Nmap Development mailing list archives

Evangelos Deirmentzoglou GSoC status report #13 of 17


From: Evangelos Deirme <edeirme () gmail com>
Date: Mon, 7 Aug 2017 21:37:32 +0300

Hey everyone,

This is my report for the 13th week of GSoC 2017.

---Status Report #13 of 17---

7 August 2017

Accomplishments:

* The module for MSSQL is completed. The module supports MSSQL mixed
authentication. My analysis concluded that the quickest and best (for
Ncrack) way to perform authentication is the use of Pre-TDS 7 Login packets
as they are used by Medusa and Hydra.

A breakdown of the protocol was made and with a lot of research, the
transaction now completes with just one packet as opposed to the other
tools which require 2 packets to be sent for each attempt.

With the use of Pre-TDS 7 Login packets, the user credentials are sent in
plain text, which leaves a minimal computational footprint for both sides,
accelerating the brute-forcing attempt this way.

The devil is in the details; a quick note on how we made it work:

According to the FreeTDS specification:
A TDS packet that is longer than 512 bytes (without the 8-byte header) has
to be split in more packets. That limit was increased to 4096 (default
value) in TDS version 7. TDS version 7 was introduced for Microsoft SQL
server 7.0 (1998).

MSSQL servers support Pre-TDS 7 Login packets (at least up to MSSQL 2016).

According to MS-TDS v20170601:
"Only legacy clients that support SQL Server versions that were released
prior to SQL Server 7.0 can use Pre-TDS7 Login."

With all of the above information, it was possible to craft a Pre-TDS 7
Login packet with a block size larger than 512 bytes.
We decided to not support servers older than MSSQL 7.0. This decision
allowed us to perform the authentication with just one packet.
Medusa and Hydra support older servers and as such, they perform the task
with 2 packets.

A feature that is currently lacking from the Ncrack module is to identify
the MSSQL port, in case the server uses named instances (dynamic ports). In
that case, the SQL server will use a different port every time the service
starts. In order to identify the correct port, the client will have to
'ping' the SQL Monitor service, which runs by default on UDP port 1434.
This is an extra feature that would be nice to integrate into the
module.

* Discussed with my mentor, Fotis, regarding the next module to be
developed. The next module is going to be MongoDB.
* Created the appropriate environment for MongoDB.
* Performed initial research for MongoDB authentication techniques. The
authentication technique to be implemented is SCRAM-SHA-1.

Priorities:

* Continue research on MongoDB.
* Start module development of MongoDB module.
* Solve bugs, if any, on the MSSQL module.
* Solve bugs, if any, on the WinRM module.

Performance test:

A performance test against Ncrack, Medusa and Hydra took place. The module
tested was MSSQL, 9831 attempts were made, the correct credentials were
placed last on the list. The results were timed with the Unix program
"time". Each tool was tested 10 times. The tests were performed in a
virtual environment from Kali Linux against Windows Server 2012 running
MSSQL 2016.

All three tools perform authentication with the same technique, Pre-TDS 7
Login packets.

Medusa hung after 1 minute of brute-forcing in every attempt and did not
complete the task.
Hydra completed the task with an average of 41.3 seconds.
Ncrack completed the task with an average of 9 seconds.

Thanks,

Evangelos Deirmentzoglou
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
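The report explains that all three tools authenticate with Pre-TDS 7 Login packets, that Ncrack sends a single packet whose block exceeds the 512-byte limit a genuine pre-7.0 client would have to respect, and that these packets carry credentials in plain text. Seen from the server side, that combination is a wire-level fingerprint worth alerting on. What follows is an added example, not code from the report, from Ncrack or from the other tools: a small TDS header parser plus a sliding-window rule that flags a source emitting a burst of legacy login packets and notes when those packets are oversized for the legacy format. The TDS header layout and the packet-type values (0x02 Pre-TDS7 Login, 0x10 TDS7 Login, 0x12 Pre-Login) are taken from the MS-TDS specification, not from the report; the IP addresses, timestamps, threshold and zero-filled payloads are constructed sample data.

```python
"""Detection-side view of the legacy MSSQL login traffic the report describes.

Parses TDS packet headers, labels Pre-TDS7 Login packets, and raises one alert
per source that sends a burst of them within a sliding time window.
"""
import struct
from collections import defaultdict, deque

TDS_HEADER_LEN = 8
# Packet type values as MS-TDS assigns them (from the spec, not from the report).
TDS_TYPE_PRE_TDS7_LOGIN = 0x02
TDS_TYPE_TDS7_LOGIN = 0x10
TDS_TYPE_PRELOGIN = 0x12
TDS_STATUS_EOM = 0x01
# Payload limit the report quotes for pre-TDS7 clients (8-byte header excluded).
PRE_TDS7_MAX_PAYLOAD = 512


def parse_tds_header(packet):
    """Return the header fields: type(1) status(1) length(2, big-endian, header
    included) spid(2) packet_id(1) window(1)."""
    if len(packet) < TDS_HEADER_LEN:
        raise ValueError("TDS packet shorter than its 8-byte header")
    ptype, status, length, spid, pkt_id, window = struct.unpack(
        ">BBHHBB", packet[:TDS_HEADER_LEN])
    if length != len(packet):
        raise ValueError("TDS length field %d does not match %d bytes on the wire"
                         % (length, len(packet)))
    return {"type": ptype, "status": status, "length": length, "spid": spid,
            "packet_id": pkt_id, "window": window,
            "payload_len": length - TDS_HEADER_LEN}


def classify_login(packet):
    """Label one client-to-server packet. 'legacy_login' is a Pre-TDS7 Login;
    'oversized_legacy' means that legacy login carries more than 512 payload
    bytes in one packet, which a real pre-7.0 client would have split."""
    hdr = parse_tds_header(packet)
    legacy = hdr["type"] == TDS_TYPE_PRE_TDS7_LOGIN
    return {
        "legacy_login": legacy,
        "tds7_login": hdr["type"] == TDS_TYPE_TDS7_LOGIN,
        "oversized_legacy": legacy and hdr["payload_len"] > PRE_TDS7_MAX_PAYLOAD,
        "payload_len": hdr["payload_len"],
    }


def find_login_bursts(events, threshold=10, window_seconds=60):
    """events: iterable of (timestamp_seconds, source_ip, raw_tds_packet).
    Emit one alert per source the first time its legacy-login count inside the
    sliding window reaches the threshold."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, src, pkt in sorted(events, key=lambda e: e[0]):
        info = classify_login(pkt)
        if not info["legacy_login"]:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"source": src, "first_seen": q[0], "count": len(q),
                           "oversized_legacy": info["oversized_legacy"]})
    return alerts


def build_tds_packet(ptype, payload, spid=0, packet_id=1):
    """Frame a payload in a TDS header; used here only to construct sample traffic."""
    length = TDS_HEADER_LEN + len(payload)
    return struct.pack(">BBHHBB", ptype, TDS_STATUS_EOM, length,
                       spid, packet_id, 0) + payload


def sample_events():
    """Constructed traffic: one modern TDS7 login from a workstation, then a
    rapid run of 600-byte Pre-TDS7 logins from a second host. Payloads are
    zero filler, not real login records."""
    events = [(0.0, "10.0.0.5",
               build_tds_packet(TDS_TYPE_TDS7_LOGIN, b"\x00" * 200))]
    for i in range(12):
        events.append((1.0 + i * 0.5, "10.0.0.9",
                       build_tds_packet(TDS_TYPE_PRE_TDS7_LOGIN, b"\x00" * 600)))
    return events


if __name__ == "__main__":
    for alert in find_login_bursts(sample_events()):
        print(alert)
```

On the constructed input the rule fires once, for 10.0.0.9, after its tenth legacy login packet, and records that the packets are oversized for the format they claim. A legitimate legacy client is rare enough on a server of MSSQL 2016 vintage that the type alone is a useful signal; the oversized-block check separates modern tooling from the genuine article.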