
add mssql acceptance tests #19045

Merged
merged 1 commit into from
Apr 5, 2024

Conversation

zgoldman-r7
Contributor

@zgoldman-r7 zgoldman-r7 commented Apr 1, 2024

This adds MSSQL session type acceptance tests

Creating a session:

msf6 auxiliary(scanner/mssql/mssql_login) > use mssql_login

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mssql/mssql_login  .                normal  No     MSSQL Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mssql/mssql_login

[*] Using auxiliary/scanner/mssql/mssql_login
[*] New in Metasploit 6.4 - The CreateSession option within this module can open an interactive session
msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password

[*] 127.0.0.1:1433        - 127.0.0.1:1433 - MSSQL - Starting authentication scanner.
[+] 127.0.0.1:1433        - 127.0.0.1:1433 - Login Successful: WORKSTATION\sa:yourStrong(!)Password
[*] MSSQL session 1 opened (127.0.0.1:54561 -> 127.0.0.1:1433) at 2024-04-01 12:05:21 -0500
[*] 127.0.0.1:1433        - Scanned 1 of 1 hosts (100% complete)
[*] 127.0.0.1:1433        - Bruteforce completed, 1 credential was successful.
[*] 127.0.0.1:1433        - 1 MSSQL session was opened successfully.
[*] Auxiliary module execution completed

Load test modules:

msf6 auxiliary(scanner/mssql/mssql_login) > loadpath test/modules
Loaded 41 modules:
    14 auxiliary modules
    13 exploit modules
    14 post modules

Running test module:

msf6 auxiliary(scanner/mssql/mssql_login) > use post/test/mssql
msf6 post(test/mssql) > run session=-1

[!] SESSION may not be compatible with this module:
[!]  * Unknown session platform. This module works with: Windows, Unknown, Irix, HPUX, AIX, FreeBSD, NetBSD, BSDi, OpenBSD, BSD, OSX, Solaris, Arista, Mikrotik, Brocade, Unifi, Juniper, Cisco, Linux, Ruby, R, Java, Android, Netware, Apple_iOS, Hardware, Multi, Mainframe, Firefox, NodeJS, Python, JavaScript, PHP, Unix.
[*] Running against session -1
[*] Session type is mssql and platform is
[+] should return a version
[+] should support the help command
[*] Passed: 2; Failed: 0; Skipped: 0
[*] Post module execution completed

Running test suite (outside of msfconsole):

docker run -e "ACCEPT_EULA=Y" -e 'MSSQL_SA_PASSWORD=yourStrong(!)Password' -p 1433:1433 -d mcr.microsoft.com/mssql/server:2019-latest

MSSQL_RPORT=1433 SPEC_OPTS='--tag acceptance' SPEC_HELPER_LOAD_METASPLOIT=false bundle exec rspec ./spec/acceptance/mssql_spec.rb

Verification:

  • Ensure local reproduction steps work
  • Ensure CI Passes

@zgoldman-r7 zgoldman-r7 force-pushed the mssql-acceptance-tests branch 11 times, most recently from d18d490 to 67d8a88 April 1, 2024 18:31
@zgoldman-r7 zgoldman-r7 marked this pull request as ready for review April 1, 2024 18:33
Comment on lines +53 to +56
MSSQL_SA_PASSWORD: yourStrong(!)Password
ACCEPT_EULA: 'Y'
options: >-
--health-cmd "/opt/mssql-tools/bin/sqlcmd -U sa -P 'yourStrong(!)Password' -Q 'select 1' -b -o /dev/null"
Contributor

Would it be possible to randomly generate the MSSQL_SA_PASSWORD here on L53 then refer to it in a variable on L56?

all: {
required: [
'Instance Name:',
'Scanned 1 of 1 hosts (100% complete)'
Contributor

When a module fails silently in the background, this message will still be printed, so this particular line does not really add anything.

#{target_configuration_details}

## Replication commands
#{replication_commands.empty? ? 'no additional commands run' : replication_commands.join("\n")}
Contributor

If this is intended to be a resource file, then the 'no additional commands run' line would cause an error to be thrown. It should probably be within a comment to prevent that if the desired output is an RC file.

'Description' => %q{ This module will test the mssql sessions work },
'License' => MSF_LICENSE,
'Author' => [ 'zachgoldman'],
'Platform' => all_platforms,
Contributor

@zgoldman-r7 zgoldman-r7 force-pushed the mssql-acceptance-tests branch from 67d8a88 to 61f9e36 April 4, 2024 17:58
lines: {
all: {
required: [
'Instance Name:',
Contributor

Suggested change
'Instance Name:',
/Instance Name: "\w+"/,

}
},
{
name: "auxiliary/scanner/mssql/mssql_schemadump",
Contributor

Not a blocker; maybe we should populate the MSSQL database with something useful so these modules have more useful output.

lines: {
all: {
required: [
'Instance Name:'
Contributor

Suggested change
'Instance Name:'
/Instance Name: "\w+"/,
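The two suggestions above replace the bare substring 'Instance Name:' with the regex /Instance Name: "\w+"/. The following is an added example, not code from this PR or from Metasploit, that shows why that matters for an acceptance test: a substring check passes even when the module prints the label with an empty value, while the regex requires an actual quoted name. The helper `required_lines_missing` and both output samples are constructed for this illustration; the exact line format of the real module's output is an assumption.

```ruby
# Added example, not part of the PR. `required_lines_missing`, HEALTHY_OUTPUT
# and BROKEN_OUTPUT are constructed here; the module's real output format
# is assumed, not copied.

# Constructed output of a module run that worked.
HEALTHY_OUTPUT = <<~OUT
  [*] 127.0.0.1:1433 - Instance Name: "MSSQLSERVER"
  [*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
OUT

# Constructed output of a module that failed quietly: the label is printed,
# the value is missing, and the "Scanned 1 of 1 hosts" line appears anyway
# (which is the reviewer's point about that line adding nothing).
BROKEN_OUTPUT = <<~OUT
  [*] 127.0.0.1:1433 - Instance Name: ""
  [*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
OUT

# Returns the required entries that no output line satisfied.
# A String requirement is a substring match; a Regexp must match a line.
def required_lines_missing(output, required)
  lines = output.lines.map(&:chomp)
  required.reject do |req|
    lines.any? do |line|
      req.is_a?(Regexp) ? req.match?(line) : line.include?(req)
    end
  end
end

# The two styles of requirement list discussed in the review.
LAX_REQUIRED    = ['Instance Name:', 'Scanned 1 of 1 hosts (100% complete)'].freeze
STRICT_REQUIRED = [/Instance Name: "\w+"/].freeze

if $PROGRAM_NAME == __FILE__
  puts "lax vs broken output, missing:    #{required_lines_missing(BROKEN_OUTPUT, LAX_REQUIRED).inspect}"
  puts "strict vs broken output, missing: #{required_lines_missing(BROKEN_OUTPUT, STRICT_REQUIRED).inspect}"
end
```

Run stand-alone, the lax list reports nothing missing against the broken output, whereas the strict list reports the regex as unsatisfied; only the second would fail the acceptance test.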

skipped: false,
},
{
name: "auxiliary/scanner/mssql/mssql_hashdump",
Contributor

I think this module needs to be updated to support Windows Server 2022? Or it needs a print_status message to say that it's not doing anything.

i.e. version is:

[5] pry(#<Msf::Modules::Auxiliary__Scanner__Mssql__Mssql_hashdump::MetasploitModule>)> version_year
=> "2022"

But the code handles:

def mssql_hashdump(version_year)
  is_sysadmin = mssql_query(mssql_is_sysadmin())[:rows][0][0]
  if is_sysadmin == 0
    print_error("The provided credentials do not have privileges to read the password hashes")
    return nil
  end
  case version_year
  when "2000"
    results = mssql_query(mssql_2k_password_hashes())[:rows]
  when "2005", "2008", "2012", "2014"
    results = mssql_query(mssql_2k5_password_hashes())[:rows]
  end
  return results
end

Contributor

It looks like the 2005, etc., bucket handles this query just fine:

    when "2005", "2008", "2012", "2014"
      results = mssql_query(mssql_2k5_password_hashes())[:rows]

Result

[7] pry(#<Msf::Modules::Auxiliary__Scanner__Mssql__Mssql_hashdump::MetasploitModule>)> results = mssql_query(mssql_2k5_password_hashes())
=> {:sql=>"SELECT name, password_hash FROM master.sys.sql_logins",
 :errors=>[],
 :colinfos=>
  [{:utype=>256, :flags=>8, :type=>231, :id=>:string, :max_size=>256, :codepage=>1033, :cflags=>208, :charset_id=>52, :msg_len=>4, :name=>"name"},
   {:utype=>0, :flags=>33, :type=>165, :id=>:hex, :max_size=>256, :msg_len=>13, :name=>"password_hash"}],
 :colnames=>["name", "password_hash"],
 :rows=>
  [["sa", "0200ade13faac48dbeb54dafd46d5611ce47b6f254072ae9d0be46f8e492759f2a59e4a651ae30e82206000aa9427dfcb90e8a130a2f3e813dad5edc6195a2a40f925ae756f1"],
   ["##MS_PolicyEventProcessingLogin##",
    "020030db0ac7c247089e8047a9df006b507b3ef947fba7a7e0d3e33e434493160bba5dc12621d1b560f389faaddb50a35dfbbc0b4f7873480ca433a52eb82fa0af1fe5eeae2d"],
   ["##MS_PolicyTsqlExecutionLogin##",
    "0200e7b8d1f6d5500faf98bc492a2b813f0d6a1831370c5e7a072c5a67063d197798fb41a2ff47bae0d78dbc61850d6106b9734d579f1f1d7a20157060956fa86d745274e201"]],
 :done=>{:status=>16, :cmd=>193, :rows=>3}}

But the John hash logic will need to be updated too, so it's handled properly: 93da4dc
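The two comments above describe the same failure mode: for version_year "2022" the case statement matches no branch, results stays nil, and the module neither dumps hashes nor says why. The following is an added example, not code from this PR or from Metasploit, that models that dispatch next to a hardened variant which treats every year from 2005 onward the way the reviewer confirmed works, and reports anything unrecognised instead of falling through. The query helper (`fake_query`), the SQL placeholder strings, the function names and the sample rows are all constructed for this illustration.

```ruby
# Added example, not Metasploit code. fake_query, hashdump_original,
# hashdump_hardened, the *_SQL constants and SAMPLE_ROWS are constructed
# stand-ins for the module's mssql_query helper and its query builders.

IS_SYSADMIN_SQL = "constructed: is-sysadmin probe"
HASHES_2K_SQL   = "constructed: SQL Server 2000 hash query"
HASHES_2K5_SQL  = "constructed: sys.sql_logins hash query"

# Constructed sample rows; the hash value is a placeholder, not a real hash.
SAMPLE_ROWS = [["sa", "0200PLACEHOLDER"]].freeze

# Stand-in for mssql_query: returns the same shape (:rows holding result
# rows) without talking to a server. `sysadmin:` controls the probe result.
def fake_query(sql, sysadmin: true)
  return { rows: [[sysadmin ? 1 : 0]], errors: [] } if sql == IS_SYSADMIN_SQL
  { rows: SAMPLE_ROWS, errors: [] }
end

# Mirrors the dispatch quoted in the review. A year outside the listed
# strings matches no branch, so `results` stays nil and nothing is logged:
# the caller cannot tell "no hashes" from "version not handled".
def hashdump_original(version_year, log = [], sysadmin: true)
  is_sysadmin = fake_query(IS_SYSADMIN_SQL, sysadmin: sysadmin)[:rows][0][0]
  if is_sysadmin == 0
    log << "The provided credentials do not have privileges to read the password hashes"
    return nil
  end
  results = nil
  case version_year
  when "2000"
    results = fake_query(HASHES_2K_SQL)[:rows]
  when "2005", "2008", "2012", "2014"
    results = fake_query(HASHES_2K5_SQL)[:rows]
  end
  results
end

# Hardened variant: the review established that the sys.sql_logins query
# works for 2022, so every four-digit year from 2005 on takes that branch,
# and anything unrecognised is reported rather than silently skipped.
def hashdump_hardened(version_year, log = [], sysadmin: true)
  is_sysadmin = fake_query(IS_SYSADMIN_SQL, sysadmin: sysadmin)[:rows][0][0]
  if is_sysadmin == 0
    log << "The provided credentials do not have privileges to read the password hashes"
    return nil
  end
  year = version_year.to_s.match?(/\A\d{4}\z/) ? version_year.to_i : nil
  if year == 2000
    fake_query(HASHES_2K_SQL)[:rows]
  elsif year && year >= 2005
    fake_query(HASHES_2K5_SQL)[:rows]
  else
    log << "Unsupported MSSQL version year #{version_year.inspect}; no hashes dumped"
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  log = []
  puts "original, 2022: #{hashdump_original('2022', log).inspect}, log=#{log.inspect}"
  log = []
  puts "hardened, 2022: #{hashdump_hardened('2022', log).inspect}, log=#{log.inspect}"
  log = []
  puts "hardened, 7.0:  #{hashdump_hardened('7.0', log).inspect}, log=#{log.inspect}"
end
```

The point of the `log` argument is the second reviewer request above: whatever the dispatch decides, the user should see a message explaining why no hashes were returned, which the original branch structure never produces for an unknown year.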

@adfoster-r7
Contributor

There are some tweaks to make here still, but I'm good with this as a first pass - since we've got another PR that wants to make use of this test suite functionality, we can make any remaining tweaks over there.

We'll ticket the hashdump module enhancements separately

@adfoster-r7 adfoster-r7 merged commit a3bba29 into rapid7:master Apr 5, 2024
59 checks passed
@adfoster-r7
Contributor

Release Notes

Adds a set of acceptance tests for MSSQL modules

@adfoster-r7 adfoster-r7 added the rn-enhancement release notes enhancement label Apr 5, 2024