Tuesday, August 7, 2012

sqlmap - NTLM authentication

It's been a while since I've posted anything new.
I stumbled upon an issue while trying to get NTLM authentication working with sqlmap, so here is the fix.
Well, if you are using sqlmap from BackTrack, this post is not for you. :-)

But if you are trying your hand at sqlmap on your favourite Linux distro (Ubuntu, in my case), this post will help you run sqlmap against websites that sit behind NTLM (Windows integrated) authentication.

So here we go:

1. Tried running sqlmap with the --auth-type and --auth-cred switches (the backslash in DOMAIN\username survives double quotes in bash, so no extra escaping is needed):

user@ubuntu:~$ ./sqlmap.py --auth-type=NTLM --auth-cred="DOMAIN\username:password" -u "http://www.domain.com/home.php?vulnid=1" -p "vulnid"

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 12:22:48

[12:22:48] [CRITICAL] sqlmap requires Python NTLM third-party library in order to authenticate via NTLM, http://code.google.com/p/python-ntlm/

[*] shutting down at: 12:22:48


2. Failed. OK. Downloaded the python-ntlm library and tried to install it:

user@ubuntu:~$ sudo python setup.py install
Traceback (most recent call last):
  File "setup.py", line 1, in <module>
    from setuptools import setup, find_packages
ImportError: No module named setuptools


3. Failed again: python-ntlm's setup.py needs setuptools, which Ubuntu does not ship by default. Download the setuptools egg for your Python version (2.7 here) and install it:


user@ubuntu:~$ sudo sh setuptools-0.6c11-py2.7.egg 
[sudo] password for user: 
Processing setuptools-0.6c11-py2.7.egg
Copying setuptools-0.6c11-py2.7.egg to /usr/local/lib/python2.7/dist-packages
Adding setuptools 0.6c11 to easy-install.pth file
Installing easy_install script to /usr/local/bin
Installing easy_install-2.7 script to /usr/local/bin

Installed /usr/local/lib/python2.7/dist-packages/setuptools-0.6c11-py2.7.egg
Processing dependencies for setuptools==0.6c11
Finished processing dependencies for setuptools==0.6c11


4. After successfully installing setuptools, try installing the python-ntlm library again:

user@ubuntu:~$ sudo python setup.py install
running install
Checking .pth file support in /usr/local/lib/python2.7/dist-packages/
/usr/bin/python -E -c pass
TEST PASSED: /usr/local/lib/python2.7/dist-packages/ appears to support .pth files
running bdist_egg
running egg_info
creating python_ntlm.egg-info
writing python_ntlm.egg-info/PKG-INFO
writing top-level names to python_ntlm.egg-info/top_level.txt
writing dependency_links to python_ntlm.egg-info/dependency_links.txt
writing entry points to python_ntlm.egg-info/entry_points.txt
writing manifest file 'python_ntlm.egg-info/SOURCES.txt'
writing manifest file 'python_ntlm.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/ntlm
copying ntlm/des_data.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/des_c.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/U32.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/ntlm.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/__init__.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/des.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/HTTPNtlmAuthHandler.py -> build/lib.linux-x86_64-2.7/ntlm
creating build/bdist.linux-x86_64
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/des_data.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/des_c.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/U32.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/ntlm.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/__init__.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/des.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/HTTPNtlmAuthHandler.py -> build/bdist.linux-x86_64/egg/ntlm
byte-compiling build/bdist.linux-x86_64/egg/ntlm/des_data.py to des_data.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/des_c.py to des_c.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/U32.py to U32.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/ntlm.py to ntlm.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/__init__.py to __init__.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/des.py to des.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/HTTPNtlmAuthHandler.py to HTTPNtlmAuthHandler.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/entry_points.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/not-zip-safe -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
creating dist
creating 'dist/python_ntlm-1.0.1-py2.7.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing python_ntlm-1.0.1-py2.7.egg
creating /usr/local/lib/python2.7/dist-packages/python_ntlm-1.0.1-py2.7.egg
Extracting python_ntlm-1.0.1-py2.7.egg to /usr/local/lib/python2.7/dist-packages
Adding python-ntlm 1.0.1 to easy-install.pth file
Installing ntlm_example_extended script to /usr/local/bin
Installing ntlm_example_simple script to /usr/local/bin

Installed /usr/local/lib/python2.7/dist-packages/python_ntlm-1.0.1-py2.7.egg
Processing dependencies for python-ntlm==1.0.1
Finished processing dependencies for python-ntlm==1.0.1


5. So, the python-ntlm library has been installed successfully. Now we run sqlmap again with the same --auth-type and --auth-cred switches; this time it gets past the NTLM handshake and starts testing the parameter:


user@ubuntu:~$ ./sqlmap.py --auth-type=NTLM --auth-cred="DOMAIN\username:password" -u "http://www.domain.com/home.php?vulnid=1" -p "vulnid"

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 12:35:38

[12:35:39] [INFO] using '/home/user/sqlmap/output/domain.com/session' as session file
[12:35:47] [INFO] testing connection to the target url
[12:36:11] [INFO] testing if the url is stable, wait a few seconds
[12:36:12] [INFO] url is stable
[12:36:12] [INFO] testing sql injection on GET parameter 'vulnid'
[12:36:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:36:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[12:36:14] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:36:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[12:36:15] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:36:15] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:36:15] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[12:36:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:36:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[12:36:17] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:36:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:36:17] [INFO] testing 'Oracle AND time-based blind'
[12:36:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[12:36:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:36:22] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
...
<..snip..>



Done!

One caveat before you use this on a shared box: the value of --auth-cred ends up in your shell history and is visible to every local user in the process list (ps) for as long as sqlmap runs, and sqlmap writes the target's session file under its output directory. Clear both when you are finished. Also remember that NTLM over plain HTTP does not send the password itself, but the challenge/response it does send can be captured on the wire and cracked or relayed, so treat the test account as exposed.
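The steps above boil down to one thing: sqlmap delegates the NTLM handshake to python-ntlm, so it refuses to run without it. The following Python 3 script is an added example (not part of the original post and not sqlmap's or python-ntlm's code) that shows the two checks worth doing before you chase the dependency, and the first two legs of the handshake the library performs for sqlmap: confirm from the 401 response that the server really offers NTLM (and pick the matching --auth-type value), split the DOMAIN\username:password credential the way sqlmap and python-ntlm do, build the NTLM Type 1 (negotiate) message and extract the server challenge from the Type 2 message. The 401 response and the Type 2 message are constructed samples, the negotiate flags are an assumed minimal set rather than python-ntlm's defaults, and the final Type 3 (authenticate) message is left to the library because it needs the MD4 NT hash of the password.

```python
import base64
import struct

# Constructed sample: what an IIS site behind Windows authentication returns
# to an unauthenticated request.  Not captured from a real host.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Subset of NTLMSSP negotiate flags (MS-NLMP); assumed minimal set for Type 1.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
DEFAULT_TYPE1_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM
                       | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
                       | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                       | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
NTLM_SIGNATURE = b"NTLMSSP\x00"


def offered_auth_schemes(raw_response):
    """Return the schemes named in the WWW-Authenticate headers of a raw HTTP
    response, in the order the server lists them (status line is skipped)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(None, 1)[0])  # scheme token only
    return schemes


def pick_auth_type(raw_response):
    """Map the server's offer to a value for sqlmap's --auth-type (Basic,
    Digest or NTLM).  NTLM is preferred because Basic sends the password in
    clear; a Negotiate-only (Kerberos) server has no matching option -> None."""
    offered = [s.lower() for s in offered_auth_schemes(raw_response)]
    for choice in ("ntlm", "digest", "basic"):
        if choice in offered:
            return choice.upper()
    return None


def split_auth_cred(cred):
    """Split an --auth-cred value into (domain, user, password): the first ':'
    separates user from password (so the password may contain ':'), and the
    first backslash in the user part separates the NTLM domain from the name."""
    user, _, password = cred.partition(":")
    domain, sep, name = user.partition("\\")
    if not sep:
        domain, name = "", user
    return domain, name, password


def type1_message_bytes(flags=DEFAULT_TYPE1_FLAGS):
    """NTLM Type 1 (NEGOTIATE_MESSAGE): signature, type 1, flags, then empty
    domain and workstation fields (len, maxlen, offset).  32 bytes total."""
    msg = NTLM_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", flags)
    msg += struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32)
    return msg


def build_type1(flags=DEFAULT_TYPE1_FLAGS):
    """Value to send in 'Authorization: NTLM <...>' for the first leg."""
    return base64.b64encode(type1_message_bytes(flags)).decode("ascii")


def parse_type2(b64):
    """Decode a Type 2 (CHALLENGE_MESSAGE) as found in 'WWW-Authenticate: NTLM
    <...>': target name fields at offset 12, flags at 20, 8-byte challenge at 24.
    The challenge is what the Type 3 response is computed over."""
    msg = base64.b64decode(b64)
    if msg[:8] != NTLM_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags, = struct.unpack_from("<I", msg, 20)
    target = msg[tn_off:tn_off + tn_len]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {"target": target.decode(codec), "flags": flags,
            "challenge": msg[24:32]}


def build_sample_type2(target="DOMAIN",
                       challenge=b"\x01\x23\x45\x67\x89\xab\xcd\xef"):
    """Constructed Type 2 message (no version field, empty target info) so the
    parser above can be exercised offline; a real server picks the challenge."""
    name = target.encode("utf-16-le")
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM)
    msg = NTLM_SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), 48)     # target name
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8  # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 48 + len(name))         # empty target info
    return base64.b64encode(msg + name).decode("ascii")


if __name__ == "__main__":
    print("server offers:", offered_auth_schemes(SAMPLE_401))
    print("use --auth-type=%s" % pick_auth_type(SAMPLE_401))
    print("credential parts:", split_auth_cred("DOMAIN\\username:password"))
    print("Authorization: NTLM " + build_type1())
    print("challenge from Type 2:", parse_type2(build_sample_type2()))
```

Run it with a 401 you captured (for example from curl -v against the target) in place of SAMPLE_401. If pick_auth_type returns None the server only speaks Negotiate/Kerberos and no amount of python-ntlm installing will help; if it returns NTLM, the Type 1 value printed is exactly the kind of token python-ntlm puts in sqlmap's first Authorization header. Every Type 1 starts with TlRMTVNTUAABAAAA (the base64 of the NTLMSSP signature plus type 1), which is a handy thing to recognise in proxy logs.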