## https://sploitus.com/exploit?id=MSF:AUXILIARY-SCANNER-MSSQL-MSSQL_VERSION-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

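class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Scanner
  include Msf::OptionalSession::MSSQL

  def initialize
    super(
      'Name' => 'MSSQL Version Utility',
      'Description' => 'Executes a TDS7 pre-login request against the MSSQL instance to query for version information.',
      'Author' => 'Zach Goldman',
      'License' => MSF_LICENSE
    )

    register_options([
      Opt::RPORT(1433)
    ])
  end

  # Entry point. Obtains the TDS pre-login response either from an existing
  # MSSQL session (no new connection is made) or by opening a fresh TDS
  # connection, then prints and records the advertised version and
  # encryption setting.
  #
  # NOTE(review): Msf::Auxiliary::Scanner normally drives a per-host
  # `run_host`; defining `run` here takes over that loop, so how a
  # multi-host RHOSTS value is handled depends on `create_mssql_client` --
  # verify against the mixin before relying on it for ranges.
  def run
    if session
      set_mssql_session(session.client)
      data = mssql_client.initial_connection_info[:prelogin_data]
    else
      create_mssql_client
      data = mssql_prelogin
    end

    if data.blank?
      print_error("Unable to retrieve version information for #{mssql_client.peerhost}")
      return
    end

    # A parseable VERSION or ENCRYPTION token is evidence the port speaks TDS;
    # report_mssql_service reads this key back when recording the service.
    data[:status] = 'open' if data[:version] || data[:encryption]

    print_status("SQL Server for #{mssql_client.peerhost}:")
    report_version(data)
    report_encryption(data)

    report_mssql_service(mssql_client.peerhost, data)
  rescue ::Rex::ConnectionError => e
    # An unreachable or refused target is an expected outcome for a scanner;
    # report it rather than letting the exception abort the module.
    print_error("Connection failed: #{e.message}")
  end

  # Records the host/port in the database together with the version and
  # encryption label gathered by run.
  #
  # @param ip [String] peer address of the MSSQL instance
  # @param data [Hash] pre-login data with symbol keys, as mutated by run
  def report_mssql_service(ip, data)
    mssql_info = 'Version: %<version>s, Encryption: %<encryption>s' % [
      version: data[:version] || 'unknown',
      encryption: data[:encryption] || 'unknown'
    ]
    report_service(
      host: ip,
      port: mssql_client.peerport,
      name: 'mssql',
      info: mssql_info,
      # Bug fix: run stores the state under the symbol :status. The previous
      # lookup used the string key 'Status', which nothing ever sets, so every
      # service was recorded as 'closed' even after a successful pre-login.
      state: data[:status] || 'closed'
    )
  end

  private

  # Prints the SQL Server version string from the pre-login VERSION token,
  # or an error when the token is absent.
  def report_version(data)
    if data[:version]
      print_good("Version: #{data[:version]}")
    else
      print_error('Unknown Version')
    end
  end

  # Rewrites data[:encryption] in place from its ENCRYPT_* value to a label
  # (report_mssql_service stores the label) and prints it.
  #
  # Security note: 'off' or 'unsupported' means the server will not negotiate
  # TLS for the TDS session, so the LOGIN7 packet and all subsequent query
  # traffic cross the wire in the clear (the TDS password scrambling in
  # LOGIN7 is a fixed, reversible transform, not encryption). 'required' is
  # the hardened setting; anything else is worth raising in a report.
  def report_encryption(data)
    unless data[:encryption]
      print_error('Unknown encryption status')
      return
    end

    data[:encryption] = encryption_label(data[:encryption])
    print_good("Encryption: #{data[:encryption]}")
  end

  # Maps a pre-login ENCRYPTION option value to a human-readable label;
  # values outside the ENCRYPT_* constants become 'unknown'.
  def encryption_label(value)
    case value
    when ENCRYPT_OFF then 'off'
    when ENCRYPT_ON then 'on'
    when ENCRYPT_NOT_SUP then 'unsupported'
    when ENCRYPT_REQ then 'required'
    else 'unknown'
    end
  end
end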