Class: Metasploit::Framework::LoginScanner::MSSQL

Inherits:
Object
  • Object
show all
Includes:
Base, NTLM, RexSocket
Defined in:
lib/metasploit/framework/login_scanner/mssql.rb

Overview

This is the LoginScanner class for dealing with Microsoft SQL Servers. It is responsible for taking a single target, and a list of credentials and attempting them. It then saves the results

Constant Summary collapse

DEFAULT_PORT =
1433
DEFAULT_REALM =
'WORKSTATION'
LIKELY_PORTS =

Lifted from lib/msf/core/exploit/mssql.rb

[ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
LIKELY_SERVICE_NAMES =

Lifted from lib/msf/core/exploit/mssql.rb

[ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]
PRIVATE_TYPES =
[ :password, :ntlm_hash ]
REALM_KEY =
Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#authArray<String>

Returns Auth The Authentication mechanism to use.

Returns:

  • (Array<String>)

    Auth The Authentication mechanism to use

See Also:



30
31
32
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 30

def auth
  @auth
end

#domain_controller_rhostString

Returns Auth The mssql hostname, required for Kerberos Authentication.

Returns:

  • (String)

    Auth The mssql hostname, required for Kerberos Authentication



40
41
42
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 40

def domain_controller_rhost
  @domain_controller_rhost
end

#hostnameObject

Returns the value of attribute hostname.



44
45
46
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 44

def hostname
  @hostname
end

#max_send_sizeInteger

Returns The max size of the data to encapsulate in a single packet.

Returns:

  • (Integer)

    The max size of the data to encapsulate in a single packet



56
57
58
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 56

def max_send_size
  @max_send_size
end

#send_delayInteger

Returns The delay between sending packets.

Returns:

  • (Integer)

    The delay between sending packets



60
61
62
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 60

def send_delay
  @send_delay
end

#tdsencryptionObject

Returns the value of attribute tdsencryption.



65
66
67
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 65

def tdsencryption
  @tdsencryption
end

#use_client_as_proofBoolean

Returns If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof.

Returns:

  • (Boolean)

    If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof



52
53
54
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 52

def use_client_as_proof
  @use_client_as_proof
end

#windows_authenticationBoolean

Returns Whether to use Windows Authentication instead of SQL Server Auth.

Returns:

  • (Boolean)

    Whether to use Windows Authentication instead of SQL Server Auth.



48
49
50
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 48

def windows_authentication
  @windows_authentication
end

Instance Method Details

#attempt_login(credential) ⇒ Object



70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 70

def (credential)
  result_options = {
      credential: credential,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'mssql'
  }

  begin
    client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies)
    if client.(credential.public, credential.private, '', credential.realm)
      result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
      if use_client_as_proof
        result_options[:proof] = client
      else
        client.disconnect
      end
    else
      result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
    end
  rescue ::Rex::ConnectionError => e
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    result_options[:proof] = e
  rescue => e
    elog(e)
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    result_options[:proof] = e
  end

  ::Metasploit::Framework::LoginScanner::Result.new(result_options)
end