Class: Metasploit::Framework::LoginScanner::MSSQL

Inherits:

Object

• Object
• Metasploit::Framework::LoginScanner::MSSQL

Includes:

Base, NTLM, RexSocket

Defined in:

lib/metasploit/framework/login_scanner/mssql.rb

Overview

This is the LoginScanner class for dealing with Microsoft SQL Servers. It is responsible for taking a single target, and a list of credentials and attempting them. It then saves the results

Constant Summary

DEFAULT_PORT =

1433

DEFAULT_REALM =

'WORKSTATION'

LIKELY_PORTS =

Lifted from lib/msf/core/exploit/mssql.rb

[ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]

LIKELY_SERVICE_NAMES =

Lifted from lib/msf/core/exploit/mssql.rb

[ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]

PRIVATE_TYPES =

[ :password, :ntlm_hash ]

REALM_KEY =

Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

Instance Attribute Summary

• #auth ⇒ Array<String>

  Auth The Authentication mechanism to use.

• #domain_controller_rhost ⇒ String

  Auth The mssql hostname, required for Kerberos Authentication.

• #hostname ⇒ Object

  Returns the value of attribute hostname.

• #max_send_size ⇒ Integer

  The max size of the data to encapsulate in a single packet.

• #send_delay ⇒ Integer

  The delay between sending packets.

• #tdsencryption ⇒ Object

  Returns the value of attribute tdsencryption.

• #use_client_as_proof ⇒ Boolean

  If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof.

• #windows_authentication ⇒ Boolean

  Whether to use Windows Authentication instead of SQL Server Auth.

Instance Method Summary

• #attempt_login(credential) ⇒ Object

Instance Attribute Details

#auth ⇒ Array<String>

Returns Auth The Authentication mechanism to use.

Returns:

• (Array<String>) —

  Auth The Authentication mechanism to use

See Also:

• Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 30

def auth
  @auth
end

#domain_controller_rhost ⇒ String

Returns Auth The mssql hostname, required for Kerberos Authentication.

Returns:

• (String) —

  Auth The mssql hostname, required for Kerberos Authentication

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 40

def domain_controller_rhost
  @domain_controller_rhost
end

#hostname ⇒ Object

Returns the value of attribute hostname.

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 44

def hostname
  @hostname
end

#max_send_size ⇒ Integer

Returns The max size of the data to encapsulate in a single packet.

Returns:

• (Integer) —

  The max size of the data to encapsulate in a single packet

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 56

def max_send_size
  @max_send_size
end

#send_delay ⇒ Integer

Returns The delay between sending packets.

Returns:

• (Integer) —

  The delay between sending packets

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 60

def send_delay
  @send_delay
end

#tdsencryption ⇒ Object

Returns the value of attribute tdsencryption.

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 65

def tdsencryption
  @tdsencryption
end

#use_client_as_proof ⇒ Boolean

Returns If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof.

Returns:

• (Boolean) —

  If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 52

def use_client_as_proof
  @use_client_as_proof
end

#windows_authentication ⇒ Boolean

Returns Whether to use Windows Authentication instead of SQL Server Auth.

Returns:

• (Boolean) —

  Whether to use Windows Authentication instead of SQL Server Auth.

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 48

def windows_authentication
  @windows_authentication
end

Instance Method Details

#attempt_login(credential) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/mssql.rb', line 70

def attempt_login(credential)
  result_options = {
      credential: credential,
      host: host,
      port: port,
      protocol: 'tcp',
      service_name: 'mssql'
  }

  begin
    client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies, sslkeylogfile: sslkeylogfile)
    if client.mssql_login(credential.public, credential.private, '', credential.realm)
      result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
      if use_client_as_proof
        result_options[:proof] = client
        result_options[:connection] = client.sock
      else
        client.disconnect
      end
    else
      result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
    end
  rescue ::Rex::ConnectionError => e
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    result_options[:proof] = e
  rescue => e
    elog(e)
    result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
    result_options[:proof] = e
  end

  ::Metasploit::Framework::LoginScanner::Result.new(result_options)
end