From be78e830ed051ee5eb8c155d88907e7b9fab8ba5 Mon Sep 17 00:00:00 2001 From: TrustedSec Date: Sat, 23 Apr 2016 21:42:12 -0400 Subject: [PATCH] added tcp 1433 scanning and better handling around information on mssql bruter --- readme/CHANGELOG | 4 ++++ src/core/fasttrack.py | 33 +++++++++++++++++++++++++++------ src/core/setcore.py | 12 ++++++++++-- src/fasttrack/mssql.py | 11 +++++++++-- 4 files changed, 50 insertions(+), 10 deletions(-) diff --git a/readme/CHANGELOG b/readme/CHANGELOG index a5e8ee477..b304adc99 100644 --- a/readme/CHANGELOG +++ b/readme/CHANGELOG @@ -15,6 +15,10 @@ version 7.1 * added better threading within brute forcing sql accounts * fixed an issue where SET directory would not properly fill in dll hijacking and give invalid /root/.setsrc path instead of .set/src * reduced file format generation counter to when it prompts error message +* fixed an issue in mssql bruter that would remove the port parameter when attempting to brute force +* added if udp 1434 is not found, it will fall back to nmap to discover if 1433 default port is open - ran into pentest where udp wasn't allowed and missed SQL servers because of this +* added better handling and description of the SQL servers found during the test - might be useful for pentests to store that data somewhere +* added more improvements and handling around MSSQL server ~~~~~~~~~~~~~~~~ version 7.0.6 diff --git a/src/core/fasttrack.py b/src/core/fasttrack.py index 6dedd0a68..2fd176e8e 100644 --- a/src/core/fasttrack.py +++ b/src/core/fasttrack.py 
@@ -96,20 +96,32 @@ try: iprange = iprange.split(",") for host in iprange: sqlport = get_sql_port(host) + if sqlport == None: + sql_nmap_scan(host) + if sql_nmap_scan != None: + sql_servers = sql_servers + host + ":" + "1433" + "," if sqlport != None: sql_servers = sql_servers + host + ":" + sqlport + "," else: range1 = range.split(" ") for ip in range1: sqlport = get_sql_port(ip) + if sqlport == None: + sql_nmap_scan(ip) + if sql_nmap_scan != None: + sql_servers = sql_servers + ip + ":" + "1433" + "," + if sqlport != None: sql_servers = sql_servers + ip + ":" + sqlport + "," else: - # use udp discovery to get the SQL server IDP through - # 1434 + # use udp discovery to get the SQL server UDP 1434 sqlport = get_sql_port(range) - # UDP could be closed - defaulting to 1433 + # if its not closed then check nmap - if both fail then nada + if sqlport == None: + sql_nmap_scan(host) + if sql_nmap_scan != None: + sql_servers = sql_servers + host + ":" + "1433" + "," if sqlport != None: sql_servers = range + ":" + sqlport @@ -176,8 +188,13 @@ try: # if we didn't successful attack one if counter == 0: - print_warning( - "Sorry. Unable to locate or fully compromise a MSSQL Server.") + if sql_servers: + print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server on the following SQL servers: ") + for line in sql_servers: + if line != "": + print "SQL Server: " + line.rstrip() + + else: print_warning("Sorry. Unable to find any SQL servers to attack.") pause = raw_input( "Press {return} to continue to the main menu.") # if we successfully attacked one 
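Review bot: The three new fallbacks test `if sql_nmap_scan != None:`, which compares the function object itself and is therefore always true, so every host without a UDP 1434 reply is queued as `host:1433` whether or not nmap actually found the port open; the return value of the call is discarded. Each fallback should bind the result and test it, e.g. `nmap_port = sql_nmap_scan(host)` / `if nmap_port:` / `sql_servers = sql_servers + host + ":" + "1433" + ","`, with `ip` in the second branch. In the final single-target `else:` branch the fallback also reads `host`, which is only bound by the comma-list branch, while the surrounding lines use `range`; that branch should call `sql_nmap_scan(range)` and append `range`. The enclosing `try:` begins before this hunk.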
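Review bot: `for line in sql_servers:` in the new `if sql_servers:` branch iterates a string, since the previous hunk builds `sql_servers` by concatenating `host + ":" + sqlport + ","`, so the loop prints one "SQL Server:" line per character. It should split on the separator first: `for line in sql_servers.split(","):`, which also makes the `if line != "":` guard meaningful for the trailing comma. The `if counter == 0:` block sits inside a `try:` that starts outside this hunk.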
@@ -188,8 +205,12 @@ try: counter = 1 # here we list the servers we compromised master_names = master_list.split(":") + print_status("SET Fast-Track attacked the following SQL servers: ") + for line in sql_servers: + if line != "": + print "SQL Servers: " + line.rstrip() print_status( - "Select the compromise SQL server you want to interact with:\n") + "Below are the successfully compromised systems.\nSelect the compromise SQL server you want to interact with:\n") for success in master_names: if success != "": success = success.rstrip() diff --git a/src/core/setcore.py b/src/core/setcore.py index dc2cfac67..5fa384a9d 100644 --- a/src/core/setcore.py +++ b/src/core/setcore.py @@ -1778,9 +1778,17 @@ def get_sql_port(host): except: pass +# this will manually tcp connect if needed +def sql_nmap_scan(ipaddr): + proc = subprocess.Popen("nmap -v -sT -p1433 %s" % (ipaddr), shell=True, stdout=subprocess.PIPE) + output = proc.communicate()[0].split("\n") + result = "" + for result in output: + if "Discovered open port" in result: + result = result.split("on ")[1] + return result + # capture output from a function - - def capture(func, *args, **kwargs): """Capture the output of func when called with the given arguments. diff --git a/src/fasttrack/mssql.py b/src/fasttrack/mssql.py index 402249b0f..768e696b3 100644 --- a/src/fasttrack/mssql.py +++ b/src/fasttrack/mssql.py 
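Review bot: The new "SET Fast-Track attacked the following SQL servers" loop has the same string-iteration problem: `for line in sql_servers:` walks characters of a comma-joined string rather than entries, so it should read `for line in sql_servers.split(","):`. The label also differs from the sibling hunk ("SQL Servers: " here versus "SQL Server: " there); one wording would be easier to grep in pentest notes. The enclosing `try:` begins before this hunk.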
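Review bot: `sql_nmap_scan` interpolates `ipaddr` into a shell string and runs it with `shell=True`; the value comes from the operator-supplied target list in fasttrack.py (`iprange.split(",")`, `range.split(" ")`), so any shell metacharacters in that input are executed by the shell instead of being passed to nmap, and passing an argv list with no shell removes that path entirely. Independently, the loop variable shadows the accumulator: `for result in output:` reassigns `result` on every iteration, so the value extracted by `split("on ")[1]` is overwritten by later lines and, with nmap's trailing newline, the function returns "" for an open port; the match should be returned from inside the loop. As I read nmap's verbose output the matched line is `Discovered open port 1433/tcp on <host>`, so `split("on ")[1]` yields the host rather than a port — acceptable if callers only test truthiness, but the docstring should say so, and callers must test the return value rather than the function name. The whole function is within this hunk.
```python
# TCP fallback when UDP 1434 discovery fails: ask nmap whether 1433/tcp is open.
# Returns the matched nmap line's target (truthy) on success, None otherwise.
def sql_nmap_scan(ipaddr):
    # argv list, no shell: ipaddr is operator input and must not be shell-interpreted
    proc = subprocess.Popen(["nmap", "-v", "-sT", "-p1433", ipaddr],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output = proc.communicate()[0].split("\n")
    for line in output:
        if "Discovered open port" in line:
            return line.split("on ")[1].strip()
    return None
```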
@@ -41,12 +41,19 @@ def brute(ipaddr, username, port, wordlist): # try actual password try: + # connect to the sql server and attempt a password + if ":" in ipaddr: + ipaddr = ipaddr.split(":") + port = ipaddr[1] + ipaddr = ipaddr[0] + ipaddr = str(ipaddr) - print("Attempting to brute force " + bcolors.BOLD + ipaddr + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC) + port = str(port) + + print("Attempting to brute force " + bcolors.BOLD + ipaddr + ":" + port + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC) # connect to the sql server and attempt a password if ":" in ipaddr: - #target_server = _mssql.connect(ipaddr, username, passwords) ipaddr = ipaddr.split(":") port = ipaddr[1] ipaddr = ipaddr[0]
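Review bot: The retained `if ":" in ipaddr:` block after the new print is now unreachable, because the added block above it has already split the host and port and rebound `ipaddr` to the bare address; the duplicate should be removed so the connect path is read in one place. The added `port = ipaddr[1]` also silently overrides the `port` parameter the caller passed whenever the host carries a `host:port` suffix, which is probably intended given the changelog's port fix but deserves a comment such as `# a host:port target wins over the port argument`. `brute` begins before this hunk and its `try:` body continues after it.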