forked from p34709852/monkey
Merge pull request #142 from guardicore/feature/MSSQL_fingerprint
Feature/mssql fingerprint
This commit is contained in:
commit
f55133e8c1
|
@ -8,7 +8,8 @@ from itertools import product
|
|||
|
||||
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \
|
||||
SambaCryExploiter, ElasticGroovyExploiter
|
||||
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger
|
||||
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger, \
|
||||
MSSQLFinger
|
||||
|
||||
__author__ = 'itamar'
|
||||
|
||||
|
@ -145,7 +146,7 @@ class Configuration(object):
|
|||
max_iterations = 1
|
||||
|
||||
scanner_class = TcpScanner
|
||||
finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger, ElasticFinger]
|
||||
finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger, ElasticFinger, MSSQLFinger]
|
||||
exploiter_classes = [SmbExploiter, WmiExploiter, # Windows exploits
|
||||
SSHExploiter, ShellShockExploiter, SambaCryExploiter, # Linux
|
||||
ElasticGroovyExploiter, # multi
|
||||
|
|
|
@ -44,6 +44,7 @@
|
|||
"HTTPFinger",
|
||||
"SMBFinger",
|
||||
"MySQLFinger",
|
||||
"MSSQLFingerprint",
|
||||
"ElasticFinger"
|
||||
],
|
||||
"max_iterations": 3,
|
||||
|
|
|
@ -27,3 +27,4 @@ from elasticfinger import ElasticFinger
|
|||
from mysqlfinger import MySQLFinger
|
||||
from info import local_ips
|
||||
from info import get_free_tcp_port
|
||||
from mssql_fingerprint import MSSQLFinger
|
|
@ -0,0 +1,74 @@
|
|||
import logging
|
||||
import socket
|
||||
|
||||
from model.host import VictimHost
|
||||
from network import HostFinger
|
||||
|
||||
__author__ = 'Maor Rayzin'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class MSSQLFinger(HostFinger):
|
||||
|
||||
# Class related consts
|
||||
SQL_BROWSER_DEFAULT_PORT = 1434
|
||||
BUFFER_SIZE = 4096
|
||||
TIMEOUT = 5
|
||||
SERVICE_NAME = 'MSSQL'
|
||||
|
||||
def __init__(self):
|
||||
self._config = __import__('config').WormConfiguration
|
||||
|
||||
def get_host_fingerprint(self, host):
|
||||
"""Gets Microsoft SQL Server instance information by querying the SQL Browser service.
|
||||
:arg:
|
||||
host (VictimHost): The MS-SSQL Server to query for information.
|
||||
|
||||
:returns:
|
||||
Discovered server information written to the Host info struct.
|
||||
True if success, False otherwise.
|
||||
"""
|
||||
|
||||
assert isinstance(host, VictimHost)
|
||||
|
||||
# Create a UDP socket and sets a timeout
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
sock.settimeout(self.TIMEOUT)
|
||||
server_address = (str(host.ip_addr), self.SQL_BROWSER_DEFAULT_PORT)
|
||||
|
||||
# The message is a CLNT_UCAST_EX packet to get all instances
|
||||
# https://msdn.microsoft.com/en-us/library/cc219745.aspx
|
||||
message = '\x03'
|
||||
|
||||
# Encode the message as a bytesarray
|
||||
message = message.encode()
|
||||
|
||||
# send data and receive response
|
||||
try:
|
||||
LOG.info('Sending message to requested host: {0}, {1}'.format(host, message))
|
||||
sock.sendto(message, server_address)
|
||||
data, server = sock.recvfrom(self.BUFFER_SIZE)
|
||||
except socket.timeout:
|
||||
LOG.info('Socket timeout reached, maybe browser service on host: {0} doesnt exist'.format(host))
|
||||
sock.close()
|
||||
return False
|
||||
|
||||
host.services[self.SERVICE_NAME] = {}
|
||||
|
||||
# Loop through the server data
|
||||
instances_list = data[3:].decode().split(';;')
|
||||
LOG.info('{0} MSSQL instances found'.format(len(instances_list)))
|
||||
for instance in instances_list:
|
||||
instance_info = instance.split(';')
|
||||
if len(instance_info) > 1:
|
||||
host.services[self.SERVICE_NAME][instance_info[1]] = {}
|
||||
for i in range(1, len(instance_info), 2):
|
||||
# Each instance's info is nested under its own name, if there are multiple instances
|
||||
# each will appear under its own name
|
||||
host.services[self.SERVICE_NAME][instance_info[1]][instance_info[i - 1]] = instance_info[i]
|
||||
|
||||
# Close the socket
|
||||
sock.close()
|
||||
|
||||
return True
|
|
@ -121,6 +121,14 @@ SCHEMA = {
|
|||
],
|
||||
"title": "MySQLFinger"
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"MSSQLFinger"
|
||||
],
|
||||
"title": "MSSQLFinger"
|
||||
},
|
||||
|
||||
{
|
||||
"type": "string",
|
||||
"enum": [
|
||||
|
@ -367,6 +375,7 @@ SCHEMA = {
|
|||
"PingScanner",
|
||||
"HTTPFinger",
|
||||
"MySQLFinger",
|
||||
"MSSQLFinger",
|
||||
"ElasticFinger"
|
||||
],
|
||||
"description": "Determines which classes to use for fingerprinting"
|
||||
|
|
Loading…
Reference in New Issue