fix typo

readme/CHANGELOG

@@ -1,3 +1,11 @@
+~~~~~~~~~~~~~~~~
+version 7.3.12
+~~~~~~~~~~~~~~~~
+
+* added prompt before brute forcing
+* removed nmap depend and used standard sockets for tcp connect
+* reduced connect time for mssql
+
 ~~~~~~~~~~~~~~~~
 version 7.3.11
 ~~~~~~~~~~~~~~~~

src/core/fasttrack.py

@@ -98,7 +98,7 @@ try:
                         if "/" in str(range):
                             iprange = printCIDR(range)
                             iprange = iprange.split(",")
-                            pool = ThreadPool(200)
+                            pool = ThreadPool(30)
                             sqlport = pool.map(get_sql_port, iprange)
                             pool.close()
                             pool.join()
@@ -154,10 +154,10 @@ try:
                     sql_servers = sql_servers.split(",")
                     # start loop and brute force
 
-                    print_status("The following SQL servers and associated ports were identified; ")
+                    print_status("The following SQL servers and associated ports were identified: ")
                     for sql in sql_servers:
                         if sql != "":
-                            print "SQL Server:" + sql
+                            print(sql)
                     print_status("By pressing enter, you will begin the brute force process on all SQL accounts identified in the list above.")
                     test = input("Press {enter} to begin the brute force process.")
                     for servers in sql_servers:
@@ -195,9 +195,6 @@ try:
                     if sql_servers:
                         print_warning(
                             "Sorry. Unable to locate or fully compromise a MSSQL Server on the following SQL servers: ")
-                        for line in sql_servers:
-                            if line != "":
-                                print("SQL Server: " + line.rstrip())
 
                     else:
                         print_warning(

src/core/set.version

@@ -1 +1 @@
-7.3.11
+7.3.12

src/core/setcore.py

@@ -18,6 +18,7 @@ import base64
 from src.core import dictionaries
 import io
 import trace
+
 #python 2 and 3 compatibility
 try:
     from urllib.request import urlopen
@@ -1765,29 +1766,30 @@ def get_sql_port(host):
 
     # Attempt to query UDP:1434 and return MSSQL running port
     try:
-        port = 1434
-        msg = "\x02\x41\x41\x41\x41"
-        s.sendto(msg, (host, port))
-        d = s.recvfrom(1024)
+        sql_port = None
+        try:
+            port = 1434
+            msg = "\x02\x41\x41\x41\x41"
+            s.sendto(msg, (host, port))
+            d = s.recvfrom(1024)
+            sql_port = d[0].split(";")[9]
 
-        sql_port = d[0].split(";")[9]
-        if sql_port != None: 
-            return host + ": " + sql_port
-        else:
-            proc = subprocess.Popen("nmap -v -sT -p1433 %s" %
-                                    (host), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-            output = proc.communicate()[0].split("\n")
-            result = ""
-            counter = 0
-            for result in output:
-                if "Discovered open port" in result:
-                    result = result.split("on ")[1]
-                    counter = 1
-                    return host + ":" + "1433"
-            if counter == 0:
-                return None 
+        # if we have an exception, udp 1434 isnt there could be firewalled off so we need to check 1433 just in case
+        except:
+            sql_port = "1433"
+            pass
 
-    except:
+        try:
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            s.settimeout(.2)
+            s.connect((host, int(sql_port)))
+            return host + ":" + sql_port
+
+        # if port is closed
+        except: return None
+
+    except Exception as err:
+        print str(err)
         pass
 
 # capture output from a function