added tcp 1433 scanning and better handling around information on mssql bruter

readme/CHANGELOG

@@ -15,6 +15,10 @@ version 7.1
 * added better threading within brute forcing sql accounts
 * fixed an issue where SET directory would not properly fill in dll hijacking and give invalid /root/.setsrc path instead of .set/src 
 * reduced file format generation counter to when it prompts error message
+* fixed an issue in mssql bruter that would remove the port parameter when attempting to brute force
+* added if udp 1434 is not found, it will fall back to nmap to discover if 1433 default port is open - ran into pentest where udp wasn't allowed and missed SQL servers because of this
+* added better handling and description of the SQL servers found during the test - might be useful for pentests to store that data somewhere
+* added more improvements and handling around MSSQL server
 
 ~~~~~~~~~~~~~~~~
 version 7.0.6

src/core/fasttrack.py

@@ -96,20 +96,32 @@ try:
 	                        iprange = iprange.split(",")
 	                        for host in iprange:
 	                            sqlport = get_sql_port(host)
+				    if sqlport == None:
+					sql_nmap_scan(host)
+					if sql_nmap_scan != None:
+						sql_servers = sql_servers + host + ":" + "1433" + ","
 	                            if sqlport != None:
 	                                sql_servers = sql_servers + host + ":" + sqlport + ","
 			else:
 				range1 = range.split(" ")
 				for ip in range1:
 					sqlport = get_sql_port(ip)
+                                    	if sqlport == None:
+                                        	sql_nmap_scan(ip)
+                                        	if sql_nmap_scan != None:
+                                                	sql_servers = sql_servers + ip + ":" + "1433" + ","
+
 					if sqlport != None:
 						sql_servers = sql_servers + ip + ":" + sqlport + ","
 
                     else:
-                        # use udp discovery to get the SQL server IDP through
-                        # 1434
+                        # use udp discovery to get the SQL server UDP 1434
                         sqlport = get_sql_port(range)
-                        # UDP could be closed - defaulting to 1433
+                        # if its not closed then check nmap - if both fail then nada
+                        if sqlport == None:
+                        	sql_nmap_scan(host)
+                        	if sql_nmap_scan != None:
+                        		sql_servers = sql_servers + host + ":" + "1433" + ","
                         if sqlport != None:
                             sql_servers = range + ":" + sqlport
 
@@ -176,8 +188,13 @@ try:
 
                 # if we didn't successful attack one
                 if counter == 0:
-                    print_warning(
-                        "Sorry. Unable to locate or fully compromise a MSSQL Server.")
+		    if sql_servers:
+                    	print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server on the following SQL servers: ")
+			for line in sql_servers: 
+				if line != "":
+					print "SQL Server: " + line.rstrip()
+
+		    else: print_warning("Sorry. Unable to find any SQL servers to attack.")
                     pause = raw_input(
                         "Press {return} to continue to the main menu.")
                 # if we successfully attacked one
@@ -188,8 +205,12 @@ try:
                         counter = 1
                         # here we list the servers we compromised
                         master_names = master_list.split(":")
+			print_status("SET Fast-Track attacked the following SQL servers: ")
+			for line in sql_servers:
+				if line != "": 	
+					print "SQL Servers: " + line.rstrip()
                         print_status(
-                            "Select the compromise SQL server you want to interact with:\n")
+                            "Below are the successfully compromised systems.\nSelect the compromise SQL server you want to interact with:\n")
                         for success in master_names:
                             if success != "":
                                 success = success.rstrip()

src/core/setcore.py

@@ -1778,9 +1778,17 @@ def get_sql_port(host):
     except:
         pass
 
+# this will manually tcp connect if needed
+def sql_nmap_scan(ipaddr):
+        proc = subprocess.Popen("nmap -v -sT -p1433 %s" % (ipaddr), shell=True, stdout=subprocess.PIPE)
+        output =  proc.communicate()[0].split("\n")
+        result = ""
+        for result in output:
+                if "Discovered open port" in result:
+                        result = result.split("on ")[1]
+	return result
+
 # capture output from a function
-
-
 def capture(func, *args, **kwargs):
     """Capture the output of func when called with the given arguments.
 

src/fasttrack/mssql.py

@@ -41,12 +41,19 @@ def brute(ipaddr, username, port, wordlist):
             # try actual password
             try:
 
+                # connect to the sql server and attempt a password
+                if ":" in ipaddr:
+                    ipaddr = ipaddr.split(":")
+                    port = ipaddr[1]
+                    ipaddr = ipaddr[0]
+
                 ipaddr = str(ipaddr)
-                print("Attempting to brute force " + bcolors.BOLD + ipaddr + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC)
+		port = str(port)
+
+                print("Attempting to brute force " + bcolors.BOLD + ipaddr + ":" + port + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC)
 
                 # connect to the sql server and attempt a password
                 if ":" in ipaddr:
-                    #target_server = _mssql.connect(ipaddr, username, passwords)
                     ipaddr = ipaddr.split(":")
                     port = ipaddr[1]
                     ipaddr = ipaddr[0]