Path: blob/master/modules/auxiliary/admin/mssql/mssql_enum.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::MSSQL7include Msf::Auxiliary::Report8include Msf::OptionalSession::MSSQL910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Microsoft SQL Server Configuration Enumerator',15'Description' => %q{16This module will perform a series of configuration audits and17security checks against a Microsoft SQL Server database. For this18module to work, valid administrative user credentials must be19supplied.20},21'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],22'License' => MSF_LICENSE,23'Notes' => {24'Stability' => [CRASH_SAFE],25'SideEffects' => [IOC_IN_LOGS],26'Reliability' => []27}28)29)30end3132# rubocop:disable Metrics/MethodLength33def run34print_status('Running MS SQL Server Enumeration...')35if session36set_mssql_session(session.client)37else38unless mssql_login_datastore39print_error('Login was unsuccessful. Check your credentials.')40disconnect41return42end43end4445# Get Version46print_status('Version:')47ver = mssql_query('select @@version')48sqlversion = ver[:rows].join49sqlversion.each_line do |row|50print "[*]\t#{row}"51end52vernum = sqlversion.gsub("\n", ' ').scan(/SQL Server\s*(200\d)/m)53report_note(54host: mssql_client.peerhost,55proto: 'TCP',56port: mssql_client.peerport,57type: 'MSSQL_ENUM',58data: { version: sqlversion }59)6061#---------------------------------------------------------62# Check Configuration Parameters and check what is enabled63print_status('Configuration Parameters:')64if vernum.join != '2000'65query = 'SELECT name, CAST(value_in_use AS INT) from sys.configurations'66ver = mssql_query(query)[:rows]67sysconfig = {}68ver.each do |l|69sysconfig[l[0].strip] = l[1].to_i70end71else72# enable advanced options73mssql_query("EXEC sp_configure \'show advanced options\', 1; RECONFIGURE")[:rows]74query = 'EXECUTE sp_configure'75ver = mssql_query(query)[:rows]76ver.class77sysconfig = {}78ver.each do |l|79sysconfig[l[0].strip] = l[3].to_i80end81end8283#-------------------------------------------------------84# checking for C2 Audit Mode85if sysconfig['c2 audit mode'] == 186print_status("\tC2 Audit Mode is Enabled")87report_note(88host: mssql_client.peerhost,89proto: 'TCP',90port: mssql_client.peerport,91type: 'MSSQL_ENUM',92data: { c2_audit_mode: 'Enabled' }93)94else95print_status("\tC2 Audit Mode is Not Enabled")96report_note(97host: mssql_client.peerhost,98proto: 'TCP',99port: mssql_client.peerport,100type: 'MSSQL_ENUM',101data: { c2_audit_mode: 'Disabled' }102)103end104105#-------------------------------------------------------106# check if xp_cmdshell is enabled107if vernum.join != '2000'108if sysconfig['xp_cmdshell'] == 1109print_status("\txp_cmdshell is Enabled")110report_note(111host: mssql_client.peerhost,112proto: 'TCP',113port: mssql_client.peerport,114type: 'MSSQL_ENUM',115data: { xp_cmdshell: 'Enabled' }116)117else118print_status("\txp_cmdshell is Not Enabled")119report_note(120host: mssql_client.peerhost,121proto: 'TCP',122port: mssql_client.peerport,123type: 'MSSQL_ENUM',124data: { xp_cmdshell: 'Disabled' }125)126end127else128xpspexist = mssql_query("select sysobjects.name from sysobjects where name = \'xp_cmdshell\'")[:rows]129if !xpspexist.nil?130print_status("\txp_cmdshell is Enabled")131report_note(132host: mssql_client.peerhost,133proto: 'TCP',134port: mssql_client.peerport,135type: 'MSSQL_ENUM',136data: { xp_cmdshell: 'Enabled' }137)138else139print_status("\txp_cmdshell is Not Enabled")140report_note(141host: mssql_client.peerhost,142proto: 'TCP',143port: mssql_client.peerport,144type: 'MSSQL_ENUM',145data: { xp_cmdshell: 'Disabled' }146)147end148end149150#-------------------------------------------------------151# check if remote access is enabled152if sysconfig['remote access'] == 1153print_status("\tremote access is Enabled")154else155print_status("\tremote access is Not Enabled")156end157report_note(158host: mssql_client.peerhost,159proto: 'TCP',160port: mssql_client.peerport,161type: 'MSSQL_ENUM',162data: { remote_access: 'Enabled' }163)164165#-------------------------------------------------------166# check if updates are allowed167if sysconfig['allow updates'] == 1168print_status("\tallow updates is Enabled")169report_note(170host: mssql_client.peerhost,171proto: 'TCP',172port: mssql_client.peerport,173type: 'MSSQL_ENUM',174data: { allow_updates: 'Enabled' }175)176else177print_status("\tallow updates is Not Enabled")178report_note(179host: mssql_client.peerhost,180proto: 'TCP',181port: mssql_client.peerport,182type: 'MSSQL_ENUM',183data: { allow_updates: 'Disabled' }184)185end186187#-------------------------------------------------------188# check if Mail stored procedures are enabled189if vernum.join != '2000'190if sysconfig['Database Mail XPs'] == 1191print_status("\tDatabase Mail XPs is Enabled")192report_note(193host: mssql_client.peerhost,194proto: 'TCP',195port: mssql_client.peerport,196type: 'MSSQL_ENUM',197data: { database_mail_xps: 'Enabled' }198)199else200print_status("\tDatabase Mail XPs is Not Enabled")201report_note(202host: mssql_client.peerhost,203proto: 'TCP',204port: mssql_client.peerport,205type: 'MSSQL_ENUM',206data: { database_mail_xps: 'Disabled' }207)208end209else210mailexist = mssql_query("select sysobjects.name from sysobjects where name like \'%mail%\'")[:rows]211if !mailexist.nil?212print_status("\tDatabase Mail XPs is Enabled")213report_note(214host: mssql_client.peerhost,215proto: 'TCP',216port: mssql_client.peerport,217type: 'MSSQL_ENUM',218data: { database_mail_xps: 'Enabled' }219)220else221print_status("\tDatabase Mail XPs is Not Enabled")222report_note(223host: mssql_client.peerhost,224proto: 'TCP',225port: mssql_client.peerport,226type: 'MSSQL_ENUM',227data: { database_mail_xps: 'Disabled' }228)229end230end231232#-------------------------------------------------------233# check if OLE stored procedures are enabled234if vernum.join != '2000'235if sysconfig['Ole Automation Procedures'] == 1236print_status("\tOle Automation Procedures are Enabled")237report_note(238host: mssql_client.peerhost,239proto: 'TCP',240port: mssql_client.peerport,241type: 'MSSQL_ENUM',242data: { ole_automation_procedures: 'Enabled' }243)244else245print_status("\tOle Automation Procedures are Not Enabled")246report_note(247host: mssql_client.peerhost,248proto: 'TCP',249port: mssql_client.peerport,250type: 'MSSQL_ENUM',251data: { ole_automation_procedures: 'Disabled' }252)253end254else255oleexist = mssql_query("select sysobjects.name from sysobjects where name like \'%sp_OA%\'")[:rows]256if !oleexist.nil?257print_status("\tOle Automation Procedures is Enabled")258report_note(259host: mssql_client.peerhost,260proto: 'TCP',261port: mssql_client.peerport,262type: 'MSSQL_ENUM',263data: { ole_automation_procedures: 'Enabled' }264)265else266print_status("\tOle Automation Procedures are Not Enabled")267report_note(268host: mssql_client.peerhost,269proto: 'TCP',270port: mssql_client.peerport,271type: 'MSSQL_ENUM',272data: { ole_automation_procedures: 'Disabled' }273)274end275end276277#-------------------------------------------------------278# Get list of Databases on System279print_status('Databases on the server:')280dbs = mssql_query('select name from master..sysdatabases')[:rows].flatten281if !dbs.nil?282dbs.each do |dbn|283print_status("\tDatabase name:#{dbn.strip}")284print_status("\tDatabase Files for #{dbn.strip}:")285if vernum.join != '2000'286db_ind_files = mssql_query("select filename from #{dbn.strip}.sys.sysfiles")[:rows]287if !db_ind_files.nil?288db_ind_files.each do |fn|289print_status("\t\t#{fn.join}")290report_note(291host: mssql_client.peerhost,292proto: 'TCP',293port: mssql_client.peerport,294type: 'MSSQL_ENUM',295data: {296database: dbn.strip, file: fn.join297}298)299end300end301else302db_ind_files = mssql_query("select filename from #{dbn.strip}..sysfiles")[:rows]303if !db_ind_files.nil?304db_ind_files.each do |fn|305print_status("\t\t#{fn.join.strip}")306report_note(307host: mssql_client.peerhost,308proto: 'TCP',309port: mssql_client.peerport,310type: 'MSSQL_ENUM',311data: {312database: dbn.strip,313file: fn.join314}315)316end317end318end319end320end321322#-------------------------------------------------------323# Get list of syslogins on System324print_status('System Logins on this Server:')325if vernum.join != '2000'326syslogins = mssql_query('select loginname from master.sys.syslogins')[:rows]327else328syslogins = mssql_query('select loginname from master..syslogins')[:rows]329end330if !syslogins.nil?331syslogins.each do |acc|332print_status("\t#{acc.join}")333report_note(334host: mssql_client.peerhost,335proto: 'TCP',336port: mssql_client.peerport,337type: 'MSSQL_ENUM',338data: { database_master_user: acc.join }339)340end341else342print_error("\tCould not enumerate System Logins!")343report_note(344host: mssql_client.peerhost,345proto: 'TCP',346port: mssql_client.peerport,347type: 'MSSQL_ENUM',348data: { logons: 'Could not enumerate System Logins' }349)350end351352#-------------------------------------------------------353# Get list of disabled accounts on System354if vernum.join != '2000'355print_status('Disabled Accounts:')356disabledsyslogins = mssql_query('select name from master.sys.server_principals where is_disabled = 1')[:rows]357if !disabledsyslogins.nil?358disabledsyslogins.each do |acc|359print_status("\t#{acc.join}")360report_note(361host: mssql_client.peerhost,362proto: 'TCP',363port: mssql_client.peerport,364type: 'MSSQL_ENUM',365data: { disabled_user: acc.join }366)367end368else369print_status("\tNo Disabled Logins Found")370report_note(371host: mssql_client.peerhost,372proto: 'TCP',373port: mssql_client.peerport,374type: 'MSSQL_ENUM',375data: { disabled_user: 'No Disabled Logins Found' }376)377end378end379380#-------------------------------------------------------381# Get list of accounts for which password policy does not apply on System382if vernum.join != '2000'383print_status('No Accounts Policy is set for:')384nopolicysyslogins = mssql_query('select name from master.sys.sql_logins where is_policy_checked = 0')[:rows]385if !nopolicysyslogins.nil?386nopolicysyslogins.each do |acc|387print_status("\t#{acc.join}")388report_note(389host: mssql_client.peerhost,390proto: 'TCP',391port: mssql_client.peerport,392type: 'MSSQL_ENUM',393data: { none_policy_checked_user: acc.join }394)395end396else397print_status("\tAll System Accounts have the Windows Account Policy Applied to them.")398report_note(399host: mssql_client.peerhost,400proto: 'TCP',401port: mssql_client.peerport,402type: 'MSSQL_ENUM',403data: { none_policy_checked_user: 'All System Accounts have the Windows Account Policy Applied to them' }404)405end406end407408#-------------------------------------------------------409# Get list of accounts for which password expiration is not checked410if vernum.join != '2000'411print_status('Password Expiration is not checked for:')412passexsyslogins = mssql_query('select name from master.sys.sql_logins where is_expiration_checked = 0')[:rows]413if !passexsyslogins.nil?414passexsyslogins.each do |acc|415print_status("\t#{acc.join}")416report_note(417host: mssql_client.peerhost,418proto: 'TCP',419port: mssql_client.peerport,420type: 'MSSQL_ENUM',421data: { none_password_expiration_user: acc.join }422)423end424else425print_status("\tAll System Accounts are checked for Password Expiration.")426report_note(427host: mssql_client.peerhost,428proto: 'TCP',429port: mssql_client.peerport,430type: 'MSSQL_ENUM',431data: { none_password_expiration_user: 'All System Accounts are checked for Password Expiration' }432)433end434end435436#-------------------------------------------------------437# Get list of sysadmin logins on System438print_status('System Admin Logins on this Server:')439if vernum.join != '2000'440sysadmins = mssql_query('select name from master.sys.syslogins where sysadmin = 1')[:rows]441else442sysadmins = mssql_query('select name from master..syslogins where sysadmin = 1')[:rows]443end444if !sysadmins.nil?445sysadmins.each do |acc|446print_status("\t#{acc.join}")447report_note(448host: mssql_client.peerhost,449proto: 'TCP',450port: mssql_client.peerport,451type: 'MSSQL_ENUM',452data: { sysdba: acc.join }453)454end455else456print_error("\tCould not enumerate sysadmin accounts!")457report_note(458host: mssql_client.peerhost,459proto: 'TCP',460port: mssql_client.peerport,461type: 'MSSQL_ENUM',462data: { sysdba: 'Could not enumerate sysadmin accounts' }463)464end465466#-------------------------------------------------------467# Get list of Windows logins on System468print_status('Windows Logins on this Server:')469if vernum.join != '2000'470winusers = mssql_query('select name from master.sys.syslogins where isntuser = 1')[:rows]471else472winusers = mssql_query('select name from master..syslogins where isntuser = 1')[:rows]473end474475if !winusers.nil?476winusers.each do |acc|477print_status("\t#{acc.join}")478report_note(479host: mssql_client.peerhost,480proto: 'TCP',481port: mssql_client.peerport,482type: 'MSSQL_ENUM',483data: { windows_logins: acc.join }484)485end486else487print_status("\tNo Windows logins found!")488report_note(489host: mssql_client.peerhost,490proto: 'TCP',491port: mssql_client.peerport,492type: 'MSSQL_ENUM',493data: { windows_logins: 'No Windows logins found' }494)495end496497#-------------------------------------------------------498# Get list of windows groups that can logins on the System499print_status('Windows Groups that can logins on this Server:')500if vernum.join != '2000'501wingroups = mssql_query('select name from master.sys.syslogins where isntgroup = 1')[:rows]502else503wingroups = mssql_query('select name from master..syslogins where isntgroup = 1')[:rows]504end505506if !wingroups.nil?507wingroups.each do |acc|508print_status("\t#{acc.join}")509report_note(510host: mssql_client.peerhost,511proto: 'TCP',512port: mssql_client.peerport,513type: 'MSSQL_ENUM',514data: { windows_groups: acc.join }515)516end517else518print_status("\tNo Windows Groups where found with permission to login to system.")519report_note(520host: mssql_client.peerhost,521proto: 'TCP',522port: mssql_client.peerport,523type: 'MSSQL_ENUM',524data: { windows_groups: 'No Windows Groups where found with permission to login to system' }525)526527end528529#-------------------------------------------------------530# Check for local accounts with same username as password531sameasuser = []532if vernum.join != '2000'533sameasuser = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(name, password_hash\) = 1")[:rows]534else535sameasuser = mssql_query("SELECT name FROM master.dbo.syslogins WHERE PWDCOMPARE\(name, password\) = 1")[:rows]536end537538print_status('Accounts with Username and Password being the same:')539if !sameasuser.nil?540sameasuser.each do |up|541print_status("\t#{up.join}")542report_note(543host: mssql_client.peerhost,544proto: 'TCP',545port: mssql_client.peerport,546type: 'MSSQL_ENUM',547data: {548username: up.join,549password: up.join550}551)552end553else554print_status("\tNo Account with its password being the same as its username was found.")555report_note(556host: mssql_client.peerhost,557proto: 'TCP',558port: mssql_client.peerport,559type: 'MSSQL_ENUM',560data: { credentials: 'No Account with its password being the same as its username was found' }561)562end563564#-------------------------------------------------------565# Check for local accounts with empty password566blankpass = []567if vernum.join != '2000'568blankpass = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(\'\', password_hash\) = 1")[:rows]569else570blankpass = mssql_query('SELECT name FROM master.dbo.syslogins WHERE password IS NULL AND isntname = 0')[:rows]571end572573print_status('Accounts with empty password:')574if !blankpass.nil?575blankpass.each do |up|576print_status("\t#{up.join}")577report_note(578host: mssql_client.peerhost,579proto: 'TCP',580port: mssql_client.peerport,581type: 'MSSQL_ENUM',582data: {583username: up.join,584password: 'EMPTY'585}586)587end588else589print_status("\tNo Accounts with empty passwords where found.")590report_note(591host: mssql_client.peerhost,592proto: 'TCP',593port: mssql_client.peerport,594type: 'MSSQL_ENUM',595data: { credentials: 'No Accounts with empty passwords where found' }596)597end598599#-------------------------------------------------------600# Check for dangerous stored procedures601dangeroussp = [602'sp_createorphan',603'sp_droporphans',604'sp_execute_external_script',605'sp_getschemalock',606'sp_prepexec',607'sp_prepexecrpc',608'sp_refreshview',609'sp_releaseschemalock',610'sp_replpostschema',611'sp_replsendtoqueue',612'sp_replsetsyncstatus',613'sp_replwritetovarbin',614'sp_resyncexecute',615'sp_resyncexecutesql',616'sp_resyncprepare',617'sp_resyncuniquetable',618'sp_unprepare',619'sp_xml_preparedocument',620'sp_xml_removedocument',621'sp_fulltext_getdata',622'sp_getbindtoken',623'sp_replcmds',624'sp_replcounters',625'sp_repldone',626'sp_replflush',627'sp_replincrementlsn',628'sp_replpostcmd',629'sp_replsetoriginator',630'sp_replstatus',631'sp_repltrans',632'sp_replupdateschema',633'sp_reset_connection',634'sp_sdidebug',635'xp_availablemedia',636'xp_check_query_results',637'xp_cleanupwebtask',638'xp_cmdshell',639'xp_convertwebtask',640'xp_deletemail',641'xp_dirtree',642'xp_displayparamstmt',643'xp_dropwebtask',644'xp_dsninfo',645'xp_enum_activescriptengines',646'xp_enum_oledb_providers',647'xp_enumcodepages',648'xp_enumdsn',649'xp_enumerrorlogs',650'xp_enumgroups',651'xp_enumqueuedtasks',652'xp_eventlog',653'xp_execresultset',654'xp_fileexist',655'xp_findnextmsg',656'xp_fixeddrives',657'xp_get_mapi_default_profile',658'xp_get_mapi_profiles',659'xp_get_tape_devices',660'xp_getfiledetails',661'xp_getnetname',662'xp_grantlogin',663'xp_initcolvs',664'xp_intersectbitmaps',665'xp_logevent',666'xp_loginconfig',667'xp_logininfo',668'xp_makewebtask',669'xp_mergexpusage',670'xp_monitorsignal',671'xp_msver any user',672'xp_msx_enlist',673'xp_ntsec_enumdomains',674'xp_ntsec_enumgroups',675'xp_ntsec_enumusers',676'xp_oledbinfo',677'xp_perfend',678'xp_perfmonitor',679'xp_perfsample',680'xp_perfstart',681'xp_printstatements',682'xp_prop_oledb_provider',683'xp_proxiedmetadata',684'xp_qv',685'xp_readerrorlog',686'xp_readmail',687'xp_readwebtask',688'xp_regaddmultistring',689'xp_regdeletekey',690'xp_regdeletevalue',691'xp_regenumvalues',692'xp_regread',693'xp_regremovemultistring',694'xp_regwrite',695'xp_repl_encrypt',696'xp_revokelogin',697'xp_runwebtask',698'xp_schedulersignal',699'xp_sendmail',700'xp_servicecontrol',701'xp_showcolv',702'xp_showlineage',703'xp_snmp_getstate',704'xp_snmp_raisetrap',705'xp_sprintf any user', # huh?706'xp_sqlagent_enum_jobs',707'xp_sqlagent_is_starting',708'xp_sqlagent_monitor',709'xp_sqlagent_notify',710'xp_sqlinventory',711'xp_sqlmaint',712'xp_sqlregister',713'xp_sqltrace',714'xp_startmail',715'xp_stopmail',716'xp_subdirs',717'xp_terminate_process',718'xp_test_mapi_profile',719'xp_trace_addnewqueue',720'xp_trace_deletequeuedefinition',721'xp_trace_destroyqueue',722'xp_trace_enumqueuedefname',723'xp_trace_enumqueuehandles',724'xp_trace_eventclassrequired',725'xp_trace_flushqueryhistory',726'xp_trace_generate_event',727'xp_trace_getappfilter',728'xp_trace_getconnectionidfilter',729'xp_trace_getcpufilter',730'xp_trace_getdbidfilter',731'xp_trace_getdurationfilter',732'xp_trace_geteventfilter',733'xp_trace_geteventnames',734'xp_trace_getevents',735'xp_trace_gethostfilter',736'xp_trace_gethpidfilter',737'xp_trace_getindidfilter',738'xp_trace_getntdmfilter',739'xp_trace_getntnmfilter',740'xp_trace_getobjidfilter',741'xp_trace_getqueueautostart',742'xp_trace_getqueuecreateinfo',743'xp_trace_getqueuedestination',744'xp_trace_getqueueproperties',745'xp_trace_getreadfilter',746'xp_trace_getserverfilter',747'xp_trace_getseverityfilter',748'xp_trace_getspidfilter',749'xp_trace_getsysobjectsfilter',750'xp_trace_gettextfilter',751'xp_trace_getuserfilter',752'xp_trace_getwritefilter',753'xp_trace_loadqueuedefinition',754'xp_trace_opentracefile',755'xp_trace_pausequeue',756'xp_trace_restartqueue',757'xp_trace_savequeuedefinition',758'xp_trace_setappfilter',759'xp_trace_setconnectionidfilter',760'xp_trace_setcpufilter',761'xp_trace_setdbidfilter',762'xp_trace_setdurationfilter',763'xp_trace_seteventclassrequired',764'xp_trace_seteventfilter',765'xp_trace_sethostfilter',766'xp_trace_sethpidfilter',767'xp_trace_setindidfilter',768'xp_trace_setntdmfilter',769'xp_trace_setntnmfilter',770'xp_trace_setobjidfilter',771'xp_trace_setqueryhistory',772'xp_trace_setqueueautostart',773'xp_trace_setqueuecreateinfo',774'xp_trace_setqueuedestination',775'xp_trace_setreadfilter',776'xp_trace_setserverfilter',777'xp_trace_setseverityfilter',778'xp_trace_setspidfilter',779'xp_trace_setsysobjectsfilter',780'xp_trace_settextfilter',781'xp_trace_setuserfilter',782'xp_trace_setwritefilter',783'xp_trace_startconsumer',784'xp_unc_to_drive',785'xp_updatecolvbm',786'xp_updateFTSSQLAccount',787'xp_updatelineage',788'xp_varbintohexstr',789'xp_writesqlinfo',790'xp_MSplatform',791'xp_MSnt2000',792'xp_MSLocalSystem',793'xp_IsNTAdmin',794'xp_mapdown_bitmap'795]796797query = <<~EOS798SELECT CAST(SYSOBJECTS.NAME AS CHAR) FROM SYSOBJECTS, SYSPROTECTS WHERE SYSPROTECTS.UID = 0 AND XTYPE IN ('X','P')799AND SYSOBJECTS.ID = SYSPROTECTS.ID800EOS801fountsp = mssql_query(query)[:rows]802if !fountsp.nil?803fountsp.flatten!804print_status('Stored Procedures with Public Execute Permission found:')805fountsp.each do |strp|806next unless dangeroussp.include?(strp.strip)807808print_status("\t#{strp.strip}")809report_note(810host: mssql_client.peerhost,811proto: 'TCP',812port: mssql_client.peerport,813type: 'MSSQL_ENUM',814data: { stored_procedures_with_public_execute_permission: strp.strip }815)816end817else818print_status("\tNo Dangerous Stored Procedure found with Public Execute.")819report_note(820host: mssql_client.peerhost,821proto: 'TCP',822port: mssql_client.peerport,823type: 'MSSQL_ENUM',824data: { stored_procedures_with_public_execute_permission: 'No Dangerous Stored Procedure found with Public Execute' }825)826end827828#-------------------------------------------------------829# Enumerate Instances830instances = []831if vernum.join != '2000'832querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"833instance_res = mssql_query(querykey)[:rows]834if !instance_res.nil?835instance_res.each do |i|836instances << i[0]837end838end839else840querykey = "exec xp_regread \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\', \'InstalledInstances\'"841instance_res = mssql_query(querykey)[:rows]842if !instance_res.nil?843instance_res.each do |i|844instances << i[1]845end846end847end848849print_status('Instances found on this server:')850instancenames = []851if !instances.nil?852instances.each do |i|853print_status("\t#{i}")854instancenames << i.strip855report_note(856host: mssql_client.peerhost,857proto: 'TCP',858port: mssql_client.peerport,859type: 'MSSQL_ENUM',860data: { instance_name: i }861)862end863else864print_status('No instances found, possible permission problem')865end866867#---------------------------------------------------------868# Enumerate under what accounts the instance services are running under869print_status('Default Server Instance SQL Server Service is running under the privilege of:')870privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]871if !privdflt.nil?872privdflt.each do |priv|873print_status("\t#{priv[1]}")874report_note(875host: mssql_client.peerhost,876proto: 'TCP',877port: mssql_client.peerport,878type: 'MSSQL_ENUM',879data: { default_instance_sql_server: priv[1] }880)881end882else883print_status("\txp_regread might be disabled in this system")884end885886#------------------------------------------------------------887if instancenames.length > 1888instancenames.each do |i|889next unless i.strip != 'MSSQLSERVER'890891privinst = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]892if !privinst.nil?893print_status("Instance #{i} SQL Server Service is running under the privilege of:")894privinst.each do |p|895print_status("\t#{p[1]}")896report_note(897host: mssql_client.peerhost,898proto: 'TCP',899port: mssql_client.peerport,900type: 'MSSQL_ENUM',901data: {902instance_sql_server: i,903port: p[1]904}905)906end907else908print_status("\tCould not enumerate credentials for Instance.")909end910end911end912913disconnect914end915# rubocop:enable Metrics/MethodLength916end917918919