msdat v2.4 releases: Microsoft SQL Database Attacking Tool

MSDAT

MSDAT (Microsoft SQL Database Attacking Tool) is an open-source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:

  • You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
  • You have a valid Microsoft SQL account on a database and you want to escalate your privileges
  • You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)

Tested on Microsoft SQL database 2008 and 2012.

Features

Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:

  • get technical information (ex: database version) of an MSSQL database without being authenticated
  • search MSSQL accounts with a dictionary attack
  • test each login as its own password (authentication required)
  • get a windows shell on the database server with
    • xp_cmdshell
  • download files remotely with:
    • OLE Automation
    • bulkinsert
    • openrowset
  • upload files on the server with:
    • OLE Automation
    • openrowset
  • capture a SMB authentication thanks to:
    • bulkinsert
    • openrowset
    • xp_dirtree
    • xp_fileexist
    • xp_getfiledetails
  • steal MSSQL hashed passwords, on any MSSQL version
  • scan ports through the database:
    • openrowset
  • execute SQL requests on a remote MSSQL server through the database (target) with:
    • bulkinsert
    • openrowset
  • list files/directories with:
    • xp_subdirs
    • xp_dirtree
  • list drives/medias with:
    • xp_fixeddrives
    • xp_availablemedia
  • create folders with:
    • xp_create_subdir
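Most of the features above depend on server-level options (xp_cmdshell, OLE Automation, ad hoc distributed queries), on bulk-operation permissions, or on SQL logins that use their own name or an empty string as password. The T-SQL below is an added defensive audit, not part of MSDAT or its author's code: it lists those settings and logins so an administrator can see what the tool would find, and shows the sp_configure calls that turn the optional features off. It assumes SQL Server 2008 or later and a login holding sysadmin (needed for sp_configure and for reading sys.sql_logins password hashes).

```sql
-- Added defensive audit (assumption: run as sysadmin on SQL Server 2008+).
-- Not part of MSDAT.

-- 1. Server options the features above rely on. value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries')
ORDER BY name;

-- 2. Disable the optional features when nothing legitimately needs them.
--    'show advanced options' must be on to change them; switch it back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Logins able to run BULK INSERT / OPENROWSET(BULK ...) against the file system:
--    the ADMINISTER BULK OPERATIONS server permission (members of sysadmin and
--    bulkadmin have it implicitly, so review those roles as well).
SELECT sp.name AS grantee, perm.state_desc, perm.permission_name
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 4. SQL logins whose password is their login name or is empty, i.e. exactly what
--    the "test each login as its own password" feature looks for. PWDCOMPARE() is
--    the documented function for checking a clear-text value against a stored hash.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1
   OR PWDCOMPARE('', password_hash) = 1;

-- 5. Logins in the fixed server roles a dictionary attack would be most rewarded by.
SELECT r.name AS server_role, m.name AS member_login, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'bulkadmin', 'securityadmin')
ORDER BY r.name, m.name;
```

Run section 1 before and after section 2 to confirm the change took effect; any login returned by section 4 should have its password reset and is_policy_checked enabled so the Windows password policy applies to it.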

Changelog v2.4

  • 2 new options in the search module: --privs and --privs-full for getting the current user's roles and privileges (e.g. login and database privileges)
  • 1 new option in the search module: --config for getting database configuration & information (version, databases, users, disabled users, stored procedures, etc.)

Installation

Some dependencies must be installed in order to run MSDAT.

In Ubuntu:

sudo apt-get install freetds-dev
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete

Add “use ntlmv2 = yes” in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:

[global]
# TDS protocol version
tds version = 8.0
use ntlmv2 = yes
Clone the repo

git clone https://github.com/quentinhardy/msdat.git

Modules

  • You can list all modules:
./msdat.py -h
  • When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./msdat.py all -h

You can find out whether a specific module can be used on an MSSQL server thanks to the --test-module option. This option is implemented in each msdat module.

Copyright (C) 2018 quentinhardy

Source: https://github.com/quentinhardy