Mssql Exploit

Nikky Schreier

Aug 3, 2024, 10:33:23 AM8/3/24
to righrolspeli

Metasploit is an excellent framework developed by H. D. Moore. It is a free and lightweight tool for penetration testing. It is open-source and cross-platform and has a range of features. Its popularity rests primarily on the fact that it is a powerful tool for auditing security. While this is true, it also has many features that can help people protect themselves. Personally speaking, this is my go-to tool for testing, as it encapsulates every exploit a pentester can ever need. Through this article, we will learn how to use Metasploit to exploit MSSQL. Therefore, we will go through every exploit Metasploit has to offer step by step, from finding the MSSQL server in the network to retrieving the sensitive information from the database and gaining control. Without any further ado, let us begin.

Usually, any MSSQL server that you are pentesting will have a database. But the server on which we are performing this penetration testing is new, as we also wanted to show the lab setup; therefore, for our next exploit to work, we will be creating a database on our server. To make the database, use the following command:

Now that we have our database, let us learn how we can dump the content of the database with the help of Metasploit. Luckily, Metasploit has a particular exploit dedicated to dumping the content of the database. And to use the said exploit, type:

We found the MSSQL server in the network, retrieved the credentials, and impersonated the user to have higher privileges. So now, let us try and get a meterpreter session on the server by exploiting xp_cmdshell, using the following exploit:

As you can see in the above image, the exploit is trying to enable xp_cmdshell to get our session. We have written a detailed article on xp_cmdshell, which you can read here. Once xp_cmdshell is successfully enabled, we will have our meterpreter session, as shown in the image below:

The next exploit will help to take advantage of the CLR integration. This exploit will enable CLR integration, and along with that, it will also activate the trustworthy database property. After the exploit gives you the session, it restores all the settings to their original form. To use this exploit, type:

Another method to gain privileges is by impersonating another user. And the following exploit will help us do precisely that; it will let our user impersonate other users to gain sysadmin privilege. To use this exploit, use the following set of commands:

Now, as you can see in the image above, the lowpriv user can impersonate the sa user. The sa user is a member of sysadmin, and with the help of the above exploit, lowpriv is now a sysadmin too, as it impersonated the sa user.

The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high-end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.

After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.

In this post, we will be deep-diving into various attacks that we can use against an MSSQL server. From these attacks, we will learn how this service can be leveraged for Windows privilege escalation.

Generally, we do not think of MSSQL as a means for privilege escalation; however, there are many situations where MSSQL can be leveraged to either elevate to a different user, a service account, or SYSTEM.

Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications.

As attackers, the most important takeaway from the above statement is that the SQL server stores data that gets requested by software applications. As a prime example, this data could be login credentials or credit card numbers stored for a web application.

SQL servers are used to store sensitive information; however, aside from the information found inside the database, if we find ourselves with access to an account that has the right permissions, we as attackers can actually exploit the SQL server itself.

Basically, there will be two ways to hunt for MSSQL servers running on the target. The first is remotely, which only works if the service is allowing remote connections. The second is internally, which would only be the case if the firewall is blocking external connections to the SQL server or if the service is running locally (127.0.0.1).

Here we can see that MSSQL is running on the default port of 1433. Also, we can see the WinRM service is running on port 5985 and the RDP service on port 3389, which are also important to note for later in the post.

For the first scenario, we have found credentials for a user during our enumeration that get us into the MSSQL server. From there, we will learn how to extract information from a custom database, where we will find usernames / hashes stored in one of the tables. We will then successfully crack one of those hashes and find that we can now access the system. Essentially, we will be elevating privileges from one user to another user, which is referred to as horizontal privilege escalation.

Here we see there are two users, which are bob and sa. We can also see that both accounts are enabled. Since we are not logged in with a privileged account, we cannot see the accounts' password hashes.

With the hashes we found now in a TXT file, the next thing we need to do is determine the type of hash we will be cracking. This can be accomplished using a tool called hash-identifier.

Seeing md5 as the most likely hashing algorithm used, we have options here. For this example, instead of using hashcat, we will utilize a great website tool called crackstation.

When this is the situation we find ourselves in, then we can abuse the MSSQL server itself by attempting to connect to a non-existent share. With Responder running, we will be able to intercept the request to the non-existent share and dump the hash of the account that the MSSQL service is running as.

This technique is only useful if the account that the service is running under is either a regular user account or service account. If the service is running as SYSTEM then the hash will not be crackable.

This is particularly interesting to us because the name of the custom database that we found in the MSSQL server was named customdb, so there is a good chance that this application and the database are related.

For most types of password protected files, John the Ripper has a tool that can be used to convert the file into a crackable format. These tools are all named xxx2john and can be found on our attacker machine using the following command:

When we have access to the database with a privileged account, we can use a built-in tool called the xp_cmdshell, which allows us to execute commands as the account that the MSSQL service is running as. Earlier we saw that the service was running as the MSSQL$SQLEXPRESS service account; however, we could get lucky and find that the server is actually running as SYSTEM.

For this example, we will transfer nc.exe onto the victim through the MSSQL server and then execute it as SYSTEM. Since we have a foothold on the system already, we could just as easily transfer a file the normal way and then execute that file as SYSTEM; however, this will be a good learning opportunity to do everything from directly inside the MSSQL server.

Nowadays hacking has shifted from attacking systems to learn how they work, or for the thrill of getting into a system for the sake of the hunt; many hackers are doing it for profit. In fact, many companies and states around the world are employing hackers for information, both for political and financial gain. One of the places where most of this information resides is in databases, and one of the most popular databases in enterprises and governments nowadays is Microsoft SQL Server. In this blog post I will cover some of the attacks you can do against this system with Metasploit 3.3.

So let's start by finding all hosts running MSSQL database instances on a network. For this, Metasploit has an auxiliary module called mssql_ping; below you will see how to use this module and see the options it offers from a msfconsole window.

As can be seen from the nmap scan, there is a second instance on each of the hosts. One special note: when you run the nmap scan with the ms-sql-info NSE script, the scan must be a UDP scan and nmap must be run as root. Another way is to use Nessus in command-line mode with the plug-in id 10674.
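A defender-side audit of the MSSQL settings and permissions that the modules described in this post depend on (xp_cmdshell, CLR integration with a TRUSTWORTHY database, IMPERSONATE grants on sysadmin logins, and the service account whose hash the UNC-path trick targets). This is an added example and not code from the post or from Metasploit; it assumes it is run by a member of the sysadmin role so that all catalog views are fully visible.

```sql
-- Added audit query (not from the original post). Assumes a sysadmin login
-- so that sys.configurations, sys.databases, sys.server_permissions and
-- sys.dm_server_services return complete results.

-- 1. Server options abused by the xp_cmdshell and CLR modules.
--    Both should report value_in_use = 0 unless there is a documented need.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled');

-- 2. Databases with TRUSTWORTHY set: the CLR escalation path described above
--    needs this flag, so any database listed here deserves a justification.
SELECT name,
       is_trustworthy_on,
       SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 3. Logins granted IMPERSONATE on another login. A low-privileged login
--    that can impersonate a sysadmin member (for example sa) is effectively
--    sysadmin itself, which is exactly the lowpriv -> sa case in the post.
SELECT grantee.name AS grantee_login,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee
     ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target
     ON p.major_id = target.principal_id
WHERE p.class = 101                      -- 101 = SERVER PRINCIPAL
  AND p.permission_name = 'IMPERSONATE';

-- 4. Account each SQL service runs as. A domain or local user account here
--    is the precondition for the Responder / non-existent-share hash capture;
--    a virtual or managed service account narrows that exposure.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- Remediation for finding 1, shown for reference (run only after confirming
-- nothing legitimate depends on the option):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0;          RECONFIGURE;
```

Findings from query 1 and 3 are the ones to alert on first, since they map directly to the two privilege-escalation routes the post walks through.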
