add encryption detection, reporting to mssql_version

zgoldman-r7 · Mar 4, 2024 · d06df0e · d06df0e
1 parent 8abc67b
commit d06df0e
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 11 deletions.
diff --git a/lib/rex/proto/mssql/client_mixin.rb b/lib/rex/proto/mssql/client_mixin.rb
@@ -134,7 +134,7 @@ def mssql_prelogin_packet
         0x04, # ThreadIdLength
 
         0xFF
-    ].pack("CnnCnnCnnCnnC")
+    ].pack('CnnCnnCnnCnnC')
 
     pkt_data << pkt_data_token
     pkt_data << version
@@ -144,7 +144,7 @@ def mssql_prelogin_packet
 
     pkt_hdr[2] = pkt_data.length + 8
 
-    pkt = pkt_hdr.pack("CCnnCC") + pkt_data
+    pkt = pkt_hdr.pack('CCnnCC') + pkt_data
     pkt
   end
 
@@ -155,21 +155,47 @@ def mssql_get_version
     pkt = mssql_prelogin_packet
 
     resp = mssql_send_recv(pkt)
+    return unless resp
+
+    data = {}
     while resp
       token = resp.slice!(0, 1)
       if token.unpack('C')[0] == 255
-        major =  resp.slice!(0, 1).unpack('C')[0]
-        minor =  resp.slice!(0, 1).unpack('C')[0]
+        major = resp.slice!(0, 1).unpack('C')[0]
+        minor = resp.slice!(0, 1).unpack('C')[0]
         build = resp.slice!(0, 2).unpack('n')[0]
         break
       end
     end
 
     if major && minor && build
-      return "#{major}.#{minor}.#{build}"
-    else
-      return nil
+      build = "#{major}.#{minor}.#{build}"
     end
+    if resp
+      resp.slice!(0,2)
+      enc = resp.slice!(0,1).unpack('C')[0]
+      case enc
+      when ENCRYPT_OFF
+        enc_value = 'off'
+      when ENCRYPT_ON
+        enc_value = 'on'
+      when ENCRYPT_NOT_SUP
+        enc_value = 'unsupported'
+      when ENCRYPT_REQ
+        enc_value = 'required'
+      end
+    end
+
+    if build
+      data['Version'] = build
+    end
+
+    if enc_value
+      data['Encryption'] = enc_value
+    end
+    data['Status'] = 'open'
+    return data
+
   end
 
   def mssql_send_recv(req, timeout=15, check_status = true)

diff --git a/modules/auxiliary/scanner/mssql/mssql_version.rb b/modules/auxiliary/scanner/mssql/mssql_version.rb
@@ -21,10 +21,38 @@ def run
     if session
       set_session(session.client)
     end
-    version = mssql_get_version
-    if version && !version.empty?
-      print_status("SQL Server for #{mssql_client.address}:")
-      print_good("Version: #{version}")
+    data = mssql_get_version
+    if data.nil? || data.empty?
+      print_error("Unable to retrieve version information for #{mssql_client.address}")
+      return
     end
+
+    print_status("SQL Server for #{mssql_client.address}:")
+    if data['Version'] && !data['Version'].empty?
+      print_good("Version: #{data['Version']}")
+    else
+      print_error('Unknown Version')
+    end
+    if data['Encryption'] && !data['Encryption'].empty?
+      print_good("Encryption is #{data['Encryption']}")
+    else
+      print_error('Unknown encryption status')
+    end
+
+    report_mssql_service(mssql_client.address, data)
+  end
+
+  def report_mssql_service(ip, data)
+    mssql_info = 'Version: %<version>s, Encryption: %<encryption>s' % [
+      version: data['Version'] || 'unknown',
+      encryption: data['Encryption'] || 'unknown'
+    ]
+    report_service(
+      host: ip,
+      port: 1433,
+      name: 'mssql',
+      info: mssql_info,
+      state: (data['Status'].nil? ? 'closed' : data['Status'])
+    )
   end
 end