Exemple #1
0
        internal void Run(string[] args)
        {
            Console.WriteLine(BANNER2);
            Console.WriteLine(DELIMITER);

            try
            {
                options.Parse(args);
            }
            catch (OptionException ex)
            {
                Console.WriteLine(ex.Message);
                return;
            }

            if (help)
            {
                Console.WriteLine(DELIMITER);
                options.WriteOptionDescriptions(Console.Out);

                Console.WriteLine(DELIMITER);
                Console.WriteLine("Options per Method: ");
                Console.WriteLine(DELIMITER);
                Console.WriteLine("AgentJob:");
                Console.WriteLine("\t-i InstanceName\n\t--SubsystemFilter=SUBSYSTEM\n\t--KeywordFilter=KEYWORD\n\t--UsingProxyCredentials <Filter for Proxy Credentials>\n\t--ProxyCredentials=CREDENTIALS\n");
                Console.WriteLine("AssemblyFile:");
                Console.WriteLine("\t-i InstanceName\n\t--AssemblyNameFilter=ASSEMBLY\n\t--ExportAssembly <Export Assemblies>\n");
                Console.WriteLine("AuditDatabaseSpec:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditPrivCreateProcedure:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditPrivDbChaining:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditPrivServerLink:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditPrivTrustworthy:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditPrivXpDirTree:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditPrivXpFileExists:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditRoleDbOwner:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditServerSpec:");
                Console.WriteLine("\t-i InstanceName\n\t--AuditNameFilter=NAME\n\t--AuditSpecificationFilter=SPECIFICATION\n\t--AuditActionNameFilter=ACTION\n");
                Console.WriteLine("AuditSQLiSpExecuteAs:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("AuditSQLiSpSigned:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("Column:");
                Console.WriteLine("\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin>\n\t--ColumnFilter=FILTER\n\t--ColumnSearchFilter=WILDCARD_FILTER\n");
                Console.WriteLine("ColumnSampleData:");
                Console.WriteLine("\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin>\n\t--SearchKeywords=KEYWORDS\n\t--SampleSize=SIZE\n\t--ValidateCC <Run Luhn Algorithm on Results>\n");
                Console.WriteLine("Connection:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("Database:");
                Console.WriteLine("\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin>\n");
                Console.WriteLine("DatabasePriv:");
                Console.WriteLine("\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t--PermissionNameFilter=PERMISSION\n\t--PrincipalNameFilter=PRINCIPAL\n\t--PermissionTypeFilter=PERMISSION\n");
                Console.WriteLine("DatabaseRole:");
                Console.WriteLine("\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t--RoleOwnerFilter=OWNER\n\t--RolePrincipalNameFilter=PRINCIPAL\n");
                Console.WriteLine("DatabaseSchema:");
                Console.WriteLine("\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t--SchemaFilter=SCHEMA\n");
                Console.WriteLine("DatabaseUser:"******"\t-i InstanceName\t-d DatabaseName\n\t-n <No Defaults> \n\t--DatabaseUserFilter=USER\n\t--PrincipalNameFilter=NAME\n");
                Console.WriteLine("FuzzDatabaseName:");
                Console.WriteLine("\t-i InstanceName\n\t-StartId=0 \n\t--EndId=5\n");
                Console.WriteLine("FuzzDomainAccount:");
                Console.WriteLine("\t-i InstanceName\n\t-StartId=0 \n\t--EndId=5\n");
                Console.WriteLine("FuzzObjectName:");
                Console.WriteLine("\t-i InstanceName\n\t-StartId=0 \n\t--EndId=5\n");
                Console.WriteLine("FuzzServerLogin:"******"\t-i InstanceName\n\t--EndId=5\n");
                Console.WriteLine("OleDbProvider:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("OSCmd:");
                Console.WriteLine("\t-i InstanceName -q COMMAND --RestoreState <Undo any changes made to run command>\n");
                Console.WriteLine("OSCmdAgentJob:");
                Console.WriteLine("\t-i InstanceName -q COMMAND\n");
                Console.WriteLine("OSCmdOle:");
                Console.WriteLine("\t-i InstanceName -q COMMAND --RestoreState <Undo any changes made to run command>\n");
                Console.WriteLine("OSCmdPython:");
                Console.WriteLine("\t-i InstanceName -q COMMAND --RestoreState <Undo any changes made to run command>\n");
                Console.WriteLine("OSCmdR:");
                Console.WriteLine("\t-i InstanceName -q COMMAND --RestoreState <Undo any changes made to run command>\n");
                Console.WriteLine("Query:");
                Console.WriteLine("\t-i InstanceName -q QUERY\n");
                Console.WriteLine("ServerConfiguration:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("ServerCredential:");
                Console.WriteLine("\t-i InstanceName \n\t--CredentialNameFilter=CREDENTIAL\n");
                Console.WriteLine("ServerInfo:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("ServerLink:");
                Console.WriteLine("\t-i InstanceName \n\t--DatabaseLinkName=LINK\n");
                Console.WriteLine("ServerLinkCrawl:");
                Console.WriteLine("\t-i InstanceName -q QUERY\n");
                Console.WriteLine("ServerLogin:"******"\t-i InstanceName \n\t--PrincipalNameFilter=NAME\n");
                Console.WriteLine("ServerLoginDefaultPw:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("ServerPasswordHash:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("ServerPriv:");
                Console.WriteLine("\t-i InstanceName \n\t--PermissionNameFilter=PERMISSION\n");
                Console.WriteLine("ServerRole:");
                Console.WriteLine("\t-i InstanceName \n\t--RoleOwnerFilter=ROLE \n\t--RolePrincipalNameFilter=NAME\n");
                Console.WriteLine("ServerRoleMember:");
                Console.WriteLine("\t-i InstanceName \n\t--PrincipalNameFilter=NAME\n");
                Console.WriteLine("ServiceAccount:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("Session:");
                Console.WriteLine("\t-i InstanceName \n\t--PrincipalNameFilter=NAME\n");
                Console.WriteLine("StoredProcedure:");
                Console.WriteLine("\t-i InstanceName \n\t--ProcedureNameFilter=NAME \n\t--KeywordFilter=KEYWORD \n\t--AutoExecFilter <Filter fore Auto Exec Stored Procedures>\n");
                Console.WriteLine("StoredProcedureAutoExec:");
                Console.WriteLine("\t-i InstanceName \n\t--ProcedureNameFilter=NAME \n\t--KeywordFilter=KEYWORD\n");
                Console.WriteLine("StoredProcedureCLR:");
                Console.WriteLine("\t-i InstanceName \t-d DatabaseName \n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin> \n\t--ShowAllAssemblyFiles <Display all Assemblies>\n");
                Console.WriteLine("StoredProcedureXP:");
                Console.WriteLine("\t-i InstanceName \t-d DatabaseName \n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin> \n\t--ProcedureNameFilter=NAME\n");
                Console.WriteLine("SysAdminCheck:");
                Console.WriteLine("\t-i InstanceName\n");
                Console.WriteLine("Tables:");
                Console.WriteLine("\t-i InstanceName \t-d DatabaseName \n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin>\n");
                Console.WriteLine("TriggerDdl:");
                Console.WriteLine("\t-i InstanceName \t-d DatabaseName \n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin> \n\t--TriggerNameFilter=TRIGGER\n");
                Console.WriteLine("TriggerDml:");
                Console.WriteLine("\t-i InstanceName \t-d DatabaseName \n\t-n <No Defaults> \n\t-h <Has Access>\n\t-s <Is SysAdmin> \n\t--TriggerNameFilter=TRIGGER\n");
                Console.WriteLine("UncPathInjection:");
                Console.WriteLine("\t-i InstanceName \t--UNCPath=\\\\IP\\PATH\n");
                Console.WriteLine("View:");
                Console.WriteLine("\t-i InstanceName \t-d DatabaseName \n\t-n <No Defaults> \n\t-h <Has Access> \n\t--TableNameFilter=TABLE\n");
                return;
            }

            if (string.IsNullOrWhiteSpace(domainController) && string.IsNullOrEmpty(instance))
            {
                domainController = Environment.GetEnvironmentVariable("LogonServer").Replace("\\\\", "");
            }

            if (string.IsNullOrEmpty(module))
            {
                Console.WriteLine("[-] No module selected (-m || --module)");
                return;
            }

            Console.WriteLine("{0,-40}{1}", "Module", module);
            if (!string.IsNullOrEmpty(domainController))
            {
                Console.WriteLine("{0,-40}{1}", "Domain Controller" + new string('.', 40 - 17), domainController);
            }
            if (csv)
            {
                Console.WriteLine("{0,-40}{1}", "CSV Output" + new string('.', 40 - 10), csv);
            }
            if (!string.IsNullOrEmpty(database))
            {
                Console.WriteLine("{0,-40}{1}", "Database" + new string('.', 40 - 8), database);
            }
            if (!string.IsNullOrEmpty(excreds))
            {
                Console.WriteLine("{0,-40}{1}", "Explicit DB Credentials" + new string('.', 40 - 33), excreds);
            }
            if (json)
            {
                Console.WriteLine("{0,-40}{1}", "JSON Output" + new string('.', 40 - 11), json);
            }
            if (!string.IsNullOrEmpty(excreds))
            {
                Console.WriteLine("{0,-40}{1}", "Search Filters" + new string('.', 40 - 14), filters);
            }
            if (!string.IsNullOrEmpty(instance))
            {
                Console.WriteLine("{0,-40}{1}", "Server Instance" + new string('.', 40 - 15), instance);
            }
            if (!string.IsNullOrEmpty(list))
            {
                Console.WriteLine("{0,-40}{1}", "DB Instance Input List" + new string('.', 40 - 30), list);
            }
            if (nodefaults)
            {
                Console.WriteLine("{0,-40}{1}", "Skipping Default Databases" + new string('.', 40 - 34), nodefaults);
            }
            if (!string.IsNullOrEmpty(outputFileName))
            {
                Console.WriteLine("{0,-40}{1}", "Output file" + new string('.', 40 - 11), outputFileName);
            }
            if (!string.IsNullOrEmpty(query))
            {
                Console.WriteLine("{0,-40}{1}", "Query/Command to Execute" + new string('.', 40 - 25), query);
            }
            if (!string.IsNullOrEmpty(creds))
            {
                Console.WriteLine("{0,-40}{1}", "LDAP/DB Credentials" + new string('.', 40 - 19), creds);
            }
            Console.WriteLine(DELIMITER);

            if (!string.IsNullOrEmpty(creds))
            {
                string[] c        = creds.Split(':');
                string   username = c.First();
                string   password = string.Join("", c.Skip(1).Take(c.Length - 1).ToArray());
                Console.WriteLine("Username: {0}", username);
                Console.WriteLine("Password: {0}", password);
                credentials = new Credentials(username, password);
                creds       = string.Empty;
                username    = string.Empty;
                password    = string.Empty;
            }

            if (!string.IsNullOrEmpty(database))
            {
                databases.Add(
                    new SQLDatabase.Database
                {
                    DatabaseName = database,
                    Instance     = instance,
                }
                    );
            }

            if (!string.IsNullOrEmpty(instance))
            {
                SqlInstances i = new SqlInstances
                {
                    ServerInstance = instance,
                    Server         = Misc.ComputerNameFromInstance(instance)
                };
                instances.Add(i);
            }
            else if (!string.IsNullOrEmpty(domainController))
            {
                SQLServers servers = new SQLServers();
                servers.SetDomainController(domainController);
                if (null == credentials || credentials.IsSqlAccount())
                {
                    servers.Connect(null);
                }
                else
                {
                    servers.Connect(credentials);
                }
                if (!servers.Search())
                {
                    return;
                }

                servers.ParseCollection(true, ref instances);
            }
            else if (!string.IsNullOrEmpty(list))
            {
                string path = string.Empty;
                try
                {
                    path = Path.GetFullPath(list);
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Unable to open file");
                    Console.WriteLine(ex);
                    return;
                }

                using (StreamReader sr = new StreamReader(path))
                {
                    string line = string.Empty;
                    while (null != (line = sr.ReadLine()))
                    {
                        if (string.IsNullOrEmpty(line))
                        {
                            continue;
                        }

                        instances.Add(
                            new SqlInstances
                        {
                            ServerInstance = line,
                            Server         = Misc.ComputerNameFromInstance(line),
                            User           = string.Empty
                        }
                            );
                    }
                }
            }
            else
            {
                Console.WriteLine("[-] No instances to target");
                return;
            }

            if (!string.IsNullOrEmpty(excreds))
            {
                string[] c        = excreds.Split(':');
                string   username = c.First();
                string   password = string.Join("", c.Skip(1).Take(c.Length - 1).ToArray());
                Console.WriteLine("Username: {0}", username);
                Console.WriteLine("Password: {0}", password);
                credentials = new Credentials(username, password);
                creds       = string.Empty;
                username    = string.Empty;
                password    = string.Empty;
            }

            if (!string.IsNullOrEmpty(outputFileName))
            {
                output = true;
                string path = string.Empty;
                try
                {
                    path = Path.GetFullPath(outputFileName);
#if DEBUG
                    Console.WriteLine(path);
#endif
                    outputFileStream = new FileStream(path, FileMode.OpenOrCreate);
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Unable to create file");
                    Console.WriteLine(ex);
                    output = false;
                }
            }

            switch (module.ToLower())
            {
            case "instancedomain":
                Console.WriteLine("{0,-30} {1,-40} {2,-10}", "Server", "Instance", "User");
                Console.WriteLine("{0,-30} {1,-40} {2,-10}", "======", "========", "====");
                break;

            default:
                break;
            }

            foreach (var i in instances)
            {
                switch (module.ToLower())
                {
                case "agentjob":
                    _SQLAgentJob(i);
                    break;

                case "assemblyfile":
                    _SQLAssemblyFile(i);
                    break;

                case "auditdatabasespec":
                    _SQLAuditDatabaseSpec(i);
                    break;

                case "auditprivautoexecsp":
                    _SQLAuditPrivAutoExecSp(i);
                    break;

                case "auditprivcreateprocedure":
                    _SQLAuditPrivCreateProcedure(i);
                    break;

                case "auditprivdbchaining":
                    _SQLAuditPrivDbChaining(i);
                    break;

                case "auditprivimpersonatelogin":
                    _SQLAuditPrivImpersonateLogin(i);
                    break;

                case "auditprivserverlink":
                    _SQLAuditPrivServerLink(i);
                    break;

                case "auditprivtrustworthy":
                    _SQLAuditPrivTrustworthy(i);
                    break;

                case "auditprivxpdirtree":
                    _SQLAuditPrivXpDirTree(i);
                    break;

                case "auditprivxpfileexists":
                    _SQLAuditPrivXpFileExists(i);
                    break;

                case "auditroledbowner":
                    _SQLAuditRoleDbOwner(i);
                    break;

                case "auditroledbddladmin":
                    _SQLAuditRoleDBDDLADMIN(i);
                    break;

                case "auditserverspec":
                    _SQLAuditServerSpec(i);
                    break;

                case "auditispexecuteas":
                    _SQLAuditSQLiSpExecuteAs(i);
                    break;

                case "auditispsigned":
                    _SQLAuditSQLiSpSigned(i);
                    break;

                case "column":
                    _SQLColumn(i);
                    break;

                case "columnsampledata":
                    _SQLColumnSampleData(i);
                    break;

                case "connection":
                    _SQLConnection(i);
                    break;

                case "database":
                    _SQLDatabase(i);
                    break;

                case "databasepriv":
                    _SQLDatabasePriv(i);
                    break;

                case "databaserole":
                    _SQLDatabaseRole(i);
                    break;

                case "databaserolemember":
                    _SQLDatabaseRoleMember(i);
                    break;

                case "databaseschema":
                    _SQLDatabaseSchema(i);
                    break;

                case "databaseuser":
                    _SQLDatabaseUser(i);
                    break;

                case "fuzzdatabasename":
                    _SQLFuzzDatabaseName(i);
                    break;

                case "fuzzdomainaccount":
                    _SQLFuzzDomainAccount(i);
                    break;

                case "fuzzobjectname":
                    _SQLFuzzObjectName(i);
                    break;

                case "fuzzserverlogin":
                    _SQLFuzzServerLogin(i);
                    break;

                case "oledbprovider":
                    _SQLOleDbProvider(i);
                    break;

                case "oscmd":
                    _SQLOSCmd(i);
                    break;

                case "oscmdagentjob":
                    _SQLOSCmdAgentJob(i);
                    break;

                case "oscmdole":
                    _SQLOSCmdOle(i);
                    break;

                case "oscmdpython":
                    _SQLOSCmdPython(i);
                    break;

                case "oscmdr":
                    _SQLOSCmdR(i);
                    break;

                case "query":
                    _SQLQuery(i);
                    break;

                case "serverconfiguration":
                    _SQLServerConfiguration(i);
                    break;

                case "servercredential":
                    _SQLServerCredential(i);
                    break;

                case "serverinfo":
                    _SQLServerInfo(i);
                    break;

                case "serverlink":
                    _SQLServerLink(i);
                    break;

                case "serverlinkcrawl":
                    _SQLServerLinkCrawl(i);
                    break;

                case "serverlogin":
                    _SQLServerLogin(i);
                    break;

                case "serverdefaultloginpw":
                    _SQLServerLoginDefaultPw(i);
                    break;

                case "serverpasswordhash":
                    _SQLServerPasswordHash(i);
                    break;

                case "serverpriv":
                    _SQLServerPriv(i);
                    break;

                case "serverrole":
                    _SQLServerRole(i);
                    break;

                case "serverrolemember":
                    _SQLServerRoleMember(i);
                    break;

                case "serviceaccount":
                    _SQLServiceAccount(i);
                    break;

                case "session":
                    _SQLSession(i);
                    break;

                case "storedprocedure":
                    _SQLStoredProcedure(i);
                    break;

                case "storedprocedureautoexec":
                    _SQLStoredProcedureAutoExec(i);
                    break;

                case "storedprocedureclr":
                    _SQLStoredProcedureCLR(i);
                    break;

                case "storedproceduresqli":
                    _SQLStoredProcedureSQLi(i);
                    break;

                case "storedprocedurexp":
                    _SQLStoredProcedureXP(i);
                    break;

                case "sysadmincheck":
                    _SQLSysAdminCheck(i);
                    break;

                case "tables":
                    _SQLTables(i);
                    break;

                case "triggerddl":
                    _SQLTriggerDdl(i);
                    break;

                case "triggerdml":
                    _SQLTriggerDml(i);
                    break;

                case "uncpathinjection":
                    _SQLUncPathInjection(i);
                    break;

                case "view":
                    _SQLView(i);
                    break;

                case "instancedomain":
                    Console.WriteLine("{0,-30} {1,-40} {2,-10}", i.Server, i.ServerInstance, i.User);
                    break;

                default:
                    Console.WriteLine("[-] Invalid Module");
                    break;
                }
            }

            switch (module.ToLower())
            {
            case "connection":
                _WriteJSONOutput(connections.ToArray());
                break;

            default:
                break;
            }
        }