It's been a while since I've posted anything new.
I stumbled upon an issue while I was searching for NTLM authentication with 'sqlmap'.
Well if you are using sqlmap from BackTrack, this post is not for you. :-)
But if you are trying your hand at sqlmap on your favorite Linux distro (Ubuntu, in my case), then this post will help you use sqlmap against websites that use NTLM authentication.
So here we go:
1. Tried running sqlmap with the --auth-type and --auth-cred switches:
user@ubuntu:~$ ./sqlmap.py --auth-type=NTLM --auth-cred="DOMAIN\username:password" -u "http://www.domain.com/home.php?vulnid=1" -p "vulnid"
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 12:22:48
[12:22:48] [CRITICAL] sqlmap requires Python NTLM third-party library in order to authenticate via NTLM, http://code.google.com/p/python-ntlm/
[*] shutting down at: 12:22:48
2. Failed. OK. Downloaded the python-ntlm library and tried to install it:
user@ubuntu:~$ sudo python setup.py install
Traceback (most recent call last):
  File "setup.py", line 1, in
3. Failed again. Will try to install setuptools. Download setuptools from here:
user@ubuntu:~$ sudo sh setuptools-0.6c11-py2.7.egg
[sudo] password for user:
Processing setuptools-0.6c11-py2.7.egg
Copying setuptools-0.6c11-py2.7.egg to /usr/local/lib/python2.7/dist-packages
Adding setuptools 0.6c11 to easy-install.pth file
Installing easy_install script to /usr/local/bin
Installing easy_install-2.7 script to /usr/local/bin
Installed /usr/local/lib/python2.7/dist-packages/setuptools-0.6c11-py2.7.egg
Processing dependencies for setuptools==0.6c11
Finished processing dependencies for setuptools==0.6c11
4. After successfully installing setuptools, try installing the python-ntlm library again:
user@ubuntu:~$
user@ubuntu:~$ sudo python setup.py install
running install
Checking .pth file support in /usr/local/lib/python2.7/dist-packages/
/usr/bin/python -E -c pass
TEST PASSED: /usr/local/lib/python2.7/dist-packages/ appears to support .pth files
running bdist_egg
running egg_info
creating python_ntlm.egg-info
writing python_ntlm.egg-info/PKG-INFO
writing top-level names to python_ntlm.egg-info/top_level.txt
writing dependency_links to python_ntlm.egg-info/dependency_links.txt
writing entry points to python_ntlm.egg-info/entry_points.txt
writing manifest file 'python_ntlm.egg-info/SOURCES.txt'
writing manifest file 'python_ntlm.egg-info/SOURCES.txt'
installing library code to build/bdist.linux-x86_64/egg
running install_lib
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/ntlm
copying ntlm/des_data.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/des_c.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/U32.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/ntlm.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/__init__.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/des.py -> build/lib.linux-x86_64-2.7/ntlm
copying ntlm/HTTPNtlmAuthHandler.py -> build/lib.linux-x86_64-2.7/ntlm
creating build/bdist.linux-x86_64
creating build/bdist.linux-x86_64/egg
creating build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/des_data.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/des_c.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/U32.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/ntlm.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/__init__.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/des.py -> build/bdist.linux-x86_64/egg/ntlm
copying build/lib.linux-x86_64-2.7/ntlm/HTTPNtlmAuthHandler.py -> build/bdist.linux-x86_64/egg/ntlm
byte-compiling build/bdist.linux-x86_64/egg/ntlm/des_data.py to des_data.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/des_c.py to des_c.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/U32.py to U32.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/ntlm.py to ntlm.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/__init__.py to __init__.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/des.py to des.pyc
byte-compiling build/bdist.linux-x86_64/egg/ntlm/HTTPNtlmAuthHandler.py to HTTPNtlmAuthHandler.pyc
creating build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/PKG-INFO -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/SOURCES.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/dependency_links.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/entry_points.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/not-zip-safe -> build/bdist.linux-x86_64/egg/EGG-INFO
copying python_ntlm.egg-info/top_level.txt -> build/bdist.linux-x86_64/egg/EGG-INFO
creating dist
creating 'dist/python_ntlm-1.0.1-py2.7.egg' and adding 'build/bdist.linux-x86_64/egg' to it
removing 'build/bdist.linux-x86_64/egg' (and everything under it)
Processing python_ntlm-1.0.1-py2.7.egg
creating /usr/local/lib/python2.7/dist-packages/python_ntlm-1.0.1-py2.7.egg
Extracting python_ntlm-1.0.1-py2.7.egg to /usr/local/lib/python2.7/dist-packages
Adding python-ntlm 1.0.1 to easy-install.pth file
Installing ntlm_example_extended script to /usr/local/bin
Installing ntlm_example_simple script to /usr/local/bin
Installed /usr/local/lib/python2.7/dist-packages/python_ntlm-1.0.1-py2.7.egg
Processing dependencies for python-ntlm==1.0.1
Finished processing dependencies for python-ntlm==1.0.1
5. So, the python-ntlm library has been installed successfully. Now we try running sqlmap with the --auth-type and --auth-cred switches again:
user@ubuntu:~$ ./sqlmap.py --auth-type=NTLM --auth-cred="DOMAIN\username:password" -u "http://www.domain.com/home.php?vulnid=1" -p "vulnid"
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 12:35:38
[12:35:39] [INFO] using '/home/user/sqlmap/output/domain.com/session' as session file
[12:35:47] [INFO] testing connection to the target url
[12:36:11] [INFO] testing if the url is stable, wait a few seconds
[12:36:12] [INFO] url is stable
[12:36:12] [INFO] testing sql injection on GET parameter 'vulnid'
[12:36:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:36:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[12:36:14] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:36:14] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[12:36:15] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:36:15] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[12:36:15] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[12:36:16] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[12:36:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[12:36:17] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[12:36:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[12:36:17] [INFO] testing 'Oracle AND time-based blind'
[12:36:18] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[12:36:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[12:36:22] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
. . . .
</..snip..>
..............Done!!!
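The CRITICAL message in step 1 is what sqlmap prints when the interpreter running it cannot import the python-ntlm package, so the thing to verify after step 4 is that the interpreter named on sqlmap.py's #! line can import ntlm.HTTPNtlmAuthHandler (the module listed in the build log). The script below is an added example, not part of the original post or of sqlmap; the candidate interpreter names and the default sqlmap.py path are assumptions.

```python
import os
import shutil
import subprocess
import sys

# Module installed by the python-ntlm build log in step 4.
NTLM_MODULE = "ntlm.HTTPNtlmAuthHandler"

# Probe source; it runs unchanged on Python 2.7 and Python 3.
PROBE = ("import importlib, sys; "
         "m = importlib.import_module(sys.argv[1]); "
         "print(getattr(m, '__file__', 'built-in'))")


def shebang_interpreter(script_path):
    """Return the interpreter named on a script's #! line, or None."""
    with open(script_path, "rb") as fh:
        first = fh.readline().decode("utf-8", "replace").strip()
    parts = first[2:].split() if first.startswith("#!") else []
    if not parts:
        return None
    # "#!/usr/bin/env python" -> "python"; "#!/usr/bin/python2.7" -> that path
    if os.path.basename(parts[0]) == "env" and len(parts) > 1:
        return parts[1]
    return parts[0]


def probe(interpreter, module=NTLM_MODULE):
    """Ask one interpreter whether it can import `module`: (ok, detail)."""
    exe = shutil.which(interpreter) or interpreter
    try:
        out = subprocess.run([exe, "-c", PROBE, module],
                             capture_output=True, text=True, timeout=30)
    except OSError as exc:
        return False, "cannot run %s: %s" % (interpreter, exc)
    if out.returncode == 0:
        return True, out.stdout.strip()  # path the module was loaded from
    err = out.stderr.strip().splitlines()
    return False, err[-1] if err else "import failed"


if __name__ == "__main__":
    # Assumed default: sqlmap.py in the current directory.
    script = sys.argv[1] if len(sys.argv) > 1 else "sqlmap.py"
    named = shebang_interpreter(script) if os.path.exists(script) else None
    for interp in [named, "python", "python2.7", sys.executable]:
        if interp:
            ok, detail = probe(interp)
            print("%-20s %-8s %s" % (interp, "OK" if ok else "MISSING", detail))
```

An interpreter that reports MISSING while another reports OK means the library was installed for a different Python than the one that runs sqlmap.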
Hello... in modern Ubuntu systems.... to install setuptools, easy_install as well as python-ntlm... you just need to use the following commands...
sudo apt-get install python-pip
sudo pip install python-ntlm
Hi, I need to access an application using NTLM authentication to test if there is a SQL injection possibility so I can mitigate them. I am running sqlmap on a Windows 7 machine. I did install setup.py successfully, but when I try the above command to authenticate to the URL it displays the following error: "[CRITICAL] sqlmap requires Python NTLM third-party library in order to authenticate via NTLM, http://code.google.com/p/python-ntlm/". Please advise.
Nice tutorial, Thanks