Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::MSSQL
8
  include Msf::Auxiliary::Scanner
9
  include Msf::OptionalSession::MSSQL
10

11
  def initialize
12
    super(
13
      'Name' => 'MSSQL Version Utility',
14
      'Description' => 'Executes a TDS7 pre-login request against the MSSQL instance to query for version information.',
15
      'Author' => 'Zach Goldman',
16
      'License' => MSF_LICENSE
17
    )
18

19
    register_options([
20
      Opt::RPORT(1433)
21
    ])
22
  end
23

24
  def run
25
    if session
26
      set_mssql_session(session.client)
27
      data = mssql_client.initial_connection_info[:prelogin_data]
28
    else
29
      create_mssql_client
30
      data = mssql_prelogin
31
    end
32

33
    if data.blank?
34
      print_error("Unable to retrieve version information for #{mssql_client.peerhost}")
35
      return
36
    end
37

38
    data[:status] = 'open' if data[:version] || data[:encryption]
39

40
    print_status("SQL Server for #{mssql_client.peerhost}:")
41
    if data[:version]
42
      print_good("Version: #{data[:version]}")
43
    else
44
      print_error('Unknown Version')
45
    end
46
    if data[:encryption]
47
      case data[:encryption]
48
      when ENCRYPT_OFF
49
        data[:encryption] = 'off'
50
      when ENCRYPT_ON
51
        data[:encryption] = 'on'
52
      when ENCRYPT_NOT_SUP
53
        data[:encryption] = 'unsupported'
54
      when ENCRYPT_REQ
55
        data[:encryption] = 'required'
56
      else
57
        data[:encryption] = 'unknown'
58
      end
59
      print_good("Encryption: #{data[:encryption]}")
60
    else
61
      print_error('Unknown encryption status')
62
    end
63

64
    report_mssql_service(mssql_client.peerhost, data)
65
  end
66

67
  def report_mssql_service(ip, data)
68
    mssql_info = 'Version: %<version>s, Encryption: %<encryption>s' % [
69
      version: data[:version] || 'unknown',
70
      encryption: data[:encryption] || 'unknown'
71
    ]
72
    report_service(
73
      host: ip,
74
      port: mssql_client.peerport,
75
      name: 'mssql',
76
      info: mssql_info,
77
      state: (data['Status'].nil? ? 'closed' : data['Status'])
78
    )
79
  end
80
end
81

82