Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/mssql/mssql_login.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasploit/framework/credential_collection'

7
require 'metasploit/framework/login_scanner/mssql'

8
require 'rex/proto/mssql/client'

9
require 'rex/post/mssql'

10


11
class MetasploitModule < Msf::Auxiliary

12
  include Msf::Exploit::Remote::MSSQL

13
  include Msf::Auxiliary::Report

14
  include Msf::Auxiliary::AuthBrute

15
  include Msf::Auxiliary::CommandShell

16
  include Msf::Auxiliary::Scanner

17
  include Msf::Sessions::CreateSessionOptions

18
  include Msf::Auxiliary::ReportSummary

19


20
  def initialize

21
    super(

22
      'Name' => 'MSSQL Login Utility',

23
      'Description' => 'This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).',

24
      'Author' => 'MC',

25
      'References' => [

26
        [ 'CVE', '1999-0506'] # Weak password

27
      ],

28
      'License' => MSF_LICENSE,

29
      # some overrides from authbrute since there is a default username and a blank password

30
      'DefaultOptions' => {

31
        'USERNAME' => 'sa',

32
        'BLANK_PASSWORDS' => true,

33
        'CreateSession' => false

34
      }

35
    )

36
    register_options([

37
      Opt::Proxies,

38
      OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]),

39
      OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])

40
    ])

41


42
    if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

43
      add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')

44
    else

45
      options_to_deregister = %w[CreateSession]

46
    end

47
    deregister_options(*options_to_deregister)

48
  end

49


50
  def create_session?

51
    if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

52
      datastore['CreateSession']

53
    else

54
      false

55
    end

56
  end

57


58
  def run

59
    results = super

60
    logins = results.flat_map { |_k, v| v[:successful_logins] }

61
    sessions = results.flat_map { |_k, v| v[:successful_sessions] }

62
    print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")

63
    return results unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)

64


65
    if create_session?

66
      print_status("#{sessions.size} MSSQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")

67
    else

68
      print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')

69
    end

70
    results

71
  end

72


73
  def run_host(ip)

74
    print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")

75


76
    if datastore['TDSENCRYPTION']

77
      if create_session?

78
        raise Msf::OptionValidateError.new(

79
          {

80
            'TDSENCRYPTION' => "Cannot create sessions when encryption is enabled. See https://github.com/rapid7/metasploit-framework/issues/18745 to vote for this feature"

81
          }

82
        )

83
      else

84
        print_status("TDS Encryption enabled")

85
      end

86
    end

87


88
    cred_collection = build_credential_collection(

89
      realm: datastore['DOMAIN'],

90
      username: datastore['USERNAME'],

91
      password: datastore['PASSWORD']

92
    )

93


94
    scanner = Metasploit::Framework::LoginScanner::MSSQL.new(

95
      configure_login_scanner(

96
        host: ip,

97
        port: rport,

98
        proxies: datastore['PROXIES'],

99
        cred_details: cred_collection,

100
        stop_on_success: datastore['STOP_ON_SUCCESS'],

101
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

102
        connection_timeout: 30,

103
        max_send_size: datastore['TCP::max_send_size'],

104
        send_delay: datastore['TCP::send_delay'],

105
        auth: datastore['Mssql::Auth'],

106
        domain_controller_rhost: datastore['DomainControllerRhost'],

107
        hostname: datastore['Mssql::Rhostname'],

108
        windows_authentication: datastore['USE_WINDOWS_AUTHENT'],

109
        tdsencryption: datastore['TDSENCRYPTION'],

110
        framework: framework,

111
        framework_module: self,

112
        use_client_as_proof: create_session?,

113
        ssl: datastore['SSL'],

114
        ssl_version: datastore['SSLVersion'],

115
        ssl_verify_mode: datastore['SSLVerifyMode'],

116
        ssl_cipher: datastore['SSLCipher'],

117
        local_port: datastore['CPORT'],

118
        local_host: datastore['CHOST']

119
      )

120
    )

121
    successful_logins = []

122
    successful_sessions = []

123
    scanner.scan! do |result|

124
      credential_data = result.to_h

125
      credential_data.merge!(

126
        module_fullname: self.fullname,

127
        workspace_id: myworkspace_id

128
      )

129
      if result.success?

130
        credential_core = create_credential(credential_data)

131
        credential_data[:core] = credential_core

132
        create_credential_login(credential_data)

133
        print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"

134
        successful_logins << result

135


136
        if create_session?

137
          begin

138
            successful_sessions << session_setup(result)

139
          rescue ::StandardError => e

140
            elog('Failed to setup the session', error: e)

141
            print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"

142
            result.connection.close unless result.connection.nil?

143
          end

144
        end

145
      else

146
        invalidate_login(credential_data)

147
        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"

148
      end

149
    end

150
    { successful_logins: successful_logins, successful_sessions: successful_sessions }

151
  end

152


153
  # @param [Metasploit::Framework::LoginScanner::Result] result

154
  # @return [Msf::Sessions::MSSQL]

155
  def session_setup(result)

156
    return unless (result.connection && result.proof)

157


158
    my_session = Msf::Sessions::MSSQL.new(result.connection, { client: result.proof, **result.proof.detect_platform_and_arch })

159
    merge_me = {

160
      'USERPASS_FILE' => nil,

161
      'USER_FILE' => nil,

162
      'PASS_FILE' => nil,

163
      'USERNAME' => result.credential.public,

164
      'PASSWORD' => result.credential.private

165
    }

166


167
    start_session(self, nil, merge_me, false, my_session.rstream, my_session)

168
  end

169
end

170


171