From 5ae3aa8f84a159fe7bc5ff40020f0644b00adf9b Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 26 Mar 2012 09:57:06 -0500 Subject: [PATCH 1/7] Update .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 59dfee2a71..3b682286f2 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ tags *.swp *.orig *.rej +*.nonsense-ignore-just-testing \ No newline at end of file From d7727c880a4256a3348f9c7413eee86cfe9fb7b7 Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Thu, 20 Sep 2012 12:23:48 -0500 Subject: [PATCH 2/7] adds -s Execute the specified string as console commands to msfconsole for convenience when you don't need/want a full resource file, you just want to run something quick example usage: # say you have a saved config ready to go on load ./msfconsole -s 'exploit -j' # you can run multiple commands too ./msfconsole -s 'set ConsoleLogging true\nshow options' --- lib/msf/ui/console/driver.rb | 7 +++++++ msfconsole | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index 399c0781c2..00547a5aed 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb @@ -249,6 +249,13 @@ class Driver < Msf::Ui::Driver # If the opt is nil here, we load ~/.msf3/msfconsole.rc load_resource(opts['Resource']) end + + # Process any additional startup commands + if opts['SCommands'] and opts['SCommands'].kind_of? Array + opts['SCommands'].each { |c| + run_single(c) + } + end end # diff --git a/msfconsole b/msfconsole index c21594147f..17296a4c30 100755 --- a/msfconsole +++ b/msfconsole @@ -101,6 +101,11 @@ class OptsConsole options['DisableBanner'] = true end + opts.on("-s", "-s ", "Execute the specified string as console commands") do |s| + options['SCommands'] ||= [] + options['SCommands'] += s.split('\n') + end + opts.separator "" opts.separator "Common options:" From 1f9013047571997e64a02c8c44cffcafa9339e49 Mon Sep 17 00:00:00 2001 
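Review bot: The added guard `if opts['SCommands'] and opts['SCommands'].kind_of? Array` uses `and` for a boolean test, where `&&` is the operator with the expected precedence, and the two-part check plus the multi-line brace block collapse to `Array(opts['SCommands']).each { |c| run_single(c) }`, which also tolerates a single string. The commands run after `load_resource(opts['Resource'])`, so a resource file and -s commands are applied in that order; a one-line comment saying so, `# -s commands run after any resource file has been loaded`, would help the next reader. The enclosing method starts outside the hunk, and the same guard is carried over under the XCommands name in PATCH 3.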
From: Tod Beardsley Date: Thu, 20 Sep 2012 13:34:29 -0500 Subject: [PATCH 3/7] Touchups to msfconsole command parsing Move from -s to -x and use a semicolon. --- lib/msf/ui/console/driver.rb | 4 ++-- msfconsole | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index 00547a5aed..eac24a576d 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb @@ -251,8 +251,8 @@ class Driver < Msf::Ui::Driver end # Process any additional startup commands - if opts['SCommands'] and opts['SCommands'].kind_of? Array - opts['SCommands'].each { |c| + if opts['XCommands'] and opts['XCommands'].kind_of? Array + opts['XCommands'].each { |c| run_single(c) } end diff --git a/msfconsole b/msfconsole index 17296a4c30..ea8add619e 100755 --- a/msfconsole +++ b/msfconsole @@ -101,9 +101,9 @@ class OptsConsole options['DisableBanner'] = true end - opts.on("-s", "-s ", "Execute the specified string as console commands") do |s| - options['SCommands'] ||= [] - options['SCommands'] += s.split('\n') + opts.on("-x", "-x ", "Execute the specified string as console commands (use ; for multiples)") do |s| + options['XCommands'] ||= [] + options['XCommands'] += s.split(/\s*;\s*/) end opts.separator "" From b1226ab87cc7e97f42fabb9c2146bd5b6cb994e7 Mon Sep 17 00:00:00 2001 From: Barry Shteiman Date: Fri, 21 Sep 2012 20:01:32 +0100 Subject: [PATCH 4/7] mysql search config + less verbose --- modules/post/windows/gather/enum_db.rb | 266 +++++++++++++++++++++++++ 1 file changed, 266 insertions(+) create mode 100644 modules/post/windows/gather/enum_db.rb diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb new file mode 100644 index 0000000000..4bdf179ef4 --- /dev/null +++ b/modules/post/windows/gather/enum_db.rb 
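Review bot: `s.split(/\s*;\s*/)` splits inside any command whose argument legitimately contains a semicolon, for example a `set` value, and the option gives no way to escape one; the help string should say so, or the split should honour a `\;` escape. A leading or doubled `;` also yields an empty string that the driver then hands to run_single; `options['XCommands'] += s.split(/\s*;\s*/).reject(&:empty?)` drops those. The enclosing OptsConsole parsing block starts and ends outside the hunk.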
@@ -0,0 +1,266 @@ +## +# $Id$ +## + +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/windows/registry' +require 'msf/core/post/file' + + +class Metasploit3 < Msf::Post + + include Msf::Post::File + include Msf::Post::Windows::Registry + include Msf::Auxiliary::Report + + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Gather Database Instance Enumeration', + 'Description' => %q{ This module will enumerate a windows system for installed database instances }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Barry Shteiman '], + 'Version' => '$Revision$', + 'Platform' => [ 'windows' ], + 'SessionTypes' => [ 'meterpreter' ] + )) + end + + # method called when command run is issued + def run + + print_status("Enumerating Databases on #{sysinfo['Computer']}") + found = false + if check_mssql + enumerate_mssql + found = true + end + if check_oracle + enumerate_oracle + found = true + end + if check_db2 + enumerate_db2 + found = true + end + if check_mysql + enumerate_mysql + found = true + end + if check_sybase + enumerate_sybase + found = true + end + if found + print_status("Enumeration Complete, Databases Found.") + else + print_status("Enumeration Complete, No Databases were found") + end + end + + ##### initial identification methods ##### + + # method for Checking if database instances are installed on host - mssql + def check_mssql + key = "HKLM\\SOFTWARE\\Microsoft" + if registry_enumkeys(key).include?("Microsoft SQL Server") + print_status("\tMicrosoft SQL Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - oracle + def check_oracle + key = "HKLM\\SOFTWARE\\Oracle" + if 
registry_enumkeys(key).include?("ALL_HOMES") + print_status("\tOracle Server found.") + return true + elsif registry_enumkeys(key).include?("SYSMAN") + print_status("\tOracle Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - db2 + def check_db2 + key = "HKLM\\SOFTWARE\\IBM\\DB2" + if registry_enumkeys(key).include?("GLOBAL_PROFILE") + print_status("\tDB2 Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - mysql + def check_mysql + key = "HKLM\\SOFTWARE" + if registry_enumkeys(key).include?("MySQL AB") + print_status("\tMySQL Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - sybase + def check_sybase + key = "HKLM\\SOFTWARE\\Sybase" + if registry_enumkeys(key).include?("SQLServer") + print_status("\tSybase Server found.") + return true + elsif registry_enumkeys(key).include?("Server") + print_status("\tSybase Server found.") + return true + end + return false + rescue + return false + end + + ##### deep analysis methods ##### + + # method to identify mssql instances + def enumerate_mssql + key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL" + instances = registry_enumvals(key) + if not instances.nil? and not instances.empty? + instances.each do |i| + tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll" + tcpport = registry_getvaldata(tcpkey,"TcpPort") + print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})") + + end + end + rescue + end + + # method to identify oracle instances + def enumerate_oracle + basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN" + instances = registry_enumkeys(basekey) + if not instances.nil? and not instances.empty? 
+ instances.each do |i| + key = "#{basekey}\\#{i}" + val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID") + val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME") + + if session.fs.file.exists?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + ports = data_TNSNAMES.scan(/PORT\ \=\ (\d+)/) + port = 0 + ports.each do |p| + if port == 0 + port = $1 + end + end + print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})") + else + print_error("\t\t+ #{val_ORACLE_SID} (No Listener Found)") + end + end + end + rescue + end + + # method to identify mysql instances + def enumerate_mysql + basekey = "HKLM\\SOFTWARE\\MySQL AB" + instances = registry_enumkeys(basekey) + if not instances.nil? and not instances.empty? + instances.each do |i| + found = false + key = "#{basekey}\\#{i}" + val_Location = registry_getvaldata(key,"Location") + if session.fs.file.exists?(val_Location + "\\my.ini") + found = true + data = read_file(val_Location + "\\my.ini") + elsif session.fs.file.exists?(val_Location + "\\my.cnf") + found = true + data = read_file(val_Location + "\\my.cnf") + else + sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") + getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) + data = 0 + getfile.each do |file| + if data == 0 + if session.fs.file.exists?("#{file['path']}\\#{file['name']}") + found = true + data = read_file("#{file['path']}\\#{file['name']}") + end + end + end + end + if found + ports = data.scan(/port\=(\d+)/) + port = 0 + ports.each do |p| + if port == 0 + port = $1 + end + end + print_good("\t\t+ MYSQL (Port:#{port})") + else + print_error("\t\t+couldnt locate file.") + end + + end + end + rescue + end + + # method to identify mysql instances + def enumerate_sybase + basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer" + instance = registry_getvaldata(basekey,"DSLISTEN") + location = registry_getvaldata(basekey,"RootDir") + if 
session.fs.file.exists?(location + "\\ini\\sql.ini") + data = read_file(location + "\\ini\\sql.ini") + segments = data.scan(/\[#{instance}\]([^\[]*)/) + segment = "" + segments.each do |s| + if segment == "" + segment = $1 + end + end + port = segment.scan(/master\=\w+\,0.0.0.0\,(\d+)/) + print_good("\t\t+ #{instance} (Port:#{port})") + else + print_error("\t\t+couldnt locate file.") + end + rescue + print_error("\t\t+ couldnt locate information.") + end + + # method to identify db2 instances + def enumerate_db2 + key = "HKLM\\SOFTWARE\\IBM\\DB2\\GLOBAL_PROFILE" + instance = registry_getvaldata(key,"DB2INSTDEF") + tcpkey = "HKLM\\SOFTWARE\\IBM\\DB2\\PROFILES\\#{instance}" + tcpport = registry_getvaldata(tcpkey,"DB2PORTRANGE") + account = registry_getvaldata(tcpkey,"DB2ACCOUNTNAME") + owner = registry_getvaldata(tcpkey,"DB2INSTOWNER") + print_good("\t\t+ #{instance} (Port:#{tcpport} , User:#{account}, Owner:#{owner})") + rescue + print_error("\t\t+#{instance}, couldnt identify instance information.") + end + + + +end \ No newline at end of file From f51f4c1e6a2aefc03cbeffd1ce8d7a3c0839a0ea Mon Sep 17 00:00:00 2001 From: Barry Shteiman Date: Wed, 26 Sep 2012 13:28:16 +0100 Subject: [PATCH 5/7] added support for oracle 11g XE --- modules/post/windows/gather/enum_db.rb | 352 +++++++++++++++---------- 1 file changed, 220 insertions(+), 132 deletions(-) diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb index 4bdf179ef4..0ff8c6abb6 100644 --- a/modules/post/windows/gather/enum_db.rb +++ b/modules/post/windows/gather/enum_db.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # ## This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
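Review bot: `data.scan(/\[#{instance}\]([^\[]*)/)` in enumerate_sybase interpolates the DSLISTEN registry value into the pattern unescaped, so a server name containing a regex metacharacter (a `.` or `(`) either mismatches or raises RegexpError, which the bare `rescue` then reports as missing information; use `Regexp.escape(instance)`. The same interpolation is kept in the rewrite of enumerate_sybase in PATCH 5. `session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)` in enumerate_mysql assigns two throwaway locals and passes their values positionally, so it reads like keyword arguments but is not; write `search(sysdriv + "\\", "my.ini", true, -1)`, and that form too survives into find_mysql_conf and enumerate_db2 in PATCH 5. A recursive search of the whole system drive with no timeout is also the slowest thing this module does; a comment on that line noting it is a last-resort fallback would make the cost deliberate.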
@@ -9,65 +5,86 @@ # http://metasploit.com/ ## -require 'msf/core' require 'rex' -require 'msf/core/post/windows/registry' +require 'msf/core' require 'msf/core/post/file' - +require 'msf/core/post/common' +require 'msf/core/post/windows/registry' class Metasploit3 < Msf::Post include Msf::Post::File + include Msf::Post::Common include Msf::Post::Windows::Registry include Msf::Auxiliary::Report - def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Gather Database Instance Enumeration', - 'Description' => %q{ This module will enumerate a windows system for installed database instances }, - 'License' => MSF_LICENSE, - 'Author' => [ 'Barry Shteiman '], - 'Version' => '$Revision$', - 'Platform' => [ 'windows' ], - 'SessionTypes' => [ 'meterpreter' ] - )) + 'Name' => 'Windows Gather Database Instance Enumeration', + 'Description' => %q{ This module will enumerate a windows system for installed database instances }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Barry Shteiman ', # Module author + 'juan vazquez' # minor help + ], + 'Platform' => [ 'windows' ], + 'SessionTypes' => [ 'meterpreter' ] + )) end # method called when command run is issued def run - + + results = [] + print_status("Enumerating Databases on #{sysinfo['Computer']}") - found = false if check_mssql - enumerate_mssql - found = true + results += enumerate_mssql end if check_oracle - enumerate_oracle - found = true + results += enumerate_oracle end if check_db2 - enumerate_db2 - found = true - end + results += enumerate_db2 + end if check_mysql - enumerate_mysql - found = true + results += enumerate_mysql end if check_sybase - enumerate_sybase - found = true - end - if found - print_status("Enumeration Complete, Databases Found.") - else - print_status("Enumeration Complete, No Databases were found") + results += enumerate_sybase end + + if results.empty? 
+ print_status("Done, No Databases were found") + return + end + + print_status("Done, Databases Found.") + + tbl = Rex::Ui::Text::Table.new( + 'Header' => "Installed Databases", + 'Indent' => 1, + 'Columns' => + [ + "Type", + "Instance", + "Database", + "Port" + ]) + + results.each { |r| + report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}") + tbl << r + } + + print_line(tbl.to_s) + p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases") + print_status("Results stored in: #{p}") + end ##### initial identification methods ##### - + # method for Checking if database instances are installed on host - mssql def check_mssql key = "HKLM\\SOFTWARE\\Microsoft" @@ -75,7 +92,7 @@ class Metasploit3 < Msf::Post print_status("\tMicrosoft SQL Server found.") return true end - return false + return false rescue return false end @@ -89,12 +106,15 @@ class Metasploit3 < Msf::Post elsif registry_enumkeys(key).include?("SYSMAN") print_status("\tOracle Server found.") return true + elsif registry_enumkeys(key).include?("KEY_XE") + print_status("\tOracle Server found.") + return true end - return false + return false rescue return false end - + # method for Checking if database instances are installed on host - db2 def check_db2 key = "HKLM\\SOFTWARE\\IBM\\DB2" @@ -102,11 +122,11 @@ class Metasploit3 < Msf::Post print_status("\tDB2 Server found.") return true end - return false + return false rescue return false - end - + end + # method for Checking if database instances are installed on host - mysql def check_mysql key = "HKLM\\SOFTWARE" @@ -114,11 +134,11 @@ class Metasploit3 < Msf::Post print_status("\tMySQL Server found.") return true end - return false + return false rescue return false - end - + end + # method for Checking if database instances are installed on host - sybase def check_sybase key = "HKLM\\SOFTWARE\\Sybase" 
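Review bot: `report_service(:host => session.sock.peerhost, :port => r[3], ...)` passes the port column straight through, but r[3] is whatever registry_getvaldata or a regex capture produced: a String for every enumerator, and for mssql possibly nil or an empty string when the instance's TcpPort value is unset (presumably the dynamic-port case), so a service would be reported with no usable port. Only report rows that carry a numeric port, `report_service(..., :port => r[3].to_i, ...) if r[3].to_s =~ /\A\d+\z/`, and keep the row in the table either way. The multi-line `results.each { |r| ... }` block would read better as do/end, and nothing says why each instance is printed twice, once by the enumerator's print_good and once in the table; a comment on the table, `# summary table; per-instance lines were already printed by enumerate_*`, would make that deliberate.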
@@ -129,15 +149,16 @@ class Metasploit3 < Msf::Post print_status("\tSybase Server found.") return true end - return false + return false rescue return false end ##### deep analysis methods ##### - + # method to identify mssql instances def enumerate_mssql + results = [] key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL" instances = registry_enumvals(key) if not instances.nil? and not instances.empty? 
@@ -145,122 +166,189 @@ class Metasploit3 < Msf::Post tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll" tcpport = registry_getvaldata(tcpkey,"TcpPort") print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})") - + results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport] end end + return results rescue + print_error("\t\t! could not identify information") + return results || [] end - + # method to identify oracle instances def enumerate_oracle - basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN" - instances = registry_enumkeys(basekey) - if not instances.nil? and not instances.empty? + results = [] + #basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN" + found_key = false + basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"] + + basekey_set.each do |basekey| + next if found_key + instances = registry_enumkeys(basekey) + if instances.nil? or instances.empty? 
+ next + else + found_key = true + end + instances.each do |i| - key = "#{basekey}\\#{i}" - val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID") - val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME") - - if session.fs.file.exists?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") - data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") - ports = data_TNSNAMES.scan(/PORT\ \=\ (\d+)/) - port = 0 - ports.each do |p| - if port == 0 - port = $1 - end - end - print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})") + if basekey.include?"KEY_XE" + val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID") + val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME") else - print_error("\t\t+ #{val_ORACLE_SID} (No Listener Found)") + key = "#{basekey}\\#{i}" + val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID") + val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME") + end + if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)") + next + end + + data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + if data_TNSNAMES =~ /PORT\ \=\ (\d+)/ + port = $1 + print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})") + results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ] + else + print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)") end end end + if not found_key + print_error("\t\t! Oracle instances not found") + end + return results rescue + print_error("\t\t! could not identify information") + return results || [] end # method to identify mysql instances def enumerate_mysql + results = [] basekey = "HKLM\\SOFTWARE\\MySQL AB" instances = registry_enumkeys(basekey) - if not instances.nil? and not instances.empty? 
- instances.each do |i| - found = false - key = "#{basekey}\\#{i}" - val_Location = registry_getvaldata(key,"Location") - if session.fs.file.exists?(val_Location + "\\my.ini") - found = true - data = read_file(val_Location + "\\my.ini") - elsif session.fs.file.exists?(val_Location + "\\my.cnf") - found = true - data = read_file(val_Location + "\\my.cnf") - else - sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") - getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) - data = 0 - getfile.each do |file| - if data == 0 - if session.fs.file.exists?("#{file['path']}\\#{file['name']}") - found = true - data = read_file("#{file['path']}\\#{file['name']}") - end - end - end - end - if found - ports = data.scan(/port\=(\d+)/) - port = 0 - ports.each do |p| - if port == 0 - port = $1 - end - end - print_good("\t\t+ MYSQL (Port:#{port})") - else - print_error("\t\t+couldnt locate file.") - end - + if instances.nil? or instances.empty? + return results + end + instances.each do |i| + key = "#{basekey}\\#{i}" + val_location = registry_getvaldata(key,"Location") + + data = find_mysql_conf(val_location) + + if data and data =~ /port\=(\d+)/ + port = $1 + print_good("\t\t+ MYSQL (Port:#{port})") + results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port] + else + print_error("\t\t! could not identify information") end end + return results rescue + print_error("\t\t! 
could not identify information") + return results || [] end - - # method to identify mysql instances + + # method to identify sybase instances def enumerate_sybase basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer" instance = registry_getvaldata(basekey,"DSLISTEN") location = registry_getvaldata(basekey,"RootDir") - if session.fs.file.exists?(location + "\\ini\\sql.ini") - data = read_file(location + "\\ini\\sql.ini") - segments = data.scan(/\[#{instance}\]([^\[]*)/) - segment = "" - segments.each do |s| - if segment == "" - segment = $1 - end - end - port = segment.scan(/master\=\w+\,0.0.0.0\,(\d+)/) - print_good("\t\t+ #{instance} (Port:#{port})") - else - print_error("\t\t+couldnt locate file.") + results = [] + + if not exist?(location + "\\ini\\sql.ini") + print_error("\t\t! could not locate configuration file.") + return results end + + data = read_file(location + "\\ini\\sql.ini") + if data =~ /\[#{instance}\]([^\[]*)/ + segment = $1 + else + print_error("\t\t! couldnt locate information.") + return results + end + + if segment =~ /master\=\w+\,[^\,]+\,(\d+)/ + port = $1 + else + print_error("\t\t! couldnt locate information.") + return results + end + + print_good("\t\t+ #{instance} (Port:#{port})") + results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ] + return results rescue - print_error("\t\t+ couldnt locate information.") + print_error("\t\t! 
couldnt locate information.") + return results || [] end - + # method to identify db2 instances def enumerate_db2 - key = "HKLM\\SOFTWARE\\IBM\\DB2\\GLOBAL_PROFILE" - instance = registry_getvaldata(key,"DB2INSTDEF") - tcpkey = "HKLM\\SOFTWARE\\IBM\\DB2\\PROFILES\\#{instance}" - tcpport = registry_getvaldata(tcpkey,"DB2PORTRANGE") - account = registry_getvaldata(tcpkey,"DB2ACCOUNTNAME") - owner = registry_getvaldata(tcpkey,"DB2INSTOWNER") - print_good("\t\t+ #{instance} (Port:#{tcpport} , User:#{account}, Owner:#{owner})") - rescue - print_error("\t\t+#{instance}, couldnt identify instance information.") - end - + results = [] + cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist") + cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg") + if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/ + port = $1 + else + print_error("\t\t! could not identify instances information") + return results + end + + windir = session.fs.file.expand_path("%windir%") + getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1) + + data = nil + getfile.each do |file| + if exist?("#{file['path']}\\#{file['name']}") + data = read_file("#{file['path']}\\#{file['name']}") + break if not data.nil? + end + end + + if data and data =~ /#{port}[\ \t]+(\d+)/ + port_t = $1 + else + print_error("\t\t! could not identify instances information") + return results + end + + cmd_i.split("\n").compact.each do |line| + stripped=line.strip + print_good("\t\t+ #{stripped} (Port:#{port_t})") + results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ] + end + + return results + + rescue + print_error("\t\t! 
could not identify instances information") + return results || [] + end + + ##### helper methods ##### + + def find_mysql_conf(val_location) + data = nil + if exist?(val_location + "\\my.ini") + data = read_file(val_location + "\\my.ini") + elsif exist?(val_location + "\\my.cnf") + data = read_file(val_location + "\\my.cnf") + else + sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") + getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) + getfile.each do |file| + if exist?("#{file['path']}\\#{file['name']}") + data = read_file("#{file['path']}\\#{file['name']}") + break + end + end + end + return data + end - end \ No newline at end of file From 3efe9ac76147cb8bb7d012e6d5ea475f71d38482 Mon Sep 17 00:00:00 2001 From: Barry Shteiman Date: Wed, 26 Sep 2012 13:37:17 +0100 Subject: [PATCH 6/7] removed dev comments --- modules/post/windows/gather/enum_db.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb index 0ff8c6abb6..624378f867 100644 --- a/modules/post/windows/gather/enum_db.rb +++ b/modules/post/windows/gather/enum_db.rb @@ -178,10 +178,8 @@ class Metasploit3 < Msf::Post # method to identify oracle instances def enumerate_oracle results = [] - #basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN" found_key = false basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"] - basekey_set.each do |basekey| next if found_key instances = registry_enumkeys(basekey) From 5bd39536a24ee906f207b7ee62cfc04ad4e43038 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 26 Sep 2012 08:40:50 -0500 Subject: [PATCH 7/7] Reformatting with Unix linefeeds. For the curious, I like this procedure a lot, it's my new favorite: http://vim.wikia.com/wiki/File_Format#Converting_the_current_file --- modules/post/windows/gather/enum_db.rb | 704 ++++++++++++------------- 1 file changed, 352 insertions(+), 352 deletions(-) 
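Review bot: In enumerate_oracle the KEY_XE branch reads ORACLE_SID and ORACLE_HOME from `basekey` inside `instances.each`, so if KEY_XE has more than one subkey every subkey produces the same row and results (and later report_service) get one duplicate per subkey; for that key the loop body should run once, or the rows should be collected with `uniq`. In enumerate_db2 `data =~ /#{port}[\ \t]+(\d+)/` is unanchored, so a longer service name that merely contains the SVCENAME value matches first, and `cmd_i.split("\n").compact` does nothing (`compact` removes nils, not blank lines), so an empty line from db2ilist becomes an instance row; `/^#{port}[ \t]+(\d+)/` and `next if stripped.empty?` address both. `recurse=true,timeout=-1` in the two `session.fs.file.search` calls are local assignments passed positionally, not keyword arguments; write `true, -1`. The `results || []` in each rescue is only needed in enumerate_sybase, where `results = []` comes after the registry reads; a comment there, `# results is still nil if the registry lookups above raised`, would save the next reader that deduction.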
diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb index 624378f867..aee0393382 100644 --- a/modules/post/windows/gather/enum_db.rb +++ b/modules/post/windows/gather/enum_db.rb 
@@ -1,352 +1,352 @@ -## -# ## This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'rex' -require 'msf/core' -require 'msf/core/post/file' -require 'msf/core/post/common' -require 'msf/core/post/windows/registry' - -class Metasploit3 < Msf::Post - - include Msf::Post::File - include Msf::Post::Common - include Msf::Post::Windows::Registry - include Msf::Auxiliary::Report - - def initialize(info={}) - super( update_info( info, - 'Name' => 'Windows Gather Database Instance Enumeration', - 'Description' => %q{ This module will enumerate a windows system for installed database instances }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'Barry Shteiman ', # Module author - 'juan vazquez' # minor help - ], - 'Platform' => [ 'windows' ], - 'SessionTypes' => [ 'meterpreter' ] - )) - end - - # method called when command run is issued - def run - - results = [] - - print_status("Enumerating Databases on #{sysinfo['Computer']}") - if check_mssql - results += enumerate_mssql - end - if check_oracle - results += enumerate_oracle - end - if check_db2 - results += enumerate_db2 - end - if check_mysql - results += enumerate_mysql - end - if check_sybase - results += enumerate_sybase - end - - if results.empty? 
- print_status("Done, No Databases were found") - return - end - - print_status("Done, Databases Found.") - - tbl = Rex::Ui::Text::Table.new( - 'Header' => "Installed Databases", - 'Indent' => 1, - 'Columns' => - [ - "Type", - "Instance", - "Database", - "Port" - ]) - - results.each { |r| - report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}") - tbl << r - } - - print_line(tbl.to_s) - p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases") - print_status("Results stored in: #{p}") - - end - - ##### initial identification methods ##### - - # method for Checking if database instances are installed on host - mssql - def check_mssql - key = "HKLM\\SOFTWARE\\Microsoft" - if registry_enumkeys(key).include?("Microsoft SQL Server") - print_status("\tMicrosoft SQL Server found.") - return true - end - return false - rescue - return false - end - - # method for Checking if database instances are installed on host - oracle - def check_oracle - key = "HKLM\\SOFTWARE\\Oracle" - if registry_enumkeys(key).include?("ALL_HOMES") - print_status("\tOracle Server found.") - return true - elsif registry_enumkeys(key).include?("SYSMAN") - print_status("\tOracle Server found.") - return true - elsif registry_enumkeys(key).include?("KEY_XE") - print_status("\tOracle Server found.") - return true - end - return false - rescue - return false - end - - # method for Checking if database instances are installed on host - db2 - def check_db2 - key = "HKLM\\SOFTWARE\\IBM\\DB2" - if registry_enumkeys(key).include?("GLOBAL_PROFILE") - print_status("\tDB2 Server found.") - return true - end - return false - rescue - return false - end - - # method for Checking if database instances are installed on host - mysql - def check_mysql - key = "HKLM\\SOFTWARE" - if registry_enumkeys(key).include?("MySQL AB") - print_status("\tMySQL Server found.") - return true - end - return false - rescue - return false - 
end - - # method for Checking if database instances are installed on host - sybase - def check_sybase - key = "HKLM\\SOFTWARE\\Sybase" - if registry_enumkeys(key).include?("SQLServer") - print_status("\tSybase Server found.") - return true - elsif registry_enumkeys(key).include?("Server") - print_status("\tSybase Server found.") - return true - end - return false - rescue - return false - end - - ##### deep analysis methods ##### - - # method to identify mssql instances - def enumerate_mssql - results = [] - key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL" - instances = registry_enumvals(key) - if not instances.nil? and not instances.empty? - instances.each do |i| - tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll" - tcpport = registry_getvaldata(tcpkey,"TcpPort") - print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})") - results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport] - end - end - return results - rescue - print_error("\t\t! could not identify information") - return results || [] - end - - # method to identify oracle instances - def enumerate_oracle - results = [] - found_key = false - basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"] - basekey_set.each do |basekey| - next if found_key - instances = registry_enumkeys(basekey) - if instances.nil? or instances.empty? - next - else - found_key = true - end - - instances.each do |i| - if basekey.include?"KEY_XE" - val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID") - val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME") - else - key = "#{basekey}\\#{i}" - val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID") - val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME") - end - if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") - print_error("\t\t! 
#{val_ORACLE_SID} (No Listener Found)") - next - end - - data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") - if data_TNSNAMES =~ /PORT\ \=\ (\d+)/ - port = $1 - print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})") - results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ] - else - print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)") - end - end - end - if not found_key - print_error("\t\t! Oracle instances not found") - end - return results - rescue - print_error("\t\t! could not identify information") - return results || [] - end - - # method to identify mysql instances - def enumerate_mysql - results = [] - basekey = "HKLM\\SOFTWARE\\MySQL AB" - instances = registry_enumkeys(basekey) - if instances.nil? or instances.empty? - return results - end - instances.each do |i| - key = "#{basekey}\\#{i}" - val_location = registry_getvaldata(key,"Location") - - data = find_mysql_conf(val_location) - - if data and data =~ /port\=(\d+)/ - port = $1 - print_good("\t\t+ MYSQL (Port:#{port})") - results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port] - else - print_error("\t\t! could not identify information") - end - end - return results - rescue - print_error("\t\t! could not identify information") - return results || [] - end - - # method to identify sybase instances - def enumerate_sybase - basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer" - instance = registry_getvaldata(basekey,"DSLISTEN") - location = registry_getvaldata(basekey,"RootDir") - results = [] - - if not exist?(location + "\\ini\\sql.ini") - print_error("\t\t! could not locate configuration file.") - return results - end - - data = read_file(location + "\\ini\\sql.ini") - if data =~ /\[#{instance}\]([^\[]*)/ - segment = $1 - else - print_error("\t\t! couldnt locate information.") - return results - end - - if segment =~ /master\=\w+\,[^\,]+\,(\d+)/ - port = $1 - else - print_error("\t\t! 
couldnt locate information.") - return results - end - - print_good("\t\t+ #{instance} (Port:#{port})") - results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ] - return results - rescue - print_error("\t\t! couldnt locate information.") - return results || [] - end - - # method to identify db2 instances - def enumerate_db2 - results = [] - cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist") - cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg") - if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/ - port = $1 - else - print_error("\t\t! could not identify instances information") - return results - end - - windir = session.fs.file.expand_path("%windir%") - getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1) - - data = nil - getfile.each do |file| - if exist?("#{file['path']}\\#{file['name']}") - data = read_file("#{file['path']}\\#{file['name']}") - break if not data.nil? - end - end - - if data and data =~ /#{port}[\ \t]+(\d+)/ - port_t = $1 - else - print_error("\t\t! could not identify instances information") - return results - end - - cmd_i.split("\n").compact.each do |line| - stripped=line.strip - print_good("\t\t+ #{stripped} (Port:#{port_t})") - results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ] - end - - return results - - rescue - print_error("\t\t! 
could not identify instances information") - return results || [] - end - - ##### helper methods ##### - - def find_mysql_conf(val_location) - data = nil - if exist?(val_location + "\\my.ini") - data = read_file(val_location + "\\my.ini") - elsif exist?(val_location + "\\my.cnf") - data = read_file(val_location + "\\my.cnf") - else - sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") - getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) - getfile.each do |file| - if exist?("#{file['path']}\\#{file['name']}") - data = read_file("#{file['path']}\\#{file['name']}") - break - end - end - end - return data - end - -end \ No newline at end of file +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'rex' +require 'msf/core' +require 'msf/core/post/file' +require 'msf/core/post/common' +require 'msf/core/post/windows/registry' + +class Metasploit3 < Msf::Post + + include Msf::Post::File + include Msf::Post::Common + include Msf::Post::Windows::Registry + include Msf::Auxiliary::Report + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Gather Database Instance Enumeration', + 'Description' => %q{ This module will enumerate a windows system for installed database instances }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Barry Shteiman ', # Module author + 'juan vazquez' # minor help + ], + 'Platform' => [ 'windows' ], + 'SessionTypes' => [ 'meterpreter' ] + )) + end + + # method called when command run is issued + def run + + results = [] + + print_status("Enumerating Databases on #{sysinfo['Computer']}") + if check_mssql + results += enumerate_mssql + end + if check_oracle + results += enumerate_oracle + end + if check_db2 + results += enumerate_db2 + end + if check_mysql + results += enumerate_mysql + end + if 
check_sybase + results += enumerate_sybase + end + + if results.empty? + print_status("Done, No Databases were found") + return + end + + print_status("Done, Databases Found.") + + tbl = Rex::Ui::Text::Table.new( + 'Header' => "Installed Databases", + 'Indent' => 1, + 'Columns' => + [ + "Type", + "Instance", + "Database", + "Port" + ]) + + results.each { |r| + report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}") + tbl << r + } + + print_line(tbl.to_s) + p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases") + print_status("Results stored in: #{p}") + + end + + ##### initial identification methods ##### + + # method for Checking if database instances are installed on host - mssql + def check_mssql + key = "HKLM\\SOFTWARE\\Microsoft" + if registry_enumkeys(key).include?("Microsoft SQL Server") + print_status("\tMicrosoft SQL Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - oracle + def check_oracle + key = "HKLM\\SOFTWARE\\Oracle" + if registry_enumkeys(key).include?("ALL_HOMES") + print_status("\tOracle Server found.") + return true + elsif registry_enumkeys(key).include?("SYSMAN") + print_status("\tOracle Server found.") + return true + elsif registry_enumkeys(key).include?("KEY_XE") + print_status("\tOracle Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - db2 + def check_db2 + key = "HKLM\\SOFTWARE\\IBM\\DB2" + if registry_enumkeys(key).include?("GLOBAL_PROFILE") + print_status("\tDB2 Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - mysql + def check_mysql + key = "HKLM\\SOFTWARE" + if registry_enumkeys(key).include?("MySQL AB") + print_status("\tMySQL 
Server found.") + return true + end + return false + rescue + return false + end + + # method for Checking if database instances are installed on host - sybase + def check_sybase + key = "HKLM\\SOFTWARE\\Sybase" + if registry_enumkeys(key).include?("SQLServer") + print_status("\tSybase Server found.") + return true + elsif registry_enumkeys(key).include?("Server") + print_status("\tSybase Server found.") + return true + end + return false + rescue + return false + end + + ##### deep analysis methods ##### + + # method to identify mssql instances + def enumerate_mssql + results = [] + key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL" + instances = registry_enumvals(key) + if not instances.nil? and not instances.empty? + instances.each do |i| + tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll" + tcpport = registry_getvaldata(tcpkey,"TcpPort") + print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})") + results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport] + end + end + return results + rescue + print_error("\t\t! could not identify information") + return results || [] + end + + # method to identify oracle instances + def enumerate_oracle + results = [] + found_key = false + basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"] + basekey_set.each do |basekey| + next if found_key + instances = registry_enumkeys(basekey) + if instances.nil? or instances.empty? 
+ next + else + found_key = true + end + + instances.each do |i| + if basekey.include?"KEY_XE" + val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID") + val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME") + else + key = "#{basekey}\\#{i}" + val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID") + val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME") + end + if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)") + next + end + + data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora") + if data_TNSNAMES =~ /PORT\ \=\ (\d+)/ + port = $1 + print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})") + results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ] + else + print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)") + end + end + end + if not found_key + print_error("\t\t! Oracle instances not found") + end + return results + rescue + print_error("\t\t! could not identify information") + return results || [] + end + + # method to identify mysql instances + def enumerate_mysql + results = [] + basekey = "HKLM\\SOFTWARE\\MySQL AB" + instances = registry_enumkeys(basekey) + if instances.nil? or instances.empty? + return results + end + instances.each do |i| + key = "#{basekey}\\#{i}" + val_location = registry_getvaldata(key,"Location") + + data = find_mysql_conf(val_location) + + if data and data =~ /port\=(\d+)/ + port = $1 + print_good("\t\t+ MYSQL (Port:#{port})") + results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port] + else + print_error("\t\t! could not identify information") + end + end + return results + rescue + print_error("\t\t! 
could not identify information") + return results || [] + end + + # method to identify sybase instances + def enumerate_sybase + basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer" + instance = registry_getvaldata(basekey,"DSLISTEN") + location = registry_getvaldata(basekey,"RootDir") + results = [] + + if not exist?(location + "\\ini\\sql.ini") + print_error("\t\t! could not locate configuration file.") + return results + end + + data = read_file(location + "\\ini\\sql.ini") + if data =~ /\[#{instance}\]([^\[]*)/ + segment = $1 + else + print_error("\t\t! couldnt locate information.") + return results + end + + if segment =~ /master\=\w+\,[^\,]+\,(\d+)/ + port = $1 + else + print_error("\t\t! couldnt locate information.") + return results + end + + print_good("\t\t+ #{instance} (Port:#{port})") + results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ] + return results + rescue + print_error("\t\t! couldnt locate information.") + return results || [] + end + + # method to identify db2 instances + def enumerate_db2 + results = [] + cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist") + cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg") + if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/ + port = $1 + else + print_error("\t\t! could not identify instances information") + return results + end + + windir = session.fs.file.expand_path("%windir%") + getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1) + + data = nil + getfile.each do |file| + if exist?("#{file['path']}\\#{file['name']}") + data = read_file("#{file['path']}\\#{file['name']}") + break if not data.nil? + end + end + + if data and data =~ /#{port}[\ \t]+(\d+)/ + port_t = $1 + else + print_error("\t\t! 
could not identify instances information") + return results + end + + cmd_i.split("\n").compact.each do |line| + stripped=line.strip + print_good("\t\t+ #{stripped} (Port:#{port_t})") + results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ] + end + + return results + + rescue + print_error("\t\t! could not identify instances information") + return results || [] + end + + ##### helper methods ##### + + def find_mysql_conf(val_location) + data = nil + if exist?(val_location + "\\my.ini") + data = read_file(val_location + "\\my.ini") + elsif exist?(val_location + "\\my.cnf") + data = read_file(val_location + "\\my.cnf") + else + sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") + getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) + getfile.each do |file| + if exist?("#{file['path']}\\#{file['name']}") + data = read_file("#{file['path']}\\#{file['name']}") + break + end + end + end + return data + end + +end