metasploit-framework/modules/post/windows/gather/enum_db.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex'
require 'msf/core'
require 'msf/core/auxiliary/report'

class Metasploit3 < Msf::Post

  include Msf::Post::File
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Gather Database Instance Enumeration',
      'Description'   => %q{ This module will enumerate a windows system for installed database instances },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Barry Shteiman <barry[at]sectorix.com>', # Module author
        'juan vazquez' # minor help
      ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  # method called when command run is issued
  def run

    results = []

    print_status("Enumerating Databases on #{sysinfo['Computer']}")
    if check_mssql
      results += enumerate_mssql
    end
    if check_oracle
      results += enumerate_oracle
    end
    if check_db2
      results += enumerate_db2
    end
    if check_mysql
      results += enumerate_mysql
    end
    if check_sybase
      results += enumerate_sybase
    end

    if results.empty?
      print_status("Done, No Databases were found")
      return
    end

    print_status("Done, Databases Found.")

    tbl = Rex::Ui::Text::Table.new(
      'Header'  => "Installed Databases",
      'Indent'  => 1,
      'Columns' =>
        [
          "Type",
          "Instance",
          "Database",
          "Port"
        ])

    results.each { |r|
      report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}")
      tbl << r
    }

    print_line(tbl.to_s)
    p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases")
    print_status("Results stored in: #{p}")

  end

  ##### initial identification methods #####

  # method for Checking if database instances are installed on host - mssql
  def check_mssql
    key = "HKLM\\SOFTWARE\\Microsoft"
    if registry_enumkeys(key).include?("Microsoft SQL Server")
      print_status("\tMicrosoft SQL Server found.")
      return true
    end
    return false
  rescue
    return false
  end

  # method for Checking if database instances are installed on host - oracle
  def check_oracle
    key = "HKLM\\SOFTWARE\\Oracle"
    if registry_enumkeys(key).include?("ALL_HOMES")
      print_status("\tOracle Server found.")
      return true
    elsif registry_enumkeys(key).include?("SYSMAN")
      print_status("\tOracle Server found.")
      return true
    elsif registry_enumkeys(key).include?("KEY_XE")
      print_status("\tOracle Server found.")
      return true
    end
    return false
  rescue
    return false
  end

  # method for Checking if database instances are installed on host - db2
  def check_db2
    key = "HKLM\\SOFTWARE\\IBM\\DB2"
    if registry_enumkeys(key).include?("GLOBAL_PROFILE")
      print_status("\tDB2 Server found.")
      return true
    end
    return false
  rescue
    return false
  end

  # method for Checking if database instances are installed on host - mysql
  def check_mysql
    key = "HKLM\\SOFTWARE"
    if registry_enumkeys(key).include?("MySQL AB")
      print_status("\tMySQL Server found.")
      return true
    end
    return false
  rescue
    return false
  end

  # method for Checking if database instances are installed on host - sybase
  def check_sybase
    key = "HKLM\\SOFTWARE\\Sybase"
    if registry_enumkeys(key).include?("SQLServer")
      print_status("\tSybase Server found.")
      return true
    elsif registry_enumkeys(key).include?("Server")
      print_status("\tSybase Server found.")
      return true
    end
    return false
  rescue
    return false
  end

  ##### deep analysis methods #####

  # method to identify mssql instances
  def enumerate_mssql
    results = []
    key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL"
    instances = registry_enumvals(key)
    if not instances.nil? and not instances.empty?
      instances.each do |i|
        tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll"
        tcpport = registry_getvaldata(tcpkey,"TcpPort")
        print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})")
        results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport]
      end
    end
    return results
  rescue
    print_error("\t\t! could not identify information")
    return results || []
  end

  # method to identify oracle instances
  def enumerate_oracle
    results = []
    found_key = false
    basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"]
    basekey_set.each do |basekey|
      next if found_key
      instances = registry_enumkeys(basekey)
      if instances.nil? or instances.empty?
        next
      else
        found_key = true
      end

      instances.each do |i|
        if basekey.include?"KEY_XE"
          val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID")
          val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME")
        else
          key = "#{basekey}\\#{i}"
          val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")
          val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME")
        end
        if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
          print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
          next
        end

        data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
        if data_TNSNAMES =~ /PORT\ \=\ (\d+)/
          port = $1
          print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})")
          results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ]
        else
          print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
        end
      end
    end
    if not found_key
      print_error("\t\t! Oracle instances not found")
    end
    return results
  rescue
    print_error("\t\t! could not identify information")
    return results || []
  end

  # method to identify mysql instances
  def enumerate_mysql
    results = []
    basekey = "HKLM\\SOFTWARE\\MySQL AB"
    instances = registry_enumkeys(basekey)
    if  instances.nil? or instances.empty?
      return results
    end
    instances.each do |i|
      key = "#{basekey}\\#{i}"
      val_location = registry_getvaldata(key,"Location")

      data = find_mysql_conf(val_location)

      if data and data =~ /port\=(\d+)/
        port = $1
        print_good("\t\t+ MYSQL (Port:#{port})")
        results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port]
      else
        print_error("\t\t! could not identify information")
      end
    end
    return results
  rescue
    print_error("\t\t! could not identify information")
    return results || []
  end

  # method to identify sybase instances
  def enumerate_sybase
    basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer"
    instance = registry_getvaldata(basekey,"DSLISTEN")
    location = registry_getvaldata(basekey,"RootDir")
    results = []

    if not exist?(location + "\\ini\\sql.ini")
      print_error("\t\t! could not locate configuration file.")
      return results
    end

    data = read_file(location + "\\ini\\sql.ini")
    if data =~ /\[#{instance}\]([^\[]*)/
      segment = $1
    else
      print_error("\t\t! couldnt locate information.")
      return results
    end

    if segment =~ /master\=\w+\,[^\,]+\,(\d+)/
      port = $1
    else
      print_error("\t\t! couldnt locate information.")
      return results
    end

    print_good("\t\t+ #{instance} (Port:#{port})")
    results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ]
    return results
  rescue
    print_error("\t\t! couldnt locate information.")
    return results || []
  end

  # method to identify db2 instances
  def enumerate_db2
    results = []
    cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist")
    cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg")
    if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/
      port = $1
    else
      print_error("\t\t! could not identify instances information")
      return results
    end

    windir = session.sys.config.getenv('windir')
    getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)

    data = nil
    getfile.each do |file|
      if exist?("#{file['path']}\\#{file['name']}")
        data = read_file("#{file['path']}\\#{file['name']}")
        break if not data.nil?
      end
    end

    if data and data =~ /#{port}[\ \t]+(\d+)/
      port_t = $1
    else
      print_error("\t\t! could not identify instances information")
      return results
    end

    cmd_i.split("\n").compact.each do |line|
      stripped=line.strip
      print_good("\t\t+ #{stripped} (Port:#{port_t})")
      results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ]
    end

    return results

  rescue
    print_error("\t\t! could not identify instances information")
    return results || []
  end

  ##### helper methods #####

  def find_mysql_conf(val_location)
    data = nil
    if exist?(val_location + "\\my.ini")
      data = read_file(val_location + "\\my.ini")
    elsif exist?(val_location + "\\my.cnf")
      data = read_file(val_location + "\\my.cnf")
    else
      sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
      getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
      getfile.each do |file|
        if exist?("#{file['path']}\\#{file['name']}")
          data = read_file("#{file['path']}\\#{file['name']}")
          break
        end
      end
    end
    return data
  end

end