Merge pull request #37 from rapid7/feature/MSP-9750/MSSQL_hashdump

Specs and functional tests passing. MSP-9750 #land
rapid7 · Jun 5, 2014 · 75e4e81 · 75e4e81
2 parents af20e8f + d3949b3
commit 75e4e81
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 11 deletions.
diff --git a/Gemfile b/Gemfile
@@ -27,7 +27,7 @@ group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Metasploit::Creential database models
-  gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.1.8-metasploit-credential'
+  gem 'metasploit-credential', git: 'github-metasploit-credential:rapid7/metasploit-credential.git', tag: 'v0.1.10-metasploit-credential'
   # Database models shared between framework and Pro.
   gem 'metasploit_data_models', '~> 0.17.1'
   # Needed for module caching in Mdm::ModuleDetails

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,9 +1,9 @@
 GIT
   remote: github-metasploit-credential:rapid7/metasploit-credential.git
-  revision: 2be17e6327b4a5caa9a22ffc0b064923a25a222c
-  tag: v0.1.8-metasploit-credential
+  revision: 728ab82ab069edb21815fa944c1b8224b0511376
+  tag: v0.1.10-metasploit-credential
   specs:
-    metasploit-credential (0.1.8.pre.electro.pre.release)
+    metasploit-credential (0.1.10.pre.electro.pre.release)
       metasploit-concern (~> 0.0.4)
       metasploit_data_models (~> 0.17.0)
       rubyntlm

diff --git a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
@@ -55,10 +55,10 @@ def report_hashes(mssql_hashes, version_year)
 
     case version_year
     when "2000"
-      hashtype = "mssql.hashes"
+      hashtype = "mssql"
 
-    when "2005", "2008"
-      hashtype = "mssql05.hashes"
+    when "2005", "2008", "2012", "2014"
+      hashtype = "mssql05"
     end
 
     this_service = report_service(
@@ -74,15 +74,42 @@ def report_hashes(mssql_hashes, version_year)
       'Columns' => ['Username', 'Hash']
     )
 
-    hash_loot=""
+    service_data = {
+        address: ::Rex::Socket.getaddress(rhost,true),
+        port: rport,
+        service_name: 'mssql',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
     mssql_hashes.each do |row|
       next if row[0].nil? or row[1].nil?
       next if row[0].empty? or row[1].empty?
+
+      credential_data = {
+          module_fullname: self.fullname,
+          origin_type: :service,
+          private_type: :nonreplayable_hash,
+          private_data: row[1],
+          username: row[0],
+          jtr_format: hashtype
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      login_data = {
+        core: credential_core,
+        status: Metasploit::Credential::Login::Status::UNTRIED
+      }
+
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
+
       tbl << [row[0], row[1]]
       print_good("#{rhost}:#{rport} - Saving #{hashtype} = #{row[0]}:#{row[1]}")
     end
-    filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlhashes.txt"
-    store_loot(hashtype, "text/plain", datastore['RHOST'], tbl.to_csv, filename, "MS SQL Hashes", this_service)
   end
 
   #Grabs the user tables depending on what Version of MSSQL
@@ -99,7 +126,7 @@ def mssql_hashdump(version_year)
     when "2000"
       results = mssql_query(mssql_2k_password_hashes())[:rows]
 
-    when "2005", "2008"
+    when "2005", "2008", "2012", "2014"
       results = mssql_query(mssql_2k5_password_hashes())[:rows]
     end