
Add Proxies support to creating a session with mssql_login #18848

Merged
merged 1 commit into from Feb 19, 2024

Conversation


@sjanusz-r7 sjanusz-r7 commented Feb 16, 2024

This PR allows mssql_login to correctly work over a provided SOCKS proxy.

Setup

Ubuntu VM, macOS host running two instances of Framework:

  • Instance 1
    • Has a Meterpreter session running on the Ubuntu VM
    • Has added routes to the private Docker IP ranges using route add x.x.x.x/32 -1
    • Has a socks_proxy module running on port 1080
  • Instance 2
    • Runs the mssql_login module
    • Uses the first instance as a proxy to access Ubuntu VM's private Docker IP ranges

Before

```
msf6 auxiliary(scanner/mssql/mssql_login) > run proxies=socks5:192.168.112.1:1080 rhost=172.17.0.4 rport=1433 stop_on_success=true CreateSession=true username=sa password=MyMSSQLServerPassword__<> verbose=true

[*] 172.17.0.4:1433       - 172.17.0.4:1433 - MSSQL - Starting authentication scanner.
[-] 172.17.0.4:1433       - 172.17.0.4:1433 - LOGIN FAILED: WORKSTATION\sa:MyMSSQLServerPassword__<> (Unable to Connect: The connection with (172.17.0.4:1433) timed out.)
[-] 172.17.0.4:1433       - 172.17.0.4:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: The connection with (172.17.0.4:1433) timed out.)
[*] 172.17.0.4:1433       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

After

```
msf6 auxiliary(scanner/mssql/mssql_login) > run proxies=socks5:192.168.112.1:1080 rhost=172.17.0.4 rport=1433 stop_on_success=true CreateSession=true username=sa password=MyMSSQLServerPassword__<> verbose=true

[*] 172.17.0.4:1433       - 172.17.0.4:1433 - MSSQL - Starting authentication scanner.
[+] 172.17.0.4:1433       - 172.17.0.4:1433 - Login Successful: WORKSTATION\sa:MyMSSQLServerPassword__<>
[*] MSSQL session 1 opened (192.168.112.1:52867 -> 192.168.112.1:1080) at 2024-02-17 01:30:01 +0000
[*] 172.17.0.4:1433       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
[*] Starting interaction with 1...

MSSQL @ 192.168.112.1:1080 (master) > query select @@version;

[*] 172.17.0.4:1433       - SQL Query: select @@version;
[*] 172.17.0.4:1433       - Row Count: 1 (Status: 16 Command: 193)
Response
========

 NULL
 ----
 Microsoft SQL Server 2022 (RTM-CU9) (KB5030731) - 16.0.4085.2 (X64)
        Sep 27 2023 12:05:43
        Copyright (C) 2022 Microsoft C
 orporation
        Enterprise Evaluation Edition (64-bit) on Linux (Ubuntu 22.04.3 LTS) <X64>
```

Wireshark

image

The above screenshot shows no leaked destination IP (the private Docker IP range in the Ubuntu VM).

image

The above screenshot shows an encrypted TCP stream when executing query select @@version; in the MSSQL session.

Verification

You might want to ensure that on your host, you have no Docker containers running so that false positives with the same IP on the host and VM are avoided.

  • Start msfconsole on your host
  • Have Docker installed on your Ubuntu VM
  • Set up an MSSQL container
  • Get a Meterpreter x64 session on your Ubuntu VM
  • In the Framework console, run route add to add the internal Docker IP from Ubuntu to the routing table (you may be able to call route add 172.17.0.1/24 -1)
  • Set up a SOCKS proxy on the first instance using use socks_proxy
  • Run a second Framework instance on your host
  • use mssql_login
  • Pass in the proxies= option pointing to your IP and the port used by the socks_proxy
  • run proxies=socks5:your_ip:1080 rhost=ubuntu_vm_internal_docker_ip rport=1433 stop_on_success=true CreateSession=true username=sa password=whatever_password_you_picked verbose=true
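The two Wireshark observations and the proxies= option in the steps above come down to one mechanism: with a SOCKS5 proxy configured, the host's TCP stack only ever connects to the proxy (192.168.112.1:1080 in the PR), and the real destination travels inside the SOCKS5 CONNECT request, so a capture on the host never shows the Docker IP. The "Before" timeout is what the module reported when it tried to reach the Docker IP directly instead. The following Ruby is an added example written for this page, not code from the PR or from Metasploit's Rex library: it parses a Metasploit-style `type:host:port` proxy string, reports which endpoint actually appears on the wire, and builds and parses the SOCKS5 greeting, CONNECT request and reply (RFC 1928). The helper names, the accepted proxy-type list and the sample reply bytes are assumptions made for the illustration; nothing here opens a network connection.

```ruby
# Added example, not code from the Metasploit PR: a minimal, offline model of
# what `proxies=socks5:host:port` implies on the wire. Helper names and the
# accepted proxy-type list are assumptions for this illustration.
require 'ipaddr'

SOCKS5_VERSION     = 0x05
SOCKS5_NO_AUTH     = 0x00
SOCKS5_CMD_CONNECT = 0x01
SOCKS5_ATYP_IPV4   = 0x01
SOCKS5_ATYP_DOMAIN = 0x03
SOCKS5_ATYP_IPV6   = 0x04
SOCKS5_REPLY_CODES = {
  0 => 'succeeded', 1 => 'general SOCKS server failure',
  2 => 'connection not allowed by ruleset', 3 => 'network unreachable',
  4 => 'host unreachable', 5 => 'connection refused', 6 => 'TTL expired',
  7 => 'command not supported', 8 => 'address type not supported'
}.freeze
PROXY_TYPES = %w[socks4 socks5 http].freeze # assumed subset for this example

# Parse a comma-separated "type:host:port" chain, e.g. "socks5:192.168.112.1:1080".
# (IPv6 proxy hosts would need bracket handling; out of scope here.)
def parse_proxies(str)
  str.to_s.split(',').map(&:strip).reject(&:empty?).map do |entry|
    type, host, port = entry.split(':', 3)
    raise ArgumentError, "malformed proxy entry: #{entry}" if host.nil? || port.nil? || host.empty?
    raise ArgumentError, "unsupported proxy type: #{type}" unless PROXY_TYPES.include?(type.downcase)
    port = Integer(port)
    raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)
    { type: type.downcase, host: host, port: port }
  end
end

# The endpoint the local TCP stack actually connects to: the first proxy in the
# chain, or the target itself when no proxy is configured. This is why the
# capture on the host shows only 192.168.112.1:1080 and not 172.17.0.4:1433.
def wire_endpoint(proxies, rhost, rport)
  chain = parse_proxies(proxies)
  chain.empty? ? [rhost, rport] : [chain.first[:host], chain.first[:port]]
end

# Client greeting: version 5, one offered method, "no authentication".
def socks5_greeting
  [SOCKS5_VERSION, 1, SOCKS5_NO_AUTH].pack('C*')
end

# CONNECT request carrying the real destination (IPv4, IPv6 or hostname).
# A hostname is passed through unresolved, so the proxy performs DNS as well.
def socks5_connect_request(dst_host, dst_port)
  addr = begin
    ip = IPAddr.new(dst_host)
    [ip.ipv4? ? SOCKS5_ATYP_IPV4 : SOCKS5_ATYP_IPV6].pack('C') + ip.hton
  rescue IPAddr::InvalidAddressError
    raise ArgumentError, 'hostname longer than 255 bytes' if dst_host.bytesize > 255
    [SOCKS5_ATYP_DOMAIN, dst_host.bytesize].pack('CC') + dst_host.b
  end
  ([SOCKS5_VERSION, SOCKS5_CMD_CONNECT, 0x00].pack('C*') + addr + [dst_port].pack('n')).b
end

# Parse the proxy's reply to CONNECT. A non-zero REP means the proxy itself
# could not reach the destination; the bound address/port is informational.
def parse_socks5_reply(bytes)
  raise ArgumentError, 'reply too short' if bytes.bytesize < 4
  ver, rep, _rsv, atyp = bytes.unpack('C4')
  raise ArgumentError, "unexpected SOCKS version #{ver}" unless ver == SOCKS5_VERSION
  rest = bytes.byteslice(4..-1)
  case atyp
  when SOCKS5_ATYP_IPV4
    raise ArgumentError, 'reply too short' if rest.bytesize < 6
    bnd_addr = IPAddr.new_ntoh(rest.byteslice(0, 4)).to_s
    bnd_port = rest.byteslice(4, 2).unpack1('n')
  when SOCKS5_ATYP_DOMAIN
    len = rest.getbyte(0)
    raise ArgumentError, 'reply too short' if len.nil? || rest.bytesize < 1 + len + 2
    bnd_addr = rest.byteslice(1, len)
    bnd_port = rest.byteslice(1 + len, 2).unpack1('n')
  when SOCKS5_ATYP_IPV6
    raise ArgumentError, 'reply too short' if rest.bytesize < 18
    bnd_addr = IPAddr.new_ntoh(rest.byteslice(0, 16)).to_s
    bnd_port = rest.byteslice(16, 2).unpack1('n')
  else
    raise ArgumentError, "unknown address type #{atyp}"
  end
  { ok: rep.zero?, code: rep, reason: SOCKS5_REPLY_CODES.fetch(rep, 'unassigned'),
    bound_addr: bnd_addr, bound_port: bnd_port }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed values mirroring the PR's run line; a constructed success reply.
  puts wire_endpoint('socks5:192.168.112.1:1080', '172.17.0.4', 1433).inspect
  puts socks5_connect_request('172.17.0.4', 1433).unpack1('H*')
  puts parse_socks5_reply("\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00".b).inspect
end
```

Running the file prints the proxy endpoint as the only thing the host connects to, the hex of the CONNECT request (which is where 172.17.0.4:1433 actually appears, inside the TCP stream to the proxy), and a parsed success reply. A non-zero reply code is the place to look when a proxied login "times out": it tells you whether the proxy, rather than the target, refused or could not route the connection.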

@cgranleese-r7 cgranleese-r7 self-assigned this Feb 19, 2024
@cgranleese-r7 cgranleese-r7 added the rn-enhancement (release notes enhancement) label Feb 19, 2024
@cgranleese-r7

Before

image

After

image

@cgranleese-r7 cgranleese-r7 left a comment


Looks good to me 👍

@cgranleese-r7 cgranleese-r7 merged commit 3be5988 into rapid7:master Feb 19, 2024
37 checks passed

cgranleese-r7 commented Feb 19, 2024

Release Notes

This PR adds proxy support for getting an MSSQL session via the mssql_login module.
