Convert non-loginscanner MSSQL to rubyntlm

Author: egypt

lib/metasploit/framework/mssql/client.rb

@@ -89,7 +89,7 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
               domain: domain_name,
             )
             type1 = ntlm_client.init_context
-            # At least SQL 2012 does not support KEY_EXCHANGE
+            # SQL 2012, at least, does not support KEY_EXCHANGE
             type1.flag &= ~ ::Net::NTLM::FLAGS[:KEY_EXCHANGE]
             ntlmsspblob = type1.serialize
 
@@ -142,13 +142,12 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
             # has a strange behavior that differs from the specifications
             # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
             # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
-
             if tdsencryption == true
                proxy = TDSSSLProxy.new(sock)
                proxy.setup_ssl
-               resp = proxy.send_recv(pkt)
+               resp = proxy.send_recv(pkt, 15, false)
             else
-               resp = mssql_send_recv(pkt)
+               resp = mssql_send_recv(pkt, 15, false)
             end
 
             # Strip the TDS header
@@ -160,16 +159,16 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
             idx = 0
             pkt = ''
             pkt_hdr = ''
-            pkt_hdr =	[
-                TYPE_SSPI_MESSAGE, #type
-                STATUS_END_OF_MESSAGE, #status
-                0x0000, #length
-                0x0000, # SPID
-                0x01, # PacketID
-                0x00 #Window
+            pkt_hdr = [
+              TYPE_SSPI_MESSAGE, #type
+              STATUS_END_OF_MESSAGE, #status
+              0x0000, #length
+              0x0000, # SPID
+              0x01, # PacketID
+              0x00 #Window
             ]
 
-            pkt_hdr[2]	= 	type3_blob.length + 8
+            pkt_hdr[2] = type3_blob.length + 8
 
             pkt = pkt_hdr.pack("CCnnCC") + type3_blob
 

lib/msf/core/exploit/mssql.rb

@@ -1,10 +1,6 @@
 # -*- coding: binary -*-
 require 'msf/core'
 require 'msf/core/exploit/mssql_commands'
-require 'rex/proto/ntlm/crypt'
-require 'rex/proto/ntlm/constants'
-require 'rex/proto/ntlm/utils'
-require 'rex/proto/ntlm/exceptions'
 
 
 module Msf
@@ -21,14 +17,6 @@ module Exploit::Remote::MSSQL
   include Exploit::Remote::Tcp
   include Exploit::Remote::NTLM::Client
 
-  #
-  # Constants
-  #
-  NTLM_CRYPT = Rex::Proto::NTLM::Crypt
-  NTLM_CONST = Rex::Proto::NTLM::Constants
-  NTLM_UTILS = Rex::Proto::NTLM::Utils
-  NTLM_XCEPT = Rex::Proto::NTLM::Exceptions
-
   # Encryption
   ENCRYPT_OFF     = 0x00 #Encryption is available but off.
   ENCRYPT_ON      = 0x01 #Encryption is available and on.
@@ -394,10 +382,7 @@ def mssql_login(user='sa', pass='', db='')
       return false
     end
 
-    $stderr.puts 'login'
-
     if datastore['USE_WINDOWS_AUTHENT']
-      $stderr.puts 'windows auth'
 
       idx = 0
       pkt = ''
@@ -436,12 +421,15 @@ def mssql_login(user='sa', pass='', db='')
       domain_name = datastore['DOMAIN']
 
       ntlm_client = ::Net::NTLM::Client.new(
-        opts['username'],
-        opts['password'],
+        user,
+        pass,
         workstation: workstation_name,
         domain: domain_name,
       )
-      ntlmsspblob = ntlm_client.init_context
+      type1 = ntlm_client.init_context
+      # SQL 2012, at least, does not support KEY_EXCHANGE
+      type1.flag &= ~ ::Net::NTLM::FLAGS[:KEY_EXCHANGE]
+      ntlmsspblob = type1.serialize
 
       idx = pkt.size + 50 # lengths below
 
@@ -492,56 +480,36 @@ def mssql_login(user='sa', pass='', db='')
       # has a strange behavior that differs from the specifications
       # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
       # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
-      resp = mssql_send_recv(pkt,15, false)
+      resp = mssql_send_recv(pkt, 15, false)
 
-      # Get default data
-      begin
-        blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(resp)
-      # a domain.length < 3 will hit this
-      rescue NTLM_XCEPT::NTLMMissingChallenge
+      unless resp.include?("NTLMSSP")
         info = {:errors => []}
         mssql_parse_reply(resp, info)
         mssql_print_reply(info)
         return false
       end
-      challenge_key = blob_data[:challenge_key]
-      _server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
-      #netbios name
-      default_name =  blob_data[:default_name] || ''
-      #netbios domain
-      default_domain = blob_data[:default_domain] || ''
-      #dns name
-      dns_host_name =  blob_data[:dns_host_name] || ''
-      #dns domain
-      dns_domain_name =  blob_data[:dns_domain_name] || ''
-      #Client time
-      chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
-
-      spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name =>  self.rhost}
-
-      resp_lm, resp_ntlm, _client_challenge, _ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(user, pass, challenge_key,
-                        domain_name, default_name, default_domain,
-                        dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
-                        spnopt, ntlm_options)
-
-      ntlmssp = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, user, resp_lm, resp_ntlm, '', ntlmssp_flags)
+
+      # Get default data
+      resp = resp[3..-1]
+      type3 = ntlm_client.init_context([resp].pack('m'))
+      type3_blob = type3.serialize
 
       # Create an SSPIMessage
       idx = 0
       pkt = ''
       pkt_hdr = ''
-      pkt_hdr =	[
-          TYPE_SSPI_MESSAGE, #type
-          STATUS_END_OF_MESSAGE, #status
-          0x0000, #length
-          0x0000, # SPID
-          0x01, # PacketID
-          0x00 #Window
-          ]
+      pkt_hdr = [
+        TYPE_SSPI_MESSAGE, #type
+        STATUS_END_OF_MESSAGE, #status
+        0x0000, #length
+        0x0000, # SPID
+        0x01, # PacketID
+        0x00 #Window
+      ]
 
-      pkt_hdr[2]	= 	ntlmssp.length + 8
+      pkt_hdr[2] = type3_blob.length + 8
 
-      pkt = pkt_hdr.pack("CCnnCC") + ntlmssp
+      pkt = pkt_hdr.pack("CCnnCC") + type3_blob
 
       resp = mssql_send_recv(pkt)
 
@@ -984,7 +952,7 @@ def mssql_parse_info(data, info)
   #
   def mssql_parse_login_ack(data, info)
     len  = data.slice!(0,2).unpack('v')[0]
-    buff = data.slice!(0,len)
+    _buff = data.slice!(0,len)
     info[:login_ack] = true
   end
 end

modules/auxiliary/scanner/mssql/mssql_hashdump.rb

@@ -31,7 +31,7 @@ def initialize
   def run_host(ip)
 
     if !mssql_login_datastore
-      print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
+      print_error("Invalid SQL Server credentials")
       return
     end
 
@@ -150,7 +150,7 @@ def report_hashes(mssql_hashes, version_year)
       login = create_credential_login(login_data)
 
       tbl << [row[0], row[1]]
-      print_good("#{rhost}:#{rport} - Saving #{hashtype} = #{row[0]}:#{row[1]}")
+      print_good("Saving #{hashtype} = #{row[0]}:#{row[1]}")
     end
   end
 
@@ -160,7 +160,7 @@ def mssql_hashdump(version_year)
     is_sysadmin = mssql_query(mssql_is_sysadmin())[:rows][0][0]
 
     if is_sysadmin == 0
-      print_error("#{rhost}:#{rport} - The provided credentials do not have privileges to read the password hashes")
+      print_error("The provided credentials do not have privileges to read the password hashes")
       return nil
     end