Class: Metasploit::Framework::LoginScanner::MSSQL

Inherits:

Object

• Object
• Metasploit::Framework::LoginScanner::MSSQL

Includes:

Base, NTLM, RexSocket, MSSQL::Client

Defined in:

lib/metasploit/framework/login_scanner/mssql.rb

Overview

This is the LoginScanner class for dealing with Microsoft SQL Servers. It is responsible for taking a single target, and a list of credentials and attempting them. It then saves the results

Constant Summary

DEFAULT_PORT =

1433

DEFAULT_REALM =

'WORKSTATION'

LIKELY_PORTS =

Lifted from lib/msf/core/exploit/mssql.rb

[ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]

LIKELY_SERVICE_NAMES =

Lifted from lib/msf/core/exploit/mssql.rb

[ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]

PRIVATE_TYPES =

[ :password, :ntlm_hash ]

REALM_KEY =

Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Constants included from MSSQL::Base

MSSQL::Base::ENCRYPT_NOT_SUP, MSSQL::Base::ENCRYPT_OFF, MSSQL::Base::ENCRYPT_ON, MSSQL::Base::ENCRYPT_REQ, MSSQL::Base::STATUS_END_OF_MESSAGE, MSSQL::Base::STATUS_IGNORE_EVENT, MSSQL::Base::STATUS_NORMAL, MSSQL::Base::STATUS_RESETCONNECTION, MSSQL::Base::STATUS_RESETCONNECTIONSKIPTRAN, MSSQL::Base::TYPE_ATTENTION_SIGNAL, MSSQL::Base::TYPE_BULK_LOAD, MSSQL::Base::TYPE_PRE_LOGIN_MESSAGE, MSSQL::Base::TYPE_PRE_TDS7_LOGIN, MSSQL::Base::TYPE_RPC, MSSQL::Base::TYPE_SQL_BATCH, MSSQL::Base::TYPE_SSPI_MESSAGE, MSSQL::Base::TYPE_TABLE_RESPONSE, MSSQL::Base::TYPE_TDS7_LOGIN, MSSQL::Base::TYPE_TRANSACTION_MANAGER_REQUEST

Instance Attribute Summary

• #auth ⇒ Array<String>

  Auth The Authentication mechanism to use.

• #domain_controller_rhost ⇒ String

  Auth The mssql hostname, required for Kerberos Authentication.

• #hostname ⇒ Object

  Returns the value of attribute hostname.

• #tdsencryption ⇒ Object

  Returns the value of attribute tdsencryption.

• #windows_authentication ⇒ Boolean

  Whether to use Windows Authentication instead of SQL Server Auth.

Attributes included from Tcp::Client

#max_send_size, #send_delay, #sock

Instance Method Summary

• #attempt_login(credential) ⇒ Object

Methods included from MSSQL::Client

#mssql_login, #mssql_prelogin, #mssql_ssl_send_recv, #send_lm, #send_ntlm, #send_spn, #use_ntlm2_session, #use_ntlmv2

Methods included from MSSQL::Base

#mssql_parse_done, #mssql_parse_env, #mssql_parse_error, #mssql_parse_info, #mssql_parse_login_ack, #mssql_parse_reply, #mssql_parse_ret, #mssql_parse_tds_reply, #mssql_parse_tds_row, #mssql_send_recv, #mssql_tds_encrypt

Methods included from Tcp::Client

#chost, #connect, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Instance Attribute Details

#auth ⇒ Array<String>

Returns Auth The Authentication mechanism to use.

Returns:

• (Array<String>) —

  Auth The Authentication mechanism to use

See Also:

• Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 31

def auth
  @auth
end

#domain_controller_rhost ⇒ String

Returns Auth The mssql hostname, required for Kerberos Authentication.

Returns:

• (String) —

  Auth The mssql hostname, required for Kerberos Authentication

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 41

def domain_controller_rhost
  @domain_controller_rhost
end

#hostname ⇒ Object

Returns the value of attribute hostname.

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 45

def hostname
  @hostname
end

#tdsencryption ⇒ Object

Returns the value of attribute tdsencryption.

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 54

def tdsencryption
  @tdsencryption
end

#windows_authentication ⇒ Boolean

Returns Whether to use Windows Authentication instead of SQL Server Auth.

Returns:

• (Boolean) —

  Whether to use Windows Authentication instead of SQL Server Auth.

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 49

def windows_authentication
  @windows_authentication
end

Instance Method Details

#attempt_login(credential) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 59

def attempt_login(credential)
  result_options = {
      credential: credential,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'mssql'
  }

  begin
    if mssql_login(credential.public, credential.private, '', credential.realm)
      result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
    else
      result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
    end
  rescue ::Rex::ConnectionError => e
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    result_options[:proof] = e
  rescue => e
    elog(e)
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    result_options[:proof] = e
  end

  ::Metasploit::Framework::LoginScanner::Result.new(result_options)
end