[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [TOOL RELEASE] SQL Fingerprint powered by ENG++ Technology [Version 1.33.23-170308]



Hello, everybody.

I am very happy to announce the Perl version of SQL Fingerprint (Christmas 
Release).

[Description]
Microsoft SQL Server fingerprinting can be a time consuming process, because it 
involves trial and error methods to determine the exact version. Intentionally 
inserting an invalid input to obtain a typical error message or using certain 
alphabets that are unique for certain server are two of the many ways to 
possibly determine the version, but most of them require authentication, 
permissions and/or privileges on Microsoft SQL Server to succeed.

Instead, ESF.pl uses a combination of crafted packets for SQL Server Resolution 
Protocol (SSRP) and Tabular Data Stream Protocol (TDS) (protocols natively used 
by Microsoft SQL Server) to accurately perform version fingerprinting and 
determine the exact Microsoft SQL Server version. ESF.pl also applies a 
sophisticated Scoring Algorithm Mechanism (Powered by Exploit Next Generation++ 
Technology), which is a much more reliable technique to determine the Microsoft 
SQL Server version. It is a tool intended to be used by:
        • Database Administrators
        • Database Auditors
        • Database Owners
        • Penetration Testers

Having over FIVE HUNDRED unique versions within its fingerprint database, 
ESF.pl currently supports fingerprinting for:
        • Microsoft SQL Server 2000
        • Microsoft SQL Server 2005
        • Microsoft SQL Server 2008
        • Microsoft SQL Server 2012

ESF.pl re-invented the techniques used by several public tools (SQLPing Tool by 
Chip Andrews, Rajiv Delwadia and Michael Choi, and SQLVer Tool by Chip 
Andrews). ESF.pl shows the MAPPED VERSION and PATCH LEVEL (i.e., Microsoft SQL 
Server 2008 SP1 (CU5)) instead of showing only the RAW VERSION (i.e., Microsoft 
SQL Server 10.0.2746). ESF.pl also has the ability to show the MOST LIKELY 
version, based on its sophisticated Scoring Algorithm Mechanism, and allows to 
determine vulnerable andunpatched Microsoft SQL Server better than many of 
public and commercial tools.

This version is a completely rewritten version in Perl, making ESF.pl much more 
portable than the previous binary version (Win32), and its original purpose is 
to be used as a tool to perform automated penetration test. This version also 
includes the followingMicrosoft SQL Server versions to its fingerprint database:
        • Microsoft SQL Server 2012 SP1 (CU1)
        • Microsoft SQL Server 2012 SP1
        • Microsoft SQL Server 2012 SP1 CTP4
        • Microsoft SQL Server 2012 SP1 CTP3
        • Microsoft SQL Server 2012 SP0 (CU4)
        • Microsoft SQL Server 2012 SP0 (MS12-070)
        • Microsoft SQL Server 2012 SP0 (CU3)
        • Microsoft SQL Server 2012 SP0 (CU2)
        • Microsoft SQL Server 2012 SP0 (CU1)
        • Microsoft SQL Server 2012 SP0 (MS12-070)
        • Microsoft SQL Server 2012 SP0 (KB2685308)
        • Microsoft SQL Server 2012 RTM

To achieve an accurate and much more reliable version fingerprinting, ESF.pl 
employes the following steps, mimicking a valid negotiation between the CLIENT 
and the SERVER:

        • SSRP Client Unicast Request (CLNT_UCAST_EX)
        • SSRP Client Unicast Instance Request (CLNT_UCAST_INST)
        • TDS Pre-Login Request (PRELOGIN)

        NOTE: ESF.pl IS NOT a SQLi tool, and has no ability to perform such 
task.

[Manual Page]
NAME
    ESF.pl - SQL Fingerprint powered by *ENG++ Technology*

VERSION
    This document describes ESF.pl [Version 1].

USAGE
    "ESF.pl host [options]"

DESCRIPTION
    Microsoft SQL Server fingerprinting can be a time consuming process,
    because it involves trial and error methods to determine the exact
    version. Intentionally inserting an invalid input to obtain a typical
    error message or using certain alphabets that are unique for certain
    server are two of the many ways to possibly determine the version, but
    most of them require authentication, permissions and/or privileges on
    Microsoft SQL Server to succeed.

    Instead, ESF.pl uses a combination of crafted packets for SQL Server
    Resolution Protocol ("SSRP") and Tabular Data Stream Protocol ("TDS")
    (protocols natively used by Microsoft SQL Server) to accurately perform
    version fingerprinting and determine the exact Microsoft SQL Server
    version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism
    (powered by *Exploit Next Generation++ Technology*), which is a much
    more reliable technique to determine the Microsoft SQL Server version.
    It is a tool intended to be used by:
    *   Database Administrators
    *   Database Auditors
    *   Database Owners
    *   Penetration Testers

    Having over "FIVE HUNDRED" unique versions within its fingerprint
    database, ESF.pl currently supports fingerprinting for:
    *   Microsoft SQL Server 2000
    *   Microsoft SQL Server 2005
    *   Microsoft SQL Server 2008
    *   Microsoft SQL Server 2012

    ESF.pl re-invented the techniques used by several public tools (SQLPing
    Tool by *Chip Andrews*, *Rajiv Delwadia* and *Michael Choi*, and SQLVer
    Tool by *Chip Andrews*) (see "SEE ALSO" for further information). ESF.pl
    shows the "MAPPED VERSION" and "PATCH LEVEL" (i.e., Microsoft SQL Server
    2008 SP1 (CU5)) instead of showing only the "RAW VERSION" (i.e.,
    Microsoft SQL Server 10.0.2746). ESF.pl also has the ability to show the
    *MOST LIKELY* version, based on its sophisticated Scoring Algorithm
    Mechanism, and allows to determine "vulnerable" and "unpatched"
    Microsoft SQL Server better than many of public and commercial tools.

    This version is a completely rewritten version in Perl, making ESF.pl
    much more portable than the previous binary version (Win32), and its
    original purpose is to be used as a tool to perform automated
    penetration test. This version also includes the following Microsoft SQL
    Server versions to its fingerprint database:
    *   Microsoft SQL Server 2012 SP1 (CU1)
    *   Microsoft SQL Server 2012 SP1
    *   Microsoft SQL Server 2012 SP1 CTP4
    *   Microsoft SQL Server 2012 SP1 CTP3
    *   Microsoft SQL Server 2012 SP0 (CU4)
    *   Microsoft SQL Server 2012 SP0 (MS12-070)
    *   Microsoft SQL Server 2012 SP0 (CU3)
    *   Microsoft SQL Server 2012 SP0 (CU2)
    *   Microsoft SQL Server 2012 SP0 (CU1)
    *   Microsoft SQL Server 2012 SP0 (MS12-070)
    *   Microsoft SQL Server 2012 SP0 (KB2685308)
    *   Microsoft SQL Server 2012 RTM

        *NOTE: ESF.pl "IS NOT" a *SQLi* tool, and has no ability to perform
        such task.*

  Fingerprinting Steps
    As described in "DESCRIPTION", ESF.pl uses a combination of crafted
    packets for "SSRP" and "TDS" to accurately perform version
    fingerprintfing. To achieve an accurate and much more reliable version
    fingerprinting, ESF.pl employes the following steps, mimicking a valid
    negotiation between the CLIENT and the SERVER:

    1) "SSRP" "Client Unicast Request" (CLNT_UCAST_EX)
        This step attempts to gather the Microsoft SQL Server single
        instance or even multiple instances (see "MULTIPLE SQL SERVER
        INSTANCES WARNING" for further information), and the respective
        "TDS" communication port(s) - the "TDS" communication port for each
        instances can be dynamic or default (see "DYNAMIC SQL SERVER TCP
        PORT WARNING" and "DEFAULT SQL SERVER TCP PORT WARNING" for further
        information).

            *NOTE: If this step fails, the "STEP 2" is not performed and the
            "STEP 3" will use "TDS" default communication port only.*

    2) "SSRP" "Client Unicast Instance Request" (CLNT_UCAST_INST)
        This step attempts to use the information gathered by *step 1* to
        collect, parse and match information for a single instances or for
        multiple instances (see "MULTIPLE SQL SERVER INSTANCES WARNING" for
        further information). Once the collecting, parsing and matching is
        done, the fingerprinting data is stored to be validated by the
        sophisticated Scoring Algorithm Mechanism (powered by *Exploit Next
        Generation++ Technology*).

            *NOTE: If the "STEP 1" fails, this step is not performed.*

    3) "TDS" "Pre-Login Request" (PRELOGIN)
        This step attempts to use the information gathered by *step 1* to
        collect, parse and match information for a single instances running
        on "TDS" default coommunication port (see "DEFAULT SQL SERVER TCP
        PORT WARNING" for further information) or for multiple instances
        (see "MULTIPLE SQL SERVER INSTANCES WARNING" for further
        information) running on "TDS" dynamic communication port(s) (see
        "DYNAMIC SQL SERVER TCP PORT WARNING" for further information. Once
        the collecting, parsing and matching is done, the fingerprinting
        data is stored to be validated by the sophisticated Scoring
        Algorithm Mechanism (powered by *Exploit Next Generation++
        Technology*).

            *NOTE: If "STEP 1" fails, this step will use "TDS" default
            communication port only.*

  SSRP
    As described in "[MS-SQLR]: SQL Server Resolution Protocol"
    specification document (see "SEE ALSO" for further information).

    1) "1.3 Overview"
        "The first case is used for the purpose of determining the
        communication endpoint information of a particular database
        instance, whereas the second case is used for enumeration of
        database instances in the network and to obtain the endpoint
        information of each instance." (*page 8*)

        "The SQL Server Resolution Protocol does not include any facilities
        for authentication, protection of data, or reliability. The SQL
        Server Resolution Protocol is always implemented on top of the UDP
        Transport Protocol [RFC768]." (*page 8*)

    2) "1.9 Standards Assignments"
        "The client always sends its request to UDP port 1434 of the server
        or servers." (*page 10*)

    3) "2.2.2 CLNT_UCAST_EX"
        "The CLNT_UCAST_EX packet is a unicast request that is generated by
        clients that are trying to determine the list of database instances
        and their network protocol connection information installed on a
        single machine. The client generates a UDP packet with a single
        byte, as shown in the following diagram." (*page 11*)

    4) "2.2.3 CLNT_UCAST_INST"
        "The CLNT_UCAST_INST packet is a request for information related to
        a specific instance. The structure of the request is as follows."
        (*page 12*)

    According to the previous quotes, the "SSRP" *is used for the purpose of
    determining the communication endpoint information of a particular
    database instance*, which *does not include any facilities for
    authentication*, and both "SSRP" "CLNT_UCAST_EX Request" and "SSRP"
    "CLNT_UCAST_INST Request" can be used *for the purpose of determining
    the communication endpoint information*.

    Based on this analysis, it is possible to determine the Microsoft SQL
    Server version using the "SSRP" "CLNT_UCAST_EX Request" and/or "SSRP"
    "CLNT_UCAST_INST Request". The version is available within the "SSRP"
    "CLNT_UCAST_EX Response" and/or "SSRP" "CLNT_UCAST_INST Response", and
    it is a gratuitous information sent from SERVER to CLIENT to ensure they
    will establish a communication correctly, using the correct database
    instance and the same dialect by both CLIENT and SERVER.

    Here is a "SSRP" "CLNT_UCAST_INST Request" and "SSRP" "CLNT_UCAST_INST
    Response" sample traffic dump between the ESF.pl and a Microsoft SQL
    Server 2008 SP1:

    "SSRP" "CLNT_UCAST_INST Request"
         0000   04 4d 53 53 51 4c 53 45 52 56 45 52              .MSSQLSERVER

    "SSRP" "CLNT_UCAST_INST Response"
         0000   05 77 00 53 65 72 76 65 72 4e 61 6d 65 3b 53 45  
.w.ServerName;SE
         0010   52 56 45 52 30 34 3b 49 6e 73 74 61 6e 63 65 4e  
RVER04;InstanceN
         0020   61 6d 65 3b 4d 53 53 51 4c 53 45 52 56 45 52 3b  
ame;MSSQLSERVER;
         0030   49 73 43 6c 75 73 74 65 72 65 64 3b 4e 6f 3b 56  
IsClustered;No;V
         0040   65 72 73 69 6f 6e 3b 31 30 2e 30 2e 32 35 33 31  
ersion;10.0.2531
         0050   2e 30 3b 74 63 70 3b 31 34 33 33 3b 6e 70 3b 5c  
.0;tcp;1433;np;\
         0060   5c 53 45 52 56 45 52 30 34 5c 70 69 70 65 5c 73  
\SERVER04\pipe\s
         0070   71 6c 5c 71 75 65 72 79 3b 3b                    ql\query;;

    As demonstrated above, the information within the "SSRP" "CLNT_UCAST_EX
    Response" represents the version for Microsoft SQL Server 2008 SP1
    (*10.0.2531*), as well as many interesting information.

        *NOTE: no authentication and gratuitous information.*

  TDS
    As described in "[MS-TDS]: Tabular Data Stream Protocol" specification
    document (see "SEE ALSO" for further information).

    1) "2.2.1.1 Pre-Login"
        "Before a login occurs, a handshake denominated pre-login occurs
        between client and server, setting up contexts such as encryption
        and MARS-enabled." (*page 17*)

    2) "2.2.2.1 Pre-Login Response"
        "The pre-login response is a tokenless packet data stream. The data
        stream consists of the response to the information requested by the
        client pre-login message." (*page 18*)

    3) "2.2.4.1 Tokenless Stream"
        "As shown in the previous section, some messages do not use tokens
        to describe the data portion of the data stream. In these cases, all
        the information required to describe the packet data is contained in
        the packet header. This is referred to as a tokenless stream and is
        essentially just a collection of packets and data." (*page 24*)

    4) "2.2.6.4 PRELOGIN"
        "A message sent by the client to set up context for login. The
        server responds to a client PRELOGIN message with a message of
        packet header type 0x04 and the packet data containing a PRELOGIN
        structure." (*page 59*)

        "[TERMINATOR] [0xFF] [Termination token.]" (*page 61*)

        "TERMINATOR is a required token, and it MUST be the last token of
        PRELOGIN_OPTION. TERMINATOR does not include length and bits
        specifying offset." (*page 61*)

    According to the previous quotes, the "TDS" "Pre-Login" is just a
    handshake, i.e., the "TDS" "Pre-Login" is a *tokenless packet data
    stream* of the *pre-authentication state* to establish the negotiation
    between the CLIENT and the SERVER - as described in "Figure 3: Pre-login
    to post-login sequence" (*page 103*).

    Based on this analysis, it is possible to determine the Microsoft SQL
    Server version during the "TDS" "Pre-Login" handshake. It is an
    undocumented feature, but it is not a bug or a leakage, in fact, it is
    more likely to be an "AS IS" embedded feature that allows CLIENT to
    establish a negotiation with SERVER. The version is available within the
    "TDS" "Pre-Login Response" packet data stream, and it is a gratuitous
    information sent from SERVER to CLIENT to ensure they will establish a
    communication correctly, using the correct database instance and the
    same dialect by both CLIENT and SERVER.

    Here is a *tokenless packet data stream* sample traffic dump of a "TDS"
    "Pre-Login" handshake between the ESF.pl and a Microsoft SQL Server 2008
    SP1:

    "TDS" "Pre-Login Request"
         0000   12 01 00 2f 00 00 01 00 00 00 1a 00 06 01 00 20
         0010   00 01 02 00 21 00 01 03 00 22 00 04 04 00 26 00
         0020   01 ff 09 00 00 00 00 00 01 00 b8 0d 00 00 01

    "TDS" "Pre-Login Response"
         0000   04 01 00 2b 00 00 01 00 00 00 1a 00 06 01 00 20
         0010   00 01 02 00 21 00 01 03 00 22 00 00 04 00 22 00
         0020   01 ff 0a 00 09 e3 00 00 01 00 01

    As demonstrated above, there are four bytes following the "TERMINATOR"
    (*0xFF* at the OFFSET *34*), and they represent the version for
    Microsoft SQL Server 2008 SP1 (*10.0.2531*):

    1) OFFSET *35* represents the Major Version (0x0a = *10*)
    2) OFFSET *36* represents the Minor Version (0x00 = *0*)
    3) OFFSETS *37*/*38* represent the Build Version ([0x09*256]+0xe3 =
    *2531*)

        *NOTE: no authentication and gratuitous information.*

  MULTIPLE SQL SERVER INSTANCES WARNING
    Warns the availability of multiple instances ("Default Instances" as
    well as "Named Instances"). This information is collected and parsed by
    "STEP 1" and used and validated by "STEP 3" (see "Fingerprinting Steps"
    for further information).

        *NOTE: Only in "verbose" mode (see "OPTIONS" for further
        information).*

  DYNAMIC SQL SERVER TCP PORT WARNING
    Warns the availability of multiple instances ("Default Instances" as
    well as "Named Instances") running on "TDS" dynamic communication
    port(s). This information is collected and parsed by "STEP 1" and used
    and validated by "STEP 3" (see "Fingerprinting Steps" for further
    information).

        *NOTE: Only in "verbose" mode (see "OPTIONS" for further
        information).*

  DEFAULT SQL SERVER TCP PORT WARNING
    Warns the availability of "Default Instances" running on "TDS" default
    communication port(s) . This information is collected and parsed by
    "STEP 1" and used and validated by "STEP 3" (see "Fingerprinting Steps"
    for further information).

        *NOTE: Only in "verbose" mode (see "OPTIONS" for further
        information).*

  MOST LIKELY WARNING
    ADD DESCRIPTION HERE

OPTIONS
    "-d,--debug" (default OFF)
        Configure the debug mode, giving much more information details about
        the fingerprinting tasks.

    "-f,--fingerprintdb FILE" (default "ESF.db")
        Configure an optional file for SQL Fingerprint Database.

    "-t,--timeout NUM" (default 30)
        Configure a specific connection timeout (seconds), allowing ESF.pl
        to wait until close the connection.

    "-T,--TIMEOUT NUM" (default 5)
        Configure a specific timeout (seconds), allowing ESF.pl to wait
        until execute the next subroutine.

    "-v,--verbose" (default OFF)
        Configure the verbose mode, giving information details about the
        fingerprinting tasks.

    "-m,--manpage"
        Display the manual page embedded in ESF.pl, being the manual page in
        POD (Plain Old Documentation) format.

    "-h,-?,--help"
        Display the help and usage message.

DEPENDENCIES
    Digest::MD5(3)
        See "Getopt::Long's Perl Documentation" for further information.

    Getopt::Long(3)
        See "Getopt::Long's Perl Documentation" for further information.

    IO::Socket(3)
        See "IO::Socket's Perl Documentation" for further information.

    Pod::Usage(3)
        See "Pod::Usage's Perl Documentation" for further information.

    POSIX(1)
        See "POSIX's Perl Documentation" for further information.

    Switch(3)
        See "Switch's Perl Documentation" for further information.

    PERL(1) v5.10.1 or v5.12.4
        ESF.pl has been widely tested under Perl v5.10.1 (Ubuntu 10.04 LTS)
        and Perl v5.12.4 (OS X Mountain Lion). Due to this, ESF.pl requires
        one of the mentioned versions to be executed. The following tests
        will be performed to ensure its capabilities:

         BEGIN {
            my $subname = (caller(0))[3];
            eval("require 5.012004;");
            eval("require 5.010001;") if $@;
            die "$subname\{\}: Unsupported Perl version ($]).\n" if $@;
         }

            *NOTE: If you are confident that your Perl version is capable to
            execute the ESF.pl, please, remove the above tests and send
            feedback to the author*.

        See "PERL's Perl Documentation" for further information.

SEE ALSO
    Digest::MD5(3), IO::Socket(3), Getopt::Long(3), Pod::Usage(3), POSIX(1),
    Socket(3), Switch(3), PERL(1), [RFC793]
    <http://www.ietf.org/rfc/rfc793.txt>, [RFC768]
    <http://www.ietf.org/rfc/rfc768.txt>, TDS
    <http://msdn.microsoft.com/en-us/library/dd304523.aspx>, SSRP
    <http://msdn.microsoft.com/en-us/library/cc219703.aspx>, SQLPing &
    SQLVer Tools <http://www.sqlsecurity.com/downloads>

HISTORY
    2008
        Private Release (Late 2008)

    2009
        H2HC Talk (November 28)

    2010
        MSSQLFP BETA-3 (January 5)

        MSSQLFP BETA-4 (January 18)

        ESF 1.00.0006 (February 10)

        ESF 1.10.101008/CTP (October 8)

    2012
        ESF 1.12.120115/RC0 (January 15)

BUGS AND LIMITATIONS
    Report ESF.pl bugs and limitations directly to the author.

AUTHOR
    Nelson Brito <mailto:nbrito@xxxxxxxxxx>.

COPYRIGHT
    Copyright(c) 2010-2012 Nelson Brito. All rights reserved worldwide.

    Exploit Next Generation++ Technology and/or other noted Exploit Next
    Generation++ and/or ENG++ related products contained herein are
    registered trademarks or trademarks of Nelson Brito. Any other
    non-Exploit Next Generation++ related products, registered and/or
    unregistered trademarks contained herein is only by reference and are
    the sole property of their respective owners.

    *Exploit Next Generation++ Technology*, innovating since 2010.

LICENSE
    This program is free software: you can redistribute it and/or modify it
    under the terms of the *GNU General Public License* as published by the
    Free Software Foundation, either version 3 of the License, or (at your
    option) any later version.

    You should have received a copy of the *GNU General Public License*
    along with this program. If not, see <http://www.gnu.org/licenses/>.

DISCLAIMER OF WARRANTY
    This program is distributed in the hope that it will be useful, but
    WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *GNU
    General Public License* for more details.

[Download and Source Code]
For immediately download, please, go to:
        • http://code.google.com/p/sql-fingerprint-next-generation/

Atenciosamente / Best regards / Saludos.

Nelson Brito
http://about.me/nbrito

"Quemadmodum gladius neminem occidit, occidentis telum est." (Epistulae morales 
ad Lucilium, Lucius Annaeus Seneca)

Fingerprint: 1983 7E8E D6C9 CAF8 4B4F A8C9 A36D FC5B 4FFC 316C

#!/bin/sh -- # -*- perl -*-
eval 'exec `which perl` -x -S $0 ${1+"$@"} ;'
        if 0;
{(($^O=~/^[M]*$32/i)&&($0=~s!.*\\!!))||($0=~s!^.*/!!)};


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/