diff --git a/readme/CHANGELOG b/readme/CHANGELOG
index 1a6d29960..e25b114a1 100644
--- a/readme/CHANGELOG
+++ b/readme/CHANGELOG
@@ -1,3 +1,11 @@
+~~~~~~~~~~~~~~~~
+version 7.3.12
+~~~~~~~~~~~~~~~~
+
+* added prompt before brute forcing
+* removed nmap depend and used standard sockets for tcp connect
+* reduced connect time for mssql
+
 ~~~~~~~~~~~~~~~~
 version 7.3.11
 ~~~~~~~~~~~~~~~~
diff --git a/src/core/fasttrack.py b/src/core/fasttrack.py
index 0c4cb3f90..7ab153ee8 100644
--- a/src/core/fasttrack.py
+++ b/src/core/fasttrack.py
@@ -98,7 +98,7 @@ try:
 if "/" in str(range):
 iprange = printCIDR(range)
 iprange = iprange.split(",")
- pool = ThreadPool(200)
+ pool = ThreadPool(30)
 sqlport = pool.map(get_sql_port, iprange)
 pool.close()
 pool.join()
@@ -154,10 +154,10 @@ try:
 sql_servers = sql_servers.split(",")
 # start loop and brute force
- print_status("The following SQL servers and associated ports were identified; ")
+ print_status("The following SQL servers and associated ports were identified: ")
 for sql in sql_servers:
 if sql != "":
- print "SQL Server:" + sql
+ print(sql)
 print_status("By pressing enter, you will begin the brute force process on all SQL accounts identified in the list above.")
 test = input("Press {enter} to begin the brute force process.")
 for servers in sql_servers:
@@ -195,9 +195,6 @@ try:
 if sql_servers:
 print_warning(
 "Sorry. Unable to locate or fully compromise a MSSQL Server on the following SQL servers: ")
- for line in sql_servers:
- if line != "":
- print("SQL Server: " + line.rstrip())
 else:
 print_warning(
diff --git a/src/core/set.version b/src/core/set.version
index de0fc6a68..1cef271e2 100644
--- a/src/core/set.version
+++ b/src/core/set.version
@@ -1 +1 @@
-7.3.11
+7.3.12
diff --git a/src/core/setcore.py b/src/core/setcore.py
index 6c0bf60a5..24f8dbf5c 100644
--- a/src/core/setcore.py
+++ b/src/core/setcore.py
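Review bot: In the second fasttrack.py hunk the prompt result `test = input("Press {enter} ...")`, the context line directly after the new `print(sql)`, is never read again, and under Python 2 `input()` evaluates whatever the operator types instead of returning it as text. Since this hunk is already moving the surrounding lines to py3-style `print(...)`, the read should go through `raw_input` on Python 2 (or a compat alias) and the unused binding dropped: `input("Press {enter} to begin the brute force process.")` on its own. The enclosing `try:` block begins and ends outside the hunk.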
@@ -18,6 +18,7 @@ import base64
 from src.core import dictionaries
 import io
 import trace
+ #python 2 and 3 compatibility
 try:
 from urllib.request import urlopen
@@ -1765,29 +1766,30 @@ def get_sql_port(host):
 # Attempt to query UDP:1434 and return MSSQL running port
 try:
- port = 1434
- msg = "\x02\x41\x41\x41\x41"
- s.sendto(msg, (host, port))
- d = s.recvfrom(1024)
+ sql_port = None
+ try:
+ port = 1434
+ msg = "\x02\x41\x41\x41\x41"
+ s.sendto(msg, (host, port))
+ d = s.recvfrom(1024)
+ sql_port = d[0].split(";")[9]
- sql_port = d[0].split(";")[9]
- if sql_port != None:
- return host + ": " + sql_port
- else:
- proc = subprocess.Popen("nmap -v -sT -p1433 %s" %
- (host), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- output = proc.communicate()[0].split("\n")
- result = ""
- counter = 0
- for result in output:
- if "Discovered open port" in result:
- result = result.split("on ")[1]
- counter = 1
- return host + ":" + "1433"
- if counter == 0:
- return None
+ # if we have an exception, udp 1434 isnt there could be firewalled off so we need to check 1433 just in case
+ except:
+ sql_port = "1433"
+ pass
- except:
+ try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.settimeout(.2)
+ s.connect((host, int(sql_port)))
+ return host + ":" + sql_port
+
+ # if port is closed
+ except:
 return None
+
+ except Exception as err:
+ print str(err)
 pass
 # capture output from a function
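Review bot: `print str(err)` in the new outer handler of get_sql_port is Python 2-only syntax, so on Python 3 the whole module fails to compile at import time; `print(str(err))` is the portable form, and because both inner handlers are bare `except:` the outer handler can never actually fire. The new TCP probe rebinds `s`, which appears to be the UDP socket opened before the hunk (`s.sendto` uses it but nothing here creates it), and neither socket is closed on the success or failure path, so every host mapped through the ThreadPool in fasttrack.py leaks descriptors. The bare `except:` clauses also swallow `KeyboardInterrupt` and hide a malformed SSRP reply (`d[0].split(";")[9]` is a field from an untrusted network response) behind a silent fallback; the rewrite below closes the TCP socket in `finally` and narrows the probe's handler to socket and parse errors. get_sql_port's signature and the UDP socket setup are outside the hunk.

```python
        # … unchanged: UDP 1434 SSRP query that sets sql_port, falling back to "1433" …

        tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp.settimeout(.2)
        try:
            tcp.connect((host, int(sql_port)))
            return host + ":" + sql_port
        # closed or filtered port, or a reply whose tenth field is not a port number
        except (socket.error, ValueError):
            return None
        finally:
            tcp.close()

    except Exception as err:
        print(str(err))
```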