      print_status("\tNo Dangerous Stored Procedure found with Public Execute.")
729
      report_note(:host => mssql_client.peerhost,
730
        :proto => 'TCP',
731
        :port => mssql_client.peerport,
732
        :type => 'MSSQL_ENUM',
733
        :data => "No Dangerous Stored Procedure found with Public Execute")
734
    end
735

736
    #-------------------------------------------------------
737
    # Enumerate Instances
738
    instances =[]
739
    if vernum.join != "2000"
740
      querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
741
      instance_res = mssql_query(querykey)[:rows]
742
      if instance_res != nil
743
        instance_res.each do |i|
744
          instances << i[0]
745
        end
746
      end
747
    else
748
      querykey = "exec xp_regread \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\', \'InstalledInstances\'"
749
      instance_res = mssql_query(querykey)[:rows]
750
      if instance_res != nil
751
        instance_res.each do |i|
752
          instances << i[1]
753
        end
754
      end
755
    end
756

757
    print_status("Instances found on this server:")
758
    instancenames = []
759
    if instances != nil
760
      instances.each do |i|
761
        print_status("\t#{i}")
762
        instancenames << i.strip
763
        report_note(:host => mssql_client.peerhost,
764
          :proto => 'TCP',
765
          :port => mssql_client.peerport,
766
          :type => 'MSSQL_ENUM',
767
          :data => "Instance Name: #{i}")
768
      end
769
    else
770
      print_status("No instances found, possible permission problem")
771
    end
772

773
    #---------------------------------------------------------
774
    # Enumerate under what accounts the instance services are running under
775
    print_status("Default Server Instance SQL Server Service is running under the privilege of:")
776
    privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
777
    if privdflt != nil
778
      privdflt.each do |priv|
779
        print_status("\t#{priv[1]}")
780
        report_note(:host => mssql_client.peerhost,
781
          :proto => 'TCP',
782
          :port => mssql_client.peerport,
783
          :type => 'MSSQL_ENUM',
784
          :data => "Default Instance SQL Server running as: #{priv[1]}")
785
      end
786
    else
787
      print_status("\txp_regread might be disabled in this system")
788
    end
789

790
    #------------------------------------------------------------
791
    if instancenames.length > 1
792
      instancenames.each do |i|
793
        if i.strip != "MSSQLSERVER"
794
          privinst = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]
795
          if privinst != nil
796
            print_status("Instance #{i} SQL Server Service is running under the privilege of:")
797
            privinst.each do |p|
798
              print_status("\t#{p[1]}")
799
              report_note(:host => mssql_client.peerhost,
800
                :proto => 'TCP',
801
                :port => mssql_client.peerport,
802
                :type => 'MSSQL_ENUM',
803
                :data => "#{i} Instance SQL Server running as: #{p[1]}")
804
            end
805
          else
806
            print_status("\tCould not enumerate credentials for Instance.")
807
          end
808
        end
809
      end
810
    end
811

812
    disconnect
813
  end
814
end
815

816